Security
FEATURE
PGPvpn Keeps IPsec Simple

  February 4, 2002
  By Mike Fratto


How We Tested IPsec Clients

We installed and tested each IPsec VPN client on Microsoft Windows 2000 Pro SP2. To interconnect the products, we used a Nortel Networks BayStack 450-24T switch, and we deployed Entrust Authority 6.0 with VPN Connector 5.0 to issue digital certificates. Funk Software's Steel-Belted Radius on Windows NT helped with user authentication. For our VPN gateways, we used a Cisco PIX running PIX OS 6.1, a Cisco 3005 Concentrator v.3.1 and a Nortel Contivity Extranet Switch 2600 v.3.60.45.

Test No. 1: The first test focused on how the IPsec clients created VPNs within each vendor's product line. We installed the clients on multiple machines and through each vendor's management console created and distributed policies to each client.

Test No. 2: In testing client-to-gateway interoperability, we used the local client configuration so we didn't have to wait for policy updates. However, all the configuration options available locally are also configurable centrally, so we suggest that during testing you use the local client configuration, then move to centrally configured policies.

We configured each VPN gateway and client with similar policies and tested with both preshared-secret IKE and certificates. We configured the policies to 3-DES/SHA-1 (Secure Hash Algorithm-1) or 3-DES/MD5 (Message Digest 5), Diffie-Hellman Group 2, no perfect forward secrecy and no antireplay. The IPsec policies were configured for tunnel-mode IPsec, 3-DES/SHA-1 or 3-DES/MD5. Each interoperability scenario was host-to-VPN gateway, with a Class C address space defined behind the VPN gateway.
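The policy settings above decide whether a client and gateway interoperate at all. As an added example (not from the article or any tested product), this simplified model treats each side's policy as a list of proposals and reports which field blocks agreement; the class names, the exact-match rule and the split of settings between the two phases are assumptions made for illustration.

```python
from typing import NamedTuple

class IkeProposal(NamedTuple):      # phase 1 (IKE) parameters
    encryption: str
    hash: str
    dh_group: int
    auth: str                       # "psk" (preshared secret) or "cert"

class IpsecProposal(NamedTuple):    # phase 2 (IPsec) parameters
    encryption: str
    integrity: str
    mode: str                       # "tunnel" or "transport"
    pfs: bool

def diff(a, b):
    """Field names on which two proposals of the same type disagree."""
    return [f for f in a._fields if getattr(a, f) != getattr(b, f)]

def closest_gap(offers, accepted):
    """Smallest set of disagreeing fields between any offer and any accepted proposal."""
    return min((diff(o, a) for o in offers for a in accepted), key=len)

def negotiate(client, gateway):
    """Return (ike, ipsec, reason); a proposal is None when that phase finds no match."""
    chosen = []
    for phase, key in (("phase 1", "ike"), ("phase 2", "ipsec")):
        # Assumed rule: the first client offer that the gateway also lists wins.
        match = next((o for o in client[key] if o in gateway[key]), None)
        if match is None:
            gap = ", ".join(closest_gap(client[key], gateway[key]))
            return (*chosen, *[None] * (2 - len(chosen)), f"{phase} mismatch: {gap}")
        chosen.append(match)
    return (*chosen, "ok")

# Constructed policies mirroring the article's settings (not captured from the tested products).
GATEWAY = {
    "ike": [IkeProposal("3des", "sha1", 2, "psk"), IkeProposal("3des", "md5", 2, "psk")],
    "ipsec": [IpsecProposal("3des", "sha1", "tunnel", False),
              IpsecProposal("3des", "md5", "tunnel", False)],
}
CLIENT_OK = {"ike": [IkeProposal("3des", "md5", 2, "psk")],
             "ipsec": [IpsecProposal("3des", "md5", "tunnel", False)]}
CLIENT_PFS = {**CLIENT_OK, "ipsec": [IpsecProposal("3des", "md5", "tunnel", True)]}
CLIENT_CERT = {**CLIENT_OK, "ike": [IkeProposal("3des", "sha1", 2, "cert")]}

if __name__ == "__main__":
    for name, client in (("ok", CLIENT_OK), ("pfs", CLIENT_PFS), ("cert", CLIENT_CERT)):
        print(name, negotiate(client, GATEWAY)[2])
```

Running the same comparison over exported client and gateway settings before a rollout points at the single mismatched field instead of leaving it to be inferred from a failed tunnel.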

Test No. 3: With Windows XP, we had to test interoperability a bit differently because Microsoft uses L2TP within IPsec for remote-access VPN connections. We used certificates generated by Microsoft's Certificate Server but configured the VPN gateways to support L2TP within IPsec, a configuration that would normally be supported anyway with XP. We did test (with some difficulty) Windows XP support for preshared secret as well.

