
Matrox Networks
Tech Note #8 - VPN
www.matrox.com/networks | networks.techsupport@matrox.com | +1 (514) 822-6090 | 1-888-667-4740
Summary
This document describes the use of VPN in the Matrox iSwitch. It contains the following:
A list of products that support this feature.
A description of VPN and its features.
Applicability
This feature is available in the following products:
The Matrox iSwitch 8.
VPN
What Is It?
Virtual Private Network (VPN) is a technology that allows a business to create a private Wide Area Network (WAN) using more cost-effective public networks as a backbone. Since data flows over a public network, such as the Internet, encryption technology protects the data. Only networking equipment that contains the correct algorithms and the correct decoding keys can read the data that the VPN transfers over the public network. Since the decoding keys are user configurable, administrators are able to create VPNs.
How Does It Work?
The main ingredients of the VPN are Identification, Encapsulation and Encryption.
Identification:
Transmission:
When a LAN client sends a packet, it must be determined whether this packet is destined
for the local LAN, the Internet or a remote LAN. The Matrox iSwitch compares the
destination IP address of the packet to the addresses defined in the VPN table. If the
Matrox iSwitch identifies the packet as being destined for a remote LAN, then it must be
processed as a VPN packet.
Reception:
When a Matrox iSwitch receives a packet from the WAN, it checks the IP header to determine whether it is a VPN packet. If so, the Matrox iSwitch processes it as a VPN packet.
© Matrox Networks 1999
Encapsulation:
Encapsulation, also known as tunneling, is the process of taking the original LAN packet
that contains private IP addresses and wrapping it in a new IP packet that contains
routable Internet addresses. The two sets of addresses are required to allow
communication on both the private and public networks.
Transmission:
The Matrox iSwitch identifies the packet's new IP address as a VPN destination by
looking it up in the VPN table. Then the Matrox iSwitch again consults the VPN table to
determine the correct tunnel endpoint IP address for when the VPN process encapsulates
the packet with the new addresses.
Reception:
In the case of reception, the Matrox iSwitch simply removes the extra header after the
source IP address uniquely identified the correct VPN table entry. The Matrox iSwitch
requires this information to allow the correct choice of encryption algorithm and
decoding keys.
Encryption:
Once the identification and encapsulation steps have allowed the packets to be correctly routed across both the private and public networks, the only remaining component is the choice of encryption, which provides privacy and data security.
In the case of encryption, the Matrox iSwitch makes no distinction between transmission
and reception since it uses the same algorithm and keys for a given tunnel. The Matrox
iSwitch encrypts transmitted data before it encapsulates. Decryption occurs once the
Matrox iSwitch removes the encapsulation from the original packet.
Example:
To clarify this process, an example based upon Figure 1 follows. Assume that we will follow a
packet as it goes from client A on LAN 1 to client B on LAN 3. The sequence of events is as
follows:
1. Client A (192.168.18.9) on LAN 1 builds a packet to send to Client B (192.168.20.5) on
LAN 3.
2. The packet arrives at the default gateway of client A: Matrox iSwitch #1 at 192.168.18.120.
3. Matrox iSwitch #1 recognizes that the destination Subnet ID of the packet exists in its VPN
table. The VPN table indicates that it is destined for LAN 3 with a corresponding Internet
destination address of 132.11.1.12. The entry also indicates the encryption parameters the
Matrox iSwitch should use.
4. Matrox iSwitch #1 encrypts the complete packet. It then encapsulates the result in a new
packet with a destination IP address of 132.11.1.12, a source IP address of 200.200.10.1, and
a setting to indicate that the payload contains a Generic Routing Encapsulation (GRE)
packet.
5. Matrox iSwitch #1 ships this packet across a WAN port to the ISP. The packet is routed
through the Internet to eventually arrive at Matrox iSwitch #3.
6. Matrox iSwitch #3 inspects the received packet and notes that it contains a GRE packet. It
then extracts the source IP address of 200.200.10.1 and looks for a matching entry in its VPN
table. The matching entry allows the encryption parameters to be obtained (the parameters
are identical to the parameters used by Matrox iSwitch #1 in step 3).
7. Before applying the encryption parameters, Matrox iSwitch #3 removes the IP header that was added by Matrox iSwitch #1 in step 4. The encryption algorithm is then applied to decrypt the payload, and the result is the original packet sent by Client A.
8. Matrox iSwitch #3's switching engine examines the packet and sends it to the port to which Client B connects.
9. The secure transmission of a packet over the Internet is only complete when Client B
receives the packet.
[Figure 1 - Simple VPN Example (diagram not reproduced). Elements shown in the figure:
LAN 1, private network 192.168.18.x: Client A 192.168.18.9; Matrox iSwitch #1 with LAN address 192.168.18.120 and Internet address 200.200.10.1.
LAN 2, private network 192.168.19.x: Matrox iSwitch #2 with LAN address 192.168.19.120 and Internet address 204.50.31.5.
LAN 3, private network 192.168.20.x: Client B 192.168.20.5; Matrox iSwitch #3 with LAN address 192.168.20.120 and Internet address 132.11.1.12.
The Internet (public network) connects the three Matrox iSwitches.]
Figure 1 - Simple VPN Example
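The packet walk above (steps 1 through 9) and the Identification, Encapsulation and Encryption stages described under "How Does It Work?", modelled in Python as an added example. This is not Matrox code and not the iSwitch firmware: the VPN table layout, the Packet and ISwitch names, the text serialization of the inner LAN packet and the SHA-256 keystream used as a stand-in for the Blowfish or proprietary cipher are all assumptions, and the keys are constructed sample values. The addresses are those of Figure 1; the protocol number 47 is GRE's IANA assignment, not a value from the note.

```python
"""Model of the VPN packet path in the tech note: identification (VPN table
lookup), encryption, GRE encapsulation, and the reverse on reception.
Added illustration, not Matrox code; names, table layout and cipher are assumed."""
import hashlib
import ipaddress
from dataclasses import dataclass

GRE_PROTOCOL = 47  # IANA protocol number for Generic Routing Encapsulation

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int   # IP protocol field; 47 marks a GRE (tunnelled) payload
    payload: bytes

@dataclass(frozen=True)
class VpnEntry:
    remote_subnet: str  # private subnet reachable through this tunnel
    endpoint: str       # public IP of the peer iSwitch (tunnel endpoint)
    key: bytes          # shared key; both ends must hold the same value

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the note's Blowfish/proprietary cipher: a SHA-256 counter-mode
    keystream XORed over the data, so one call both encrypts and decrypts.
    Illustration only; real traffic needs a fresh IV/counter per packet."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def serialize(pkt: Packet) -> bytes:
    # Assumed wire form of the inner LAN packet: text header plus payload.
    return f"{pkt.src}|{pkt.dst}|{pkt.protocol}|".encode() + pkt.payload

def deserialize(raw: bytes) -> Packet:
    parts = raw.split(b"|", 3)
    try:
        return Packet(parts[0].decode(), parts[1].decode(), int(parts[2]), parts[3])
    except (IndexError, ValueError, UnicodeDecodeError):
        raise ValueError("payload did not decrypt to a valid LAN packet (wrong key?)")

class ISwitch:
    def __init__(self, lan_subnet, lan_ip, wan_ip, vpn_table):
        self.lan_subnet = ipaddress.ip_network(lan_subnet)
        self.lan_ip, self.wan_ip = lan_ip, wan_ip
        self.vpn_table = list(vpn_table)

    def entry_for_destination(self, dst: str):
        """Transmission: match the destination against the VPN table subnets."""
        addr = ipaddress.ip_address(dst)
        return next((e for e in self.vpn_table
                     if addr in ipaddress.ip_network(e.remote_subnet)), None)

    def entry_for_endpoint(self, src: str):
        """Reception: the outer source IP uniquely identifies the tunnel entry."""
        return next((e for e in self.vpn_table if e.endpoint == src), None)

    def classify(self, pkt: Packet) -> str:
        """Identification: local LAN, remote LAN over the VPN, or plain Internet."""
        if ipaddress.ip_address(pkt.dst) in self.lan_subnet:
            return "local"
        return "vpn" if self.entry_for_destination(pkt.dst) else "internet"

    def transmit(self, pkt: Packet) -> Packet:
        """Steps 3-4: encrypt the whole packet, then wrap it in a new IP packet
        addressed to the tunnel endpoint and marked as carrying GRE."""
        entry = self.entry_for_destination(pkt.dst)
        if entry is None:
            raise ValueError(f"{pkt.dst} is not a VPN destination")
        return Packet(self.wan_ip, entry.endpoint, GRE_PROTOCOL,
                      keystream_xor(entry.key, serialize(pkt)))

    def receive(self, outer: Packet) -> Packet:
        """Steps 6-7: GRE marker plus source IP select the entry; strip the
        added header and decrypt the payload with that entry's key."""
        if outer.protocol != GRE_PROTOCOL:
            raise ValueError("not a VPN packet")
        entry = self.entry_for_endpoint(outer.src)
        if entry is None:
            raise ValueError(f"no VPN table entry for endpoint {outer.src}")
        return deserialize(keystream_xor(entry.key, outer.payload))

def build_figure_1():
    """iSwitch #1 and #3 of Figure 1; the keys are constructed sample values."""
    key13 = b"constructed-key-shared-by-iswitch-1-and-3"
    sw1 = ISwitch("192.168.18.0/24", "192.168.18.120", "200.200.10.1",
                  [VpnEntry("192.168.19.0/24", "204.50.31.5", b"constructed-key-1-2"),
                   VpnEntry("192.168.20.0/24", "132.11.1.12", key13)])
    sw3 = ISwitch("192.168.20.0/24", "192.168.20.120", "132.11.1.12",
                  [VpnEntry("192.168.18.0/24", "200.200.10.1", key13)])
    return sw1, sw3

def walk_client_a_to_b():
    """Follows the note's steps 1-7 for one packet from Client A to Client B."""
    sw1, sw3 = build_figure_1()
    original = Packet("192.168.18.9", "192.168.20.5", 6, b"hello client B")
    kind = sw1.classify(original)   # step 3: destination subnet is in the VPN table
    outer = sw1.transmit(original)  # step 4: encrypt, then encapsulate
    recovered = sw3.receive(outer)  # steps 6-7: identify, strip header, decrypt
    return kind, outer, recovered
```

Calling walk_client_a_to_b() returns the classification ("vpn"), the outer packet from 200.200.10.1 to 132.11.1.12 carrying protocol 47, and the recovered inner packet, which equals what Client A sent. The ordering matches the note: transmit encrypts before it encapsulates, and receive strips the added header before decrypting. A GRE packet from a source address that is not in the VPN table is rejected before any decryption is attempted, which is the behaviour a defender wants from a tunnel endpoint.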
What You Should Know
• Each tunnel can have different encryption keys, encryption type and key length.
• The Blowfish encryption algorithm will provide better throughput than the proprietary algorithm.
• The Matrox iSwitch at each tunnel endpoint should have a statically assigned IP address, to avoid reconfiguring the IP addresses in the VPN table.
• Each remote LAN segment must use a unique subnet. Select the address range for this subnet from the private (not routable on the Internet) ranges specified in RFC 1918.
• To ensure that the VPN is not deprived of bandwidth by non-mission-critical applications (WWW, FTP, E-Mail, …), configure a WAN access port to be dedicated exclusively to VPN.
• The random key generation feature is useful for creating a password, but this password must be sent to the peer endpoint on the other side of the tunnel (they must be the same). While you can accomplish this through a telephone communication, we suggest that you obtain a secure E-mail program. This allows for simple cut-and-paste operations that are less error-prone than typing in keys manually. This process also removes the possibility of eavesdroppers obtaining the key.
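The addressing advice in the list above (unique remote subnets drawn from RFC 1918, statically assigned routable endpoint addresses, and a source address that identifies exactly one VPN table entry on reception) turned into a configuration check, as an added example. It is not Matrox code; the (remote_subnet, endpoint) table layout and the function names are assumptions, and the sample tables are constructed from the Figure 1 addresses.

```python
"""Configuration checks for the note's VPN table advice: every remote LAN must be
a unique RFC 1918 subnet that overlaps neither the local LAN nor another entry,
each tunnel endpoint must be a routable Internet address, and no endpoint may
appear twice (the receiving side matches entries by source IP).
Added illustration, not Matrox code; table layout and names are assumptions."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True when the subnet lies entirely inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)

def check_vpn_table(local_lan: str, entries) -> list:
    """entries: iterable of (remote_subnet, endpoint_ip) strings, one per tunnel.
    Returns human-readable problems; an empty list means the table follows the
    note's addressing advice."""
    problems = []
    local = ipaddress.ip_network(local_lan)
    seen_subnets = [("the local LAN", local)]
    seen_endpoints = set()
    for subnet, endpoint in entries:
        net = ipaddress.ip_network(subnet)
        if not is_rfc1918(net):
            problems.append(f"{subnet}: not an RFC 1918 subnet")
        # Remote segments must be unique: no overlap with the local LAN or each other.
        for label, other in seen_subnets:
            if net.overlaps(other):
                problems.append(f"{subnet}: overlaps {label} ({other})")
        seen_subnets.append((f"the tunnel to {endpoint}", net))
        ep = ipaddress.ip_address(endpoint)
        if not ep.is_global:
            problems.append(f"{endpoint}: endpoint is not a routable Internet address")
        # Reception selects the entry by outer source IP, so endpoints must be unique.
        if endpoint in seen_endpoints:
            problems.append(f"{endpoint}: endpoint appears twice, received packets "
                            "cannot be matched to a single entry")
        seen_endpoints.add(endpoint)
    return problems

def figure_1_iswitch_1_table():
    """Constructed: the table Matrox iSwitch #1 would hold for LAN 2 and LAN 3."""
    return check_vpn_table("192.168.18.0/24",
                           [("192.168.19.0/24", "204.50.31.5"),
                            ("192.168.20.0/24", "132.11.1.12")])

def faulty_table():
    """Constructed table that breaks each piece of advice at least once."""
    return check_vpn_table("192.168.18.0/24",
                           [("192.168.18.0/24", "132.11.1.12"),   # same as local LAN
                            ("10.0.0.0/8", "10.1.1.1"),           # endpoint not routable
                            ("10.5.0.0/16", "132.11.1.12"),       # overlaps 10/8, reused endpoint
                            ("132.11.0.0/16", "204.50.31.5")])    # not RFC 1918
```

figure_1_iswitch_1_table() returns an empty list, and faulty_table() reports five problems: the overlap with the local LAN, the non-routable endpoint, the overlap between the two 10.x entries, the endpoint used by two tunnels, and the subnet outside RFC 1918. Running such a check before loading a VPN table catches the misconfigurations that would otherwise show up only as packets silently taking the wrong path.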