
All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 7
Q. What kind of IPsec support does Cisco IOS Software provide?
A. IPsec uses encryption technology to provide data confidentiality, integrity, and authenticity between participating peers in a private
network. Cisco IOS Software provides full support for both IPsec protocols: Encapsulating Security Payload (ESP), which provides
confidentiality plus integrity and origin authentication, and Authentication Header (AH), which provides integrity and origin
authentication only, without encryption.
Q. What is IKE?
A. IKE, or Internet Key Exchange, provides security association (SA) management. IKE authenticates each peer in an IPsec transaction,
negotiates the security policy (the IKE Phase 1 and Phase 2 proposals), and handles the exchange and periodic renewal of session keys.
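The following is an added example, not from the Cisco document, showing how the pieces from the two answers above fit together in a minimal site-to-site configuration on Cisco IOS: an IKE Phase 1 policy, a pre-shared key, an IPsec (ESP) transform set, and a crypto map that binds them to a traffic selector. All addresses, names and the key are placeholders; AES-256 and DH group 14 assume a release and hardware that support them.

```cisco
! Added example (not from the Cisco document): minimal site-to-site IPsec
! on Cisco IOS. Addresses, names and the key are illustrative placeholders.
!
! IKE Phase 1 (ISAKMP) policy: how peers authenticate each other and
! protect the key exchange. Lower policy numbers are tried first.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key for the remote peer 203.0.113.2 (TEST-NET-3 address).
! One key per peer limits the damage if a key is leaked.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Tear down SAs of a peer that stops answering IKE keepalives (DPD):
! probe every 10 s when idle, give up after 3 missed replies.
crypto isakmp keepalive 10 3 periodic
!
! IPsec Phase 2 transform set: ESP with AES-256 for confidentiality and
! SHA-1 HMAC for integrity. ESP alone covers both services; AH is only
! needed when the outer IP header itself must be authenticated.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selector: only matching traffic is encrypted, everything else
! is routed in the clear, so keep it as tight as the design allows.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The crypto map ties peer, transform set and traffic selector together;
! PFS forces a fresh DH exchange for every Phase 2 rekey.
crypto map SITE-TO-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map SITE-TO-SITE
```

After the first interesting packet triggers negotiation, `show crypto isakmp sa` should list the Phase 1 SA in state QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters increasing for the ESP SAs; a Phase 1 SA that never leaves MM_NO_STATE usually means a policy or key mismatch with the peer.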
Q. What type of certificate management support does Cisco IOS Software provide?
A. Cisco fully supports the X.509 version 3 (X.509v3) certificate standard for device authentication and the Simple Certificate
Enrollment Protocol (SCEP), a protocol for communicating with certificate authorities (CAs). Several vendors, including VeriSign,
Entrust Technologies, Baltimore Technologies, and Microsoft, support SCEP and are interoperable with Cisco devices.
Q. What is SCEP?
A. SCEP, or Simple Certificate Enrollment Protocol, is a certificate enrollment protocol based on the common and well-understood
Public-Key Cryptography Standards (PKCS) #10 (certificate signing requests) and #7 (signed and enveloped messages), carried over
Hypertext Transfer Protocol (HTTP) transport. SCEP provides a standard way to enroll network devices with a certificate authority, as
well as to look up and retrieve certificate revocation list (CRL) information over Lightweight Directory Access Protocol (LDAP) or
HTTP. Version 1.1 supports registration authority (RA) mode for SCEP enrollment.
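As an added example (not from the Cisco document) of the X.509v3 and SCEP support described above, the following Cisco IOS configuration enrolls a router with a CA through a registration authority over SCEP, turns on CRL checking, and switches IKE to certificate-based authentication. The CA hostname, URL, subject name, key label and addresses are placeholders, and the example assumes the CA exposes the conventional SCEP endpoint path.

```cisco
! Added example (not from the Cisco document): SCEP enrollment in RA mode
! with CRL checking. Hostnames, URLs, names and addresses are placeholders.
!
! Certificates cannot be validated without a correct clock, and RSA key
! generation requires a hostname and domain name.
hostname vpn-gw1
ip domain-name example.com
ntp server 10.0.0.1
!
! RSA key pair that the enrolled certificate will be bound to.
crypto key generate rsa general-keys label VPN-GW-KEY modulus 2048
!
crypto pki trustpoint EXAMPLE-CA
 ! SCEP endpoint (HTTP transport, as the SCEP spec requires).
 enrollment url http://ca.example.com/cgi-bin/pkiclient.exe
 ! RA mode: the request goes to a registration authority that fronts the CA.
 enrollment mode ra
 ! If the RA holds the request for manual approval, poll every 5 minutes,
 ! at most 10 times, before giving up.
 enrollment retry period 5
 enrollment retry count 10
 subject-name CN=vpn-gw1.example.com,OU=NetSec,O=Example
 rsakeypair VPN-GW-KEY
 ! Validate peer certificates against the CA's CRL, fetched over HTTP or
 ! LDAP from the distribution point named in the certificate. With "crl"
 ! alone the check fails closed if the CRL cannot be retrieved.
 revocation-check crl
!
! Step 1 (exec mode): fetch the CA certificate. Compare the fingerprint
! the router prints with one obtained out of band from the CA operator
! before accepting it; this is the only thing anchoring trust.
crypto pki authenticate EXAMPLE-CA
!
! Step 2 (exec mode): send the PKCS#10 request inside a PKCS#7 envelope
! and install the certificate the CA issues.
crypto pki enroll EXAMPLE-CA
!
! Use certificates for IKE peer authentication instead of a pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
```

`show crypto pki certificates` lists both the CA certificate and the router certificate once enrollment has completed; until the RA approves the request the router certificate shows a pending status and IKE with `authentication rsa-sig` will not succeed.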
Q. What management tools are available that support VPN module configuration and monitoring?
A. For management of firewall and VPN features on Cisco routers, use Cisco Security Manager, part of the Cisco Security Management
Suite. For more information about Cisco Security Manager, see the data sheet at:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/product_data_sheet0900aecd803ffd5c.html
Q. What mechanisms are available for IPsec VPN recovery and failover?
A. Three main features are available for the recovery and failover of IPsec VPNs. For dynamic route recovery, a combination of
generic routing encapsulation (GRE) and IPsec tunnels can be used, so that a routing protocol running over the GRE tunnel detects a
dead path and reroutes around it. For dynamic failover of IPsec tunnels, IKE keepalives (also known as dead peer detection, DPD) are
recommended, so that the security associations of an unresponsive peer are torn down and renegotiated. For dynamic failover of
IPsec gateways, tunnel endpoint discovery (TED) can be implemented, which lets a router discover the IPsec gateway in front of a
destination instead of relying on a statically configured peer.
IPsec stateful failover is a feature added to the Cisco 3800 Series Integrated Services Routers in Cisco IOS Software Release 12.4(6)T
and is available when the VPN acceleration modules are used. IPsec stateful failover works in conjunction with the Hot Standby
Router Protocol (HSRP) to replicate the state of security associations to the standby router, so that existing IPsec tunnels do not
have to reestablish their associations if the active router fails.
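The following added example (not from the Cisco document) shows all four mechanisms from the answer above in Cisco IOS configuration: a GRE tunnel protected by IPsec with a routing protocol over it, IKE keepalives (DPD), a TED-enabled crypto map, and a crypto map bound to an HSRP group for stateful failover. Addresses, interface names, group names and the EIGRP AS number are placeholders, and the example assumes an IKE policy and peer keys are already configured as in a basic site-to-site setup.

```cisco
! Added example (not from the Cisco document): IPsec recovery and failover
! mechanisms on Cisco IOS. Names and addresses are illustrative placeholders.
! Assumes an ISAKMP policy and peer keys are already configured.
!
! --- Dynamic route recovery: GRE tunnel protected by IPsec ---
! Transport mode is enough here because GRE already adds an outer header.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 ! GRE keepalives bring the tunnel line protocol down when the far end
 ! stops answering, so the routing protocol withdraws routes via it.
 keepalive 10 3
 tunnel protection ipsec profile GRE-PROTECT
!
! Routing over the tunnel: a second tunnel to a backup hub with a worse
! metric takes over automatically when Tunnel0 goes down.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
!
! --- Dynamic failover of IPsec tunnels: IKE keepalives / DPD ---
! Probe an idle peer every 10 s; after 3 missed replies declare it dead
! and delete its IKE and IPsec SAs so they can be rebuilt elsewhere.
crypto isakmp keepalive 10 3 periodic
!
! --- Dynamic failover of IPsec gateways: tunnel endpoint discovery ---
! "discover" makes the router probe for the gateway protecting a
! destination instead of requiring a static "set peer".
crypto dynamic-map DYN-TED 10
 set transform-set TS
crypto map TED-MAP 10 ipsec-isakmp dynamic DYN-TED discover
!
! --- IPsec stateful failover with HSRP ---
! Both routers carry this configuration (with their own local/remote IPs);
! the active router replicates IKE and IPsec SA state to the standby over
! an SCTP association on a dedicated link.
redundancy inter-device
 scheme standby VPN-HA
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.1.1
   remote-port 5000
    remote-ip 10.0.1.2
!
ip access-list extended HA-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map HA-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address HA-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 standby 1 ip 203.0.113.254
 standby 1 name VPN-HA
 standby 1 preempt
 ! Remote peers address the HSRP virtual IP; the crypto map and its SA
 ! state follow whichever router is HSRP active.
 crypto map HA-MAP redundancy VPN-HA stateful
```

Because the remote peer only ever sees the virtual address 203.0.113.254, a failover is invisible to it as long as the SA state (SPIs, keys and sequence numbers) has been replicated; `show crypto isakmp sa` and `show crypto ipsec sa` on the standby should show the same SAs as the active before a failover is tested.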
Q. What is IETF Extended Authentication (Xauth)?
A. IETF Xauth provides user authentication within the IKE protocol. IETF Xauth prompts the user for authentication information (a user
name and password) and verifies this information through an authentication, authorization, and accounting (AAA) server (using either
RADIUS or TACACS+). Authentication occurs after IKE phase 1 but before IKE phase 2. If the user successfully authenticates, phase
2 security association establishment commences, after which data can be sent securely to the protected network.
Q. What is Mode-Config?
A. Mode-Config is an Internet Security Association and Key Management Protocol (ISAKMP) configuration exchange that allows
configuration items such as an internal IP address, DNS server, and domain name to be passed to a peer. In the case of the VPN client,
the VPN gateway can push an IP address to the client to use for communication with private networks.
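The following added example (not from the Cisco document) ties the previous two answers together: a remote-access (Easy VPN server) configuration on Cisco IOS in which Xauth authenticates each user against a RADIUS server after IKE Phase 1, and Mode-Config then pushes an address from a local pool, a DNS server and a domain name to the client before Phase 2. Addresses, names, pool ranges and keys are placeholders.

```cisco
! Added example (not from the Cisco document): Easy VPN server with Xauth
! (user authentication via RADIUS) and Mode-Config (pushed client
! attributes). Addresses, names, pool ranges and keys are placeholders.
!
aaa new-model
! Xauth credentials are verified by RADIUS; "local" is only a fallback
! for when no RADIUS server answers, not an alternative path for users.
aaa authentication login VPN-XAUTH group radius local
! Group attributes handed out by Mode-Config come from the local database.
aaa authorization network VPN-GROUPS local
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-RADIUS-KEY
!
! IKE Phase 1 policy for the clients. The group key authenticates the
! device in Phase 1; Xauth authenticates the person afterwards.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Addresses assigned to clients through Mode-Config.
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
!
! Client group: everything below is pushed by Mode-Config once Xauth
! succeeds and before the Phase 2 SA is negotiated.
crypto isakmp client configuration group REMOTE-USERS
 key REPLACE-WITH-GROUP-KEY
 pool VPN-POOL
 dns 10.0.0.10
 domain example.com
 ! Split tunnelling: only these destinations are sent through the tunnel.
 acl SPLIT-TUNNEL
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.255.255.255 any
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
! Dynamic map: client addresses are unknown in advance, so the peer and
! traffic selector are learned at negotiation time. reverse-route injects
! a host route for each connected client's pool address.
crypto dynamic-map DYN-CLIENTS 10
 set transform-set TS-AES256-SHA
 reverse-route
!
! Bind Xauth, group authorization and Mode-Config to the crypto map.
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUPS
! "respond": the gateway answers the client's Mode-Config request with
! the address and attributes from the client's group.
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-CLIENTS
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
```

The ordering in the answer above is visible in `debug crypto isakmp` output: after the Phase 1 SA is established the router sends the Xauth request, and only after the RADIUS accept does it reply to the Mode-Config request and enter Phase 2 quick mode. DH group 2 is used because the Cisco VPN Client of this document's era negotiates it; where clients allow it, a stronger group should be preferred.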