43.7.7. IPsec Network-to-Network Configuration
IPsec can also be configured to connect an entire network (such as a LAN or WAN) to a remote network using a network-to-network connection. A network-to-network connection requires the setup of IPsec routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN. Figure 43.11, “A network-to-network IPsec tunneled connection” shows a network-to-network IPsec tunneled connection.
Figure 43.11. A network-to-network IPsec tunneled connection
This diagram shows two separate LANs separated by the Internet. These LANs use IPsec routers to authenticate each other and establish a secure tunnel through the Internet. Packets intercepted in transit carry only ciphertext, so an eavesdropper would have to break the cipher protecting the tunnel (by brute force, in the absence of any weakness) to read the traffic passing between these LANs. Communication from a node in the 192.168.1.0/24 range to a node in the 192.168.2.0/24 range is completely transparent to the nodes themselves, because the processing, encryption/decryption, and routing of the IPsec packets are handled entirely by the IPsec routers.
The information needed for a network-to-network connection includes:
The externally-accessible IP addresses of the dedicated IPsec routers
The network address ranges of the LAN/WAN served by the IPsec routers (such as 192.168.1.0/24 or 10.0.1.0/24)
The IP addresses of the gateway devices that route the data from the network nodes to the Internet
A unique name, for example, ipsec1. This is used to identify the IPsec connection and to distinguish it from other devices or connections.
A fixed encryption key or one automatically generated by racoon
A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.
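The items above are exactly the values that end up in the connection definition, and most network-to-network failures trace back to one of them being wrong (overlapping LAN ranges, a gateway outside its LAN, a remote address that is not actually external). The following script is an added example, not code from the guide: it sanity-checks those values and renders them into an ifcfg-style connection file plus a separate key file. The parameter names (TYPE, IKE_METHOD, SRCGW, DSTGW, SRCNET, DSTNET, DST, IKE_PSK) follow the ifcfg-ipsec convention of the RHEL network scripts and should be treated as an assumption to confirm against your own system; the addresses used are constructed documentation ranges.

```python
"""Validate the inputs for a network-to-network IPsec connection and render
them into ifcfg-<name> / keys-<name> contents.  Added example, not from the
guide; the key names are assumed to match the RHEL ifcfg-ipsec convention."""

import ipaddress
import re
import secrets


def check_params(name, local_ext, remote_ext, local_net, remote_net, local_gw, remote_gw):
    """Return a list of problems with the listed connection parameters (empty list = usable)."""
    problems = []
    # The connection name doubles as a file-name suffix, so keep it simple.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        problems.append("connection name must be a simple identifier such as ipsec1")
    try:
        ext = [ipaddress.ip_address(a) for a in (local_ext, remote_ext)]
        nets = [ipaddress.ip_network(n, strict=True) for n in (local_net, remote_net)]
        gws = [ipaddress.ip_address(g) for g in (local_gw, remote_gw)]
    except ValueError as exc:  # host bits set in a prefix, malformed address, ...
        return [f"unparsable address: {exc}"]
    if ext[0] == ext[1]:
        problems.append("the two IPsec routers must have distinct external addresses")
    # The router addresses must be outside both LANs, or they are not "external".
    for addr in ext:
        for net in nets:
            if addr in net:
                problems.append(f"router address {addr} lies inside LAN {net}")
    # Overlapping ranges cannot be routed unambiguously through the tunnel.
    if nets[0].overlaps(nets[1]):
        problems.append(f"LAN ranges {nets[0]} and {nets[1]} overlap")
    # Each LAN gateway must be an address on the LAN it serves.
    for gw, net, side in zip(gws, nets, ("local", "remote")):
        if gw not in net:
            problems.append(f"{side} gateway {gw} is outside its LAN {net}")
    return problems


def check_psk(psk, min_len=20):
    """Pre-shared key hygiene: long enough and not one repeated character."""
    return len(psk) >= min_len and len(set(psk)) > 1


def generate_psk():
    """Generate a random pre-shared key from the OS CSPRNG (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def render_ifcfg(name, local_ext, remote_ext, local_net, remote_net, local_gw, remote_gw, psk):
    """Render the two files; refuses to emit a configuration that fails the checks."""
    problems = check_params(name, local_ext, remote_ext, local_net, remote_net, local_gw, remote_gw)
    if problems:
        raise ValueError("; ".join(problems))
    if not check_psk(psk):
        raise ValueError("pre-shared key is too short or too uniform")
    ifcfg = "\n".join([
        "TYPE=IPSEC",
        "ONBOOT=yes",
        "IKE_METHOD=PSK",          # racoon negotiates session keys, authenticated by the PSK
        f"SRCGW={local_gw}",
        f"DSTGW={remote_gw}",
        f"SRCNET={local_net}",
        f"DSTNET={remote_net}",
        f"DST={remote_ext}",       # external address of the peer IPsec router
    ]) + "\n"
    # The key file holds the secret; keep it readable by root only.
    keys = f"IKE_PSK={psk}\n"
    return {f"ifcfg-{name}": ifcfg, f"keys-{name}": keys}


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not a real deployment.
    files = render_ifcfg("ipsec1", "203.0.113.10", "198.51.100.20",
                         "192.168.1.0/24", "192.168.2.0/24",
                         "192.168.1.254", "192.168.2.254", generate_psk())
    for fname, body in files.items():
        print(f"--- {fname} ---\n{body}")
```

Run it once with your own values before touching the router; an overlapping range or a misplaced gateway shows up here as a plain error message instead of as a tunnel that comes up but never carries traffic.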