Specifications

Technical Concepts For internal use only
A31003-H3580-M103-2-76A9, 01-2009
9-32 HiPath 3000/5000 V8 - HG 1500 V8, Administrator Documentation
SSL and VPN
HG 1500 V8 only accepts peer certificates that have been issued by a trusted CA. In HG 1500, only CA certificates are accepted in the "Trusted CA Certificates" folder. In Internet Explorer, however, both self-signed and CA-signed peer and CA certificates can be imported as trusted certificates.
Server Certificate
A server certificate is used for data exchange for a typical client/server communication, for
example between a browser and Web server. With this certificate the server identifies itself
to its clients and provides them with its public key. This is also often referred to as "User
Certificate". A server certificate can be self-signed or CA-signed.
Peer Certificate or VPN Peer Certificate
In the context of IPsec, a server certificate is usually referred to as "Peer Certificate" or
"VPN Peer Certificate". The reason for this is that when using IPsec both communication
peers have a certificate and there is no client or server assignment when communicating
via an IPsec tunnel. A peer certificate is always CA-signed.
Root Certificate
A root certificate is the highest certificate in a PKI. A root certificate is always a self-signed
CA certificate.
9.6.3 IPsec Tunnel
IPsec (IP Security) is an Internet standard for setting up secure IP connections between two
terminal devices (peer-to-peer communication). An IPsec tunnel is set up for this between the
IP addresses of the connection. IPsec tunnels are used for VPNs. An IPsec tunnel consists of
the following security functions:
Packet Encryption
All IP packets can be transferred in encrypted format. Encryption routines (encryption algorithms) are used for this. There are two types of packet encryption: transport mode and tunnel mode. In transport mode, only user data is encrypted while tunnel mode encrypts both user data and IP header data.
Packet Integrity
IPsec ensures that all IP packets are intact (that is, they have not been manipulated) when they reach the recipient. Hash algorithms such as MD5 or SHA are used for this. Because the hash algorithm produces a completely new byte string whenever even a single bit of the data packet is manipulated, even bit-level manipulations are reliably detected.
Packet Authenticity
IP packets are considered "authentic" if the sender’s and recipient’s IP address could not
be manipulated during data transmission. In other words, packet authenticity guarantees
that the data comes from the recipient you specified. Hash algorithms are also used for
this.
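The integrity and authenticity checks described above, as an added illustration that is not part of the HG 1500 documentation: it uses a keyed hash in the style of HMAC-SHA1-96 (RFC 2404), which is what IPsec actually applies rather than a bare hash, over a constructed sample packet, and follows the simplified transport/tunnel distinction given above (transport mode covers only the user data, tunnel mode the IP header as well). The header bytes, payload and key are constructed for the demo.

```python
import hmac
import hashlib

# Constructed sample packet (not captured traffic): a 20-byte IPv4 header and a payload.
IP_HEADER = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
KEY = b"constructed-demo-key"  # the integrity key both peers would derive from IKE


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value in the style of HMAC-SHA1-96 (RFC 2404):
    a keyed hash over the protected bytes, truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def protected_bytes(mode: str, header: bytes, payload: bytes) -> bytes:
    """Which bytes the ICV covers, following the simplified description above:
    transport mode protects the user data only, tunnel mode the header as well."""
    if mode == "transport":
        return payload
    if mode == "tunnel":
        return header + payload
    raise ValueError(f"unknown mode {mode!r}")


def verify(key: bytes, mode: str, header: bytes, payload: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(icv(key, protected_bytes(mode, header, payload)), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit manipulation in transit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo(mode: str) -> tuple:
    """Returns (intact_ok, payload_flip_ok, header_flip_ok) for the given mode."""
    tag = icv(KEY, protected_bytes(mode, IP_HEADER, PAYLOAD))
    intact_ok = verify(KEY, mode, IP_HEADER, PAYLOAD, tag)
    # one bit changed in the user data: detected in both modes
    payload_flip_ok = verify(KEY, mode, IP_HEADER, flip_bit(PAYLOAD, 5), tag)
    # one bit changed in the source address field of the IP header (bit 100 = byte 12):
    # only covered, and therefore only detected, in tunnel mode
    header_flip_ok = verify(KEY, mode, flip_bit(IP_HEADER, 100), PAYLOAD, tag)
    return intact_ok, payload_flip_ok, header_flip_ok


if __name__ == "__main__":
    for m in ("transport", "tunnel"):
        print(m, demo(m))
```

A manipulated header passes the check in transport mode but fails in tunnel mode, which is the practical reason site-to-site VPNs use tunnel mode.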