SunScreen SKIP User's Guide, Release 1.1

Setting Up an Encrypted Connection From a Host to an Encrypting Gateway, or SunScreen EFS

Figure 5-3 depicts the configuration in which a host is communicating with an encrypting gateway.

Figure 5-3 Communicating with an Encrypting Gateway


In this case, both the host and the encrypting gateway, whether it is a gateway or a SunScreen EFS, must

  1. Have the same key type, such as UDH, SunCA X.509, or the like, and of the same encryption strength. If X.509 certificates and keys are used, the certificates and keys for both hosts must be from the same vendor.

  2. Exchange names or certificates.

  3. Use the same version of the SKIP protocol.

  4. Have an IP address or remote name.

  5. Use the same algorithms for authentication, key encryption, and traffic encryption.

  6. Enable SKIP.

A machine must also have a local identity. A host can have many identities, but the user must choose the one with which it communicates with the remote host. This local identity consists of the local key type and the local key name.

Both machines install or generate their keys and exchange namespace/key ID information. This exchange should be done over the telephone or some other medium.

The user should type the encrypting gateway's information into the Add System box of skiptool. The user should also set the Tunnel Address field of this box to be the IP address of the intermediate system. This enables certificate discovery to ask the correct host for its certificate.

For example, suppose you are contacting a gateway that has three networks attached to it (networks 199.190.177, 199.190.176, and 199.190.176) which are to remain hidden. It also has a local host attached to it. The ACL on the host should be set up as in Table 5-1.

Table 5-1

Host             Algorithm     Tunnel Address   Remote Key
199.190.177.*    V2 DES/DES    Gateway          Gateway's
199.190.176.*    V2 DES/DES    Gateway          Gateway's
199.190.176.*    V2 DES/DES    Gateway          Gateway's
Local host       V2 DES/DES    Gateway          Gateway's
Default          V2 DES/DES    Gateway          Gateway's

The user can configure a default so that everything is sent to the gateway, where it is decrypted and forwarded to the proper recipient in the clear. The recipients of the packets are not aware of any encryption; the gateway handles all encryption and decryption of packets to and from everything behind it.
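The following is an added example, not code from the SunScreen SKIP User's Guide and not skiptool's own data format. It models the per-host ACL of Table 5-1 as a list of entries, looks up which entry (and therefore which tunnel address and algorithm) governs a given destination, with the Default row consulted last, and checks two peer descriptions against the requirements listed above (same key type and strength, same certificate vendor for X.509, same SKIP version, same algorithms, SKIP enabled). The gateway address, gateway key name, local host address and peer values are constructed placeholders, the repeated 199.190.176.* row is listed once, and reading "199.190.177.*" as 199.190.177.0/24 is an assumption about the wildcard notation.

```python
# Added example (not from the SunScreen SKIP User's Guide, not skiptool code):
# a small model of the per-host SKIP ACL in Table 5-1 and of the requirements a
# host and an encrypting gateway must agree on. All addresses, field names and
# peer values below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    host: str            # "199.190.177.*", a single address, or "default"
    algorithm: str       # written as in Table 5-1, e.g. "V2 DES/DES"
    tunnel_address: str  # the intermediate system asked for the certificate
    remote_key: str      # name / key ID used to find the gateway's certificate


@dataclass(frozen=True)
class SkipPeer:
    key_type: str               # "UDH", "SunCA X.509", ...
    key_bits: int               # encryption strength of the key
    cert_vendor: Optional[str]  # only meaningful for X.509 keys
    skip_version: int           # SKIP protocol version
    algorithm: str              # authentication / key / traffic algorithms
    skip_enabled: bool


def _host_matches(pattern: str, addr: IPv4Address) -> bool:
    """Match one ACL Host field against a destination address.

    "default" matches anything; trailing ".*" octets are wildcards, so
    "199.190.177.*" covers 199.190.177.0/24 (assumed reading of Table 5-1)."""
    if pattern == "default":
        return True
    octets = pattern.split(".")
    stars = 0
    while stars < len(octets) and octets[-1 - stars] == "*":
        stars += 1
    if stars == 0:
        return IPv4Address(pattern) == addr
    fixed = octets[: len(octets) - stars]
    net = IPv4Network(".".join(fixed + ["0"] * stars) + f"/{8 * len(fixed)}")
    return addr in net


def lookup(acl: List[AclEntry], dest: str) -> Optional[AclEntry]:
    """Return the ACL entry that governs traffic to `dest`.

    Explicit entries are tried in order first; the "default" entry is consulted
    only when nothing else matches, so a default never hides a more specific
    row. Returns None when there is no match and no default."""
    addr = IPv4Address(dest)
    for entry in acl:
        if entry.host != "default" and _host_matches(entry.host, addr):
            return entry
    for entry in acl:
        if entry.host == "default":
            return entry
    return None


def incompatibilities(local: SkipPeer, remote: SkipPeer) -> List[str]:
    """List the requirements (items 1, 3, 5 and 6 above) the two sides violate."""
    problems = []
    if not (local.skip_enabled and remote.skip_enabled):
        problems.append("SKIP not enabled on both sides")
    if local.key_type != remote.key_type:
        problems.append("key type differs")
    elif local.key_bits != remote.key_bits:
        problems.append("encryption strength differs")
    elif "X.509" in local.key_type and local.cert_vendor != remote.cert_vendor:
        problems.append("X.509 certificates from different vendors")
    if local.skip_version != remote.skip_version:
        problems.append("SKIP protocol version differs")
    if local.algorithm != remote.algorithm:
        problems.append("algorithm (auth/key/traffic) differs")
    return problems


# Constructed values standing in for the "Gateway" / "Gateway's" placeholders
# of Table 5-1 and for the single local host attached to the gateway.
GATEWAY_ADDR = "192.0.2.1"
GATEWAY_KEY = "gateway-key-id"
LOCAL_HOST = "192.0.2.20"

TABLE_5_1 = [
    AclEntry("199.190.177.*", "V2 DES/DES", GATEWAY_ADDR, GATEWAY_KEY),
    AclEntry("199.190.176.*", "V2 DES/DES", GATEWAY_ADDR, GATEWAY_KEY),
    AclEntry(LOCAL_HOST,      "V2 DES/DES", GATEWAY_ADDR, GATEWAY_KEY),
    AclEntry("default",       "V2 DES/DES", GATEWAY_ADDR, GATEWAY_KEY),
]

if __name__ == "__main__":
    for dest in ("199.190.177.42", LOCAL_HOST, "10.0.0.5"):
        e = lookup(TABLE_5_1, dest)
        print(f"{dest:15} -> tunnel via {e.tunnel_address} using {e.algorithm} "
              f"(matched '{e.host}')")
```

Because every row tunnels through the same gateway, the lookup result differs only in which row matched; the point of keeping the explicit rows ahead of Default is that a later change to one hidden network's algorithm or key does not silently fall through to the default entry.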