SunScreen SKIP User's Guide, Release 1.5.1

Setting Up an Encrypted Connection From a Host to an Encrypting Gateway or SunScreen

The following figure depicts the configuration in which a host is communicating with an encrypting gateway.

Figure 5-3 Communicating with an Encrypting Gateway

In this case, both the host and the encrypting gateway, whether it be a gateway or a SunScreen, must

A machine must also have a local identity. Hosts can have many identities, but you must choose one to use when communicating with the remote host. This local identity consists of the local key type and the local key name.

Both machines install or generate their keys and exchange namespace/key ID information. You should do this over the telephone or some other out-of-band medium.

Type the encrypting gateway's information into the Add System box of skiptool. Then, set the Tunnel Address field of this box to be the IP address of the intermediate system. This action lets certificate discovery ask the correct host for its certificate.

For example, suppose you are contacting a gateway that has three networks attached to it (networks 199.190.177, 199.190.176, and 199.190.176), and these networks are to remain hidden. It also has a local host attached to it. Set up the ACL on the host as shown in the following table.

Table 5-1 The ACL for the Host

Host             Algorithm     Tunnel Address   Remote Key
199.190.177.*    V2 DES/DES    Gateway          Gateway's
199.190.176.*    V2 DES/DES    Gateway          Gateway's
199.190.176.*    V2 DES/DES    Gateway          Gateway's
Local host       V2 DES/DES    Gateway          Gateway's
Default          V2 DES/DES    Gateway          Gateway's

You can configure a Default entry so that everything is sent to the gateway, where it is decrypted and forwarded to the proper recipient in the clear. The recipients of the packets are not aware of any encryption. The gateway handles all encryption and decryption of packets to and from everything behind it.
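The following Python model is an added example, not part of the SunScreen SKIP guide or of skiptool itself. It encodes the ACL from Table 5-1 and shows what the Tunnel Address column does: a packet for a hidden network such as 199.190.177.* matches its own entry, but the encrypted packet is sent to the gateway's address (which is also the system that certificate discovery is asked for the certificate), using the gateway's key. It also shows the difference the Default entry makes: with it, an unlisted destination is still tunnelled to the gateway; without it, the model sends the packet in the clear. The gateway and local-host addresses, the name table, and the key name "Gateway's" are constructed placeholders; the guide gives no concrete values for them.

```python
"""Model of the SKIP host-side ACL in Table 5-1 (added example, not skiptool code).

Answers two questions for a destination address: which ACL entry applies,
and where the SKIP packet is actually sent (the entry's Tunnel Address).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Constructed sample addresses: the guide names "Gateway" and "Local host"
# but gives no IPs for them, so documentation ranges are used here.
GATEWAY_IP = "192.0.2.1"       # placeholder: the encrypting gateway's interface
LOCAL_HOST_IP = "192.0.2.20"   # placeholder: the single host attached to the gateway
NAMES = {"Gateway": GATEWAY_IP, "Local host": LOCAL_HOST_IP}


@dataclass(frozen=True)
class AclEntry:
    host: str            # destination pattern as typed into skiptool
    algorithm: str       # "V2 DES/DES" throughout Table 5-1
    tunnel_address: str  # system the encrypted packet is really sent to
    remote_key: str      # key name of the remote system's certificate


# Table 5-1 as data. The table lists 199.190.176.* twice; the repeat is the
# same entry, so it is not duplicated here.
TABLE_5_1 = [
    AclEntry("199.190.177.*", "V2 DES/DES", "Gateway", "Gateway's"),
    AclEntry("199.190.176.*", "V2 DES/DES", "Gateway", "Gateway's"),
    AclEntry("Local host",    "V2 DES/DES", "Gateway", "Gateway's"),
    AclEntry("Default",       "V2 DES/DES", "Gateway", "Gateway's"),
]


def pattern_to_network(pattern: str) -> Optional[IPv4Network]:
    """Turn a skiptool host pattern into a network: '199.190.177.*' -> /24,
    a plain address or a known name -> /32. 'Default' returns None."""
    if pattern == "Default":
        return None
    pattern = NAMES.get(pattern, pattern)
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad host pattern: {pattern!r}")
    n_fixed = 0
    for octet in octets:
        if octet == "*":
            break
        n_fixed += 1
    if any(o != "*" for o in octets[n_fixed:]):
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    base = ".".join(octets[:n_fixed] + ["0"] * (4 - n_fixed))
    return ip_network(f"{base}/{8 * n_fixed}")


def lookup(acl: List[AclEntry], dest: str) -> Optional[AclEntry]:
    """Most specific matching entry; 'Default' applies only when nothing else
    matches. None means the ACL says nothing about this destination."""
    addr = ip_address(dest)
    best: Optional[Tuple[int, AclEntry]] = None
    for entry in acl:
        net = pattern_to_network(entry.host)
        if net is None:
            continue
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    if best is not None:
        return best[1]
    return next((e for e in acl if e.host == "Default"), None)


def outer_destination(acl: List[AclEntry], dest: str) -> Tuple[str, Optional[str]]:
    """(address the packet is actually sent to, remote key name).
    With no applicable entry the packet goes straight to dest, unencrypted,
    which is what makes the Default entry matter."""
    entry = lookup(acl, dest)
    if entry is None:
        return dest, None
    return NAMES.get(entry.tunnel_address, entry.tunnel_address), entry.remote_key


if __name__ == "__main__":
    for dest in ("199.190.177.9", LOCAL_HOST_IP, "198.51.100.7"):
        print(dest, "->", outer_destination(TABLE_5_1, dest))
    print("198.51.100.7 without Default ->", outer_destination(TABLE_5_1[:-1], "198.51.100.7"))
```

Every line of Table 5-1 resolves to the same tunnel address and key, which is the point of the configuration: the host never needs the hidden networks' own keys, only the gateway's. Dropping the Default entry changes only the unlisted destinations, which then leave the host in the clear.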