Figure 5-8 shows the Boston and Hong Kong segments of the network. In this example, a VPN will be configured between the Boston and Hong Kong offices. It shows tunnel addresses between the stealth Screen (bos-screen) and the routing Screen (hk-screen). SunScreen SKIP or IKE encrypts the entire original packet, including the IP header, and inserts a new IP header. The new IP header uses either the same addresses as the original packet or different (tunnel) addresses.
The hosts in Boston have non-routable addresses (10.0.2.20x in this example), so a tunnel address is used to hide these addresses. The stealth Screen in Boston (bos-screen) has no IP addresses on its filtering interface, so a tunnel address must be added on the 192.168.1.0 subnet. When the Screen in Hong Kong inserts a new IP header on packets destined for Boston, it uses this tunnel address in the new header and routes the packet over the Internet to the Boston router. Although bos-screen does not have an IP address, it responds to ARPs from the Boston router for the tunnel address, so the packets from hk-screen are passed to bos-screen. There they are decrypted and, if the Packet Filtering Rules allow, passed on to the Boston network.
Although the hosts in Hong Kong have routable addresses, a tunnel address is also used to hide the Hong Kong network topology. This example uses the IP address of the Screen network interface nearest the Internet (192.168.6.2) as the tunnel address.
Encryption and decryption are done by both hk-screen and bos-screen. Thus, if a tool such as snoop were used to show the packets on the Internet, only encrypted IP packets would appear (protocol 57 for SKIP; protocol 50 for ESP and 51 for AH in IPSec), with the tunnel addresses as the source and destination. If someone ran snoop or a similar tool to capture packets on the inside of either Screen, they would find the packets unencrypted and using their original IP addresses.
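The following is an added example, not SunScreen code and not part of the original text. It builds the two views of one packet that the paragraphs above describe: the plain packet a capture on the Boston LAN side of bos-screen would show, and the tunnel-mode packet a capture on the Internet would show, then classifies each by its outer IP header (addresses and protocol number 57, 50 or 51). The Boston host address (10.0.2.201), the Hong Kong host address (192.168.6.40) and the Boston tunnel address (192.168.1.10) are assumptions chosen to match the layout; 192.168.6.2 is the tunnel address the text names. No real cipher is run: an opaque byte string stands in for the ESP-encrypted inner packet.

```python
"""Tunnel-mode view of a VPN packet: what a capture sees outside vs. inside a Screen.

Constructed example (not SunScreen code). Host and tunnel addresses other than
192.168.6.2 are assumptions chosen to match the Boston/Hong Kong layout.
"""
import socket
import struct

# IP protocol numbers the text names for encrypted traffic on the Internet side.
ENCAPSULATING = {57: "SKIP", 50: "IPsec ESP", 51: "IPsec AH"}
COMMON = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Addresses used in the example; the host and Boston tunnel addresses are assumed.
BOSTON_HOST = "10.0.2.201"      # non-routable Boston host (10.0.2.20x range)
HK_HOST = "192.168.6.40"        # assumed routable Hong Kong host
BOS_TUNNEL = "192.168.1.10"     # assumed tunnel address on bos-screen's 192.168.1.0 subnet
HK_TUNNEL = "192.168.6.2"       # hk-screen interface nearest the Internet (from the text)

IPV4_HDR = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header; yields 0 when a stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(packet: bytes) -> dict:
    """Report what a capture tool would show for one packet: addresses and protocol."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    name = ENCAPSULATING.get(proto)
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "protocol": proto,
        "label": name or COMMON.get(proto, "IP protocol %d" % proto),
        "encrypted": name is not None,
        "payload_len": total_len - ihl,
    }


# Packet as seen inside the Boston network: a TCP segment from a Boston host to Hong Kong.
# The TCP bytes are a constructed stand-in; their content does not matter here.
INNER_PACKET = build_ipv4(BOSTON_HOST, HK_HOST, 6, b"\x04\xd2\x00\x50" + b"\x00" * 16)

# Stand-in for the ESP-encrypted copy of INNER_PACKET. No real cipher is run in this
# example; the point is that nothing from the inner header is visible in these bytes.
OPAQUE_PAYLOAD = bytes((i * 37 + 11) & 0xFF for i in range(len(INNER_PACKET) + 24))

# Packet as seen on the Internet: bos-screen's new outer header using tunnel addresses.
OUTER_PACKET = build_ipv4(BOS_TUNNEL, HK_TUNNEL, 50, OPAQUE_PAYLOAD)


def inside_view() -> dict:
    """What snoop on the Boston LAN side of bos-screen reports."""
    return classify(INNER_PACKET)


def outside_view() -> dict:
    """What snoop between the two Screens (on the Internet) reports."""
    return classify(OUTER_PACKET)


def inner_addresses_exposed(outer: bytes, inner: bytes) -> bool:
    """True if either inner host address appears anywhere after the outer header."""
    inner_src, inner_dst = inner[12:16], inner[16:20]
    return inner_src in outer[20:] or inner_dst in outer[20:]


if __name__ == "__main__":
    for where, view in (("inside bos-screen", inside_view()), ("on the Internet", outside_view())):
        print("%-20s %s -> %s  %s (proto %d, %d payload bytes)" % (
            where, view["src"], view["dst"], view["label"], view["protocol"], view["payload_len"]))
    print("inner addresses visible on the Internet:", inner_addresses_exposed(OUTER_PACKET, INNER_PACKET))
```

Running the script prints the inside view with the original host addresses and TCP, and the outside view with only the two tunnel addresses and protocol 50; `inner_addresses_exposed` returns False for the tunnel-mode packet, whereas an unencrypted IP-in-IP encapsulation (protocol 4) of the same inner packet would still carry the 10.0.2.x address in the clear. The header checksum check is there so that a corrupted or truncated capture is reported rather than silently misclassified.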