Filter
Top Products
Network Addressing for IP Networks
EncrypTight User Guide 35
Another factor to consider if you plan to use certificates is the size of your EncrypTight deployment.
Generating requests and installing certificates for a large number of appliances can take a considerable
amount of time. Therefore, you need to plan for sufficient time to accomplish the necessary tasks.
In addition to strict authentication, EncrypTight supports the use of smart cards such as the DoD
Common Access Card (CAC) to limit access to authorized personnel and to enhance auditing. When a
smart card is used, EncrypTight uses certificates from the card in addition to the certificates you install.
For more information about using smart cards with EncrypTight, see “Using a Common Access Card” on
page 294.
To learn more about working with certificates and strict authentication, see “Using Enhanced Security
Features” on page 261.
Network Addressing for IP Networks
With Layer 3 networks, EncrypTight can use one of three network addressing methods to specify the
source IP address used in the encapsulated packet’s header:
With most distributed key policies, you will preserve the network addressing of the protected networks,
which is referred to as transparent mode. When you preserve the network addressing of the protected
network, the encapsulated packets are routed to their proper destination without changing the routing
tables within the WAN.
However, in certain situations you might want to conceal the original source IP address and replace it
with either the IP address of the PEP’s remote port or a virtual IP address, which is referred to as non-
transparent mode. For example, since private IP addresses cannot be routed over the internet, any traffic
between private networks transmitted over the internet must use public IP addresses.
● If you need to route traffic through a specific PEP, use the PEP’s remote port IP address.
● For load balanced traffic, use a virtual IP address.
In the example shown in Figure 14, traffic is being sent between a corporate data center and remote
locations over a Layer 3 public internet. The traffic is encrypted using a policy defined in ETPM. The
PEPs are configured to operate in non-transparent mode in order to hide the source IP address of the
packets. The traffic to and from the data center is load balanced and therefore a virtual IP address is used
on both data center PEPs (labeled #2 in Figure 14). The remote sites use a remote port IP address to force
traffic through a specific PEP. The specified IP addresses appear in the encryption header rather than the
original source IP address.
Table 3 Network Addressing Options
Addressing Method Description
Preserve network addressing of
the protected network
Uses the original source IP address in the packet header. This is
the default network addressing method.
Use the PEP’s remote port
address
Replaces the original source IP address in the packet header with
the PEP’s remote port IP address.
Use a virtual IP address Replaces the original source IP address in the packet header with a
virtual IP address specified in the network set.