Special P ublication 800-7 7 Guide to IPsec VPN s Recommendations of the National Institute of Standards and T echnology Sheila F rankel Karen Kent Ryan Lewkowski Angela D. O rebaugh Ronald W . Ritchey Steven R. Shar ma NIST Special Publication 800-77 Guid e to IPsec VPNs Recomme ndations of the National Institute of Standards an d Tec hnology Sheila Frankel Karen Kent Ryan Lewkowski Angela D. Orebaugh Ronald W. R itchey Steven R . Sharma C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899- 8930 December 2005 U.S. Department of Commerce Carlos M. Gutierrez, Secretary Technology Administration Michelle O'Neill, Acting Under Secretary of Commerce for Technology National Institute of Standa rds and Technology William A. Jeffrey, Director GUIDE TO IPSEC VPN S Reports on Computer System s Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. econom y and publ ic welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technolog y. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and gu idelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800- series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, gove rnment, and academic organizations. Certain comme rcial entities, equipment, or mate rials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recomme ndation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. National Inst itute of Standards and T echnology Special Publication 800-77 Natl. Inst. Stand. Technol. Spec. Publ. 800- 77, 126 pages (Decem ber 2005) iiGUIDE TO IPSEC VPN S Acknowl edgem ents The authors, Sheila Frankel of the National Institute of Standards and Technology (NIST), and Karen Kent, Ryan Lewkowski, Angela D. Orebaugh, Ronald W. Ritchey, and Steven R. Sharma of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document, including Bill Burr, Tim Grance, Okhe e Kim, Peter Mell, and Mur ugiah Souppa ya from NIST. The authors would also like to express their thanks to Darren Hartman and M ark Zimme rman of ICSA Labs; Paul Hoffman of the VPN Consortium; and representatives from the Department of Energy, the Department of State, the Envi ronmental Protection Agency, and the U.S. Nuc lear Regulatory Commission for their particularly valuable comments and sugge stion s. Tradem ark I nformation Microsoft, Windows, Window s 2000, and Window s XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and ot her countries. PGP is a trademark or registered trademark of PGP Corporation in the United States and ot her countries. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Lucent Technolog ies is a trademark or service mark of Lucent Technolog ies Inc. All other names are registered trademarks or trademarks of their respective companies. iiiGUIDE TO IPSEC VPN S Table of C ontents Executive Su mmary.............................................