9.4. IPsec Tunnels
Many of the properties of the IPsec tunnel objects required for tunnel establishment have already been discussed in Section 9.3.2, “Internet Key Exchange (IKE)”. This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage.
9.4.1. Overview
An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.
Setting the Local Endpoint
By default, this property of an IPsec tunnel object is the IP address of the Ethernet interface being
used for the connection. Setting this property means the source address of the tunnel is a
specific IP address.
If this property is assigned an IP address, the administrator must also manually configure NetDefendOS to ARP publish the IP address on the sending interface. Doing this is described in .
Setting the Source Interface
If set, the Source Interface property of a tunnel determines which Ethernet interface NetDefendOS will listen on for incoming IPsec connections. This provides a means to specify that a particular tunnel is used for connections being received on a particular interface as it takes precedence over the normal procedure for selecting a tunnel.
Setting the Originator IP Address
An IPsec Tunnel object's Originator IP property is a means to set the source IPv4 address that flows inside the tunnel when the originator is NetDefendOS itself.
This IP will be needed in such cases as when log messages or ICMP ping messages are sent by
NetDefendOS. Also, when NATing an IPsec tunnel's local network to the remote network, the
originator IP will be the IP address that will be used as the NAT address. This address may need to
be set manually if the automatic choice described below is not suitable.
There are two possible settings for this property:
• LocalInterface
This is the default setting. In the Web Interface, this corresponds to enabling the option: Automatically pick the address of a local interface that corresponds to the local net.
NetDefendOS automatically selects the source IP address in the following way:
i. NetDefendOS looks at the IP address of all non-IPsec interfaces and uses the first IP address it finds that is within the range of the tunnel's local network. With an HA cluster, this means the shared and private IP can be different.
ii. If no suitable address is found in the first step, use the second IP address from the tunnel's local network. This could potentially be an IP address that is already used by a host in the network, and if this is the case the IP address will need to be set manually as described below.
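As an added illustration (not code from the NetDefendOS manual or from D-Link), the following Python function emulates the two-step LocalInterface selection described above and flags the step ii case in which the fallback address is already used by a known host, which is exactly when the Originator IP must be set manually. The reading of "second IP address" as the network address plus one, and the sample interface addresses and host inventory, are assumptions.

```python
import ipaddress
from typing import Iterable, NamedTuple


class OriginatorChoice(NamedTuple):
    address: str    # the Originator IP that would be used
    method: str     # "interface" (step i) or "fallback" (step ii)
    conflict: bool  # True when the fallback address is already used by a known host


def pick_originator_ip(local_net: str, interface_ips: Iterable[str],
                       known_hosts: Iterable[str] = ()) -> OriginatorChoice:
    """Emulate the automatic Originator IP selection of the LocalInterface setting.

    local_net      -- the tunnel's local network, e.g. "192.168.50.0/24"
    interface_ips  -- addresses of all non-IPsec interfaces, in configuration order
    known_hosts    -- (constructed) inventory used to detect a colliding fallback
    """
    net = ipaddress.ip_network(local_net, strict=False)

    # Step i: take the first non-IPsec interface address inside the local network.
    for ip in interface_ips:
        addr = ipaddress.ip_address(ip)
        if addr in net:
            return OriginatorChoice(str(addr), "interface", False)

    # Step ii: no interface address matched, so use the second address of the
    # local network. ASSUMPTION: "second IP address" means network address + 1
    # (192.168.50.1 for 192.168.50.0/24). This may collide with an existing host.
    fallback = net.network_address + 1
    in_use = fallback in {ipaddress.ip_address(h) for h in known_hosts}
    return OriginatorChoice(str(fallback), "fallback", in_use)


if __name__ == "__main__":
    # Constructed sample: one public and one internal interface address.
    interfaces = ["203.0.113.5", "10.1.0.1"]
    # Local net covered by an interface: step i succeeds.
    print(pick_originator_ip("10.1.0.0/16", interfaces))
    # Local net behind a router with no matching interface: step ii fallback,
    # and the constructed inventory shows 192.168.50.1 is already a host.
    choice = pick_originator_ip("192.168.50.0/24", interfaces, ["192.168.50.1"])
    print(choice)
    if choice.conflict:
        print("fallback address already in use: set Originator IP manually")
```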
Chapter 9: VPN
701