
AirLive IP-2000VPN User Manual


Policies

VPN configuration settings are stored in Policies.

Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPSec Policy", and "IPSec Proposal" have the same meaning. However, some vendors separate IKE Policies (Phase 1 parameters) from IPSec Policies (Phase 2 parameters).

For the IP-2000VPN, each VPN policy contains both Phase 1 and Phase 2 parameters (if IKE is used). Each policy defines:

• The address of the remote VPN endpoint.

• The traffic which is allowed to use the VPN connection.

• The parameters (settings) for the IPSec SA (Security Association).

• If IKE is used, the parameters (settings) for the IKE SA (Security Association).

Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.

It is possible, and sometimes necessary, to have multiple Policies for the same remote site. However, you should only Enable one (1) policy at a time. If multiple policies for the same remote site are enabled, the policies are examined in the order in which they are listed, and the first matching policy will be used. While it is possible to change the order of the policies, it may not be easy to get the desired action from multiple policies.

VPN Configuration

The general rule is that each endpoint must have matching Policies, as follows:

VPN Endpoint address

    Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway.

    Usually, this requires having a fixed Internet IP address or domain name. However, it is possible for a VPN Gateway to accept incoming connections from a remote client where the client's IP address is not known in advance.

Traffic Selector

    This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint.

    If connecting 2 LANs, this requires that:

    • Each endpoint must be aware of the IP addresses used on the other endpoint.

    • The 2 LANs MUST use different IP address ranges.

IKE parameters

    If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different).
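The two rules above (first enabled matching policy wins, and peer policies must mirror each other with IKE parameters equal except the SA lifetime) are easy to get wrong when several policies exist for one site. The following Python model is an added example, not AirLive firmware code: the Policy fields, the IKE parameter names (exchange_mode, dh_group, encryption, authentication, lifetime) and the sample addresses are constructed for illustration and do not correspond to the IP-2000VPN's internal data structures.

```python
"""Added example (not from the AirLive manual or firmware): models the
policy rules described above so they can be checked before deployment.

  - select_policy(): policies are examined in listed order and the first
    *enabled* policy whose traffic selector matches the packet is used.
  - check_peer_policies(): each endpoint must hold a matching policy:
    mirrored traffic selectors, non-overlapping LAN ranges, and IKE
    (Phase 1) parameters that agree except for the SA lifetime.

Field names and IKE parameter keys are hypothetical, chosen for clarity.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    enabled: bool
    remote_endpoint: str   # peer address/name; "" = not known in advance (road warrior)
    local_lan: str         # traffic selector, this side   (CIDR)
    remote_lan: str        # traffic selector, remote side (CIDR)
    ike: dict              # Phase 1 parameters (hypothetical keys)


def select_policy(policies, src_ip, dst_ip):
    """Return the first enabled policy whose selector matches src->dst, else None."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if not p.enabled:
            continue  # disabled policies are skipped regardless of position
        if src in ip_network(p.local_lan) and dst in ip_network(p.remote_lan):
            return p
    return None  # no policy: traffic will not enter the VPN


def check_peer_policies(a, b):
    """List the ways policy `a` (gateway A) and `b` (gateway B) fail to match."""
    problems = []
    # Selectors must be mirror images: A's local LAN is B's remote LAN and vice versa.
    if a.local_lan != b.remote_lan or a.remote_lan != b.local_lan:
        problems.append("traffic selectors are not mirrored")
    # The two LANs MUST use different (non-overlapping) address ranges.
    if ip_network(a.local_lan).overlaps(ip_network(a.remote_lan)):
        problems.append("LAN ranges overlap")
    # IKE parameters must match, except the SA lifetime which may differ.
    for key in sorted(set(a.ike) | set(b.ike)):
        if key == "lifetime":
            continue
        if a.ike.get(key) != b.ike.get(key):
            problems.append(f"IKE parameter {key!r} differs: "
                            f"{a.ike.get(key)} vs {b.ike.get(key)}")
    return problems


# Constructed sample data (documentation address ranges, not real sites).
IKE_A = {"exchange_mode": "main", "dh_group": 2, "encryption": "3DES",
         "authentication": "SHA1", "lifetime": 28800}
IKE_B = dict(IKE_A, lifetime=3600)            # same proposal, different lifetime
IKE_OTHER = dict(IKE_A, encryption="AES-128")  # a genuinely different proposal

# Gateway A lists three policies for the same remote site; only the order
# and the Enable flag decide which one is used.
GATEWAY_A = [
    Policy("site-b-old", False, "203.0.113.10", "192.168.1.0/24", "192.168.2.0/24", IKE_A),
    Policy("site-b-main", True, "203.0.113.10", "192.168.1.0/24", "192.168.2.0/24", IKE_A),
    Policy("site-b-backup", True, "203.0.113.10", "192.168.1.0/24", "192.168.2.0/24", IKE_OTHER),
]
# Gateway B's single policy towards A.
GATEWAY_B_POLICY = Policy("site-a", True, "198.51.100.1",
                          "192.168.2.0/24", "192.168.1.0/24", IKE_B)
# A mis-planned pair of LANs whose ranges overlap.
OVERLAPPING = Policy("bad", True, "203.0.113.10",
                     "192.168.1.0/24", "192.168.1.0/25", IKE_A)


def demo():
    """Return the selected policy name and the peer-check results for the samples."""
    chosen = select_policy(GATEWAY_A, "192.168.1.20", "192.168.2.5")
    return {
        "chosen": chosen.name if chosen else None,
        "unmatched": select_policy(GATEWAY_A, "192.168.1.20", "198.51.100.7"),
        "main_vs_b": check_peer_policies(GATEWAY_A[1], GATEWAY_B_POLICY),
        "backup_vs_b": check_peer_policies(GATEWAY_A[2], GATEWAY_B_POLICY),
        "overlap": check_peer_policies(OVERLAPPING, OVERLAPPING),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block shows that the disabled first policy is skipped and "site-b-main" is used, so "site-b-backup" is never consulted even though it is enabled; that the lifetime difference between the two gateways is ignored while the AES-128/3DES mismatch of the backup policy is reported; and that overlapping LAN ranges are flagged before any tunnel is attempted.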