AirLive WN-300ARM-VPN User Manual
Page 129
When using IKE, there are 2 phases to creating the VPN tunnel:
Phase I is the negotiation and establishment of the IKE connection.
Phase II is the negotiation and establishment of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (security associations).
Policies
VPN configuration settings are stored in Policies.
Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPSec Policy", and "IPSec
Proposal" have the same meaning. However, some vendors separate IKE Policies (Phase 1 parameters) from
IPSec Policies (Phase 2 parameters).
For the WN-300ARM-VPN, each VPN policy contains both Phase 1 and Phase 2 parameters (if IKE is used).
Each policy defines:
The address of the remote VPN endpoint
The traffic which is allowed to use the VPN connection.
The parameters (settings) for the IPsec SA (Security Association)
If IKE is used, the parameters (settings) for the IKE SA (Security Association)
Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN
connections.
It is possible, and sometimes necessary, to have multiple Policies for the same remote site. However, you
should only Enable one (1) policy at a time.
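The policy fields listed above, and the rule in the VPN Configuration section below that the two endpoints' policies must mirror each other, can be checked before a tunnel is brought up. The following Python is an added example, not the router's own configuration format; the class names, field names and addresses are hypothetical, and "any" stands in for a remote client whose address is not known in advance.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One set of SA parameters, used for either the IKE SA or the IPsec SA."""
    encryption: str
    integrity: str
    dh_group: int
    lifetime_s: int


@dataclass(frozen=True)
class VpnPolicy:
    """One policy: endpoint addresses, allowed traffic, Phase 1 and Phase 2 settings."""
    name: str
    local_endpoint: str   # this gateway's Internet IP
    remote_endpoint: str  # peer's Internet IP, or "any" for a client not known in advance
    local_lan: str        # CIDR behind this gateway
    remote_lan: str       # CIDR behind the peer
    ike: Proposal         # Phase 1 (IKE SA) parameters
    ipsec: Proposal       # Phase 2 (IPsec SA) parameters


def policy_mismatches(a: VpnPolicy, b: VpnPolicy) -> list:
    """Return every reason the two peers' policies will not negotiate a tunnel."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        # Each side's remote endpoint must be the other side's own address (or "any").
        if me.remote_endpoint not in ("any", peer.local_endpoint):
            problems.append(f"{me.name}: remote endpoint {me.remote_endpoint} "
                            f"is not {peer.name}'s address {peer.local_endpoint}")
    a_loc, a_rem = ipaddress.ip_network(a.local_lan), ipaddress.ip_network(a.remote_lan)
    b_loc, b_rem = ipaddress.ip_network(b.local_lan), ipaddress.ip_network(b.remote_lan)
    if a_loc != b_rem or b_loc != a_rem:   # traffic selectors must mirror each other
        problems.append("LAN definitions do not mirror each other")
    if a_loc.overlaps(a_rem):              # overlapping LANs make traffic selection ambiguous
        problems.append("local and remote LANs overlap")
    for phase, pa, pb in (("Phase 1 (IKE)", a.ike, b.ike), ("Phase 2 (IPsec)", a.ipsec, b.ipsec)):
        if pa != pb:                       # every SA parameter must agree on both sides
            problems.append(f"{phase} parameters differ: {pa} vs {pb}")
    return problems


# Constructed sample policies (hypothetical documentation-range addresses).
IKE_P1 = Proposal("aes256", "sha256", 14, 28800)
ESP_P2 = Proposal("aes256", "sha256", 14, 3600)
SITE_A = VpnPolicy("HQ", "203.0.113.1", "198.51.100.1", "192.168.1.0/24", "192.168.2.0/24", IKE_P1, ESP_P2)
SITE_B = VpnPolicy("Branch", "198.51.100.1", "203.0.113.1", "192.168.2.0/24", "192.168.1.0/24", IKE_P1, ESP_P2)
SITE_B_BAD = VpnPolicy("Branch", "198.51.100.1", "203.0.113.1", "192.168.2.0/24", "192.168.1.0/24",
                       IKE_P1, Proposal("aes256", "sha256", 14, 1800))  # Phase 2 lifetime edited on one side only
```

`policy_mismatches(SITE_A, SITE_B)` returns an empty list, while the pair with the edited Phase 2 lifetime reports the Phase 2 difference, which is the kind of one-sided change that leaves Phase 1 succeeding and Phase 2 failing.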
VPN Configuration
The general rule is that each endpoint must have matching Policies, as follows:
VPN Endpoint address:
Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway.
Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incoming connections from a remote client where the client's IP address is not known in advance.

Local & Remote LAN definition:
This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint.
If connecting 2 LANs, this requires that:
Each endpoint must be aware of the IP addresses used on the other