Fig. 35.2, Internet – Westermo RedFox Series User Manual
Page 790

Westermo OS Management Guide
Version 4.17.0-0
[Figure 35.2 (diagram): NetworkA (192.168.10.0/24) behind Alice, VPN GW1 (Responder); NetworkB (192.168.11.0/24) behind Bob, VPN GW2 (Initiator); a secure tunnel between the two gateways across the Internet.]
Figure 35.2: By establishing a secure IPsec Tunnel between the VPN gateways (Alice and Bob), traffic between Network-A and Network-B will be protected when sent across the Internet.
will take the role of tunnel initiator and the other takes the responder role.
• Initiator and Responder: The VPN initiator is the peer that is responsible for initiating the tunnel establishment by contacting the other peer, the responder. In Figure 35.2 we have assumed that Alice is the responder and Bob is the initiator.
A WeOS switch configured as a VPN gateway is able to act both as responder
(default) and as initiator.
• NAT-traversal, Peer IP addresses and DDNS: In order to act as a responder,
Alice must be assigned a public (routable) IP address on its interface towards
the Internet. Thus, Alice generally cannot be located behind a NAT gateway,
since the initiator (Bob) would not be able to initiate the tunnel. Bob will
need to know Alice’s IP address (or domain name) in order to know where
to send the tunnel establishment messages. If Alice is assigned a fixed
IP address, Bob can choose between using Alice’s IP address or her domain
name. But if Alice gets her address dynamically (e.g., via DHCP), Bob should
use her domain name to establish the contact. WeOS supports dynamic
DNS (DDNS), thus Alice can dynamically register her current IP address, see
The initiator (Bob) does not need to be assigned a public IP address. Bob
is able to establish the tunnel even if he is located behind a NAT gateway,
given that NAT-traversal (NAT-T) is enabled both in Alice’s and Bob’s VPN
configurations.
Furthermore, it is not mandatory for Alice to know Bob’s IP address beforehand. It is possible to configure the VPN tunnel such that Bob could connect
to the Internet at various locations and still be able to establish the VPN
tunnel. This is commonly referred to as Bob being a road warrior.
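The placement rules above (responder on a public address, DDNS for a dynamic responder, NAT-T on both sides when the initiator is behind NAT, road-warrior mode when the responder cannot know the initiator's address) are easy to get wrong when planning a deployment. The following is an added pre-deployment checker, not WeOS code; the peer fields, the example addresses and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VpnPeer:
    name: str
    public_ip: Optional[str]   # routable address on the Internet-facing interface, or None
    behind_nat: bool           # True if the peer sits behind a NAT gateway
    dynamic_address: bool      # True if the address is assigned dynamically (e.g. DHCP)
    ddns_name: Optional[str]   # domain name registered via DDNS, or None
    nat_traversal: bool        # NAT-T enabled in this peer's VPN configuration


def responder_contact(responder: VpnPeer) -> Optional[str]:
    """Address the initiator should use to reach the responder.

    With a dynamic address only the DDNS name is usable; with a fixed address
    either the IP or the name works (this checker prefers the IP)."""
    if responder.dynamic_address:
        return responder.ddns_name
    return responder.public_ip or responder.ddns_name


def check_tunnel(responder: VpnPeer, initiator: VpnPeer,
                 road_warrior: bool = False) -> List[str]:
    """Return the rule violations found; an empty list means the tunnel can be set up."""
    problems: List[str] = []
    # Rule 1: the responder must be reachable on a public IP, so it cannot sit behind NAT.
    if responder.public_ip is None or responder.behind_nat:
        problems.append(f"{responder.name} (responder) needs a public IP and must not be behind NAT")
    # Rule 2: the initiator must know where to send the tunnel establishment messages.
    if responder_contact(responder) is None:
        problems.append(f"{initiator.name} has no fixed IP or DDNS name to contact {responder.name}")
    # Rule 3: an initiator behind NAT needs NAT-T enabled on BOTH peers.
    if initiator.behind_nat and not (initiator.nat_traversal and responder.nat_traversal):
        problems.append(f"{initiator.name} is behind NAT; enable NAT-T on both peers")
    # Rule 4: unless configured as a road warrior, the responder must know the initiator's address.
    if not road_warrior and (initiator.public_ip is None or initiator.dynamic_address):
        problems.append(f"{responder.name} cannot know {initiator.name}'s address; "
                        "configure a road-warrior tunnel")
    return problems
```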
• Local and Remote Subnet: Each peer will define what traffic should be al-
© 2015 Westermo Teleindustri AB