beautypg.com

Amer Networks E5Web GUI User Manual

Page 574

background image

Note

The option to dynamically add routes should not be enabled in LAN to LAN
tunnel scenarios.

Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.
This will enable a search for the first matching XAUTH rule in the authentication rules.

3.

The IP rule set should contain the single rule:

Action

Src Interface

Src Network

Dest Interface

Dest Network

Service

Allow

ipsec_tunnel

all-nets

lan

lan_net

all_services

Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which
is why only one rule is used here. Instead of all-nets being used in the above, a more secure
defined IP object could be used which specifies the exact range of the pre-allocated IP addresses.

B. IP addresses handed out by cOS Core

If the client IP addresses are not known then they must be handed out by cOS Core. To do this
the above must be modified with the following:

1.

If a specific IP address range is to be used as a pool of available addresses then:

Create a Config Mode Pool object (there can only be one associated with a cOS Core
installation) and in it specify the address range.

Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel.

2.

If client IP addresses are to be retrieved through DHCP:

Create an IP Pool object and in it specify the DHCP server to use. The DHCP server can
be specified as a simple IP address or alternatively as being accessible on a specific
interface. If an internal DHCP server is to be used then specify the loopback address
127.0.0.1 as the DHCP server IP address.

Create a Config Mode Pool object (there can only be one associated with a cOS Core
installation) and associate with it the IP Pool object defined in the previous step.

Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel so the
created pool is selected.

Configuring IPsec Clients

In both cases (A) and (B) above, the IPsec client will need to be correctly configured. The client
configuration will require the following:

Define the URL or IP address of the Clavister Security Gateway. The client needs to locate the
tunnel endpoint.

Define the pre-shared key that is used for IPsec security.

Define the IPsec algorithms that will be used and which are supported by cOS Core.

Chapter 9: VPN

574

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: