Amer Networks E5Web GUI User Manual
Page 584

unique piece of data uniquely identifying the endpoint. Authentication using Pre-Shared Keys is based on the Diffie-Hellman algorithm.
Local and Remote Networks/Hosts
These are the subnets or hosts between which IP traffic will be protected by the VPN. In a LAN-to-LAN connection, these are the network addresses of the respective LANs. If roaming clients are used, the remote network will most likely be set to all-nets, meaning that a roaming client may connect from anywhere.
Encapsulation Mode
IPsec can be used in two modes, tunnel or transport. In tunnel mode the traffic is tunneled to a remote device, which decrypts/authenticates the data, extracts it from the tunnel and passes it on to its final destination. An eavesdropper therefore sees only encrypted traffic passing from one VPN endpoint to another.
In transport mode the traffic is not tunneled, so this mode is not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the Clavister Security Gateway, for example for IPsec-protected remote configuration.
In most configurations this setting is set to "tunnel".
Remote Endpoint
The remote endpoint (sometimes also referred to as the remote gateway) is the device that performs the VPN decryption/authentication and passes the unencrypted data on to its final destination. This field can also be set to None, which makes the Clavister Security Gateway treat the address the connection arrives from as the remote endpoint. This is particularly useful for roaming access, where the IP addresses of the remote VPN clients are not known beforehand. Setting this to None allows anyone coming from an IP address within the "remote network" discussed above to open a VPN connection, provided they can authenticate properly.
The remote endpoint can also be specified as a DNS name such as vpn.company.com. In that case the prefix dns: must be used, so the name above is specified as dns:vpn.company.com.
The remote endpoint is not used in transport mode.
Main/Aggressive Mode
The IKE negotiation has two modes of operation, main mode and aggressive mode. The difference between the two is that aggressive mode passes more information in fewer packets, with the benefit of slightly faster connection establishment, at the cost of transmitting the identities of the security gateways in the clear.
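As an added illustration (not part of this manual or the E5Web product), the following Python check applies the rules given above for encapsulation mode, remote endpoint and IKE mode to a tunnel definition; the key names and the two sample definitions are assumed for illustration.

```python
import ipaddress
import re

# Loose FQDN check: dot-separated labels ending in an alphabetic top-level label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def check_tunnel(cfg):
    """Return 'ERROR: ...'/'WARN: ...' findings for one tunnel definition (dict with
    the assumed keys encapsulation_mode, remote_endpoint, remote_network, ike_mode)."""
    findings = []
    mode = str(cfg.get("encapsulation_mode", "tunnel")).lower()
    endpoint = cfg.get("remote_endpoint")  # None, an IP address or "dns:<name>"
    remote_net = cfg.get("remote_network", "all-nets")
    ike_mode = str(cfg.get("ike_mode", "main")).lower()

    if mode == "transport":
        # Transport mode secures a host-to-gateway connection, not a VPN tunnel;
        # the remote endpoint field is not used in this mode.
        if endpoint is not None:
            findings.append("WARN: remote endpoint is ignored in transport mode")
    elif mode != "tunnel":
        findings.append(f"ERROR: unknown encapsulation mode {mode!r}")
    elif endpoint is None:
        # Any peer whose address lies inside the remote network may open the
        # tunnel, provided it authenticates (the usual roaming-client setup).
        findings.append(f"WARN: remote endpoint None: any authenticated peer within "
                        f"{remote_net} is accepted")
    elif str(endpoint).lower().startswith("dns:"):
        if not HOSTNAME_RE.match(endpoint[4:]):
            findings.append(f"ERROR: {endpoint[4:]!r} is not a valid DNS name")
    else:
        try:
            ipaddress.ip_address(endpoint)
        except ValueError:
            hint = f"use 'dns:{endpoint}'" if HOSTNAME_RE.match(endpoint) else "IP or dns:<name>"
            findings.append(f"ERROR: bad remote endpoint {endpoint!r} ({hint})")

    if ike_mode == "aggressive":
        findings.append("WARN: aggressive mode sends the gateway identities in the clear")
    elif ike_mode != "main":
        findings.append(f"ERROR: unknown IKE mode {ike_mode!r}")
    return findings


# Constructed sample definitions: a LAN-to-LAN tunnel and a roaming-client tunnel.
LAN_TO_LAN = {"encapsulation_mode": "tunnel", "remote_endpoint": "dns:vpn.company.com",
              "remote_network": "192.168.2.0/24", "ike_mode": "main"}
ROAMING = {"encapsulation_mode": "tunnel", "remote_endpoint": None,
           "remote_network": "all-nets", "ike_mode": "aggressive"}
```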
When using aggressive mode, some configuration
Chapter 9: VPN