
Ipsec tunnels, Overview – Amer Networks E5Web GUI User Manual

Page 597


9.4. IPsec Tunnels

Many of the properties of the IPsec tunnel objects required for tunnel establishment have
already been discussed in Section 9.3.2, “Internet Key Exchange (IKE)”. This section looks more
closely at IPsec tunnels in cOS Core, their definition, options and usage.

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by cOS Core, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.

Setting the Local Endpoint

By default, this property of an IPsec tunnel object is the IP address of the Ethernet interface being
used for the connection. Setting this property means the source address of the tunnel is a
specific IP address.

If this property is assigned an IP address, the administrator must also manually configure cOS
Core to ARP publish the IP address on the sending interface. Doing this is described in
Section 3.5.3, “ARP Publish”.

Setting the Source Interface

If set, the Source Interface property of a tunnel determines which Ethernet interface cOS Core will
listen on for incoming IPsec connections. This provides a means of specifying that a particular
tunnel is used for connections received on a particular interface, since this property takes
precedence over the normal procedure for selecting a tunnel.

Setting the Originator IP Address

This optional property is the local IP address inside the tunnel. cOS Core will attempt to set this
value automatically from routing table information, but in some cases it will be unable to do so
and will default to the loopback IPv4 address 127.0.0.1, which is unacceptable in some
scenarios. Specifically, this property should be set in any of the following cases:

If the local network for the tunnel is all-nets, cOS Core will not be able to assign an IP
address and a value must be assigned manually. The assigned IP address can then be
used to NAT connections out into the tunnel.

If cOS Core itself is sending information through the tunnel such as log messages, a valid
source IP address is needed.

If ICMP ping messages are to be sent out inside the tunnel then a valid IP address is required.

Note that if a value is assigned to this property, a core route is automatically added to all routing
tables which routes the IP address on core.
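As an added example (not from the manual and not cOS Core's own code or object schema), the Local Endpoint and Originator IP rules above can be expressed as a small configuration lint. Tunnel objects are modelled as plain dictionaries with hypothetical keys named after the properties in the text, the sample routing table and tunnels are constructed, and the route lookup only approximates how cOS Core picks the address automatically.

```python
import ipaddress

# Hypothetical model, not cOS Core's real object schema: tunnel objects are
# plain dicts whose keys are named after the properties in the text.
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_address("127.0.0.1")  # the unwanted default from the text

ROUTING_TABLE = [  # constructed sample data
    {"network": "10.1.0.0/16", "interface_ip": "10.1.0.1"},
    {"network": "0.0.0.0/0", "interface_ip": None},
]
ARP_PUBLISHED = {"203.0.113.10"}  # addresses already ARP published
TUNNELS = [
    {"name": "site_a", "local_network": "10.1.0.0/16"},
    {"name": "roaming", "local_network": "0.0.0.0/0",
     "local_endpoint": "203.0.113.11", "sends_logs": True},
    {"name": "roaming_fixed", "local_network": "0.0.0.0/0",
     "local_endpoint": "203.0.113.10", "originator_ip": "10.1.0.254"},
]

def derive_originator_ip(tunnel, routing_table):
    """Approximate the automatic choice: the interface address of the most
    specific route covering the local network, else the loopback default."""
    if tunnel.get("originator_ip"):
        return ipaddress.ip_address(tunnel["originator_ip"])
    local = ipaddress.ip_network(tunnel["local_network"])
    if local == ALL_NETS:  # nothing to match, as the text describes
        return LOOPBACK
    covering = [r for r in routing_table if r["interface_ip"]
                and ipaddress.ip_network(r["network"]).supernet_of(local)]
    if not covering:
        return LOOPBACK
    best = max(covering, key=lambda r: ipaddress.ip_network(r["network"]).prefixlen)
    return ipaddress.ip_address(best["interface_ip"])

def lint_tunnel(tunnel, routing_table, arp_published):
    """Return the rules from this section that the tunnel definition violates."""
    findings = []
    endpoint = tunnel.get("local_endpoint")
    if endpoint and endpoint not in arp_published:
        findings.append("Local Endpoint %s is not ARP published" % endpoint)
    needs_origin = (ipaddress.ip_network(tunnel["local_network"]) == ALL_NETS
                    or tunnel.get("sends_logs") or tunnel.get("sends_ping"))
    if needs_origin and derive_originator_ip(tunnel, routing_table) == LOOPBACK:
        findings.append("Originator IP would default to 127.0.0.1; set it explicitly")
    return findings

if __name__ == "__main__":
    for t in TUNNELS:
        print(t["name"], lint_tunnel(t, ROUTING_TABLE, ARP_PUBLISHED) or "ok")
```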

Remote Initiation of Tunnel Establishment

When another Clavister Security Gateway or another IPsec-compliant networking product (also
known as the remote endpoint) tries to establish an IPsec VPN tunnel to a local Clavister Security
Gateway, the list of currently defined IPsec tunnels in the cOS Core configuration is examined. If a
matching tunnel definition is found, that tunnel is opened. The associated IKE and IPsec

Chapter 9: VPN

