
Fetching crls from an alternate ldap server, Using config mode with ipsec tunnels – Amer Networks E5Web GUI User Manual


Example 9.8. Using Config Mode with IPsec Tunnels

Assuming a predefined tunnel called vpn_tunnel1, this example shows how to enable Config
Mode for that tunnel.

InControl

Follow the same steps used for the Web Interface below.

Web Interface

Go to: Network > Interfaces and VPN > IPsec

Select the tunnel vpn_tunnel1 for editing

Select the pool in the IKE Config Mode Pool drop down list

Click OK

IP Validation

When IKE Config Mode is in use, cOS Core always checks that the source IP address of each packet
arriving inside an IPsec tunnel is the same as the IP address it assigned to that IPsec client with
IKE Config Mode. If a mismatch is detected, the packet is always dropped and a log message is
generated with a severity level of Warning. The message includes both IP addresses (the assigned
address and the source address actually seen) as well as the client identity.

Optionally, the affected SA can be deleted automatically when validation fails by enabling the
advanced setting IPsecDeleteSAOnIPValidationFailure. The default value for this setting is
Disabled, so by default only the offending packet is dropped and the SA stays up.

Local Gateway

When clients initiate IPsec connections to the security gateway, the client will normally send
the initial IKE request to the IP address bound to a physical interface.

However, if other IP addresses are also being ARP published on that interface and IKE requests
are sent to those addresses, the IPsec tunnel property Local Gateway is used to specify the
IP addresses on which IKE requests will be accepted.

The Local Gateway property is never used if cOS Core is initiating the IPsec tunnel connection.

The Client's Inner and Outer IPs Should Be Different

With IKEv1, cOS Core requires that a roaming client's inner (tunnelled) and outer (IKE/ESP
peer) IP addresses for the tunnel are different. If they are the same, the connection is
dropped by cOS Core and a ruleset_drop_packet log message is generated with
rule=Default_Access_Rule.

If the two addresses must be the same, the situation can be corrected by using separate routing
tables for the tunnel itself and for the traffic the tunnel carries. Alternatively, cOS Core can
allocate a unique inner IP address to each client from an IP pool using Config Mode, which
guarantees that the inner and outer addresses differ.
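The two client-address checks described above (IP validation of Config Mode clients, and the
IKEv1 requirement that inner and outer addresses differ) are summarised here as an added
example model written for this page; it is not cOS Core code. The tunnel fields, the
ip_validation_failure event name and the sample addresses are assumptions made for the
illustration; the page only states that the warning carries both IP addresses and the client
identity, and that the setting IPsecDeleteSAOnIPValidationFailure controls whether the SA is
removed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Tunnel:
    """Hypothetical model of what the gateway tracks per roaming-client tunnel."""
    client_id: str                  # IKE identity of the peer (user name, FQDN, ...)
    outer_ip: str                   # address the IKE/ESP packets arrive from
    assigned_ip: Optional[str]      # address handed out by IKE Config Mode, or None
    ikev1: bool = True
    # Mirrors the advanced setting IPsecDeleteSAOnIPValidationFailure (default Disabled)
    delete_sa_on_validation_failure: bool = False
    sa_active: bool = True
    log: List[str] = field(default_factory=list)


def check_inner_packet(tunnel: Tunnel, inner_src: str) -> bool:
    """Apply the two checks to one decrypted packet.

    Returns True if the packet may pass, False if it is dropped. Any log line the
    text says would be generated is appended to tunnel.log.
    """
    src = ipaddress.ip_address(inner_src)

    # Check 1 (IKEv1 roaming clients): inner and outer addresses must differ,
    # otherwise the packet is dropped by the default access rule.
    if tunnel.ikev1 and src == ipaddress.ip_address(tunnel.outer_ip):
        tunnel.log.append(
            f"ruleset_drop_packet rule=Default_Access_Rule src={inner_src} "
            f"id={tunnel.client_id}")
        return False

    # Check 2 (Config Mode): the inner source must be the address assigned to this
    # client. A mismatch is always dropped and logged with severity Warning;
    # deleting the SA is optional (event name below is a placeholder).
    if tunnel.assigned_ip is not None and src != ipaddress.ip_address(tunnel.assigned_ip):
        tunnel.log.append(
            f"WARNING ip_validation_failure id={tunnel.client_id} "
            f"assigned={tunnel.assigned_ip} seen={inner_src}")
        if tunnel.delete_sa_on_validation_failure:
            tunnel.sa_active = False
        return False

    return True


def run_demo() -> List[bool]:
    """Constructed sample tunnels and packets; returns the per-packet verdicts."""
    alice = Tunnel("alice", "203.0.113.10", "10.10.10.5")
    bob = Tunnel("bob", "203.0.113.11", "10.10.10.6",
                 delete_sa_on_validation_failure=True)
    carol = Tunnel("carol", "203.0.113.12", None)   # no Config Mode pool

    verdicts = [
        check_inner_packet(alice, "10.10.10.5"),    # matches assigned address
        check_inner_packet(alice, "10.10.10.99"),   # spoofed inner source, SA kept
        check_inner_packet(bob, "10.10.10.7"),      # mismatch, SA deleted
        check_inner_packet(carol, "203.0.113.12"),  # inner == outer under IKEv1
        check_inner_packet(carol, "192.168.1.5"),   # no pool, addresses differ
    ]
    for t in (alice, bob, carol):
        for line in t.log:
            print(f"[{t.client_id}] {line}")
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks matters only for the IKEv1 case without Config Mode; once a pool
address is assigned, the second check already guarantees the inner address differs from the
outer one, which is why the text offers Config Mode as a fix for the same-address problem.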

9.4.4. Fetching CRLs from an alternate LDAP server

Chapter 9: VPN
