Ipsec Tunnels; Overview - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01
9.4. IPsec Tunnels

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.
Remote Initiation of Tunnel Establishment
When another NetDefend Firewall or another IPsec compliant networking product (also known as
the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall, the list of
currently defined IPsec tunnels in the NetDefendOS configuration is examined. If a matching tunnel
definition is found, that tunnel is opened. The associated IKE and IPsec negotiations then take place,
resulting in the tunnel becoming established to the remote endpoint.
Local Initiation of Tunnel Establishment
Alternatively, a user on a protected local network might try to access a resource which is located at
the far end of an IPsec tunnel. In this case, NetDefendOS sees that the route for the IP address of the
resource points through a defined IPsec tunnel, and establishment of the tunnel is then initiated from
the local NetDefend Firewall.
IP Rules Control Decrypted Traffic
Note that an established IPsec tunnel does not automatically mean that all the traffic flowing from
the tunnel is trusted. On the contrary, network traffic that has been decrypted will be checked
against the IP rule set. When doing this IP rule set check, the source interface of the traffic will be
the associated IPsec tunnel since tunnels are treated like interfaces in NetDefendOS.
In addition, a Route or an Access rule may have to be defined for roaming clients in order for
NetDefendOS to accept specific source IP addresses from the IPsec tunnel.
Returning Traffic
For network traffic going in the opposite direction, back into an IPsec tunnel, the reverse process takes
place. First, the unencrypted traffic is evaluated against the IP rule set and the routing table. If both a
rule and a route match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria.
If none is found, NetDefendOS will try to establish a new tunnel to the remote endpoint specified by the
matching IPsec tunnel definition.
No IP Rules Are Needed for the Enclosing IPsec Traffic
With IPsec tunnels the administrator usually sets up IP rules that allow unencrypted traffic to
flow into the tunnel (the tunnel being treated as a NetDefendOS interface). However, it is not
necessary to set up IP rules that explicitly allow the packets that implement IPsec itself.
IKE packets (UDP port 500, and UDP port 4500 when NAT traversal is in use) and ESP packets (IP
protocol 50) are by default dealt with by the internal IPsec engine of NetDefendOS and the IP rule set
is not consulted for them. A consequence is that, with the default setting, an IP rule cannot restrict
which remote addresses are allowed to reach the IPsec engine.
This behavior can be changed in the IPsec advanced settings section with the IPsec Before Rules
setting. One reason for doing this might be a high number of IPsec tunnel connection attempts
coming from a particular IP address or group of addresses. Such attempts can degrade the
performance of the IPsec engine, and explicitly dropping the traffic with an IP rule is an efficient
way of preventing it from reaching the engine. In other words, IP rules can then be used to have
complete control over all traffic related to the tunnel, including the IKE and ESP packets themselves.
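The handling order described in the last three subsections (IKE/ESP dealt with by the engine ahead of the rule set unless IPsec Before Rules is turned off, decrypted traffic checked with the tunnel as its source interface, and outbound traffic matched against rules and route before a tunnel is established) as a small Python model. This is an added, constructed example and not NetDefendOS code: the Packet, IPRule and IPsecTunnel classes, their fields, the interface names and all addresses are invented stand-ins for the real configuration objects, and the IPsec engine itself is reduced to a flag.

```python
"""Toy model of the NetDefendOS packet-handling order for IPsec traffic.
Constructed for illustration; not NetDefendOS code.  Rule and tunnel objects,
interface names and addresses are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

UDP, ESP = 17, 50          # IANA IP protocol numbers
IKE_PORTS = {500, 4500}    # IKE and IKE over NAT-T, both UDP


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class IPRule:
    action: str     # "Allow" or "Drop"
    src_if: str     # interface name, or "any"
    src_net: str    # CIDR, or "any"
    dst_net: str    # CIDR, or "any"


@dataclass
class IPsecTunnel:
    name: str
    remote_endpoint: str   # peer gateway address
    remote_net: str        # network routed through this tunnel
    established: bool = False


def _net_match(net: str, ip: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)


def is_ipsec_envelope(pkt: Packet) -> bool:
    """IKE (UDP/500, UDP/4500) or ESP: the packets that implement IPsec itself."""
    return pkt.proto == ESP or (pkt.proto == UDP and pkt.dst_port in IKE_PORTS)


class Firewall:
    def __init__(self, rules: List[IPRule], tunnels: List[IPsecTunnel],
                 ipsec_before_rules: bool = True):
        self.rules = rules
        self.tunnels: Dict[str, IPsecTunnel] = {t.name: t for t in tunnels}
        self.ipsec_before_rules = ipsec_before_rules   # the advanced setting

    def rule_verdict(self, pkt: Packet) -> str:
        """First matching IP rule wins; no match means the default drop."""
        for r in self.rules:
            if (r.src_if in ("any", pkt.src_if) and _net_match(r.src_net, pkt.src_ip)
                    and _net_match(r.dst_net, pkt.dst_ip)):
                return r.action
        return "Drop"

    def inbound(self, pkt: Packet) -> str:
        """Packet arriving on a physical interface such as 'wan'."""
        if is_ipsec_envelope(pkt):
            if not self.ipsec_before_rules and self.rule_verdict(pkt) == "Drop":
                return "dropped-by-rule"          # never reaches the IPsec engine
            return "ipsec-engine"                 # IKE/ESP handled internally, rules skipped
        return self.rule_verdict(pkt)

    def decrypted(self, tunnel: str, inner: Packet) -> str:
        """Plaintext leaving a tunnel is re-checked with the tunnel as source interface."""
        rewritten = Packet(tunnel, inner.src_ip, inner.dst_ip, inner.proto, inner.dst_port)
        return self.rule_verdict(rewritten)

    def outbound(self, pkt: Packet) -> str:
        """Traffic from a protected network whose route points into a tunnel."""
        route = next((t for t in self.tunnels.values()
                      if ip_address(pkt.dst_ip) in ip_network(t.remote_net)), None)
        if route is None:
            return "no-tunnel-route"
        if self.rule_verdict(pkt) == "Drop":
            return "dropped-by-rule"              # rules are consulted before the tunnel
        if not route.established:
            route.established = True              # local initiation: IKE towards the peer
            return f"initiated:{route.name}->{route.remote_endpoint}"
        return f"sent-via:{route.name}"


def demo() -> Dict[str, str]:
    """Constructed scenario: local LAN 10.0.0.0/24, peer LAN 192.168.1.0/24."""
    rules = [
        IPRule("Drop", "wan", "198.51.100.0/24", "any"),                 # abusive IKE source
        IPRule("Allow", "vpn-branch", "192.168.1.0/24", "10.0.0.0/24"),  # decrypted traffic
        IPRule("Allow", "lan", "10.0.0.0/24", "192.168.1.0/24"),         # traffic into tunnel
    ]
    fw_default = Firewall(rules, [IPsecTunnel("vpn-branch", "203.0.113.5", "192.168.1.0/24")])
    fw_rules_first = Firewall(rules, [IPsecTunnel("vpn-branch", "203.0.113.5", "192.168.1.0/24")],
                              ipsec_before_rules=False)
    ike_flood = Packet("wan", "198.51.100.7", "192.0.2.1", UDP, 500)
    to_branch = Packet("lan", "10.0.0.20", "192.168.1.10", 6, 445)
    return {
        "flood_default": fw_default.inbound(ike_flood),
        "flood_rules_first": fw_rules_first.inbound(ike_flood),
        "decrypted_ok": fw_default.decrypted("vpn-branch", Packet("wan", "192.168.1.10", "10.0.0.20", 6, 22)),
        "decrypted_spoof": fw_default.decrypted("vpn-branch", Packet("wan", "172.16.0.1", "10.0.0.20", 6, 22)),
        "first_outbound": fw_default.outbound(to_branch),
        "second_outbound": fw_default.outbound(to_branch),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two inbound results are the point of the IPsec Before Rules setting: with the default the Drop rule for 198.51.100.0/24 is never consulted and the IKE packets still reach the engine, whereas with the setting off the same rule stops them first. The decrypted cases show why a rule keyed on the tunnel interface (and a matching route or access rule for the expected source addresses) is still needed after the tunnel is up.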
365
Chapter 9. VPN
