BinTec RS120 Reference Manual page 337


bintec elmeg GmbH
bintec RS Series
bintec elmeg Gateways support two different methods for establishing IPSec connections:
• a method based on policies and
• a method based on routing.
The policy-based method uses data traffic filters to negotiate the IPSec phase 2 SAs. This
enables the filtering of the IP packets to be very "fine grained" down to protocol and port
level.
The routing-based method offers various advantages over the policy-based method, e.g.
NAT/PAT within a tunnel, IPSec in combination with routing protocols and the creation of
VPN backup scenarios. With the routing-based method, the configured or dynamically
learned routes are used to negotiate the IPSec phase 2 SAs. While it is true that this method
simplifies many configurations, it can also cause problems due to competing routes or the
"coarser" filtering of the data traffic, since the phase 2 selector is only as specific as the route.
The Additional Traffic Filter parameter fixes this problem. You can filter more "finely", i.e.
you can, e.g., specify the source IP address or the source port. If an Additional Traffic
Filter is configured, it is used to negotiate the IPSec phase 2 SAs; the route only determines
which data traffic is to be routed into the tunnel.
If an IP packet is routed into the tunnel but does not match the defined Additional Traffic Filter, it is discarded; it is neither tunnelled nor sent in the clear.
If an IP packet meets the requirements of the Additional Traffic Filter, IPSec phase 2
negotiation begins (if no matching SA exists yet) and the data traffic is transferred over the tunnel.
Note
The parameter Additional Traffic Filter is only relevant to the initiator of the IPSec
connection; it only applies to outgoing data traffic.
Note
Please note that the phase 2 policies must be configured identically on both of the
IPSec tunnel endpoints.
Add new entries with Add.
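The selection logic described above, as an added example that is not bintec code: a Python model of the initiator's decision for one outgoing packet under the policy-based method, the routing-based method, and the routing-based method with an Additional Traffic Filter. The names (Selector, Peer, handle_outgoing, the tunnel interface "ipsec0"), the assumption that a route without a filter yields a coarse phase 2 selector (any source, destination = route prefix), and the assumption that traffic outside a policy filter simply follows normal routing are all this example's own; the sample routes and packets are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

TUNNEL_IFACE = "ipsec0"   # assumed name for the IPSec interface a route can point at


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """A phase 2 traffic selector: a policy-based filter or an Additional Traffic Filter.
    None means 'any', so the default selector matches everything."""
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


@dataclass
class Route:
    prefix: str
    iface: str


@dataclass
class Peer:
    """Initiator-side state for one IPSec peer."""
    mode: str                                      # "policy" or "routing"
    policy_filters: Tuple[Selector, ...] = ()      # policy-based: filters that trigger phase 2
    additional_filter: Optional[Selector] = None   # routing-based: Additional Traffic Filter
    phase2_sas: list = field(default_factory=list)  # selectors negotiated so far


def lookup_route(routes, dst):
    """Longest-prefix match; None when no route covers dst."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def negotiate(peer, selector):
    """Phase 2 is negotiated once per selector; later packets reuse the existing SA."""
    if selector not in peer.phase2_sas:
        peer.phase2_sas.append(selector)
    return selector


def handle_outgoing(peer, routes, p):
    """Decide for one outgoing packet: ("tunnel", selector), ("clear", None) or ("discard", None)."""
    if peer.mode == "policy":
        for f in peer.policy_filters:        # fine-grained: protocol and port can be part of the filter
            if f.matches(p):
                return "tunnel", negotiate(peer, f)
        return "clear", None                 # assumption: unmatched traffic follows normal routing
    route = lookup_route(routes, p.dst)
    if route is None or route.iface != TUNNEL_IFACE:
        return "clear", None                 # the route decides what enters the tunnel at all
    if peer.additional_filter is None:
        # No filter: the selector is as coarse as the route (assumed derivation: any src, dst = prefix)
        return "tunnel", negotiate(peer, Selector(dst_net=route.prefix))
    if not peer.additional_filter.matches(p):
        return "discard", None               # routed into the tunnel but fails the filter: dropped
    return "tunnel", negotiate(peer, peer.additional_filter)


def responder_accepts(responder_filter, proposed):
    """Second note above: phase 2 policies must be identical on both endpoints."""
    return responder_filter == proposed


def demo():
    routes = [Route("10.20.0.0/16", TUNNEL_IFACE), Route("0.0.0.0/0", "eth0")]   # constructed
    narrow = Selector(src_net="192.168.1.0/24", dst_net="10.20.0.0/16", proto="tcp", dport=443)
    pkts = {                                                                      # constructed
        "https_from_lan": Packet("192.168.1.10", "10.20.5.1", "tcp", 40000, 443),
        "ssh_from_lan":   Packet("192.168.1.10", "10.20.5.1", "tcp", 40001, 22),
        "https_from_dmz": Packet("172.16.0.5", "10.20.5.1", "tcp", 40002, 443),
        "internet":       Packet("192.168.1.10", "8.8.8.8", "udp", 40003, 53),
    }
    peers = (("routing", Peer("routing")),
             ("routing+filter", Peer("routing", additional_filter=narrow)),
             ("policy", Peer("policy", policy_filters=(narrow,))))
    results = {}
    for name, peer in peers:
        results[name] = {k: handle_outgoing(peer, routes, v)[0] for k, v in pkts.items()}
        results[name]["negotiated"] = [(s.src_net, s.dst_net, s.proto, s.dport) for s in peer.phase2_sas]
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The run makes the difference between the three methods visible: without a filter, every packet the route sends to ipsec0 is tunnelled under one coarse selector; with an Additional Traffic Filter, the SSH packet and the packet from the wrong source subnet are discarded rather than tunnelled or leaked in the clear, and the negotiated selector is the narrow one; under the policy-based method, the same narrow selector is negotiated but unmatched traffic is simply routed normally.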
15 VPN
323
