Ipsec Tunnels; Overview - D-Link NetDefendOS User Manual

Network security firewall
9.4. IPsec Tunnels

Many of the properties of the IPsec tunnel objects required for tunnel establishment have
already been discussed in Section 9.3.2, "Internet Key Exchange (IKE)". This section looks more
closely at IPsec tunnels in NetDefendOS, their definition, options and usage.

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.

Setting the Local Endpoint
By default, this property of an IPsec tunnel object is the IP address of the Ethernet interface being
used for the connection. Setting this property means the source address of the tunnel is a
specific IP address.
If this property is assigned an IP address, the administrator must also manually configure
NetDefendOS to ARP publish the IP address on the sending interface. Doing this is described in
Section 3.5.3, "ARP Publish".

Setting the Source Interface
If set, the Source Interface property of a tunnel determines which Ethernet interface NetDefendOS
will listen on for incoming IPsec connections. This provides a means to specify that a particular
tunnel is used for connections being received on a particular interface as it takes precedence
over the normal procedure for selecting a tunnel.

Setting the Originator IP Address
An IPsec Tunnel object's Originator IP property is a means to set the source IPv4 address that flows
inside the tunnel when the originator is NetDefendOS itself.
This IP will be needed in such cases as when log messages or ICMP ping messages are sent by
NetDefendOS. Also, when NATing an IPsec tunnel's local network to the remote network, the
originator IP will be the IP address that will be used as the NAT address. This address may need to
be set manually if the automatic choice described below is not suitable.
There are two possible settings for this property:
LocalInterface
This is the default setting. In the Web Interface, this corresponds to enabling the option:
Automatically pick the address of a local interface that corresponds to the local net.
NetDefendOS automatically selects the source IP address in the following way:
i. NetDefendOS looks at the IP address of all non-IPsec interfaces and uses the first IP
address it finds that is within the range of the tunnel's local network.
With an HA cluster, this means the shared and private IP can be different.
ii. If no suitable address is found in the first step, use the second IP address from the
tunnel's local network. This could potentially be an IP address that is already used by a host
in the network, and if this is the case the IP address will need to be set manually as
described below.
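The two-step LocalInterface selection above is easy to get wrong in a review, because step ii can silently hand out an address that a host on the local network already owns. The following Python model of that selection is an added example, not NetDefendOS code: it walks the non-IPsec interface addresses in order, falls back to the local network's second address, and flags the fallback when it matches a constructed list of known hosts so the administrator knows the Originator IP must be set manually. The interpretation of "second IP address" as the network address plus one, the function name pick_originator_ip, and the sample addresses are all assumptions made for this example.

```python
from dataclasses import dataclass
import ipaddress
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class OriginatorChoice:
    address: str    # the source IP that would flow inside the tunnel
    source: str     # "interface" (step i) or "local-net-fallback" (step ii)
    collides: bool  # True when the fallback is already used by a known host


def pick_originator_ip(interface_ips: Iterable[str], local_net: str,
                       known_hosts: Optional[Set[str]] = None) -> OriginatorChoice:
    """Model of the manual's LocalInterface selection (hypothetical helper).

    interface_ips: addresses of all non-IPsec interfaces, in interface order.
    local_net:     the tunnel's local network, e.g. "192.168.1.0/24".
    known_hosts:   addresses already in use on the local network (constructed
                   inventory used only to detect a step-ii collision).
    """
    net = ipaddress.ip_network(local_net, strict=False)
    known = {ipaddress.ip_address(h) for h in (known_hosts or ())}

    # Step i: first non-IPsec interface address that lies inside the local network.
    for ip in interface_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version == net.version and addr in net:
            return OriginatorChoice(str(addr), "interface", False)

    # Step ii: no interface matched, so take the local network's second address.
    # Assumption for this example: "second address" = network address + 1.
    if net.num_addresses < 2:
        raise ValueError(f"{local_net} has no second address to fall back to")
    fallback = net[1]
    # The fallback is not guaranteed free; a collision means the Originator IP
    # must be configured manually instead of relying on automatic selection.
    return OriginatorChoice(str(fallback), "local-net-fallback", fallback in known)


def needs_manual_originator_ip(choice: OriginatorChoice) -> bool:
    """True when automatic selection produced an address that clashes with a host."""
    return choice.source == "local-net-fallback" and choice.collides


if __name__ == "__main__":
    # Constructed sample: the firewall's lan interface sits inside the tunnel's local net.
    ok = pick_originator_ip(["10.0.0.1", "192.168.1.1"], "192.168.1.0/24")
    print(ok, "manual:", needs_manual_originator_ip(ok))

    # Constructed sample: no interface in the local net, and .1 is already a host.
    bad = pick_originator_ip(["10.0.0.1"], "192.168.1.0/24",
                             known_hosts={"192.168.1.1", "192.168.1.20"})
    print(bad, "manual:", needs_manual_originator_ip(bad))
```

When reviewing a tunnel whose local network contains none of the firewall's own interface addresses, run the check against the site's host inventory; a collides result is the case the manual says must be resolved by setting the Originator IP by hand.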
701
Chapter 9: VPN
