Ikev2 Support - D-Link NetDefendOS User Manual

Network security firewall
After defining the Config Mode object, the only remaining action is to enable Config Mode for
the IPsec Tunnel.
Example 9.8. Using Config Mode with IPsec Tunnels
Assuming a predefined tunnel called vpn_tunnel1 exists, this example shows how to enable
Config Mode for that tunnel.
Web Interface
1. Go to: Network > Interfaces and VPN > IPsec
2. Select the tunnel vpn_tunnel1 for editing
3. Select the pool in the IKE Config Mode Pool drop-down list
4. Click OK
IP Validation
NetDefendOS always checks whether the source IP address of each packet inside an IPsec tunnel is
the same as the IP address assigned to the IPsec client with IKE Config Mode. If a mismatch is
detected, the packet is always dropped and a log message is generated with a severity level of
Warning. This message includes the two IP addresses as well as the client identity.
Optionally, the affected SA can be deleted automatically when validation fails by enabling the
advanced setting IPsecDeleteSAOnIPValidationFailure. The default value for this setting is
Disabled.
Local Gateway
When clients initiate IPsec connections to the firewall, the client usually sends the initial IKE
request to the IP address bound to a physical interface. However, if other IP addresses are being
ARP published on the interface and IKE requests are being sent to these addresses, the IPsec
tunnel property Local Gateway is used to specify the IP addresses on which IKE requests will be
accepted.
The Local Gateway property is never used if NetDefendOS is initiating the IPsec tunnel
connection.
The Client's Inner and Outer IPs Should Be Different
With IKEv1, NetDefendOS requires that a roaming client's inner and outer IP addresses for the
tunnel be different. If they are the same, connections will be dropped by NetDefendOS and a
ruleset_drop_packet log message will be generated with rule=Default_Access_Rule.
If the IP addresses must be the same, the situation can be corrected by using separate routing
tables for the tunnel itself and for the traffic the tunnel carries. Alternatively, NetDefendOS can
allocate a unique IP address to clients from an IP pool using Config Mode.
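The following is an added illustration, not NetDefendOS code, of the three checks described in the IP Validation, Local Gateway and inner/outer IP sections above, as a responder-side model a practitioner can step through to see which log message each failure produces. The class names, the event name ip_validation_failure, the assumption that the inner/outer check is applied when the SA is set up, and the assumption that only IKEv1 enforces it are all modelling choices of this example; the setting name IPsecDeleteSAOnIPValidationFailure, the ruleset_drop_packet message and rule=Default_Access_Rule come from the manual text.

```python
"""Constructed model (not NetDefendOS code) of how a roaming IPsec client is
handled by a responder: Local Gateway acceptance of IKE requests, the IKEv1
requirement that inner and outer IPs differ, and IKE Config Mode IP validation
with the optional IPsecDeleteSAOnIPValidationFailure behaviour."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tunnel:
    name: str
    ike_version: int                          # 1 or 2
    interface_ip: str                         # IP bound to the physical interface
    local_gateway: frozenset = frozenset()    # ARP-published IPs that also accept IKE
    config_mode_pool: list = field(default_factory=list)  # addresses handed out by Config Mode


@dataclass
class SA:
    client_id: str
    outer_ip: str   # client's address on the public side of the tunnel
    inner_ip: str   # address the client must use for packets inside the tunnel


@dataclass
class Firewall:
    tunnel: Tunnel
    # Models the advanced setting IPsecDeleteSAOnIPValidationFailure (default Disabled).
    delete_sa_on_ip_validation_failure: bool = False
    sas: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def ike_request(self, dst_ip: str, client_id: str, outer_ip: str,
                    proposed_inner_ip: str) -> Optional[SA]:
        """Responder side: decide whether an incoming IKE request results in an SA."""
        # Local Gateway: IKE is accepted on the interface IP plus any listed addresses.
        accepted = {self.tunnel.interface_ip} | set(self.tunnel.local_gateway)
        if dst_ip not in accepted:
            # Hypothetical event name; the manual does not specify one for this case.
            self.log.append({"event": "ike_request_ignored", "dst": dst_ip, "client": client_id})
            return None
        # Config Mode, when enabled, allocates the inner IP from the pool; otherwise the
        # client's own proposed inner address is used.
        if self.tunnel.config_mode_pool:
            inner_ip = self.tunnel.config_mode_pool.pop(0)
        else:
            inner_ip = proposed_inner_ip
        # IKEv1: inner and outer IPs must differ (assumed here to be checked at SA setup).
        if self.tunnel.ike_version == 1 and inner_ip == outer_ip:
            self.log.append({"event": "ruleset_drop_packet", "rule": "Default_Access_Rule",
                             "client": client_id, "ip": outer_ip})
            return None
        sa = SA(client_id, outer_ip, inner_ip)
        self.sas[client_id] = sa
        return sa

    def validate_inner_packet(self, client_id: str, src_ip: str) -> bool:
        """IP Validation: the source IP inside the tunnel must match the assigned inner IP."""
        sa = self.sas.get(client_id)
        if sa is None:
            return False
        if src_ip == sa.inner_ip:
            return True
        # Mismatch: drop, log at Warning with both addresses and the client identity.
        self.log.append({"severity": "Warning", "event": "ip_validation_failure",
                         "client": client_id, "expected": sa.inner_ip, "actual": src_ip})
        if self.delete_sa_on_ip_validation_failure:
            del self.sas[client_id]
        return False


if __name__ == "__main__":
    # Constructed sample: documentation addresses only.
    tunnel = Tunnel("vpn_tunnel1", 1, "203.0.113.1", frozenset({"203.0.113.2"}),
                    ["10.4.0.10", "10.4.0.11"])
    fw = Firewall(tunnel, delete_sa_on_ip_validation_failure=True)
    sa = fw.ike_request("203.0.113.2", "alice", "198.51.100.5", "198.51.100.5")
    print("assigned inner IP:", sa.inner_ip)
    print("spoofed inner source accepted:", fw.validate_inner_packet("alice", "10.4.0.99"))
    for entry in fw.log:
        print(entry)
```

Running the block shows the Config Mode address being handed out, the spoofed inner source being refused with a Warning entry naming both addresses and the client, and the SA disappearing because the delete-on-failure setting is enabled in the sample.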

9.4.4. IKEv2 Support

Chapter 9: VPN (page 713)