McAfee SG310 Administration Manual page 308

UTM Firewall
VPN menu features
IPSec VPN offloading
Figure 316 IPSec VPN offloading — Daisy-chain switch configuration
Offloading limitations
There are several limitations on the kinds of tunnels that can be offloaded:
• Only tunnels using IKE and PSK (preshared secrets) that operate on the default gateway can be offloaded.
• The remote endpoint of the tunnel must have a static IP address.
• The remote network or host must not be the remote endpoint IP address, or on the same network as the
IP address of the remote endpoint.
For the most likely combinations, you will be prevented from selecting an incorrect combination.
To specify an offload device, you must initiate the Advanced wizard in IPSec. See IPSec Advanced Setup
wizard. In addition to the wizard, there is some extra configuration required, as described in the next topic,
Configuring for VPN offloading.
Configuring for VPN offloading
In addition to configuring the offload device within the advanced wizard, additional manual file
configurations are required.
Note:
Use the UTM Firewall Management Console to ensure changes are saved. For more information, see
Configuration Files tab.
To set up IPSec offload devices, follow these instructions:
On the concentrator (primary) device:
Add the following line to the file /etc/config/ssh_config:
UserKnownHostsFile /etc/config/ssh_known_hosts RhostsRSAAuthentication no
RSAAuthentication no
Create the file /etc/config/ssh_known_hosts (or append the line to it if it already exists) containing
the IP address of the IPSec offload device, followed by the contents of
/etc/config/ssh_host_rsa_key.pub from the IPSec offload device.
Note:
This new entry must all be on the same line without changes. Be sure to insert a space between the IP
address and the key.
For example:
McAfee UTM Firewall 4.0.4 Administration Guide
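One way to build and check the ssh_known_hosts line before entering it on the concentrator, given as an added example that is not taken from the McAfee guide. The function names, the sample IP address, the placeholder key text and the temporary paths are assumptions made for illustration; the script expects the offload device's ssh_host_rsa_key.pub to have been copied to a local file.

```shell
#!/bin/sh
# Added example. Sample IP, key text and paths are constructed; on the
# concentrator the real target is /etc/config/ssh_known_hosts.

# known_hosts_entry IP PUBKEY_FILE: print "IP KEY" with the key unchanged.
known_hosts_entry() {
    ip=$1 keyfile=$2
    # Shape check only (four dot-separated groups of digits).
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad IP address: $ip" >&2; return 2; }
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }
    # A wrapped or multi-line paste would break the single-line rule.
    [ "$(grep -c '' "$keyfile")" -eq 1 ] ||
        { echo "key file must hold exactly one line" >&2; return 2; }
    key=$(cat "$keyfile")
    # Assumption: the .pub file is in OpenSSH "ssh-rsa <base64> [comment]" form.
    case $key in
        "ssh-rsa "*) ;;
        *) echo "not an ssh-rsa public key" >&2; return 2 ;;
    esac
    printf '%s %s\n' "$ip" "$key"
}

# pin_offload_host KNOWN_HOSTS IP PUBKEY_FILE
# Returns 0 if the entry was added or already present, 3 if IP is already
# pinned to a different key (investigate before replacing it).
pin_offload_host() {
    file=$1 ip=$2
    entry=$(known_hosts_entry "$ip" "$3") || return $?
    if [ -f "$file" ]; then
        grep -Fxq -- "$entry" "$file" && return 0
        if awk -v ip="$ip" '$1 == ip { hit = 1 } END { exit !hit }' "$file"; then
            echo "$ip already has a different key in $file" >&2
            return 3
        fi
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Constructed demo using temporary files only.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER root@offload\n' > "$demo/offload.pub"
pin_offload_host "$demo/known_hosts" 192.0.2.10 "$demo/offload.pub"
cat "$demo/known_hosts"
rm -rf "$demo"
```

A return code of 3 means the address is already pinned to another key, which is the case to verify out of band against the offload device rather than overwrite.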

This manual is also suitable for:

Sg560, Sg560u, Sg565, Sg580