Best Practices For Deploying IPsec VPN
Alcatel-Lucent
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
NETWORK ADDRESS TRANSLATION
NAT can be applied before or after IPsec. NAT interferes with IPsec because it
rewrites IP headers, which can block tunnel establishment or traffic flow through
the tunnel. It is a best practice not to apply NAT and IPsec to the same traffic on
the same interface. Where the two must share an interface, an appropriate NAT
bypass must be configured.
In practice NAT and IPsec are usually applied on the same (public) interface, and
this combination is also costly from a performance perspective. The OmniAccess
5740 USG therefore provides the bypass command, which exempts all IPsec traffic
from NAT while the remaining traffic is translated.
Note: The match-list used for IPsec should be applied as a bypass rule in NAT with a
higher priority than the match-list that selects the traffic to be translated. If the
translating rule is evaluated first, the IPsec traffic is NATed and the bypass never
matches.
NETWORK ACCESS CONTROL
Filter inbound traffic on the interface on which the IPsec tunnels terminate so that
only IKE and ESP are allowed (IKE uses UDP port 500, and UDP port 4500 when NAT
traversal is in use; ESP is IP protocol 50).
INTEROPERABILITY
Although IPsec is a documented standard, it still leaves room for interpretation. In
addition, Internet Drafts such as IKE mode-configuration and vendor-proprietary
features increase the likelihood of interoperability problems. For these reasons,
check with the vendors of the products involved for interoperability information.
ROUTING ENTRY
For an IPsec tunnel to come up, there must be a routing entry for the destination
address in the match-list, pointing out the interface to which the crypto map is
attached.
For example, the match-list
match-list m1
ip prefix 10.0.0.0/8 prefix 9.0.0.0/8
is applied to the crypto map attached to interface gig3/1. The routing table must
then contain an entry for the destination prefix 9.0.0.0/8 via that interface:
ip route 9.0.0.0/8 gig3/1
Otherwise the tunnel will not come up.
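The three checks above (a NAT bypass ordered ahead of the translating rule, an inbound filter that admits only IKE and ESP, and a route for every match-list destination out of the crypto-map interface) can be verified against a deployment plan before it is typed into the device. The following Python script is an added example and is not part of this guide or of the OmniAccess CLI: it models match-lists, NAT rules, routes and inbound permit entries as plain data and reports violations. The numeric NAT priority (lower number evaluated first), the Permit and Route names and both sample plans are assumptions constructed for illustration.

```python
"""Lint an IPsec deployment plan for the NAT-bypass, inbound-filter and route checks.

Added example: data model, priorities and sample plans are assumptions for
illustration, not OmniAccess CLI syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class MatchList:
    name: str
    src: IPv4Network
    dst: IPv4Network

    def overlaps(self, other: "MatchList") -> bool:
        return self.src.overlaps(other.src) and self.dst.overlaps(other.dst)


@dataclass(frozen=True)
class NatRule:
    priority: int          # assumption: lower number is evaluated first
    match_list: str        # name of the match-list selecting the traffic
    bypass: bool           # True = exempt from NAT, False = translate


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass(frozen=True)
class Permit:
    proto: str             # "udp", "esp", "tcp", ...
    port: Optional[int] = None


# IKE is UDP/500 (UDP/4500 with NAT traversal); ESP is its own IP protocol.
REQUIRED_INBOUND = {Permit("udp", 500), Permit("udp", 4500), Permit("esp")}


def _fmt(p: Permit) -> str:
    return p.proto if p.port is None else f"{p.proto}/{p.port}"


def check_nat_bypass(ipsec_ml, match_lists, nat_rules) -> List[str]:
    """The first NAT rule that covers the IPsec match-list must be a bypass."""
    for rule in sorted(nat_rules, key=lambda r: r.priority):
        if match_lists[rule.match_list].overlaps(ipsec_ml):
            if rule.bypass:
                return []
            return [f"NAT rule {rule.priority} ({rule.match_list}) translates "
                    f"{ipsec_ml.name} traffic before any bypass rule"]
    return [f"no NAT bypass rule covers IPsec match-list {ipsec_ml.name}"]


def check_route(ipsec_ml, crypto_if, routes) -> List[str]:
    """Longest-prefix route for the match-list destination must exit the crypto-map interface."""
    covering = [r for r in routes if ipsec_ml.dst.subnet_of(r.prefix)]
    if not covering:
        return [f"no route for {ipsec_ml.dst} ({ipsec_ml.name}); tunnel will not come up"]
    best = max(covering, key=lambda r: r.prefix.prefixlen)
    if best.interface != crypto_if:
        return [f"route for {ipsec_ml.dst} exits {best.interface}, "
                f"but the crypto map is on {crypto_if}"]
    return []


def check_inbound_filter(permits) -> List[str]:
    """Inbound filter on the IPsec interface should permit exactly IKE and ESP."""
    have = set(permits)
    missing = [f"inbound filter does not permit {_fmt(p)}"
               for p in sorted(REQUIRED_INBOUND - have, key=_fmt)]
    extra = [f"inbound filter permits unrelated traffic {_fmt(p)}"
             for p in sorted(have - REQUIRED_INBOUND, key=_fmt)]
    return missing + extra


def lint(ipsec_ml_name, crypto_if, match_lists, nat_rules, routes, permits) -> List[str]:
    ml = match_lists[ipsec_ml_name]
    return (check_nat_bypass(ml, match_lists, nat_rules)
            + check_route(ml, crypto_if, routes)
            + check_inbound_filter(permits))


def broken_plan():
    """Constructed plan that violates all three checks (not a real configuration)."""
    mls = {"m1": MatchList("m1", ip_network("10.0.0.0/8"), ip_network("9.0.0.0/8")),
           "inside": MatchList("inside", ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0"))}
    nat = [NatRule(10, "inside", bypass=False),   # translates everything first...
           NatRule(20, "m1", bypass=True)]        # ...so this bypass never matches
    routes = [Route(ip_network("0.0.0.0/0"), "gig3/1"),
              Route(ip_network("9.0.0.0/8"), "gig3/2")]  # wrong interface
    permits = [Permit("udp", 500), Permit("esp"), Permit("tcp", 22)]  # no NAT-T, extra SSH
    return "m1", "gig3/1", mls, nat, routes, permits


def fixed_plan():
    """Same plan with the bypass ahead of NAT, the route on gig3/1 and a tight filter."""
    name, crypto_if, mls, _, _, _ = broken_plan()
    nat = [NatRule(10, "m1", bypass=True), NatRule(20, "inside", bypass=False)]
    routes = [Route(ip_network("0.0.0.0/0"), "gig3/1"), Route(ip_network("9.0.0.0/8"), "gig3/1")]
    return name, crypto_if, mls, nat, routes, sorted(REQUIRED_INBOUND, key=_fmt)


if __name__ == "__main__":
    for plan in (broken_plan, fixed_plan):
        print(plan.__name__, lint(*plan()) or ["OK"])
```

Running the script prints four findings for the broken plan (the translating NAT rule wins over the bypass, the 9.0.0.0/8 route exits the wrong interface, UDP/4500 is not permitted and SSH is) and "OK" for the corrected one. The route check uses the longest-prefix match so that a more specific route via another interface is caught even when a default route points at the crypto-map interface.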