D-Link NetDefendOS
With an HA cluster, this means the shared and private IP will be the same.
This option allows the administrator to choose a specific IP. It is possible to choose two IPs:
i. The non-HA IP address. This is the IPv4 address that will be used except for cluster situations.
ii. The HA IP address. This address will be used in HA clusters as the shared and private IP.
If the local network for the tunnel is all-nets then NetDefendOS will not be able to assign an IP
address and a value will have to be assigned manually.
Also note that a core route is automatically added to all routing tables so that the originator IP
address is routed on core.
Remote Initiation of Tunnel Establishment
When another NetDefend Firewall or another IPsec compliant networking product (also known
as the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall, the
list of currently defined IPsec tunnels in the NetDefendOS configuration is examined. If a
matching tunnel definition is found, that tunnel is opened. The associated IKE and IPsec
negotiations then take place, resulting in the tunnel becoming established to the remote
endpoint.
Local Initiation of Tunnel Establishment
Alternatively, a user on a protected local network might try to access a resource which is
located at the end of an IPsec tunnel. In this case, NetDefendOS sees that the route for the IP
address of the resource is through a defined IPsec tunnel and establishment of the tunnel is then
initiated from the local NetDefend Firewall.
IP Rules Control Decrypted Traffic
Note that an established IPsec tunnel does not automatically mean that all the traffic flowing
from the tunnel is trusted. On the contrary, network traffic that has been decrypted will be
checked against the IP rule set. When doing this IP rule set check, the source interface of the
traffic will be the associated IPsec tunnel since tunnels are treated like interfaces in
NetDefendOS.
In addition, a Route or an Access rule may have to be defined for roaming clients in order for
NetDefendOS to accept specific source IP addresses from the IPsec tunnel.
Returning Traffic
For network traffic going in the opposite direction, back into an IPsec tunnel, a reverse process
takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and a route match,
NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is found,
NetDefendOS will try to establish a new tunnel to the remote endpoint specified by a matching
IPsec tunnel definition.
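The decision flow described in the sections above (decrypted traffic checked against the IP rule set with the tunnel as source interface; returning traffic evaluated by rule and route, then matched to an established tunnel or used to initiate one) is modelled below as an added illustrative example. It is not NetDefendOS code; the rule fields, interface names and the "first match wins, otherwise drop" behaviour are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IPRule:
    action: str     # "Allow" or "Drop"
    src_iface: str  # physical interface or IPsec tunnel name ("any" = wildcard)
    src_net: str    # IPv4 CIDR or "all-nets"
    dst_iface: str
    dst_net: str

def in_net(ip, net):
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class TunnelPolicyModel:
    # Toy model of the manual's decision flow; assumed behaviour, not NetDefendOS code.
    def __init__(self, rules, routes, tunnels):
        self.rules = rules        # ordered IP rule set; first match wins
        self.routes = routes      # {CIDR: interface}; tunnels act as interfaces
        self.tunnels = set(tunnels)
        self.established = set()  # tunnels that currently hold an IPsec SA

    def route_iface(self, dst_ip):
        # Longest-prefix match; "all-nets" acts as the default route.
        hits = [(ipaddress.ip_network(n).prefixlen, i) for n, i in self.routes.items()
                if n != "all-nets" and in_net(dst_ip, n)]
        return max(hits)[1] if hits else self.routes.get("all-nets")

    def lookup(self, src_iface, src_ip, dst_iface, dst_ip):
        for r in self.rules:
            if (r.src_iface in (src_iface, "any") and r.dst_iface in (dst_iface, "any")
                    and in_net(src_ip, r.src_net) and in_net(dst_ip, r.dst_net)):
                return r.action
        return "Drop"  # no matching rule: dropped

    def decrypted_inbound(self, tunnel, src_ip, dst_ip):
        # Decrypted packets are NOT implicitly trusted: they are checked against
        # the rule set with the tunnel as their source interface.
        return self.lookup(tunnel, src_ip, self.route_iface(dst_ip), dst_ip)

    def outbound(self, src_iface, src_ip, dst_ip):
        # Returning traffic: rule set first, then route; a route via a tunnel
        # reuses an established SA or triggers local initiation.
        dst_iface = self.route_iface(dst_ip)
        if self.lookup(src_iface, src_ip, dst_iface, dst_ip) != "Allow":
            return "dropped"
        if dst_iface not in self.tunnels:
            return f"forwarded via {dst_iface}"
        if dst_iface in self.established:
            return f"encrypted via established {dst_iface}"
        self.established.add(dst_iface)   # local initiation of the tunnel
        return f"initiated {dst_iface}, then encrypted"
```

With a constructed rule set that allows 10.1.0.0/16 from tunnel ipsec_hq to the LAN and the LAN back to it, a decrypted packet from an address outside that network is dropped even though it arrived through the tunnel.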
No IP Rules Are Needed for the Enclosing IPsec Traffic
Chapter 9: VPN
702