
Quantum CHECK POINT SPARK 1800 Series User Manual

300 pages
Configuring VPN Sites
Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.40 Locally Managed Administration Guide | 236
IKE Version                    Notes
Prefer IKEv2, support IKEv1    Configure the fields as explained for the first two options.
- Additional Certificate Matching (does not apply when you use a pre-shared secret):
  When you select certificate matching in the Remote Site tab, you first need to add the CA that signed the remote site's certificate in the VPN > Certificates Trusted CAs page.
  In the Advanced tab, you can select to match the certificate to Any Trusted CA or an Internal CA.
  You can also configure more matching criteria on the certificate.
- Probing Method
  This section is shown only when you select High Availability or Load Sharing for the connection type in the Remote Site tab.
  When the remote site has multiple IP addresses for VPN traffic, the correct address for VPN is discovered through one of these probing methods:
  o Ongoing probing - When a session is initiated, all possible destination IP addresses continuously receive RDP packets until one of them responds. Connections go through the first IP to respond (or to a primary IP if a primary IP is configured and active for High Availability), and stay with this IP until the IP stops responding. The RDP probing is activated when a connection is opened and continues as a background process.
  o One time probing - When a session is initiated, all possible destination IP addresses receive an RDP session to test the route. The first IP to respond is chosen, and stays chosen until the VPN configuration changes.
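The difference between the two probing methods, as an added example that is not from the Check Point guide: a simplified Python model in which list order stands in for response order and no primary IP is configured. The addresses, the timeline and all function names are constructed for illustration.

```python
# Added illustration, not from the Check Point guide: a simplified model of the
# two probing methods. Addresses, timeline and function names are constructed.

def first_responder(candidates, alive):
    """Probe every candidate; list order stands in for response order."""
    for ip in candidates:
        if ip in alive:
            return ip
    return None  # nothing answered the probe

def ongoing_probing(candidates, timeline):
    """Keep the selected address until it stops responding, then re-probe."""
    current, used = None, []
    for alive in timeline:
        if current not in alive:
            current = first_responder(candidates, alive)
        used.append(current)
    return used

def one_time_probing(candidates, timeline, config_changes=()):
    """Probe at session start; re-probe only when the VPN configuration changes."""
    current, used = None, []
    for tick, alive in enumerate(timeline):
        if tick == 0 or tick in config_changes:
            current = first_responder(candidates, alive)
        used.append(current)
    return used

def unreachable_ticks(used, timeline):
    """Ticks at which the tunnel is pinned to an address that is not answering."""
    return [t for t, (ip, alive) in enumerate(zip(used, timeline)) if ip not in alive]

# Constructed scenario: two remote-site addresses (documentation ranges).
A, B = "198.51.100.10", "203.0.113.20"
CANDIDATES = [A, B]
# Which addresses answer probes at each tick: A fails at ticks 2-3, then recovers.
TIMELINE = [{A, B}, {A, B}, {B}, {B}, {A, B}]

if __name__ == "__main__":
    ongoing = ongoing_probing(CANDIDATES, TIMELINE)
    one_time = one_time_probing(CANDIDATES, TIMELINE)
    print("ongoing :", ongoing, "unreachable at", unreachable_ticks(ongoing, TIMELINE))
    print("one-time:", one_time, "unreachable at", unreachable_ticks(one_time, TIMELINE))
```

In this model, one-time probing keeps the tunnel on the failed address until a configuration change forces a new probe, while ongoing probing moves to the second address and stays there after the first one recovers.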
Notes:
- For more information on installing the certificate, see "Managing Installed Certificates" on page 116.
- The initiator's gateway ID must be set in the responder gateway as the peer ID.
- The Remote Access blade must be enabled for peer ID to work.
- On the gateway that is not behind NAT, for Connection type, select Only remote site initiates VPN.
- When you configure the remote site, do not select behind static NAT.
An initial tunnel test begins with the remote site. If you have not yet configured it, click Skip. The VPN site is
added to the table.
Locally managed gateways can be part of these site to site communities:
- VPN mesh community - All gateways are connected to each other, and each gateway handles its own internet traffic. Encrypted traffic is passed from networks in the encryption domain of one gateway to the networks in the encryption domain of the second gateway.
- VPN star community - One gateway is the center and routes all traffic (encrypted and internet traffic of the remote peer) to the internet and back to the remote peer. The peer gateway is a satellite and is configured to route all its traffic through the center.
