After defining the Config Mode object, the only remaining action is to enable Config Mode to be
used with the IPsec Tunnel.
Example 9.8. Using Config Mode with IPsec Tunnels
Assuming a predefined tunnel called vpn_tunnel1 exists, this example shows how to enable Config Mode for that tunnel.
Web Interface
• Go to: Network > Interfaces and VPN > IPsec
• Select the tunnel vpn_tunnel1 for editing
• Select the pool in the IKE Config Mode Pool drop down list
• Click OK
IP Validation
NetDefendOS always checks if the source IP address of each packet inside an IPsec tunnel is the
same as the IP address assigned to the IPsec client with IKE config mode. If a mismatch is
detected, the packet is always dropped and a log message is generated with a severity level of
Warning. This message includes the two IP addresses as well as the client identity.
Optionally, the affected SA can be automatically deleted if validation fails by enabling the
advanced setting IPsecDeleteSAOnIPValidationFailure. The default value for this setting is
Disabled.
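The following is an added model of the check described above, not NetDefendOS code: a Config Mode pool hands each roaming client one inner address, and every decrypted packet's source address is compared against the address leased to that client's SA. A mismatch is dropped and logged at Warning level with both addresses and the client identity; when the delete-on-failure option is enabled, the SA is torn down as well. The class and function names, the pool network and the client identities are all assumptions chosen for the example.

```python
"""Model of IKE Config Mode address leasing plus per-packet IP validation.

Illustrative only (assumed names/values); it does not reproduce NetDefendOS
internals or its log format.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
import logging

log = logging.getLogger("ipsec_model")


@dataclass
class ClientSA:
    identity: str           # IKE identity presented by the roaming client
    outer_ip: IPv4Address   # address the IKE request arrived from
    inner_ip: IPv4Address   # address leased from the Config Mode pool


class ConfigModePool:
    """Hands out one inner address per client identity from a network (assumed pool)."""

    def __init__(self, network: str) -> None:
        self._free = list(IPv4Network(network).hosts())
        self.leases: dict[str, IPv4Address] = {}

    def allocate(self, identity: str) -> IPv4Address:
        if identity in self.leases:          # re-connecting client keeps its lease
            return self.leases[identity]
        if not self._free:
            raise RuntimeError("config mode pool exhausted")
        ip = self._free.pop(0)
        self.leases[identity] = ip
        return ip

    def release(self, identity: str) -> None:
        ip = self.leases.pop(identity, None)
        if ip is not None:
            self._free.append(ip)


class TunnelGateway:
    """Holds client SAs and validates the inner source IP of each decrypted packet."""

    def __init__(self, pool: ConfigModePool,
                 delete_sa_on_validation_failure: bool = False) -> None:
        self.pool = pool
        # Models the IPsecDeleteSAOnIPValidationFailure setting (default Disabled).
        self.delete_sa_on_failure = delete_sa_on_validation_failure
        self.sas: dict[str, ClientSA] = {}

    def establish(self, identity: str, outer_ip: str) -> ClientSA:
        """Config Mode exchange: lease an inner address and record the SA."""
        inner = self.pool.allocate(identity)
        sa = ClientSA(identity, IPv4Address(outer_ip), inner)
        self.sas[identity] = sa
        return sa

    def receive(self, identity: str, inner_src: str) -> str:
        """Validate one decrypted packet; returns the verdict as a string."""
        sa = self.sas.get(identity)
        if sa is None:
            return "no_sa"
        src = IPv4Address(inner_src)
        if src == sa.inner_ip:
            return "accept"
        # Mismatch: always drop, log at Warning with both addresses and the identity.
        log.warning("IP validation failed: client=%s assigned=%s packet_src=%s",
                    identity, sa.inner_ip, src)
        if self.delete_sa_on_failure:
            del self.sas[identity]
            self.pool.release(identity)
            return "drop+delete_sa"
        return "drop"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    gw = TunnelGateway(ConfigModePool("10.0.0.0/29"))          # constructed pool
    sa = gw.establish("alice@example.com", "203.0.113.10")     # constructed client
    print(sa, gw.receive("alice@example.com", str(sa.inner_ip)),
          gw.receive("alice@example.com", "10.0.0.2"))
```

A spoofed inner source address is the case the check exists for: a client could otherwise inject packets claiming another client's or an internal host's address through its own tunnel, and the per-SA comparison stops that before the packet reaches the rule set.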
Local Gateway
In the situation where clients are initiating IPsec connections to the firewall, the usual situation is
that the client will send the initial IKE request to the IP address bound to a physical interface.
However, if there are other IP addresses being ARP published on the interface and IKE requests
are being sent to these addresses, the IPsec tunnel property Local Gateway is used to specify the
IP addresses on which IKE requests will be accepted.
The Local Gateway property is never used if NetDefendOS is initiating the IPsec tunnel
connection.
The Client's Inner and Outer IPs Should Be Different
With IKEv1, NetDefendOS requires that a roaming client's inner and outer IP addresses for the
tunnel should be different. If they are the same, connections will be dropped by NetDefendOS
and a ruleset_drop_packet log message will be generated with rule=Default_Access_Rule.
If the IP addresses must be the same, the situation can be corrected by using separate routing
tables for the tunnel itself and the traffic the tunnel carries. Alternatively, NetDefendOS can
allocate a unique IP address to clients from an IP pool using Config Mode.
9.4.4. IKEv2 Support
Chapter 9: VPN
713