Determining where you will terminate your VPNs
Planning Your VPN Configuration
More about virtual burbs and VPNs
Consider a VPN association that is implemented without the use of a
virtual burb. Not only will VPN traffic mix with non-VPN traffic, but
there is no way to enforce a different set of rules for the VPN traffic.
This is because proxies and ACLs, the agents that enforce the rules on a
Sidewinder, are applied on a per-burb basis, not to specific traffic
within a burb.
Note: Do not terminate VPN connections in the Internet burb.
You can define up to nine physical and virtual burbs. For example, if
you have two distinct types of VPN associations and you want to
apply a different set of rules to each type, simply create two virtual
burbs, then configure the required proxies and ACLs for each virtual
burb.
One question that might come to mind when using a virtual burb is:
"How does VPN traffic get to the virtual burb if it doesn’t have a
network card?" The answer is found in the way that a VPN security
association is defined on the Sidewinder. All VPN traffic originating
from the Internet initially arrives in the Internet burb. A VPN security
association, however, can terminate VPN traffic in any burb on the
Sidewinder. By terminating the VPN in a virtual burb, the VPN traffic
is automatically routed to that virtual burb within Sidewinder.
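The per-burb enforcement described above can be made concrete with a small policy model. This is an added illustration, not Sidewinder code or anything from the guide: the burb names, the ports and the packets are constructed, and a burb's proxies and ACLs are stood in for by a set of permitted destination ports. It contrasts terminating a VPN in a shared physical burb (one rule set for VPN and non-VPN traffic alike) with terminating it in a virtual burb that carries its own rules, and it enforces the two constraints the page states: at most nine burbs, and no VPN termination in the Internet burb.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MAX_BURBS = 9  # limit of physical plus virtual burbs stated on the page


@dataclass(frozen=True)
class Packet:
    """A packet as policy sees it. arrival_burb is the physical burb whose
    interface received it; via_vpn names the VPN association that carried
    it (None for plain, non-VPN traffic)."""
    src: str
    dst_port: int
    arrival_burb: str
    via_vpn: Optional[str] = None


@dataclass(frozen=True)
class Burb:
    name: str
    allowed_ports: frozenset  # stand-in for the burb's proxies and ACLs


class BurbPolicy:
    """Toy model (not Sidewinder code): rules attach to burbs, and each VPN
    association selects the burb in which its traffic is terminated."""

    def __init__(self, burbs, internet_burb: str = "internet"):
        if len(burbs) > MAX_BURBS:
            raise ValueError(f"at most {MAX_BURBS} burbs can be defined")
        self.burbs: Dict[str, Burb] = {b.name: b for b in burbs}
        self.internet_burb = internet_burb
        self.termination: Dict[str, str] = {}  # VPN association -> burb

    def terminate_vpn(self, vpn: str, burb: str) -> None:
        if burb == self.internet_burb:
            raise ValueError("VPN connections must not terminate in the Internet burb")
        if burb not in self.burbs:
            raise KeyError(f"unknown burb {burb!r}")
        self.termination[vpn] = burb

    def burb_for(self, pkt: Packet) -> str:
        # VPN traffic arrives on the Internet interface but is delivered to
        # the burb its association terminates in; other traffic stays in
        # the burb where it arrived.
        if pkt.via_vpn is not None:
            return self.termination[pkt.via_vpn]
        return pkt.arrival_burb

    def permits(self, pkt: Packet) -> bool:
        # Per-burb enforcement: the only rule set consulted is the one
        # belonging to the burb the packet ends up in.
        return pkt.dst_port in self.burbs[self.burb_for(pkt)].allowed_ports


def compare_designs() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: partner VPN traffic should reach port 445 on an
    internal file server, while ordinary LAN hosts should not."""
    vpn_pkt = Packet("10.9.0.5", 445, arrival_burb="internet", via_vpn="partner-vpn")
    lan_pkt = Packet("192.168.1.20", 445, arrival_burb="internal")

    # Design A: terminate the VPN in the physical internal burb. That burb's
    # ACL now has to admit 445 for everyone in it, VPN or not.
    shared = BurbPolicy([Burb("internet", frozenset({80, 443})),
                         Burb("internal", frozenset({80, 445}))])
    shared.terminate_vpn("partner-vpn", "internal")

    # Design B: a virtual burb with a rule set that applies to the VPN alone.
    split = BurbPolicy([Burb("internet", frozenset({80, 443})),
                        Burb("internal", frozenset({80})),
                        Burb("vpn-partners", frozenset({445}))])
    split.terminate_vpn("partner-vpn", "vpn-partners")

    return {
        "shared_burb": {"vpn_445": shared.permits(vpn_pkt),
                        "lan_445": shared.permits(lan_pkt)},
        "virtual_burb": {"vpn_445": split.permits(vpn_pkt),
                         "lan_445": split.permits(lan_pkt)},
    }


if __name__ == "__main__":
    print(compare_designs())
```

In the shared design the LAN host reaches port 445 as a side effect of admitting the VPN, because both are judged by the internal burb's rules; in the virtual-burb design the VPN gets its own rule set and the LAN host is denied.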
Defining a virtual burb
To create a virtual burb on the Sidewinder for terminating a VPN, do
the following.
1. Select Firewall Administration -> Burb Configuration.
2. Click New and create the new virtual burb.
3. Click Apply.
4. Assign DNS to listen for the virtual burb. Enter the following command:
   cf dns add listen burb=burbname
   where:
   burbname = the name you have assigned your virtual burb
5. Verify that DNS is listening on the virtual burb by typing the following
   command:
   cf dns query