With an HA cluster, this means the shared and private IP will be the same.
• Manual
  This option allows the administrator to choose a specific IP. It is possible to choose two IPs:
  i. The non-HA IP address. This is the IPv4 address that will be used except for cluster situations.
  ii. The HA IP address. This address will be used in HA clusters as the shared and private IP.
If the local network for the tunnel is all-nets then NetDefendOS will not be able to assign an IP address and a value will have to be assigned manually.
Also note that a core route is automatically added to all routing tables so that the originator IP address is routed on core.
Remote Initiation of Tunnel Establishment
When another NetDefend Firewall or another IPsec compliant networking product (also known as the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall, the list of currently defined IPsec tunnels in the NetDefendOS configuration is examined. If a matching tunnel definition is found, that tunnel is opened. The associated IKE and IPsec negotiations then take place, resulting in the tunnel becoming established to the remote endpoint.
Local Initiation of Tunnel Establishment
Alternatively, a user on a protected local network might try to access a resource which is located at the far end of an IPsec tunnel. In this case, NetDefendOS sees that the route for the IP address of the resource is through a defined IPsec tunnel, and establishment of the tunnel is then initiated from the local NetDefend Firewall.
IP Rules Control Decrypted Traffic
Note that an established IPsec tunnel does not automatically mean that all the traffic flowing from the tunnel is trusted. On the contrary, network traffic that has been decrypted will be checked against the IP rule set. When doing this IP rule set check, the source interface of the traffic will be the associated IPsec tunnel, since tunnels are treated like interfaces in NetDefendOS.
In addition, a Route or an Access rule may have to be defined for roaming clients in order for NetDefendOS to accept specific source IP addresses from the IPsec tunnel.
Returning Traffic
For network traffic going in the opposite direction, back into an IPsec tunnel, a reverse process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and route match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is found, NetDefendOS will try to establish a new tunnel to the remote endpoint specified by a matching IPsec tunnel definition.
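The three decisions described in the sections above (a route pointing into a tunnel triggers local establishment, decrypted traffic is rule-checked with the tunnel as its source interface, and a roaming client's source address is only accepted once a Route or Access rule covers it) can be modelled in a few lines. The following Python is an added illustration, not NetDefendOS code; the interface names (lan, wan, ipsec_hq), networks and rules are constructed for the example.

```python
from ipaddress import ip_address, ip_network

def route_lookup(routes, addr):
    """Longest-prefix match over (network, interface) pairs.
    Because an IPsec tunnel is an interface, the result may name a tunnel."""
    best = None
    for net, iface in routes:
        n = ip_network(net)
        if ip_address(addr) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface)
    return best[1] if best else None

def evaluate(routes, rules, src_iface, src, dst):
    """Model the decision for one (already decrypted) packet.
    Returns (verdict, egress_iface, must_establish_tunnel)."""
    egress = route_lookup(routes, dst)
    if egress is None:
        return ("drop:no-route", None, False)
    # The source address must be routed on the interface it arrived on; a
    # roaming client's address is accepted only once a Route (or Access rule)
    # covers it on the tunnel interface.
    if route_lookup(routes, src) != src_iface:
        return ("drop:reverse-route", egress, False)
    for r_si, r_sn, r_di, r_dn, action in rules:   # first match wins
        if (r_si in (src_iface, "any") and ip_address(src) in ip_network(r_sn)
                and r_di in (egress, "any") and ip_address(dst) in ip_network(r_dn)):
            # Traffic routed into a tunnel triggers establishment if it is down.
            return (action, egress, egress.startswith("ipsec_"))
    return ("drop:no-rule", egress, False)  # default deny

# Constructed sample configuration; names are illustrative, not NetDefendOS objects.
ROUTES = [("10.0.0.0/24", "lan"), ("192.168.50.0/24", "ipsec_hq"), ("0.0.0.0/0", "wan")]
RULES = [("ipsec_hq", "192.168.50.0/24", "lan", "10.0.0.0/24", "allow"),
         ("lan", "10.0.0.0/24", "ipsec_hq", "192.168.50.0/24", "allow")]
# Common mistake: keying the rule on wan, where the *encrypted* packet arrived.
WRONG_RULES = [("wan", "192.168.50.0/24", "lan", "10.0.0.0/24", "allow")]

if __name__ == "__main__":
    # Decrypted packet from the tunnel: its source interface is the tunnel, not wan.
    print(evaluate(ROUTES, RULES, "ipsec_hq", "192.168.50.7", "10.0.0.20"))
    print(evaluate(ROUTES, WRONG_RULES, "ipsec_hq", "192.168.50.7", "10.0.0.20"))
    # Local host reaching the remote network: the route points into the tunnel.
    print(evaluate(ROUTES, RULES, "lan", "10.0.0.20", "192.168.50.7"))
    # Roaming client: dropped until a route for its address exists on the tunnel.
    print(evaluate(ROUTES, RULES, "ipsec_hq", "172.16.5.5", "10.0.0.20"))
    print(evaluate(ROUTES + [("172.16.5.0/24", "ipsec_hq")],
                   RULES + [("ipsec_hq", "172.16.5.0/24", "lan", "10.0.0.0/24", "allow")],
                   "ipsec_hq", "172.16.5.5", "10.0.0.20"))
```

The second and fourth cases are the ones worth checking on a real unit: both drop silently under default deny, which is the expected symptom when a rule names the wrong source interface or a roaming client's address has no route on the tunnel.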
No IP Rules Are Needed for the Enclosing IPsec Traffic
Chapter 9: VPN
702