VPN
71
•
Phase I
is the negotiation and establishment up of the IKE connection.
•
Phase II
is the negotiation and establishment up of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (secu-
rity associations).
Policies
VPN configuration settings are stored in
Policies
.
Each policy defines:
•
The address of the remote VPN endpoint
•
The traffic which is allowed to use the VPN connection.
•
The parameters (settings) for the IPsec SA (Security Association)
•
If IKE is used, the parameters (settings) for the IKE SA (Security Association)
Generally, you will need at least one (1) VPN Policy for each remote site for which you
wish to establish VPN connections.
It is possible, and sometimes necessary, to have multiple Policies for the same remote
site. In this case, the order (sequence) of the policies is important. The policies are
examined in turn, and the first matching policy will be used.
VPN Configuration
The general rule is that each endpoint must have matching Policies, as follows:
Remote VPN ad-
dress
Each VPN endpoint must be configured to initiate or accept
connections to the remote VPN client or Gateway.
Usually, this requires having a fixed Internet IP address.
However, it is possible for a VPN Gateway to accept incom-
ing connections from a remote client where the client's IP
address is not known in advance.
Traffic Selector
This determines which outgoing traffic will cause a VPN
connection to be established, and which incoming traffic will
be accepted. Each endpoint must be configured to pass and
accept the desired traffic from the remote endpoint.
If connecting 2 LANs, this requires that:
•
Each endpoint must be aware of the IP addresses used
on the other endpoint.
•
The 2 LANs MUST use different IP address ranges.
IKE parameters
If using IKE (recommended), the IKE parameters must match
(except for the SA lifetime, which can be different).
IPsec parameters
The IPsec parameters at each endpoint must match.