D-Link DFL-260E User Manual for DFL-260E - Page 438
IPsec Tunnels, 9.4.1. Overview, IP Rules Control Decrypted Traffic
Chapter 9. VPN

9.4. IPsec Tunnels

This section looks more closely at IPsec tunnels in NetDefendOS, their definition, options and usage.

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.

Remote Initiation of Tunnel Establishment

When another NetDefend Firewall or another IPsec compliant networking product (also known as the remote endpoint) tries to establish an IPsec VPN tunnel to a local NetDefend Firewall, the list of currently defined IPsec tunnels in the NetDefendOS configuration is examined. If a matching tunnel definition is found, that tunnel is opened. The associated IKE and IPsec negotiations then take place, resulting in the tunnel becoming established to the remote endpoint.

Local Initiation of Tunnel Establishment

Alternatively, a user on a protected local network might try to access a resource which is located at the end of an IPsec tunnel. In this case, NetDefendOS sees that the route for the IP address of the resource is through a defined IPsec tunnel, and establishment of the tunnel is then initiated from the local NetDefend Firewall.

IP Rules Control Decrypted Traffic

Note that an established IPsec tunnel does not automatically mean that all the traffic flowing from the tunnel is trusted. On the contrary, network traffic that has been decrypted will be checked against the IP rule set. When doing this IP rule set check, the source interface of the traffic will be the associated IPsec tunnel, since tunnels are treated like interfaces in NetDefendOS. In addition, a Route or an Access rule may have to be defined for roaming clients in order for NetDefendOS to accept specific source IP addresses from the IPsec tunnel.

Returning Traffic

For network traffic going in the opposite direction, back into an IPsec tunnel, the reverse process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and a route match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is found, NetDefendOS will try to establish a new tunnel to the remote endpoint specified by a matching IPsec tunnel definition.

No IP Rules Are Needed for the Enclosing IPsec Traffic

With IPsec tunnels, the administrator usually sets up IP rules that allow unencrypted traffic to flow into the tunnel (the tunnel being treated as a NetDefendOS interface). However, it is normally not necessary to set up IP rules that explicitly allow the packets that implement IPsec itself. IKE and ESP packets are by default dealt with by the NetDefendOS internal IPsec engine and the IP rule set is not consulted. This behavior can be changed in the IPsec advanced settings section with the IPsec Before Rules setting. An example of why this might be done is if there are a high number of IPsec tunnel
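The processing order described in this section, modelled as an added example in Python (not NetDefendOS code or configuration): decrypted traffic is evaluated against the IP rule set with the tunnel as its source interface, cleartext traffic bound for a tunnel route needs a matching rule before a tunnel is looked up or initiated, and enclosing IKE/ESP packets bypass the rule set while IPsec Before Rules is enabled. The tunnel name, rule set, routes and addresses are constructed sample values, and the assumed default of the IPsec Before Rules setting is marked in the code.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy: one IPsec tunnel, "ipsec_hq", seen as an interface.
TUNNELS = {"ipsec_hq"}
# (source interface, source network, destination interface, destination network, action)
RULES = [
    ("ipsec_hq", "10.1.0.0/16", "lan", "192.168.1.0/24", "Allow"),
    ("lan", "192.168.1.0/24", "ipsec_hq", "10.1.0.0/16", "Allow"),
]
# Routing table: destination network -> outgoing interface (tunnel routes included).
ROUTES = {"192.168.1.0/24": "lan", "10.1.0.0/16": "ipsec_hq", "0.0.0.0/0": "wan"}


def route_lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match; returns the interface the destination is reached through."""
    best = max((n for n in routes if ip_address(dst_ip) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return routes[best]


def rule_lookup(src_if, src_ip, dst_if, dst_ip, rules=RULES):
    """First matching IP rule wins; no match means the default deny."""
    for r_src_if, r_src_net, r_dst_if, r_dst_net, action in rules:
        if (r_src_if == src_if and r_dst_if == dst_if
                and ip_address(src_ip) in ip_network(r_src_net)
                and ip_address(dst_ip) in ip_network(r_dst_net)):
            return action
    return "Drop"


def inbound(in_if, src_ip, dst_ip, kind="data", ipsec_before_rules=True):
    """Packet arriving on in_if. kind is 'ike', 'esp' or 'data' (already decrypted
    when in_if is a tunnel). Assumption: IPsec Before Rules is enabled by default."""
    if kind in ("ike", "esp") and ipsec_before_rules:
        return "ipsec-engine"  # enclosing IPsec traffic: rule set not consulted
    # Decrypted traffic is not trusted: evaluated with the tunnel as source interface.
    return rule_lookup(in_if, src_ip, route_lookup(dst_ip), dst_ip)


def outbound(in_if, src_ip, dst_ip, established=frozenset()):
    """Cleartext packet from a protected network: rule and route first, then tunnel state."""
    out_if = route_lookup(dst_ip)
    if rule_lookup(in_if, src_ip, out_if, dst_ip) != "Allow":
        return "Drop"
    if out_if not in TUNNELS:
        return f"forward:{out_if}"
    return f"send:{out_if}" if out_if in established else f"initiate:{out_if}"
```

The fourth case below is the one worth noticing: a source address the tunnel rule does not cover is dropped even though the tunnel itself is up, which is why roaming clients need an explicit Route or Access rule.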