Nortel Networks 620 User Manual

Chapter 6
Advanced Features
E-DOC-CTC-20051017-0169 v0.1
6.8 One Peer - Multiple Connections
Multiple tunnels
To set up a Phase 2 tunnel, a Phase 1 IKE tunnel is required first. The signalling messages that negotiate the Phase 2 tunnel are carried over this Phase 1 tunnel.
The SpeedTouch™ allows several Phase 2 tunnels to be set up over a common Phase 1 tunnel. The configuration example below shows a single peer with several connections attached to it. Traffic originating from network 10.0.0.0/8 is sent through one of the Phase 2 tunnels, depending on the destination IP address. If no IPSec policy matches, the packet is sent unencrypted: the fallback is cleartext rather than a drop, so any destination that no remote network selector covers leaves the device unprotected.
[ipsec connection]=>network
[ipsec connection network]=>list
[n1] : range 10.60.11.[20-30]
[n2] : address 10.50.2.22
[n3] : subnet 10.50.2.128/25
[ipsec connection network]=>..
[ipsec connection]=>list
[connect1]
Peer           : rempeer2
Local network  : n1
Remote network : n2
Always on      : disabled
Descriptors    : AES_HMAC-MD5_TUNNEL
Options        : <unset>
State          : enabled
[connect2]
Peer           : rempeer2
Local network  : n1
Remote network : n3
Always on      : disabled
Descriptors    : NullEnc_HMAC-SHA1_TUNNEL
Options        : <unset>
State          : enabled
[ipsec connection]=>
The IPSec descriptors of the two Phase 2 connections may differ. In this example connect1 uses AES with HMAC-MD5, while connect2 uses NullEnc with HMAC-SHA1: traffic to n3 is authenticated but not encrypted, so that descriptor is only appropriate where integrity, not confidentiality, is required.
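As an added example (not part of the manual and not SpeedTouch code), the following Python models the policy lookup the listing above implies: it parses the three network definitions in the range, address and subnet syntax shown, walks the enabled connections in order, and returns the matching connection, or None when the packet would leave unencrypted. The first-match rule and the local selector (n1, as in the listing, rather than the 10.0.0.0/8 mentioned in the prose) are assumptions for the illustration; the device's actual policy engine is not documented on this page.

```python
import ipaddress
import re

# Constructed to mirror the SpeedTouch listing: network definitions and the
# two Phase 2 connections hanging off the single peer rempeer2.
NETWORKS = {
    "n1": "range 10.60.11.[20-30]",
    "n2": "address 10.50.2.22",
    "n3": "subnet 10.50.2.128/25",
}

CONNECTIONS = [
    {"name": "connect1", "peer": "rempeer2", "local": "n1", "remote": "n2",
     "descriptor": "AES_HMAC-MD5_TUNNEL", "state": "enabled"},
    {"name": "connect2", "peer": "rempeer2", "local": "n1", "remote": "n3",
     "descriptor": "NullEnc_HMAC-SHA1_TUNNEL", "state": "enabled"},
]

# "range a.b.c.[lo-hi]" as shown in the listing (last octet range only).
RANGE_RE = re.compile(r"^range (\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def parse_network(definition):
    """Turn a network definition into a predicate over an IPv4Address."""
    definition = definition.strip()
    m = RANGE_RE.match(definition)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        first = ipaddress.IPv4Address(f"{prefix}.{lo}")
        last = ipaddress.IPv4Address(f"{prefix}.{hi}")
        return lambda ip: first <= ip <= last
    if definition.startswith("address "):
        host = ipaddress.IPv4Address(definition.split(" ", 1)[1])
        return lambda ip: ip == host
    if definition.startswith("subnet "):
        net = ipaddress.IPv4Network(definition.split(" ", 1)[1], strict=False)
        return lambda ip: ip in net
    raise ValueError(f"unsupported network definition: {definition!r}")


def select_connection(src, dst, networks=NETWORKS, connections=CONNECTIONS):
    """Return the first enabled connection whose local and remote selectors
    match the packet, or None when no IPSec policy matches (assumed
    first-match semantics; a None result means the packet goes out in clear)."""
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    matchers = {name: parse_network(d) for name, d in networks.items()}
    for conn in connections:
        if conn["state"] != "enabled":
            continue
        if matchers[conn["local"]](src) and matchers[conn["remote"]](dst):
            return conn
    return None


def describe(src, dst):
    """Human-readable verdict for a src->dst packet."""
    conn = select_connection(src, dst)
    if conn is None:
        return "CLEARTEXT"
    return f"{conn['name']} ({conn['descriptor']})"


def null_encryption_connections(connections=CONNECTIONS):
    """Names of enabled connections whose descriptor uses null encryption:
    ESP then authenticates the payload but does not encrypt it."""
    return [c["name"] for c in connections
            if c["state"] == "enabled" and c["descriptor"].startswith("NullEnc")]


if __name__ == "__main__":
    for dst in ("10.50.2.22", "10.50.2.200", "10.50.3.1"):
        print(f"10.60.11.25 -> {dst}: {describe('10.60.11.25', dst)}")
    print("null-encryption connections:", null_encryption_connections())
```

The third probe (destination 10.50.3.1) falls outside both n2 and n3 and so reports CLEARTEXT, which is the case the manual warns about; a real deployment would add a catch-all policy or a firewall rule rather than rely on the cleartext fallback.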
[Figure: SpeedTouch620 [1] and SpeedTouch620 [2] joined by one Phase 1 (IKE) tunnel (IKE1) that carries two Phase 2 tunnels, conn1 and conn2]