Nortel Networks 620 User Manual

Chapter 6
Advanced Features
E-DOC-CTC-20051017-0169 v0.1
214
Local network
[localnetwork]
This parameter is used in the proposal presented to the remote Security Gateway
during the Phase 2 negotiation. It determines which messages have access to the
IPSec connection at the local side of the tunnel. This is a basic parameter for the
dynamic IPSec policy capabilities of the SpeedTouch™. As an outcome of the
Phase 2 negotiation, a static IPSec policy is derived. This results in a cloned
connection, where the parameters localmatch, remotematch, localselector and
remoteselector are automatically filled in by the SpeedTouch™.
The valid settings are:
the keyword: retrieve_from_server
This setting can be used in an IPSec client/server configuration. It is only 
relevant at the client side of the connection where the SpeedTouch™ acts as 
an initiator for the IPSec Security Association. 
the keyword: black_ip
This setting is used only for remote management scenarios where the IPSec 
tunnel is used exclusively for information generated or terminated by the 
SpeedTouch™. 
a symbolic name of a network descriptor
This is the most common selection in a site-to-site application. In this case the 
localnetwork parameter holds the symbolic name of the network descriptor 
that refers to the local private network having access to the IPSec connection. 
As mentioned above, the access can be restricted to a single protocol and port 
number.
Remote network
[remotenetwork]
This parameter describes the remote network that may use the IPSec connection.
It expresses a dynamic policy which, during the Phase 2 negotiation, results in a
static policy expressed by the localmatch, remotematch, localselector and
remoteselector parameters.
The valid settings are:
the keyword: retrieve_from_server
This setting can be used in an IPSec client/server configuration. It is only 
relevant at the client side of the connection where the SpeedTouch™ acts as 
an initiator for the IPSec Security Association. 
the keyword: allocated_virtual_ip
This setting can be used in an IPSec client/server configuration. It is only 
relevant at the server side of the connection.
the keyword: black_ip
Designates the public IP address of the remote Security Gateway as the end 
user of the secure connection. This setting is useful for a connection that 
serves secure remote management of the remote Security Gateway. 
a symbolic name of a network descriptor
This setting is used when the network environment at the remote side is 
completely known. This is often the case in a site-to-site application where the 
VPN structure and the use of specific ranges of IP addresses are under the 
control of a network manager.
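As an added illustration (not SpeedTouch code; the product's internal data structures are not documented on this page), the following Python models how the dynamic localnetwork and remotenetwork settings described above are resolved into the static selectors of the cloned connection at the end of Phase 2, including which keywords are only meaningful at the client or server side. The descriptor table, addresses and function names are constructed for the example.

```python
from ipaddress import ip_network

# Constructed network-descriptor table (sample data, not SpeedTouch output):
# symbolic name -> (prefix, protocol, port); protocol/port restrict access as the manual allows.
DESCRIPTORS = {
    "lan_hq": ("10.1.0.0/24", "any", None),
    "lan_web": ("192.168.5.0/24", "tcp", 443),
}

def resolve_selector(value, side, role, own_black_ip, peer_black_ip,
                     assigned_vip=None, server_offer=None):
    """Turn one dynamic localnetwork/remotenetwork value into a static selector
    (prefix, protocol, port). side is "local" or "remote"; role is "client" or
    "server". Raises ValueError when a keyword is used where the manual says it
    is not relevant (hypothetical behaviour, modelled from the text only)."""
    if value == "retrieve_from_server":
        if role != "client":
            raise ValueError("retrieve_from_server only applies at the client (initiator) side")
        if server_offer is None:
            raise ValueError("server supplied no selector during Phase 2")
        return server_offer
    if value == "allocated_virtual_ip":
        if side != "remote" or role != "server":
            raise ValueError("allocated_virtual_ip only applies to remotenetwork at the server side")
        if assigned_vip is None:
            raise ValueError("no virtual IP allocated to this client")
        return (f"{assigned_vip}/32", "any", None)
    if value == "black_ip":  # own public address for the local side, the peer gateway's for remote
        host = own_black_ip if side == "local" else peer_black_ip
        return (f"{host}/32", "any", None)
    if value in DESCRIPTORS:
        prefix, proto, port = DESCRIPTORS[value]
        return (str(ip_network(prefix)), proto, port)
    raise ValueError(f"unknown keyword or network descriptor: {value}")

def derive_static_policy(conn, role, own_black_ip, peer_black_ip,
                         assigned_vip=None, server_offer=(None, None)):
    """Phase 2 outcome: the cloned connection's static selectors. The manual also
    lists localmatch/remotematch among the derived parameters; they are not modelled."""
    local = resolve_selector(conn["localnetwork"], "local", role, own_black_ip,
                             peer_black_ip, assigned_vip, server_offer[0])
    remote = resolve_selector(conn["remotenetwork"], "remote", role, own_black_ip,
                              peer_black_ip, assigned_vip, server_offer[1])
    return {"localselector": local, "remoteselector": remote}

if __name__ == "__main__":
    site = {"localnetwork": "lan_hq", "remotenetwork": "lan_web"}
    print(derive_static_policy(site, "server", "203.0.113.1", "198.51.100.7"))
```

Running it on the site-to-site connection prints both selectors with the remote side restricted to tcp/443, which is the protocol-and-port restriction the descriptor carries.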