Avaya 3.7 User Manual
Issue 4 May 2005
In tunnel mode (security gateways and VPNremote Client only), IP packets between members 
are secured by encrypting and authenticating the entire packet, including the addressing 
header. The encrypted and authenticated packet is then used as the payload of a new packet 
with a new addressing header. This new addressing header specifies the IP addresses of the 
packet's source and destination, whether they are two security gateways or a VPNremote Client 
and a security gateway.
The choice between using transport and tunnel mode involves many factors, including the use 
of private IP addresses for Groups and security concerns about the visibility of member 
workstation IP addresses.
The following key management and packet mode combinations are supported:
SKIP in Transport or Tunnel mode.
IKE in Tunnel mode only.
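The difference between the two modes, as an added example that is not part of the Avaya manual: the block below builds a small IPv4 packet between two private member workstations, wraps it in an ESP-style envelope in tunnel mode (whole packet, addressing header included, becomes the protected payload and a new outer header names the two gateways) and in transport mode (original header kept, only the payload protected), and shows what a passive observer on the public network can read from each. The hostnames, addresses, keys, SPI and the ESP framing are assumptions made for the example; the keystream cipher is a toy built from HMAC-SHA256 so the code runs offline with the standard library, standing in for the AES a real gateway would use, and is not secure.

```python
# Added example (not from the Avaya manual): tunnel vs. transport mode with an
# ESP-style wrapper, stdlib only. The keystream cipher below is a toy built from
# HMAC-SHA256 so the code runs offline; it stands in for AES and is NOT secure.
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
ICV_LEN = 16  # truncated HMAC-SHA256 tag, like HMAC-SHA-256-128


def _checksum(hdr: bytes) -> int:
    """IPv4 one's-complement header checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options) around `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """What a passive observer can read from the outermost header."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, iv || counter). Not for real use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi, seq, plaintext, next_header, enc_key, auth_key, iv):
    """SPI | Seq | IV | Enc(plaintext | pad | pad_len | next_header) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4  # ESP trailer aligns to 4 bytes
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, iv, len(body))))
    authed = struct.pack("!II", spi, seq) + iv + ct
    return authed + hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(esp, enc_key, auth_key):
    """Check the ICV before touching the ciphertext; return (plaintext, next_header)."""
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    iv, ct = authed[8:24], authed[24:]
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
    pad_len, next_header = body[-2], body[-1]
    return body[:len(body) - pad_len - 2], next_header


def tunnel_mode(inner, gw_src, gw_dst, spi, seq, enc_key, auth_key, iv):
    """Whole inner packet (header included) becomes the ESP payload; the new outer
    header names the two gateways (or a gateway and a VPNremote Client)."""
    esp = esp_encapsulate(spi, seq, inner, 4, enc_key, auth_key, iv)  # 4 = IP-in-IP
    return ipv4_packet(gw_src, gw_dst, IPPROTO_ESP, esp)


def transport_mode(inner, spi, seq, enc_key, auth_key, iv):
    """Only the payload is protected; the original addressing header stays in clear."""
    f = parse_ipv4(inner)
    esp = esp_encapsulate(spi, seq, f["payload"], f["proto"], enc_key, auth_key, iv)
    return ipv4_packet(f["src"], f["dst"], IPPROTO_ESP, esp)


def tunnel_unwrap(outer, enc_key, auth_key):
    """Receiving gateway: strip the outer header, verify, decrypt, recover the inner packet."""
    inner, nh = esp_decapsulate(parse_ipv4(outer)["payload"], enc_key, auth_key)
    if nh != 4:
        raise ValueError("not a tunnel-mode packet")
    return inner


def tamper_detected(outer, enc_key, auth_key, idx):
    """Flip one bit at byte `idx` of the outer packet; True if the ICV check rejects it."""
    bad = bytearray(outer)
    bad[idx] ^= 1
    try:
        tunnel_unwrap(bytes(bad), enc_key, auth_key)
    except ValueError:
        return True
    return False


# Constructed sample (not from the manual): two private workstations behind two gateways.
ENC_KEY, AUTH_KEY, IV = b"k" * 32, b"a" * 32, bytes(range(16))
HOST_A, HOST_B = "10.1.1.20", "10.2.2.30"
GW_A, GW_B = "198.51.100.1", "203.0.113.1"
INNER = ipv4_packet(HOST_A, HOST_B, 6, b"GET / HTTP/1.0\r\n\r\n")
```

Running `parse_ipv4(tunnel_mode(INNER, GW_A, GW_B, ...))` shows only the gateway addresses and protocol 50; the member workstation addresses exist only inside the ciphertext. The same packet in transport mode still exposes `10.1.1.20` and `10.2.2.30` in the clear, which is the visibility concern the text raises. Note that in tunnel mode the outer header itself is not covered by the ESP ICV, so `tamper_detected` reports a flipped bit in the inner (encrypted) header but not one in the outer addressing header.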
Default VPN policy
Default VPN applies only to IKE VPNs and is used in conjunction with RADIUS 
authentication. Only one VPN can be the default VPN in a domain. When you create a VPN, 
you can enable this function.
Default Policy is an alternative method of external user authentication. This feature is suited for 
large IKE-based VPNs where hundreds or even thousands of users are authenticated, or where 
the ability to scale the VPN to large numbers of authenticated users is required. This default 
VPN policy is applied to any remote user authenticated successfully by the external RADIUS 
server.
When a remote user requests CCD from the security gateway, the security gateway's RADIUS 
client contacts the RADIUS server to authenticate the user. Upon successful authentication, the 
CCD server provides the default VPN policy to the user.
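The exchange described above, as an added example that is not part of the Avaya manual and does not reproduce the security gateway's or CCD server's actual code: the gateway's RADIUS client sends an Access-Request with the User-Password hidden as RFC 2865 section 5.2 prescribes, the external RADIUS server answers Access-Accept or Access-Reject with a Response Authenticator, and the gateway hands the domain's default VPN policy only to a user whose Accept it could verify against the shared secret. The user table, the policy name and the shared secret are constructed for the example.

```python
# Added example (not from the Avaya manual): the RADIUS Access-Request/Access-Accept
# exchange behind default-policy delivery, using the RFC 2865 password-hiding and
# Response Authenticator rules. The user table and policy name are constructed here.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed data: what the external RADIUS server knows, and the single default VPN
# of the domain (hypothetical policy name).
USERS = {"alice": b"s3cret-pass", "bob": b"hunter2"}
DEFAULT_VPN_POLICY = "corp-default-vpn"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(password[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_request(ident: int, user: str, password: bytes, secret: bytes,
                  request_auth: bytes = None) -> bytes:
    ra = request_auth or os.urandom(16)  # Request Authenticator must be unpredictable
    pairs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_USER_PASSWORD, hide_password(password, secret, ra))]
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, ln = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + ln]
        pos += ln
    return code, ident, pkt[4:20], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A reply whose authenticator does not match was not built with our shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


def radius_server(request: bytes, secret: bytes) -> bytes:
    """External RADIUS server: recover the password and answer Accept or Reject."""
    code, ident, ra, attrs = parse_packet(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    given = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = user in USERS and hmac.compare_digest(given, USERS[user])
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, secret)


def ccd_policy_for(user: str, password: bytes, secret: bytes = b"gw-radius-secret"):
    """Security gateway side: authenticate via RADIUS, verify the reply came from the
    server holding the shared secret, then hand out the default VPN policy (or None)."""
    req = build_request(7, user, password, secret)
    resp = radius_server(req, secret)
    if not verify_response(resp, req[4:20], secret):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    return DEFAULT_VPN_POLICY if resp[0] == ACCESS_ACCEPT else None
```

The check in `ccd_policy_for` matters for a large user population: the gateway must release the default policy only on an Access-Accept it can tie to the shared secret, otherwise a spoofed Accept on the path between gateway and RADIUS server would enrol any caller into the VPN. The MD5-based hiding and authenticator are what RFC 2865 specifies; they are an authenticity check keyed on the shared secret, not confidentiality for the rest of the packet.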
Figure: Tunnel Mode. The Original IP Packet (Source Address | Dest. Address | Payload) has IPSec/SKIP overhead applied and becomes the payload of a Secured VPN IP Packet (IP Packet with Applied VPN Services) whose new addressing header carries the Src VSU or Client Address and the Dest VSU or Client Address.