Trendnet TW100-BRV204 User Manual

VPN 
69 
•  Phase I is the negotiation and establishment of the IKE connection. 
•  Phase II is the negotiation and establishment of the IPsec connection. 
Because the IKE and IPsec connections are separate, they have different SAs (security associations). 
Policies 
VPN configuration settings are stored in Policies. 
Each policy defines: 
•  The address of the remote VPN endpoint 
•  The traffic which is allowed to use the VPN connection. 
•  The parameters (settings) for the IPsec SA (Security Association) 
•  If IKE is used, the parameters (settings) for the IKE SA (Security Association) 
Generally, you will need at least one (1) VPN Policy for each remote site for which you wish 
to establish VPN connections. 
It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In 
this case, the order (sequence) of the policies is important. The policies are examined in turn, 
and the first matching policy will be used. 
VPN Configuration 
The general rule is that each endpoint must have matching Policies, as follows: 
Remote VPN address 
  Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway. 
  Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incoming connections from a remote client where the client's IP address is not known in advance. 
Traffic Selector 
  This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. 
  Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint. 
  If connecting 2 LANs, this requires that: 
  •  Each endpoint must be aware of the IP addresses used on the other endpoint. 
  •  The 2 LANs MUST use different IP address ranges. 
IKE parameters 
  If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different). 
IPsec parameters 
  The IPsec parameters at each endpoint must match.
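The first-match policy ordering described under Policies and the endpoint-matching rules in this section, modelled as an added example (not taken from the manual or the TW100-BRV204 firmware); the field names, IKE/IPsec parameter names and all addresses are constructed for illustration:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    local_gateway: str   # this endpoint's Internet address (constructed field)
    remote_gateway: str  # the remote VPN endpoint; "any" = client IP not known in advance
    local_lan: str       # traffic selector: addresses behind this endpoint
    remote_lan: str      # traffic selector: addresses behind the remote endpoint
    ike: dict = field(default_factory=dict)    # IKE SA (Phase I) parameters
    ipsec: dict = field(default_factory=dict)  # IPsec SA (Phase II) parameters

def select_policy(policies, src_ip, dst_ip):
    """Policies are examined in turn; the first whose traffic selector covers the packet is used."""
    for p in policies:
        if (ip_address(src_ip) in ip_network(p.local_lan)
                and ip_address(dst_ip) in ip_network(p.remote_lan)):
            return p
    return None  # no matching policy: the traffic does not use the VPN

def mismatches(a, b):
    """Reasons why policy a (on one gateway) and policy b (on its peer) would fail to match."""
    problems = []
    if (a.remote_gateway not in ("any", b.local_gateway)
            or b.remote_gateway not in ("any", a.local_gateway)):
        problems.append("remote VPN address does not point at the peer")
    if a.local_lan != b.remote_lan or a.remote_lan != b.local_lan:
        problems.append("traffic selectors are not mirrored")
    if ip_network(a.local_lan).overlaps(ip_network(a.remote_lan)):
        problems.append("the two LANs use overlapping IP address ranges")
    # IKE parameters must match, except for the SA lifetime
    if ({k: v for k, v in a.ike.items() if k != "lifetime"}
            != {k: v for k, v in b.ike.items() if k != "lifetime"}):
        problems.append("IKE parameters differ")
    if a.ipsec != b.ipsec:
        problems.append("IPsec parameters differ")
    return problems

# Constructed sample policies; addresses and parameter values are illustrative only.
IKE_A = {"dh_group": 2, "encryption": "3des", "auth": "sha1", "lifetime": 28800}
IKE_B = {**IKE_A, "lifetime": 3600}  # lifetimes may differ; everything else must match
IPSEC = {"encryption": "3des", "auth": "sha1"}
SITE_A = Policy("to_B", "203.0.113.1", "198.51.100.2", "192.168.1.0/24", "192.168.2.0/24", IKE_A, IPSEC)
SITE_B = Policy("to_A", "198.51.100.2", "203.0.113.1", "192.168.2.0/24", "192.168.1.0/24", IKE_B, IPSEC)
# Misconfigured pair: both LANs use 192.168.1.0/24 (selectors mirror, yet the setup is invalid)
BAD_A = Policy("to_B", "203.0.113.1", "198.51.100.2", "192.168.1.0/24", "192.168.1.0/24", IKE_A, IPSEC)
BAD_B = Policy("to_A", "198.51.100.2", "203.0.113.1", "192.168.1.0/24", "192.168.1.0/24", IKE_B, IPSEC)
```

`mismatches(SITE_A, SITE_B)` returns an empty list despite the differing lifetimes, while the `BAD_*` pair is reported only for the overlapping LAN ranges.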