Nortel Networks 608(WL) User Manual

Chapter 6
Advanced Features
E-DOC-CTC-20051017-0169 v0.1
216
Remote match
[remotematch]
This setting is relevant in responder mode only.
It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter.
The remotematch expresses the traffic policy for access to a remote private network in responder mode. It describes which IP addresses, address ranges or subnets can be reached in a remote private network through an IPSec Security Association. During the Phase 2 negotiations, the proposals of the remote peer (initiator) are compared with the contents of the remotematch parameter. As a result, a remote traffic selector is derived in compliance with the local and remote traffic policies.
The valid values for the remotematch parameter are limited to specific keywords, optionally followed by a network name.
The meaning of the keywords is the following:
exactly_<network name>:
The proposal issued by the remote initiator must exactly match the network described by the symbolic network name. This network descriptor can designate an individual IP address, an IP address range, or an IP subnet in the remote private network. If the proposal of the remote initiator does not exactly match the designated net, then the local responder does not establish a Security Association.
one_of_<network name>:
The proposal issued by the remote initiator must contain an IP address that lies within the range described by the symbolic network name in order to successfully set up the Security Association.
subnet_of_<network name>:
The proposal of the remote initiator must contain a subnet that lies within the range described by the symbolic network name in order to successfully set up the Security Association.
subrange_of_<network name>:
The proposal of the remote initiator must contain a subrange that lies within the range described by the symbolic network name in order to successfully set up the Security Association.
black_ip:
The proposal of the remote initiator must contain the public IP address of the remote Security Gateway.
Keyword        Followed by a Network name:
exactly_       A symbolic name of a network descriptor, defined in the
one_of_        ipsec connection network command group.
subnet_of_
subrange_of_
black_ip       -
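The five keyword rules above can be expressed as a small responder-side check that compares the initiator's Phase 2 traffic selector with the configured remotematch. This is an added example, not SpeedTouch firmware or CLI code; it assumes network descriptors are written as a single address, a CIDR subnet or a "first-last" range, which the manual does not specify.

```python
import ipaddress

# Added example: evaluating a remote initiator's Phase 2 traffic selector
# against a remotematch keyword. The descriptor syntax used here
# ("a.b.c.d", "a.b.c.d/n" or "a.b.c.d-e.f.g.h") is an assumption; the
# manual only says a descriptor is an address, a range or a subnet.

def parse_selector(text):
    """Return (kind, first, last) for a host, subnet or range written as text."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError(f"inverted range: {text}")
        return ("range", int(lo), int(hi))
    if "/" in text:
        # strict=True rejects a subnet with host bits set, e.g. 10.0.0.5/24
        net = ipaddress.ip_network(text, strict=True)
        return ("subnet", int(net.network_address), int(net.broadcast_address))
    addr = ipaddress.ip_address(text)
    return ("host", int(addr), int(addr))

def _within(inner, outer):
    """True when the address span `inner` lies entirely inside `outer`."""
    return outer[1] <= inner[1] and inner[2] <= outer[2]

def remote_match(keyword, proposal, network=None, gateway_ip=None):
    """Decide whether the responder accepts the initiator's proposal.

    keyword:    exactly, one_of, subnet_of, subrange_of or black_ip
    network:    the descriptor named after the keyword (unused by black_ip)
    gateway_ip: public address of the remote Security Gateway (black_ip only)
    """
    prop = parse_selector(proposal)
    if keyword == "black_ip":
        if gateway_ip is None:
            raise ValueError("black_ip needs the remote gateway address")
        return prop[0] == "host" and prop[1] == int(ipaddress.ip_address(gateway_ip))
    if network is None:
        raise ValueError(f"{keyword} needs a network name")
    net = parse_selector(network)
    if keyword == "exactly":
        return prop[1:] == net[1:]          # same first and last address
    if keyword == "one_of":
        return prop[0] == "host" and _within(prop, net)
    if keyword == "subnet_of":
        return prop[0] == "subnet" and _within(prop, net)
    if keyword == "subrange_of":
        return prop[0] == "range" and _within(prop, net)
    raise ValueError(f"unknown remotematch keyword: {keyword}")
```

A proposal that fails the check corresponds to the manual's "does not establish a Security Association" outcome, so a responder would log and drop the Phase 2 exchange rather than narrow the selector.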