Patton Electronics SmartNode 4110 Series User's Manual

Key management (IKE)
373
SmartWare Software Configuration Guide 
32 • VPN configuration
Creating/modifying an outgoing ACL profile for IPSEC
This is basically the same as for manual keyed IPSEC connections and can be done as described in Chapter 26 
of the Software Configuration Guide. Make sure that your ACL allows traffic from and to UDP port 500 in 
plaintext to allow ISAKMP messages to be exchanged.
Configuration of an IP interface and the IP router for IPSEC
This is exactly the same as for manual keyed IPSEC connections and can be done as described in Chapter 26 of 
the Software Configuration Guide.
Policy matching
Normally, when an initial ISAKMP message is received from the network, the system tries to find the corresponding ISAKMP IPSEC policy by matching the received source IP address against the peer IP address of an IPSEC policy.
However, in applications with dynamic IP addressing, an FQDN might be specified as the peer instead of an IP address. In this case, the correct policy cannot be found using the source IP address. To solve this problem, you can specify the same protection-group ID in the ISAKMP IPSEC policy profiles of all the peers that should use the same remote policy. When the system then receives an initial IKE packet, it searches for an ISAKMP IPSEC policy profile that has the same protection-group ID as the policy that created the ISAKMP packet.
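The two-stage lookup described above (peer IP address first, protection-group ID as the fallback for FQDN peers) can be simulated in a few lines. This is an added example, not SmartWare code: the policy data model, the `find_policy` function and the idea that the initiator's protection-group ID is handed in as a parameter are assumptions made for illustration; how SmartWare actually carries that ID is proprietary and not described on this page.

```python
"""Simulate ISAKMP IPSEC policy matching for an incoming initial IKE packet.

Added example (not SmartWare's implementation). Assumptions: a policy has a
peer (IP address or FQDN) and an optional protection-group ID; the
protection-group ID of the initiating side is available to the lookup.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IsakmpIpsecPolicy:
    name: str
    peer: str                              # IP address literal or FQDN
    protection_group: Optional[int] = None  # proprietary group ID, may be unset


def _is_ip_literal(value: str) -> bool:
    """True if the peer is written as an IP address rather than an FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_policy(policies, source_ip: str,
                protection_group: Optional[int] = None) -> Optional[IsakmpIpsecPolicy]:
    """Return the policy that should handle an initial ISAKMP message.

    Stage 1: match the packet's source IP against policies whose peer is an IP.
    Stage 2: for policies whose peer is an FQDN (dynamic addressing), match on
             the protection-group ID instead, since the IP cannot be known.
    """
    src = ipaddress.ip_address(source_ip)
    for p in policies:
        if _is_ip_literal(p.peer) and ipaddress.ip_address(p.peer) == src:
            return p
    if protection_group is not None:
        for p in policies:
            if not _is_ip_literal(p.peer) and p.protection_group == protection_group:
                return p
    return None


# Constructed sample policy set (documentation addresses / example names).
POLICIES = [
    IsakmpIpsecPolicy("TO_HQ", peer="198.51.100.5"),
    IsakmpIpsecPolicy("TO_BRANCH_A", peer="branch-a.example.net", protection_group=7),
    IsakmpIpsecPolicy("TO_BRANCH_B", peer="branch-b.example.net", protection_group=7),
    IsakmpIpsecPolicy("TO_VENDOR", peer="vendor.example.com"),  # FQDN, no group
]


def demo() -> dict:
    """Run the three interesting cases and return which policy each resolves to."""
    static = find_policy(POLICIES, "198.51.100.5")
    dynamic = find_policy(POLICIES, "203.0.113.44", protection_group=7)
    unmatched = find_policy(POLICIES, "203.0.113.99")  # FQDN peer, no group given
    return {
        "static_peer": static.name if static else None,
        "fqdn_peer_by_group": dynamic.name if dynamic else None,
        "fqdn_peer_without_group": unmatched.name if unmatched else None,
    }


if __name__ == "__main__":
    print(demo())
```

Note the last case: a packet from an unknown address with no usable protection-group ID matches nothing, which is exactly the situation the protection-group mechanism exists to avoid for FQDN peers. Because the ID is proprietary, this fallback only helps between SmartWare devices, as step 9 below warns.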
Sample configuration snippet
Below you see a sample of the minimal required settings to be added to a configuration file in order to establish 
an IKE IPSEC connection:
profile acl WAN_Out
  permit 1 esp any any
  permit 2 ah any any
  permit 3 udp any any eq 500
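A quick way to confirm that an ACL profile really lets IKE and IPSEC traffic through in plaintext is to parse it and test the three packet types against it. The following is an added example, not part of the guide or of SmartWare: the tiny parser, the packet model and the reading of `eq 500` as "UDP port 500 on either end" are assumptions made for this check, and the sample ACL is the snippet shown above embedded as a string.

```python
"""Parse a 'profile acl' snippet and check which packets it permits.

Added example (not SmartWare code). Assumptions: rule syntax is
'<permit|deny> <index> <protocol> <src> <dst> [eq <port>]', 'any' matches
every address, and 'eq <port>' matches if either UDP/TCP port equals <port>.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ACL from the configuration snippet above.
SAMPLE_ACL = """\
profile acl WAN_Out
  permit 1 esp any any
  permit 2 ah any any
  permit 3 udp any any eq 500
"""


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    index: int
    proto: str            # "esp", "ah", "udp", "tcp", ...
    src: str              # "any" or an address
    dst: str
    port: Optional[int]   # from "eq <port>", None if absent


def parse_acl(text: str):
    """Return (profile name, rules sorted by index)."""
    name, rules = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["profile", "acl"]:
            name = parts[2]
        elif parts[0] in ("permit", "deny"):
            port = int(parts[6]) if len(parts) >= 7 and parts[5] == "eq" else None
            rules.append(Rule(parts[0], int(parts[1]), parts[2], parts[3], parts[4], port))
    return name, sorted(rules, key=lambda r: r.index)


def first_match(rules, proto, src, dst, sport=None, dport=None) -> Optional[Rule]:
    """First rule (lowest index) whose fields all match the packet, else None."""
    for r in rules:
        if r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.port is not None and r.port not in (sport, dport):
            continue
        return r
    return None


def check_ike_prerequisites(acl_text: str) -> dict:
    """True for each traffic type that an IKE/IPSEC peering needs to pass in plaintext."""
    _, rules = parse_acl(acl_text)
    me, peer = "192.0.2.10", "198.51.100.5"   # constructed documentation addresses
    isakmp = first_match(rules, "udp", me, peer, sport=500, dport=500)
    esp = first_match(rules, "esp", me, peer)
    ah = first_match(rules, "ah", me, peer)
    return {
        "isakmp_udp_500": isakmp is not None and isakmp.action == "permit",
        "esp": esp is not None and esp.action == "permit",
        "ah": ah is not None and ah.action == "permit",
    }


if __name__ == "__main__":
    print(parse_acl(SAMPLE_ACL)[0], check_ike_prerequisites(SAMPLE_ACL))
```

If any of the three flags comes back False, the ISAKMP exchange (or the ESP/AH data traffic after it) will be dropped by the ACL before the tunnel ever comes up, which is the failure mode the note about UDP port 500 is warning about.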
Step 8 (optional)
  Command: node(pf-ipsik)[<name>]# protected-network {host <local-host-ip>}|{subnet <local-subnet-address> <local-subnet-mask>}|{range <local-range-start> <local-range-end>} {host <remote-host-ip>}|{subnet <remote-subnet-address> <remote-subnet-mask>}|{range <remote-range-start> <remote-range-end>}
  Purpose: Optionally, if the remote system requires protected networks to be specified in the identity payload of the quick mode, you can define one or more protected networks using this command.

Step 9 (optional)
  Command: node(pf-ipsik)[<name>]# protection-group <group>
  Purpose: If required, you can specify a protection-group. The protection-group is a proprietary feature and is not compatible with third-party devices. Therefore do not configure it for connections to third-party devices.