Security Gateway Overview
SecGW Administration Guide, StarOS Release 17
Network Deployment
SecGW supports the following network deployment scenarios:
Remote Access Tunnels
In a RAS scenario, a remote host negotiates a child SA with the SecGW and sends traffic inside the child SA that
belongs to a single IP address on the remote host. This is the inner IP address of the child SA. The outer IP address is
the public IP address of the remote host. The addresses on the trusted network behind the SecGW to which the host talks
can be a single IP address or a network.
The remote host could set up multiple child SAs to the SecGW. This is still a remote access scenario, as long as a
unique single IP address is used for the inner IP of each child SA. The uniqueness of the inner IP must be maintained
across all child SAs of all remote hosts talking to the SecGW.
The traffic that is carried inside the child SA is defined when the child SA is created, using the traffic selector
(TS) field of the IKE message.
Figure 5. RAS Tunnel
Site-to-Site Tunnels
In an S2S scenario, the remote peer sets up a child SA to the SecGW. The source of the traffic inside the child SA can
be from multiple IP addresses on the remote peer's side. As in the remote access scenario, the addresses on the trusted
network behind the SecGW can be a single IP or a network.
In this scenario too, the remote peer can set up multiple child SAs to the SecGW.
For S2S tunnels established using the WSG service, the TSi and TSr contain the protocol as well as the source and
destination IP ranges.
Figure 6. S2S Tunnel
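As an added illustration (not from the guide or from StarOS), the following Python model covers both scenarios above: it classifies a child SA as RAS or S2S from its TSi (a single inner IP versus an address range with protocol) and enforces the rule that the inner IP of every RAS child SA is unique across all remote hosts talking to the SecGW. All addresses and the trusted network range are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class TrafficSelector:
    # One TS entry from the IKE message: address range plus IP protocol (0 = any)
    start: IPv4Address
    end: IPv4Address
    protocol: int = 0

@dataclass(frozen=True)
class ChildSA:
    outer_ip: IPv4Address    # public address of the remote host or peer
    tsi: TrafficSelector     # initiator (remote) side of the tunnel
    tsr: TrafficSelector     # responder side: host or network behind the SecGW

def classify(sa: ChildSA) -> str:
    # RAS when the remote side is exactly one inner IP; S2S when it is a range.
    # The TSr may be a single host or a network in either case.
    return "RAS" if sa.tsi.start == sa.tsi.end else "S2S"

class ChildSATable:
    def __init__(self) -> None:
        self.sas: list[ChildSA] = []
        self.ras_inner_ips: set[IPv4Address] = set()  # across all remote hosts

    def admit(self, sa: ChildSA) -> str:
        kind = classify(sa)
        if kind == "RAS" and sa.tsi.start in self.ras_inner_ips:
            raise ValueError(f"inner IP {sa.tsi.start} already used by a child SA")
        if kind == "RAS":
            self.ras_inner_ips.add(sa.tsi.start)
        self.sas.append(sa)
        return kind

def demo() -> dict:
    # Constructed sample addresses (documentation ranges), not from the guide.
    ip = IPv4Address
    trusted = TrafficSelector(ip("192.0.2.0"), ip("192.0.2.255"))
    table, r = ChildSATable(), {}
    r["host_a"] = table.admit(ChildSA(ip("198.51.100.10"), TrafficSelector(ip("10.1.0.5"), ip("10.1.0.5")), trusted))
    r["host_a_2nd"] = table.admit(ChildSA(ip("198.51.100.10"), TrafficSelector(ip("10.1.0.6"), ip("10.1.0.6")), trusted))
    r["branch"] = table.admit(ChildSA(ip("203.0.113.1"), TrafficSelector(ip("172.16.0.0"), ip("172.16.0.255"), 17), trusted))
    try:  # a second host reusing 10.1.0.5 violates the uniqueness rule
        table.admit(ChildSA(ip("198.51.100.20"), TrafficSelector(ip("10.1.0.5"), ip("10.1.0.5")), trusted))
        r["collision"] = "accepted"
    except ValueError:
        r["collision"] = "rejected"
    return r
```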