Manuals / Foundry Networks / Computer Equipment / Network Router

Foundry Networks AR1216, AR3202-CL, AR3201-CL Configure a WAN bundle of network type untrusted

Models: AR1208 AR1216 AR3202-CL AR3202 AR3201-CL AR3201 AR1204

1 293
Download 293 pages 53.56 Kb
Page 228
Image 228

Security Features

In tunnel mode, at each IKE end point, the IP traffic to be protected is completely encapsulated with another IP packet. In this, the inner IP header remains the same as seen in the original traffic to be protected. In the outer IP header, the source and destination addresses are the addresses of the tunnel end points.

Typically, for a remote user, the source address of the outer IP header is the dynamic public IP address provided by the ISP. When mode configuration is enabled, the source address of the inner IP header is the private address allocated by the VPN server to the VPN client.

As in the case of user group method, the administrator creates an IKE policy for a logical group of users such as a department in an organization. The identity information used to identify each user uniquely is configured in the IKE policy. The IKE policy is attached to a mode configuration record. The mode configuration record contains an IPSec policy template to be used for creating dynamic IPSec policy. Also, the record contains one or more pools of private IP addresses to be used for allocating the addresses to the VPN clients. Besides the private IP address, the VPN server can also provide WINS and DNS server addresses.

Upon successful IKE authentication of a VPN client, the server checks whether the IKE policy used to authenticate the VPN client is enabled for mode configuration. If so, the server allocates a private IP address from one of the IP pools in the mode configuration record to the VPN client. The destination address field in the IPSec template attached to the user group is filled in with the private IP address allocated to the VPN client and this is installed as an IPSec policy.

Example 1: Securely Managing the Foundry AR1204 Over an IPSec Tunnel

This example demonstrates how to manage a Foundry router through an IP security tunnel. Steps are presented for configuring the Router1 and Router2 routers to assist any host on the LAN side of Foundry-2 to manage the Router1 router through the IP security tunnel.

The security requirements are:

Phase 1: 3DES with SHA1

Phase 2: IPSec ESP with 128-bit AES and HMAC-SHA1

Figure 15.1 Tunnel Mode Between Two Foundry Security Gateways - Single Proposal

Step 1: Configure a WAN bundle of network type untrusted:

Router1/configure# interface bundle wan1 Configuring new bundle Router1/configure/interface/bundle wan1# link t1 1 Router1/configure/interface/bundle wan1# encapsulation ppp Router1/configure/interface/bundle wan1# ip address 172.16.0.1 24 Router1/configure/interface/bundle wan1# crypto untrusted Router1/configure/interface/bundle wan1# exit

June 2004

© 2004 Foundry Networks, Inc.

15 - 3

Page 227 Page 229
Page 228
Image 228
Foundry Networks AR1216, AR3202-CL, AR3201-CL, AR1204, AR1208 manual Configure a WAN bundle of network type untrusted
Page 227 Page 229