
To add nodes configured for transparent mode to a cluster using SmartDashboard

1. Create a gateway object for each of the VRRP nodes.

2. Define the topology for each gateway object. Make sure that transparent mode is properly configured, with the address ranges of the external and internal networks correctly defined.

3. Create the cluster object.

4. Add each gateway to the cluster object using the Add Gateway to Cluster button.

If you use the New Cluster Member button to add a VRRP member that uses transparent mode to a cluster, you cannot correctly configure the Topology.

Virtual Tunnel Interfaces (FWVPN) for Route-Based VPN

Virtual Tunnel Interfaces (VTI) support Check Point route-based VPN. A VTI is a virtual interface that can be used as a gateway to the encryption domain of the peer gateway. Each VTI is associated with a single tunnel to a VPN-1 Pro peer gateway. As with domain-based VPNs, the tunnel and its properties are defined by a VPN community linking the two gateways. The peer gateway is also configured with a corresponding VTI. The native IP routing mechanism on each gateway can then direct traffic into the tunnel just as it would for any other type of interface, and that traffic is encrypted.

For more information about route-based VPN, see the Check Point Virtual Private Networks guide.

Unnumbered VTIs

Nokia IPSO supports only unnumbered VTIs. Local and remote IP addresses are not configured; instead, the interface is associated with a proxy interface from which it inherits an IP address. Traffic that is initiated by the gateway and routed through the VTI will have the proxy interface IP address as the source IP address.

If you want the source IP address to be an IP address not used on the system, you can create a loopback interface with the desired IP address and use it as the proxy interface.

Routing Traffic through the VTI

In route-based VPN, a packet is encrypted only if it is routed through the virtual tunnel interface. To make sure that the traffic is routed through the VTI, you have several options:

• You can make the VTI the default route. Make sure you also have a static or dynamic route that enables the gateway to reach the external interface of the peer gateway, and vice versa.

• You can add a specific static route to the intended network behind the peer gateway for which the next hop is the VTI.

• You can configure a dynamic routing protocol on the VTI. For example, you can enable OSPF on the VTI and redistribute the internal network routes into OSPF as external routes. Or you can enable OSPF on both the VTI and its proxy interface.
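The following model, added here as an illustration and not part of the Nokia guide or the IPSO routing code, shows the two forwarding rules the Unnumbered VTIs and Routing Traffic through the VTI sections describe: a packet is encrypted only when the longest-prefix-match route sends it into the VTI, and gateway-initiated traffic through an unnumbered VTI carries the proxy interface's address as its source. It also implements the check the first option calls for: the peer gateway's external address must be reachable over a physical interface rather than through the VTI, since otherwise the encrypted packets have no path out. All interface names, addresses and prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Interface:
    name: str
    address: Optional[str] = None   # None for an unnumbered VTI
    proxy: Optional[str] = None     # interface an unnumbered VTI inherits its address from
    is_vti: bool = False


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str
    gateway: Optional[str] = None   # next hop; None for connected routes and routes into the VTI


class Gateway:
    """Toy forwarding table (hypothetical model, not IPSO's routing implementation)."""

    def __init__(self):
        self.interfaces = {}
        self.routes = []

    def add_interface(self, iface: Interface):
        if iface.is_vti and iface.proxy not in self.interfaces:
            raise ValueError("an unnumbered VTI needs an existing proxy interface")
        self.interfaces[iface.name] = iface

    def add_route(self, prefix: str, out_if: str, gateway: Optional[str] = None):
        if out_if not in self.interfaces:
            raise ValueError(f"unknown interface {out_if}")
        self.routes.append(Route(ipaddress.ip_network(prefix), out_if, gateway))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, as the native IP routing mechanism does."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, dst: str) -> Optional[Tuple[str, bool, str]]:
        """Return (outgoing interface, encrypted?, source address for gateway-initiated traffic)."""
        r = self.lookup(dst)
        if r is None:
            return None
        iface = self.interfaces[r.out_if]
        if iface.is_vti:
            # Unnumbered VTI: the source address is inherited from the proxy interface.
            return (iface.name, True, self.interfaces[iface.proxy].address)
        return (iface.name, False, iface.address)


def peer_reachable_outside_tunnel(gw: Gateway, peer_external: str) -> bool:
    """True only if the peer's external address is routed over a non-VTI interface."""
    r = gw.lookup(peer_external)
    return r is not None and not gw.interfaces[r.out_if].is_vti


def build_gateway(with_peer_route: bool = True) -> Gateway:
    """Constructed sample configuration: VTI as default route, loopback as proxy."""
    gw = Gateway()
    gw.add_interface(Interface("eth-s1p1c0", "192.0.2.10"))    # external (hypothetical name)
    gw.add_interface(Interface("eth-s2p1c0", "10.1.0.1"))      # internal (hypothetical name)
    gw.add_interface(Interface("loop0c0", "198.51.100.1"))     # loopback used as the proxy interface
    gw.add_interface(Interface("tun0c0", proxy="loop0c0", is_vti=True))
    gw.add_route("10.1.0.0/24", "eth-s2p1c0")                  # connected internal network
    gw.add_route("0.0.0.0/0", "tun0c0")                        # option 1: the VTI is the default route
    if with_peer_route:
        # the route that must accompany option 1: reach the peer's external address directly
        gw.add_route("203.0.113.10/32", "eth-s1p1c0", "192.0.2.1")
    return gw


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.forward("10.2.0.5"))        # network behind the peer: into the VTI, encrypted, loopback source
    print(gw.forward("203.0.113.10"))    # peer's external address: out the physical interface, in the clear
    print(peer_reachable_outside_tunnel(gw, "203.0.113.10"))
    print(peer_reachable_outside_tunnel(build_gateway(with_peer_route=False), "203.0.113.10"))
```

With only the default route into the VTI, `peer_reachable_outside_tunnel` returns False: the tunnel's own encapsulated packets would be routed back into the tunnel, which is exactly the misconfiguration the first option warns against. Replacing the loopback with the external interface as the proxy makes gateway-initiated tunnel traffic carry the external address instead.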


Nokia Network Voyager for IPSO 4.0 Reference Guide
