Chapter 6

Advanced Features

Local network [localnetwork]

Remote network [remotenetwork]

This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™. As an outcome of the Phase2 negotiations, a static IPSec policy is derived. This results in a cloned connection, where the parameters localmatch, remotematch, localselector, remoteselector are automatically filled in by the SpeedTouch™.

The valid settings are:

the keyword: retrieve_from_server

This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection where the SpeedTouch™ acts as an initiator for the IPSec Security Association.

the keyword: black_ip

This setting is used only for remote management scenarios where the IPSec tunnel is used exclusively for information generated or terminated by the SpeedTouch™.

a symbolic name of a network descriptor

This is the most common selection in a site-to-site application. In this case the localnetwork parameter holds the symbolic name of the network descriptor that refers to the local private network having access to the IPSec connection. As mentioned above, the access can be restricted to a single protocol and port number.

This parameter describes the remote network that may use the IPSec connection. This parameter expresses a dynamic policy, which during the Phase 2 negotiation results in a static policy expressed by the localmatch, remotematch, and localselector and remoteselector parameters.

The valid settings are:

the keyword: retrieve_from_server

This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection where the SpeedTouch™ acts as an initiator for the IPSec Security Association.

the keyword: allocated_virtual_ip

This setting can be used in an IPSec client/server configuration. It is only relevant at the server side of the connection.

the keyword: black_ip

Designates the public IP address of the remote Security Gateway as the end user of the secure connection. This setting is useful for a connection that serves secure remote management of the remote Security Gateway.

a symbolic name of a network descriptor

This setting is used when the network environment at the remote side is completely known. This is often the case in a site-to-site application where the VPN structure and the use of specific ranges of IP addresses are under the control of a network manager.

214

E-DOC-CTC-20051017-0169 v0.1

 

Page 216
Image 216
Nortel Networks 620, 608(WL) manual 214