Nortel Networks 620, 608(WL) manual Keyword retrievefromserver, Keyword allocatedvirtualip

Chapter 3

Configuration via Local Pages

Local network This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is the basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™. As an outcome of the Phase 2 negotiations, a static IPSec policy is derived.

The valid settings are:

the keyword: retrieve_from_server

This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection where the SpeedTouch™ acts as an initiator for the IPSec Security Association.

the keyword: black_ip

This setting is used only for remote management scenarios where the IPSec tunnel is used exclusively for information generated or terminated by the SpeedTouch™.

a symbolic name of a network descriptor

This is the most common selection in a LAN-to-LAN application. In this case the Local network field holds the symbolic name of the network descriptor that refers to the local private network having access to the IPSec connection.

Remote network This parameter describes the remote network that may use the IPSec connection. This parameter expresses a dynamic policy, which during the Phase 2 negotiation results in a static policy.

The valid settings are:

the keyword: retrieve_from_server

This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection where the SpeedTouch™ acts as an initiator for the IPSec Security Association.

the keyword: allocated_virtual_ip

This setting can be used in an IPSec client/server configuration. It is only relevant at the server side of the connection.

the keyword: black_ip

Designates the public IP address of the remote Security Gateway as the end user of the secure connection. This setting is useful for a connection that serves secure remote management of the remote Security Gateway.

a symbolic name of a network descriptor

This setting is used when the network environment at the remote side is completely known. This is often the case in a site-to-site application where the VPN structure and the use of specific ranges of IP addresses are under the control of a network manager.

Always on Select this check box when you want a VPN connection that automatically starts negotiations when the SpeedTouch™ is operational.

Connection Descriptor Select from the list the symbolic name of a Connection Security Descriptor to be used for the IPSec connection. Up to four Descriptors can be selected in the Profiles page. These Descriptors are presented as alternative proposals during the Phase 2 negotiations. Connection Security Descriptors are managed on the Connection Descriptors sub-page. See “3.5.10 Connection Descriptors Page” on page 96.