ADW-4302v2 User Guide

Because the IKE and IPSec connections are separate, they have different SAs (secu- rity associations).

Policies

VPN configuration settings are stored in Policies.

Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPSec Policy", and "IPSec Proposal" have the same meaning. However, some vendors separate IKE Policies (Phase 1 parameters) from IPSec Policies (Phase 2 parameters).

For the ADW-4302v2; each VPN policy contains both Phase 1 and Phase 2 parameters (if IKE is used). Each policy defines:

The address of the remote VPN endpoint

The traffic which is allowed to use the VPN connection.

The parameters (settings) for the IPSec SA (Security Association)

If IKE is used, the parameters (settings) for the IKE SA (Security Association)

Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.

It is possible, and sometimes necessary, to have multiple Policies for the same remote site. However, you should only Enable one (1) policy at a time.

VPN Configuration

The general rule is that each endpoint must have matching Policies, as follows:

VPN Endpoint

Each VPN endpoint must be configured to initiate or accept

address

connections to the remote VPN client or Gateway.

 

Usually, this requires having a fixed Internet IP address. How-

 

ever, it is possible for a VPN Gateway to accept incoming

 

connections from a remote client where the client's IP address

 

is not known in advance.

Local & Remote

This determines which outgoing traffic will cause a VPN connec-

LAN definition

tion to be established, and which incoming traffic will be

 

accepted. Each endpoint must be configured to pass and ac-

 

cept the desired traffic from the remote endpoint.

If connecting 2 LANs, this requires that:

Each endpoint must be aware of the IP addresses used on the other endpoint.

The 2 LANs MUST use different IP address ranges.

IKE parameters If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different).

IPSec parame- The IPSec parameters at each endpoint must match. ters

128