VPN
∙Phase I is the negotiation and establishment up of the IKE connection.
∙Phase II is the negotiation and establishment up of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (secu- rity associations).
Policies
VPN configuration settings are stored in Policies.
Each policy defines:
∙The address of the remote VPN endpoint
∙The traffic which is allowed to use the VPN connection.
∙The parameters (settings) for the IPsec SA (Security Association)
∙If IKE is used, the parameters (settings) for the IKE SA (Security Association)
Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.
It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In this case, the order (sequence) of the policies is important. The policies are examined in turn, and the first matching policy will be used.
VPN Configuration
The general rule is that each endpoint must have matching Policies, as follows:
Remote VPN ad- dress
Traffic Selector
IKE parameters
IPsec parameters
Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway.
Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incom- ing connections from a remote client where the client's IP address is not known in advance.
This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint.
If connecting 2 LANs, this requires that:
∙Each endpoint must be aware of the IP addresses used on the other endpoint.
∙The 2 LANs MUST use different IP address ranges.
If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different).
The IPsec parameters at each endpoint must match.
71