Configure the settings for your VPN tunnels as explained in the next sections.

For a Mobile VPN with IPSec user on the trusted or optional network to make outbound IPSec connections to a Firebox located behind a different Firebox, you must select the Add a policy to enable outbound IPSec pass-through check box. For example, if mobile employees are at a customer location that has a Firebox, they can use IPSec to make a VPN connection to their network. For the Firebox at the customer location to allow the outgoing IPSec connection, you must add an IPSec policy to the configuration. When you enable IPSec pass-through, a policy called WatchGuard IPSec is automatically added to the configuration. The policy allows traffic from any trusted or optional network to any destination. When you disable IPSec pass-through, the WatchGuard IPSec policy is automatically deleted.

To enable inbound IPSec pass-through, you must clear the Enable built-in IPSec policy check box, and create IPSec policies to handle inbound VPN traffic to the Firebox and any other VPN endpoints. For more information, go to Configure Inbound IPSec Pass-through with SNAT.

Type of Service (TOS) is a set of four-bit flags in the IP header that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware gives you the option to allow IPSec tunnels to clear or maintain the settings on packets that have TOS flags. Some ISPs drop all packets that have TOS flags.

If you do not select the Enable TOS for IPSec check box, no IPSec packets have the TOS flags set. If the TOS flags were set before, they are removed when Fireware encapsulates the packet in an IPSec header. When the Enable TOS for IPSec check box is selected and the original packet has TOS flags, Fireware keeps the TOS flags set when it encapsulates the packet in an IPSec header. If the original packet does not have the TOS flags set, Fireware does not set the TOS flag when it encapsulates the packet in an IPSec header.

Carefully consider whether to select this check box if you want to apply QoS marking to IPSec traffic, because QoS marking can change the setting of the TOS flag. For more information on QoS marking, go to About QoS Marking.

Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used

This option applies only to traffic through a BOVPN that is not a BOVPN virtual interface. When this option is not enabled, all packets that match the tunnel route specified in the IPSec gateway are sent through the IPSec branch office VPN. If this option is enabled, the Firebox uses the routing table to determine whether to send the packet through the IPSec VPN tunnel.

If a default route is used to route a packet: The packet is encrypted and sent through the VPN tunnel, to the interface specified in the VPN gateway configuration.

If a non-default route is used to route a packet: The packet is routed to the interface specified in the non-default route in the routing table. When a non-default route is used, the decision about whether to send the packet through the IPSec VPN tunnel depends on the interface specified in the routing table. If the interface in the non-default route matches the interface in the BOVPN gateway, the packet goes through the BOVPN tunnel configured for that interface. For example, if the BOVPN gateway interface is set to Eth0, and the matched non-default route uses Eth1 as the interface, the packet is not sent through the BOVPN tunnel. However, if the matched non-default route uses Eth0 as the interface, the packet is sent through the BOVPN tunnel. This feature works with any non-default route (static or dynamic).

You can use this feature in conjunction with dynamic routing to enable dynamic network failover from a private network route to an encrypted IPSec VPN tunnel.

For example, consider an organization that sends traffic between two networks, Site A and Site B. They use a dynamic routing protocol to send traffic between the two sites over a private network connection, with no VPN required. The private network is connected to the Eth1 interface of each device. They have also configured a BOVPN tunnel between the two sites to send BOVPN traffic over the local Internet connection, over the Eth0 interface of each device. They want to send traffic over the BOVPN tunnel only if the private network connection is not available. If they select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box in the Global VPN Settings, the Firebox sends traffic over the private network if a dynamic route to that network is present over the Eth1 interface. Otherwise, it sends traffic over the encrypted IPSec BOVPN tunnel on the Eth0 interface.

For more information about how to use this setting, go to Configure a Branch Office VPN for Failover from a Leased Line.

Disable or Enable the Built-in IPSec Policy
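The routing decision for the non-default-routes setting, modelled as an added example (not WatchGuard code): a constructed Site A table with the Eth1 private route present and then withdrawn, and the Eth0 BOVPN gateway, shows the private path being preferred only when the check box is selected and the dynamic route exists. Interface names, prefixes and the Route/BovpnGateway types are assumptions for the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str     # destination network; "0.0.0.0/0" is the default route
    interface: str  # egress interface named in the routing table, e.g. "eth1"

@dataclass
class BovpnGateway:
    interface: str     # interface the BOVPN gateway is bound to, e.g. "eth0"
    tunnel_route: str  # remote network in the tunnel route, e.g. "10.2.0.0/16"

def longest_match(routes, dst):
    # Longest-prefix match over the table; None if no route covers dst.
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None

def egress(dst, routes, gw, use_non_default_routes):
    """Return ("tunnel", iface) or ("clear", iface) for a packet to dst."""
    route = longest_match(routes, dst)
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(gw.tunnel_route):
        return ("clear", route.interface if route else None)  # not BOVPN traffic
    if not use_non_default_routes:
        # Check box cleared: every packet matching the tunnel route is encrypted.
        return ("tunnel", gw.interface)
    if route is None or route.prefix == "0.0.0.0/0":
        # Default route: encrypt and send out the gateway's interface.
        return ("tunnel", gw.interface)
    # Non-default route: tunnel only if its interface is the gateway interface.
    if route.interface == gw.interface:
        return ("tunnel", gw.interface)
    return ("clear", route.interface)

# Constructed Site A configuration from the failover scenario in the text.
SITE_A_GW = BovpnGateway(interface="eth0", tunnel_route="10.2.0.0/16")
PRIVATE_UP = [Route("0.0.0.0/0", "eth0"), Route("10.2.0.0/16", "eth1")]
PRIVATE_DOWN = [Route("0.0.0.0/0", "eth0")]  # dynamic route withdrawn

def failover_demo(dst="10.2.1.5"):
    return {
        "box_cleared_private_up": egress(dst, PRIVATE_UP, SITE_A_GW, False),
        "box_selected_private_up": egress(dst, PRIVATE_UP, SITE_A_GW, True),
        "box_selected_private_down": egress(dst, PRIVATE_DOWN, SITE_A_GW, True),
    }
```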