Routing (tunneling, interface) patterns and policy patterns for VPN sites

Source: Internet
Author: User

It is common knowledge that all Cisco devices that currently build site-to-site VPNs with IPsec do not route over the tunnel; they use policy-based selection. Routing can be achieved with GRE over IPsec, but apart from the complicated configuration, the double encapsulation leaves a much smaller payload in every packet, so efficiency is poor. That is only the situation today; we will see which direction the ASA evolves in, and nobody knows when route-based VPN will be introduced.

The policy model is what most vendors' equipment uses today: Cisco goes without saying, and the same is true of Microsoft ISA, SonicWALL, D-Link and so on. I currently find only two products that support route mode, the Juniper SSG and the FortiGate. At the root these two are in fact one family, the original NetScreen, which later split when the design concepts diverged. On the FortiGate this is called interface mode, and it really does route through an interface.

I take a NetScreen 5GT running ScreenOS 5.4.0r11.0 as the example. Even on the current SSG with ScreenOS 6.4 the configuration method is similar; at most there are a few more items to select and their positions have shifted slightly.

Let's start with the graphical interface.

On the left, open VPNs > AutoKey Advanced > Gateway and click the New button.

The following screen appears:

Gateway Name is only there to make the gateway easy to remember and identify; set it according to your own circumstances, it is not critical.

Security Level: select Standard. This is NetScreen's standard proposal set and is how the encryption for the IKE Phase 1 negotiation is chosen. If the remote end is also a NetScreen or SSG, choosing Standard is the most convenient; if there are special encryption requirements you can choose a higher level.

Remote Gateway Type: select Static IP Address, and fill in the remote side's public IP address in the field below it.

The Preshared Key is a shared secret, and the two sides must be exactly the same.

Local ID has other uses, which will come up in other cases later; leave it blank here.


Outgoing Interface: this must be the external (public-facing) network interface. This is the binding interface, something that has no counterpart on the ASA. Be sure to choose carefully: if it is wrong the tunnel will not come up, and the default selection is often wrong.

Then click Advanced to confirm the advanced settings.

Mode: select Main. With a fixed-IP configuration you basically always choose Main mode; its security is better than Aggressive.

Enable NAT-Traversal configures NAT traversal; it does not need to be selected when both sides have public addresses.

Peer Status Detection detects whether the remote peer is dead or alive. We do not select it here; a higher level of monitoring will be configured later.

Preferred Certificate enables digital certificates for the IKE negotiation. We do not use this method, mainly because its configuration is very cumbersome.

Use Distinguished Name for Peer ID also need not be checked; it is too troublesome.

This completes the IKE Phase 1 configuration.

This part is in fact similar to other vendors; the key point, routing mode, shows up in what follows.

There is the concept of a zone, that is, a security zone. Below we create a VPN-specific zone. It is in fact possible without a separate zone, but some complex security applications need a zone, so it is better to create one.

Network > Zones, click New.

Zone Name: write VPN, easy to remember.

Virtual Router Name: select trust-vr. If you choose a virtual router other than trust, things become much more complicated.

Block Intra-Zone Traffic: of course do not select it. Everything running here is private IP, so why would you block it?

If TCP non SYN, send RESET back, and TCP/IP Reassembly for ALG: leave both unchecked. The security level is too high and will cause you trouble later.

Asymmetric VPN: select it. If there are multiple tunnels with redundancy, this option is very important.

Then open Network > Interfaces and click New.

Tunnel Interface Name: there is no specific requirement; just remember the number you chose, 1, 2 or 3.

Zone: of course choose the VPN zone you just created.

Of the two choices here, which serve different purposes, we choose Unnumbered and attach the tunnel to the intranet interface. This too needs care, and it is related to other uses.

Everything else stays at the default.
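As an added example, not from the original article, here is the ScreenOS CLI equivalent of the two GUI procedures above (the Phase 1 gateway, then the zone and tunnel interface) on a 5GT, whose public and private interfaces are named untrust and trust. The gateway name, VPN name, peer address 203.0.113.10 and remote LAN 10.2.0.0/24 are constructed placeholders, and the preshared key must be replaced. The last group of lines goes beyond where the article stops, binding a Phase 2 VPN to tunnel.1 and adding a route and zone policies, because that is the step that makes the setup route-based rather than policy-based.

```text
# Added example (not the article's own text): ScreenOS CLI for the GUI steps.
# Constructed placeholders:
#   203.0.113.10     remote peer's public IP address
#   10.2.0.0/24      remote site's private LAN
#   PSK-PLACEHOLDER  replace with the secret agreed with the peer

# --- IKE Phase 1: VPNs > AutoKey Advanced > Gateway > New ---
# Static-IP peer, Main mode, Standard security level, bound to the
# outgoing (public) interface "untrust".
set ike gateway "to-branch" address 203.0.113.10 main outgoing-interface "untrust" preshare "PSK-PLACEHOLDER" sec-level standard
# NAT-Traversal, Peer Status Detection (DPD) and certificates stay off,
# as in the article. Only if the peer sits behind NAT would you add:
#   set ike gateway "to-branch" nat-traversal

# --- Security zone: Network > Zones > New ---
set zone name "VPN"
set zone "VPN" vrouter "trust-vr"
set zone "VPN" asymmetric-vpn
# Block Intra-Zone Traffic, TCP non-SYN RESET and Reassembly for ALG are
# left unchecked, so their CLI forms ("set zone VPN block", "tcp-rst",
# "reassembly-for-alg") are simply not issued.

# --- Tunnel interface: Network > Interfaces > New ---
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface trust

# --- Beyond the article: what makes this route-based ---
# Phase 2 VPN bound to the tunnel interface; traffic is then selected by an
# ordinary route in trust-vr and permitted by zone policies, not by a
# policy carrying a crypto selector.
set vpn "branch-vpn" gateway "to-branch" sec-level standard
set vpn "branch-vpn" bind interface tunnel.1
set route 10.2.0.0/24 interface tunnel.1
set policy from "trust" to "VPN" any any any permit
set policy from "VPN" to "trust" any any any permit
save
```

After the peer is configured the same way, `get ike cookie` shows whether Phase 1 completed, `get sa` shows the Phase 2 security association bound to tunnel.1, and `get route` confirms that 10.2.0.0/24 points at tunnel.1 rather than at a policy.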
