Examples of Protecting a VPN
With IPsec by Using Tunnels in Tunnel Mode
Figure 19–1 IPsec Tunnel Diagram
The following examples assume that the tunnel is configured for all
subnets of the LANs:
## Tunnel configuration ##
ifconfig ip.tun0 10.1.2.1 10.2.3.1 tsrc 192.168.1.10 tdst 192.168.2.10
|
Example 19–5 Creating a Tunnel That All Subnets Can
Use
In this example, all traffic from the local
LANs of the Central LAN in Figure 19–1 can be tunneled through Router 1 to Router 2, and then delivered
to all local LANs of the Overseas LAN. The traffic is encrypted with AES.
## IPsec policy ##
{tunnel ip.tun0 negotiate tunnel}
ipsec {encr_algs aes encr_auth_algs md5 sa shared}
|
Example 19–6 Creating a Tunnel That Connects Two
Subnets Only
In this example, only traffic between subnet 10.1.2.0/24 of
the Central LAN and subnet 10.2.3.0/24 of the Overseas
LAN is tunneled and encrypted. In the absence of other IPsec policies for
Central, if the Central LAN attempts to route any traffic for other LANs over
this tunnel, the traffic is dropped at Router 1.
## IPsec policy ##
{tunnel ip.tun0 negotiate tunnel laddr 10.1.2.0/24 raddr 10.2.3.0/24}
ipsec {encr_algs aes encr_auth_algs md5 sa shared}
|
Example 19–7 Creating a Tunnel for Email Traffic
Only Between Two Subnets
In this example, a tunnel is created for email traffic only. The traffic
is delivered from subnet 10.1.2.0/24 of the Central LAN
to the email server on the 10.2.3.0/24 subnet of the Overseas
LAN. The email is encrypted with Blowfish. The policies apply to the remote
and local email ports. The rport policy protects email
that Central sends to the remote email port of Overseas. The lport policy
protects email that Central receives from Overseas on local port 25.
## IPsec policy for email from Central to Overseas ##
{tunnel ip.tun0 negotiate tunnel ulp tcp rport 25
laddr 10.1.2.0/24 raddr 10.2.3.0/24}
ipsec {encr_algs blowfish encr_auth_algs md5 sa shared}
|
## IPsec policy for email from Overseas to Central ##
{tunnel ip.tun0 negotiate tunnel ulp tcp lport 25
laddr 10.1.2.0/24 raddr 10.2.3.0/24}
ipsec {encr_algs blowfish encr_auth_algs md5 sa shared}
|
Example 19–8 Creating a Tunnel for FTP Traffic for
All Subnets
In this example, IPsec policy protects the FTP ports in Figure 19–1 with
3DES for all subnets of the Central LAN to all subnets of the Overseas LAN.
This configuration works for the active mode of FTP.
## IPsec policy for outbound FTP from Central to Overseas ##
{tunnel ip.tun0 negotiate tunnel ulp tcp rport 21}
ipsec {encr_algs 3des encr_auth_algs md5 sa shared}
{tunnel ip.tun0 negotiate tunnel ulp tcp lport 20}
ipsec {encr_algs 3des encr_auth_algs md5 sa shared}
|
## IPsec policy for inbound FTP from Central to Overseas ##
{tunnel ip.tun0 negotiate tunnel ulp tcp lport 21}
ipsec {encr_algs 3des encr_auth_algs md5 sa shared}
{tunnel ip.tun0 negotiate tunnel ulp tcp rport 20}
ipsec {encr_algs 3des encr_auth_algs md5 sa shared}
|