streamingdaa.blogg.se

Check point traditional mode vpn











A Simplified mode rulebase has a new column, If Via, which allows you to restrict certain types of traffic to be within the context of a VPN (e.g., site-a can talk to site-b only in an encrypted manner). The community also defines which encryption methods will be used between the gateways, which simplifies configuration dramatically. It contains all the firewalls and encryption domains that will participate in a VPN. Traditional mode means defining VPNs the way it was always done in FireWall-1 4.1 and earlier versions, namely, with rules that use the action "encrypt." Simplified mode uses a VPN Community, which is similar to a group.

Now that you know the necessary information about the different sides of the VPN, let's talk about how to set this up: in Traditional mode or Simplified mode.

If a different management station manages one or more of the gateways, you will have to exchange CA keys so that your certificates can be validated. See the next subsection for details. For certificates, the decision is very easy if the same management station manages all gateways in the VPN and they all run NG: Use certificates, which will be basically automatic. The version of FireWall-1 and how you define the VPN will determine which method(s) you can use. Should you use certificates or pre-shared secrets? The only time to consider using a pre-shared secret is when you are interoperating with either a pre-NG version of FireWall-1 or a third-party VPN.

The security policy determines which hosts can actually be accessed. The encryption domain simply contains every network and host that could potentially be accessed through the VPN. It is possible to restrict which hosts are accessible via the security policy. Note that it may not be desirable for every host within the various networks to be accessible. The encryption domain for Site B should include these networks along with any translated IP addresses for hosts on this network.
Likewise, Site B has the network 172.17.0.0/16 behind its gateway. The encryption domain for Site A should include these networks along with any translated IP addresses for hosts on these networks.

Whether certificates or pre-shared secrets will be used

Which hosts and/or networks will be accessible at the remote site (the partner's encryption domain)


Which hosts and/or networks the remote site will be able to access through the VPN (your encryption domain)


You need the following information when planning a VPN based in FireWall-1:

As noted previously in the book, I treat .x as routable address space even though it is generally not considered routable per RFC 1918.












