Handling VP N Traffic

VPN traffic consists of IPsec packets, but not normal IP traffic, including routing updates. This chapter describes how to use a VPN-only port, set an IPsec gateway, and configure a firewall to allow VPN traffic.

Using a VP N-Only Port

Ethernet ports in odd-numbered slots (1, 3, 5, and 7) are always VPN-only ports. A VPN-only port can accept and send only VPN traffic. Because it only accepts VPN traffic, you can safely put the port in front of your firewall, and connect it directly to the Internet gateway router network.

Note The VPN-only port can respond to certain ICMP requests, such as ping and traceroute.

The following figure shows a VPN 5002 concentrator with a VPN-only port in front of the firewall, and a regular port behind the firewall:

Figure 5-1: Using a VPN-Only Port in a Network

To balance the VPN traffic equally between the Internet side and the corporate side, use equal numbers of VPN-only ports and internal ports. The following example shows four internal ports and four VPN-only ports. The VPN-only ports are on the same Ethernet network as the Internet gateway. Each VPN-only 100BaseT Ethernet port connects to a switch that connects to a 1000BaseT Ethernet network. Configure the corporate DNS to randomly or sequentially select one of the four internal IP addresses for outgoing traffic, and to randomly or sequentially select one of the four external IP addresses when resolving a domain name entered in the VPN 5000 Client.

Figure 5-2: Multiple VPN-Only Ports

Use a VPN-only port in conjunction with the IPsec gateway, as described in the next section, to provide a route for all VPN traffic exiting the VPN 5002 or 5008 concentrator.

Identifying an IPsec Gate way for a VPN-Only Port

Identify the Internet gateway address where you want the concentrator to send all VPN traffic from the VPN-only port. This router IP address is called the IPsec gateway and must be on the same subnet as the VPN-only port. You can only specify one IPsec gateway for the concentrator.

Follow these steps to identify the IPsec gateway:

Command Purpose

Step 1

configure General
Allows you to configure the General section.

Step 2

IPsecGateway = IP_Address
Where the IP_Address is the router address where you want to send all VPN traffic.

	Command	Purpose
Step 1	configure General	Allows you to configure the General section.
Step 2	IPsecGateway = IP_Address	Where the IP_Address is the router address where you want to send all VPN traffic.

Configuring the Firewal l to Allow VPN Packets

If all VPN 5002 or 5008 interfaces are behind your firewall, configure the firewall to allow VPN packets for the following tunnel types:

IPsec:
- Allow packets to the concentrator with a destination UDP port of 500 (ISAKMP), and allow packets from the concentrator with a source port of 500.
- If you are using the default Encapsulating Security Payload (ESP) protocol, allow packets with IP protocol 50 to and from the concentrator.
- If you are using the Authentication Header (AH) protocol, allow packets with IP protocol 51 to and from the concentrator.
GRE:
- If you are using manually keyed LAN-to-LAN tunnels with no encryption and no authentication, allow packets with IP protocol 47 (GRE) to and from the concentrator. See the "Configuring a GRE Tunnel Partner" section for more information.

See the guide that came with your firewall for configuration information.

Table of Contents