Lancom Systems LCOS 3.50 User Manual

Page 313


Chapter 14: Virtual Private Networks—VPN

LANCOM Reference Manual LCOS 3.50


The firewall rules for generating VPN rules are active even when the
actual firewall function in the LANCOM device is not required and is
switched off!


Make sure that the firewall action is set to “Transfer”.


Sources and targets for the connection can be entered as individual
stations, certain IP address ranges, or whole IP networks.

It is vital that target networks are defined in the IP routing table so
that the router in the LANCOM devices can forward the appropriate
data packets to the other network. You can make use of the entries
that already exist there and simply enter a higher-level network as the
target. The intersecting portion of the target network defined by the
firewall and the subordinate entries in the IP routing table is
integrated into the network relationships for the VPN rules.

Example: The target networks 10.2.1.0/24, 10.2.2.0/24 and
10.2.3.0/24 are entered into the IP routing table and can be accessed
via the router VPN-GW 2. An entry for the target network 10.2.0.0/16
is sufficient for these three subnets to be included in the VPN rules.

The definition of source and target networks must agree at both ends
of the VPN connection. It is not possible, for example, to map a larger
target address range to a smaller source address range at the opposite
end. Decisive here are the IP address ranges allowed by the VPN rules
and not the networks defined in the firewall rules. These can be very
different from the network relationships in the VPN rules because of
the intersecting ranges.
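The following is an added example (not LCOS code, and not from the manual) that works through the two points above in Python: a firewall rule's target network is intersected with the entries of the IP routing table to obtain the network relationships a VPN rule would cover, and the relationships at both ends are then compared to confirm they mirror each other. The routing-table representation, the function names and the sample networks are assumptions; the example also handles a routing entry that is a supernet of the firewall target, which the manual's text does not spell out.

```python
"""Derive VPN network relationships from a firewall rule plus the IP routing
table, then check that the opposite end defines the mirror image.
Added example with assumed data structures; not LCOS's own code."""
from ipaddress import IPv4Network, ip_network

# Constructed routing table: (destination network, next-hop router name),
# modelled on the manual's example of three subnets reachable via VPN-GW 2.
ROUTING_TABLE = [
    ("10.2.1.0/24", "VPN-GW 2"),
    ("10.2.2.0/24", "VPN-GW 2"),
    ("10.2.3.0/24", "VPN-GW 2"),
    ("10.3.0.0/16", "VPN-GW 3"),   # unrelated target, must not be picked up
]


def intersect(a: IPv4Network, b: IPv4Network):
    """CIDR networks either nest or are disjoint: the intersection is the
    smaller one when one contains the other, otherwise there is none."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def vpn_relationships(source: str, target: str, routing_table=ROUTING_TABLE):
    """Return (source, target, gateway) triples for the part of the firewall
    target network that overlaps with routing-table entries.  A single
    higher-level target such as 10.2.0.0/16 therefore expands to every
    subordinate /24 that the routing table knows about."""
    src = ip_network(source)
    tgt = ip_network(target)
    result = []
    for dest, gateway in routing_table:
        part = intersect(tgt, ip_network(dest))
        if part is not None:
            result.append((str(src), str(part), gateway))
    return result


def mirror_mismatches(local, remote):
    """Relationships at the local end whose mirror image (source and target
    swapped) is missing at the remote end.  Both ends must agree, so an
    empty list is the only acceptable result before the tunnel is set up."""
    remote_pairs = {(s, t) for s, t, _ in remote}
    return [(s, t) for s, t, _ in local if (t, s) not in remote_pairs]


if __name__ == "__main__":
    local = vpn_relationships("10.1.0.0/24", "10.2.0.0/16")
    for rel in local:
        print("local relationship:", rel)
    # Constructed remote end that maps the whole /16 onto the local /24 in one
    # rule; its single relationship does not mirror the three local ones.
    remote = [("10.2.0.0/16", "10.1.0.0/24", "VPN-GW 1")]
    print("mismatches:", mirror_mismatches(local, remote))
```

Running the block shows the three subordinate /24 networks being derived from the single 10.2.0.0/16 target, and then reports all three as mismatches against a remote end that defines only the /16, which is exactly the "larger range against smaller range" situation the manual says cannot be mapped.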


VPN connections can also be limited to certain services or protocols
according to your requirements. This means that the VPN connection can
be limited to use only with a Windows network, for example.

These limitations should be defined in a separate set of rules that
applies only to the firewall and that is not used in generating VPN
rules. Combined firewall/VPN rules can very quickly become highly
complex and difficult to comprehend.
