6.8 One Peer - Multiple Connections (Multiple tunnels) – Nortel Networks 608(WL) User Manual

Page 202: Chapter 6


Chapter 6

Advanced Features

E-DOC-CTC-20051017-0169 v0.1

200

6.8 One Peer - Multiple Connections

Multiple tunnels

Before a Phase 2 tunnel can be set up, a Phase 1 IKE tunnel is required. The
signalling messages that negotiate the Phase 2 tunnel are carried over this
Phase 1 tunnel.

The SpeedTouch™ allows several Phase 2 tunnels to be set up over a common
Phase 1 tunnel. The configuration example below shows a single peer with several
connections attached to it. Traffic originating from network 10.0.0.0/8 is sent
into one of the Phase 2 tunnels, selected by the destination IP address. If no
IPSec policy matches, the packet is sent unencrypted: the device fails open, so
the local and remote network definitions must cover every destination that needs
protection, otherwise that traffic silently leaves in cleartext.

[ipsec connection]=>network
[ipsec connection network]=>list
[n1] : range 10.60.11.[20-30]
[n2] : address 10.50.2.22
[n3] : subnet 10.50.2.128/25

[ipsec connection network]=>..
[ipsec connection]=>list
[connect1]
Peer           : rempeer2
Local network  : n1
Remote network : n2
Always on      : disabled
Descriptors    : AES_HMAC-MD5_TUNNEL
Options        : <unset>
State          : enabled

[connect2]
Peer           : rempeer2
Local network  : n1
Remote network : n3
Always on      : disabled
Descriptors    : NullEnc_HMAC-SHA1_TUNNEL
Options        : <unset>
State          : enabled

[ipsec connection]=>

The IPSec descriptors of the two Phase 2 tunnels need not be the same: connect1 uses AES with HMAC-MD5, while connect2 uses NullEnc_HMAC-SHA1_TUNNEL, so traffic to n3 is authenticated but not encrypted. Choose the descriptor per connection deliberately; a null-encryption descriptor is only appropriate where confidentiality of that traffic is genuinely not required.
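The policy lookup described above, as an added example that is not part of the manual and not the SpeedTouch's own implementation: it parses the three network forms from the CLI listing (range, address, subnet), walks the connections in listing order and returns the Phase 2 connection whose local/remote networks cover a packet's source and destination. A packet with no match is modelled as "cleartext", which is the fail-open behaviour the text describes; the fail_open flag is an assumption added here to show what a deny-by-default policy would return instead. The names NETWORKS, CONNECTIONS and select_phase2, and the first-match precedence for overlapping networks, are assumptions of this example.

```python
import ipaddress
import re

# Network definitions in the three forms the CLI listing uses:
# "range a.b.c.[x-y]", "address a.b.c.d", "subnet a.b.c.d/n".
RANGE_RE = re.compile(r"^range (\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def parse_network(spec):
    """Return a predicate that tells whether an IPv4Address lies inside spec."""
    m = RANGE_RE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        first = int(ipaddress.IPv4Address(f"{prefix}.{lo}"))
        last = int(ipaddress.IPv4Address(f"{prefix}.{hi}"))
        return lambda ip: first <= int(ip) <= last
    kind, _, value = spec.partition(" ")
    if kind == "address":
        host = ipaddress.IPv4Address(value)
        return lambda ip: ip == host
    if kind == "subnet":
        net = ipaddress.IPv4Network(value, strict=False)
        return lambda ip: ip in net
    raise ValueError(f"unsupported network spec: {spec!r}")


# Constructed from the CLI listing on the page (names and values as shown there).
NETWORKS = {
    "n1": parse_network("range 10.60.11.[20-30]"),
    "n2": parse_network("address 10.50.2.22"),
    "n3": parse_network("subnet 10.50.2.128/25"),
}

# Both Phase 2 connections hang off the same peer (and thus the same Phase 1 tunnel).
CONNECTIONS = [
    {"name": "connect1", "peer": "rempeer2", "local": "n1", "remote": "n2",
     "descriptor": "AES_HMAC-MD5_TUNNEL"},
    {"name": "connect2", "peer": "rempeer2", "local": "n1", "remote": "n3",
     "descriptor": "NullEnc_HMAC-SHA1_TUNNEL"},
]


def select_phase2(src, dst, fail_open=True):
    """Pick the Phase 2 connection whose local/remote networks cover (src, dst).

    Returns (connection_name, descriptor). With no match the device described on
    the page forwards the packet unencrypted, modelled here as ("cleartext", None).
    fail_open=False is an assumed deny-by-default variant that returns ("drop", None).
    Overlapping networks resolve first-match in listing order (an assumption).
    """
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for conn in CONNECTIONS:
        if NETWORKS[conn["local"]](src) and NETWORKS[conn["remote"]](dst):
            return conn["name"], conn["descriptor"]
    return ("cleartext", None) if fail_open else ("drop", None)


if __name__ == "__main__":
    for s, d in [("10.60.11.25", "10.50.2.22"),    # n1 -> n2: connect1
                 ("10.60.11.25", "10.50.2.200"),   # n1 -> n3: connect2 (NullEnc!)
                 ("10.60.11.25", "10.50.2.100"),   # n1 -> uncovered: cleartext
                 ("10.60.11.31", "10.50.2.22")]:   # src outside n1: cleartext
        print(s, "->", d, select_phase2(s, d))
```

The third and fourth cases are the ones to audit on a real deployment: 10.50.2.100 sits in 10.50.2.0/25, which no remote network covers, and 10.60.11.31 is just outside the n1 range, so both leave the device in the clear even though they look like "the same" site-to-site traffic.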

Figure: SpeedTouch620 [1] and SpeedTouch620 [2] joined by a single Phase 1 (IKE) tunnel (IKE1), which carries two Phase 2 tunnels (conn1 and conn2).
