User's guide
Page 18 of 30 Rel. 3.5 Release Notes
Using Network Extension Mode for ANG-1100 Tunnels Release Notes
Release 3.5 Enhanced Support for VPN Clients
10. Create an IPSec rule. Type ./ipsecRule -a -n ezipsec -s ezipsec -w process -b spd -e tunnel -p ezipsec and press ENTER.
11. Type ./ipsecRule -L and press ENTER to display and verify that the rule was added.
12. Type ./ipsecSpd -n external -r 'gre;ike;ezipsec;pptpIn;pptpOut;irppIn;irppOut;https;l2tpIntout' and press ENTER.
This adds the previously created rule to the IPSec Security Policy Database on the external interface of the central ANG-3000/7000.
NOTE: If you issue the ipsecDefault command later, these changes will disappear.
13. Type ./ipsecSpd -L and press ENTER to display and verify that the changes were made to the IPSec Security Policy Database.
14. Type SU - root and press ENTER.
15. Type the default password welcome.
16. Change directory to /usr/indus/irc and press ENTER.
17. Issue the ircreboot command to enable the security policy changes and press ENTER.
Caveats
A central ANG-3000/7000 using Aurorean 3.5 firmware must manage a considerable 
amount of “overhead” for all tunnel traffic to an ANG-1100 using NEM. The 
performance impact of tunnels between these devices may be appreciable if a large 
number of ANG-1100s enable NEM. You should conform to the following guidelines 
to mitigate the impact of this linear search:
- Limit the number of ANG-1100s using NEM to a maximum of 64, or
- Group remote sites into blocks of 64 (or fewer) which share a common SPD rule on the ANG-3000/7000.










