SAROU237
Explorer

vpn community

Hello,

Can you explain something to me about VPN COMMUNITIES:

1)

Does this rule mean that ALL traffic between LOCAL_VPN_Domain and PEER_VPN_Domain will be encrypted?

Name          | Source                            | Destination                       | VPN       | Services & Applications
VPN Site2site | Local_VPN_Domain, Peer_VPN_Domain | Local_VPN_Domain, Peer_VPN_Domain | Site2Site | Any

2) If the "accept all encrypted traffic" command is not selected on a gateway, does this mean that the gateway will not accept encrypted traffic?

3) VPN ROUTING TYPES :

To center only. No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way.

a) In this configuration, can satellite LAN_A and satellite LAN_B communicate?

b) "Other connections are routed in the normal way": for example, which connections?

To center and to other satellites through center. Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.

a) "Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway": is all of that traffic encrypted?

To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

a) "Use VPN routing for every connection a satellite gateway handles": does "every connection" mean encrypted and not encrypted?

Thank you.
PhoneBoy
Admin

1. The VPN column should list the VPN Community for encryption to occur (or more specifically to require encryption to be permitted).

2. If this option is not selected then there must be an explicit rule permitting the traffic.

3. With “To Center Only” any communication between satellites is routed unencrypted.

4. With this option, satellites can talk to each other encrypted by routing traffic through a center gateway.

5. With this option, it’s similar to above but also allows routing to the Internet and other VPN peers in other communities.

SAROU237
Explorer

  • 3) With the "To Center only" configuration, can 2 satellites communicate with each other directly without going through the central gateway?
  • 4) In this situation, "To Center go through the satellite", is the flow from one satellite to another satellite in the community mandatorily encrypted?
PhoneBoy
Admin

3. Communication between satellites would not occur over the VPN in this case (i.e. it would be unencrypted).

4. When satellites communicate with this option enabled, yes, it is encrypted with the traffic flow going through the center gateway.

Maarten_Sjouw
Champion

  1. This is just allowing the traffic; it has nothing to do with the encryption itself. The VPN column just says that ONLY traffic encrypted based on that specific VPN is allowed.
    1. The definition of what is allowed to be encrypted is done on the gateway: in the topology you find the VPN Domain setting, which defines the networks on both sides that need to be encrypted.
  2. This overrules the normal rules and says all traffic defined in the VPN domain will be allowed; no rules will be applied, it is an open tunnel between the participating gateways for the defined VPN domains.
  3. In a normal situation you have some sites with RFC1918 addresses and you have your main site, also with RFC1918 addresses; to allow them to talk to each other over the internet you need encrypted traffic, or a lot of available NAT addresses. In a Star topology with routing to center only, that traffic is encrypted; traffic between satellites will not be encrypted and will be dropped by most internet routers.
  4. In this situation all traffic from satellites to other sites (center and other satellites) is sent encrypted to the center gateway; a better option could be to use a meshed topology instead, as it allows encrypted traffic between all sites directly.
  5. In this situation all traffic from the satellites is sent encrypted to the center gateway, and from there it is forwarded to the final destination: Internet, center site or a satellite.
Regards, Maarten
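As an added illustration, not code from the thread or from Check Point: a small Python model of a star community that traces each leg of a flow under the three VPN routing options quoted in the question, so the answers above (satellite-to-satellite traffic unencrypted under "To center only", encrypted through the center under the second option, Internet-bound traffic hairpinned through the center under the third) can be checked mechanically. The `StarCommunity` class, the site names and the mode labels are constructed for this example.

```python
from dataclasses import dataclass

# Added example (not from the thread): toy model of a Check Point-style star
# VPN community. Site names and mode labels are constructed for illustration.
CENTER_ONLY = "to_center_only"
SATS_VIA_CENTER = "to_center_and_other_satellites_through_center"
ALL_VIA_CENTER = "to_center_or_through_center_to_satellites_internet_and_other_vpn_targets"


@dataclass(frozen=True)
class StarCommunity:
    center: str
    satellites: frozenset
    routing: str

    def is_member(self, site):
        return site == self.center or site in self.satellites

    def legs(self, src, dst):
        """Trace a flow from site src to site dst.

        Returns a list of (from_gateway, to_gateway, encrypted) legs. A leg is
        inside the VPN only when both ends are community members and the routing
        option sends the packet through the tunnel; a leg "routed in the normal
        way" is cleartext (and, as the thread notes, usually undeliverable when
        both sites use RFC1918 addresses)."""
        if src == dst:
            return []
        members = {self.center} | self.satellites
        # Satellite <-> center is the one flow every routing option tunnels.
        if {src, dst} <= members and self.center in (src, dst):
            return [(src, dst, True)]
        if src in self.satellites and dst in self.satellites:
            if self.routing == CENTER_ONLY:
                return [(src, dst, False)]  # no VPN routing: normal (clear) route
            return [(src, self.center, True), (self.center, dst, True)]
        if src in self.satellites and not self.is_member(dst):
            if self.routing == ALL_VIA_CENTER:
                # Hairpin: tunnel to the center, which routes onward in the clear.
                return [(src, self.center, True), (self.center, dst, False)]
            return [(src, dst, False)]
        # Center to outside the community, or a non-member source: normal routing.
        return [(src, dst, False)]


def end_to_end_encrypted(community, src, dst):
    """True when every leg of the flow travels inside the VPN."""
    legs = community.legs(src, dst)
    return bool(legs) and all(enc for _, _, enc in legs)
```

The "every connection" wording of the third option shows up as a hairpin: the satellite-to-center leg is encrypted, but the center still forwards Internet-bound packets in the clear, so `end_to_end_encrypted` is false for that flow.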