Specifications
Technical Concepts – For internal use only
A31003-H3580-M103-2-76A9, 01-2009
9-34 HiPath 3000/5000 V8 - HG 1500 V8, Administrator Documentation
SSL and VPN
9.6.4 Services
Services may optionally be defined for use in the rules described in the following section. A rule then determines how IP packets of a specific service are treated ("pass", "deny", encryption). You define a service via the fields Source Port, Destination Port and IP Protocol.
For example, you can define the HTTP service as follows:
● Name: HTTP
● Source Port: 0 (Unknown or Any)
● Destination Port: 80
● IP Protocol: TCP
9.6.5 Rules
Rules are the higher-level instrument for configuring concrete VPN connections on the basis of IPsec tunnels and services.
A rule specifies whether IP packets are allowed (pass) or rejected (deny) on a gateway between specific fixed IP addresses or IP address ranges via VPN. Pass and deny are the possible actions of the rule.
A rule with the pass action also determines whether data encryption is necessary and which IPsec tunnels and services are needed for this. IPsec tunnels and services therefore have to be set up before you create rules.
The IP packet's transmission direction between the IP addresses or IP address ranges is also important (see also Figure 9-1). A rule is always defined for a particular transmission direction, and there is thus a distinction between Source Address and Destination Address. If a connection is initiated in this direction and permitted by the defined rule, the return direction for this connection is automatically opened for a set period of time. The destination address can therefore respond to the source address without the need for a rule. This is guaranteed by the "Stateful Inspection" function of the IPsec stack. Because a rule only covers one direction, a second rule must be defined for the return direction if connections are to be set up in both directions (that is, initiated from either side).
Note:
The source and destination port 500 cannot be configured here. This port is used for the IKE (Internet Key Exchange) protocol. In conjunction with the IPsec protocol, the IKE protocol controls the automatic selection of the methods used for packet encryption and for packet integrity, as well as the lifetime of keys.
A pre-defined, invisible default rule already exists for IKE in the IPsec stack on the HiPath 3000/5000 V8 - HG 1500 V8; this rule always passes IKE service packets. It is not necessary for the user to configure the IKE service because it is preconfigured by default.
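The following Python model, added here for illustration and not part of the HG 1500 firmware or this documentation, shows how the pieces described in sections 9.6.4 and 9.6.5 fit together: a service is matched by source port, destination port and IP protocol (port 0 meaning "any"); a rule passes or denies packets between address ranges for one direction only and may require an IPsec tunnel; the return direction of a passed connection is opened for a limited time by stateful inspection; and IKE (UDP port 500) is passed by a hidden default rule before any user rule is consulted. The tunnel name "tunnel-hq", the 30-second state lifetime, the sample addresses and the default-deny policy when no rule matches are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_PORT = 0  # a service port of 0 means "Unknown or Any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str  # "TCP" or "UDP"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Service:
    """A service as defined by Source Port, Destination Port and IP Protocol."""
    name: str
    src_port: int
    dst_port: int
    protocol: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.protocol == self.protocol
                and (self.src_port == ANY_PORT or pkt.src_port == self.src_port)
                and (self.dst_port == ANY_PORT or pkt.dst_port == self.dst_port))


@dataclass(frozen=True)
class Rule:
    """Pass or deny packets of one service from src_net to dst_net, in that direction only."""
    src_net: str
    dst_net: str
    service: Service
    action: str                   # "pass" or "deny"
    tunnel: Optional[str] = None  # IPsec tunnel used when a pass rule requires encryption

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.service.matches(pkt))


# Hidden default rule: IKE on UDP port 500 is always passed, no user configuration needed.
IKE = Service("IKE", 500, 500, "UDP")


class Gateway:
    def __init__(self, rules, state_lifetime: float = 30.0):
        self.rules = list(rules)
        self.state_lifetime = state_lifetime  # seconds the return direction stays open (assumed)
        self.flows = {}  # 5-tuple of an admitted connection -> (expiry time, tunnel)

    def evaluate(self, pkt: Packet, now: float):
        """Return ("pass", tunnel_or_None) or ("deny", None) for pkt arriving at time `now`."""
        # 1. IKE packets pass before any rule so that tunnels can be negotiated.
        if IKE.matches(pkt):
            return ("pass", None)

        # 2. Stateful inspection: the reply direction of an admitted connection is open
        #    for a limited time even though no rule exists for that direction.
        reverse_key = (pkt.dst, pkt.src, pkt.protocol, pkt.dst_port, pkt.src_port)
        entry = self.flows.get(reverse_key)
        if entry is not None:
            expiry, tunnel = entry
            if now < expiry:
                return ("pass", tunnel)
            del self.flows[reverse_key]  # lifetime over; this direction now needs its own rule

        # 3. The first rule matching addresses, service and direction decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    key = (pkt.src, pkt.dst, pkt.protocol, pkt.src_port, pkt.dst_port)
                    self.flows[key] = (now + self.state_lifetime, rule.tunnel)
                    return ("pass", rule.tunnel)
                return ("deny", None)

        # 4. Assumed default policy when nothing matches: deny.
        return ("deny", None)


def demo():
    """Constructed scenario: only the branch -> HQ direction has a rule for HTTP."""
    http = Service("HTTP", ANY_PORT, 80, "TCP")
    gw = Gateway([Rule("10.0.1.0/24", "10.0.2.0/24", http, "pass", tunnel="tunnel-hq")])
    forward = Packet("10.0.1.5", "10.0.2.10", "TCP", 41000, 80)   # branch client -> HQ server
    reply = Packet("10.0.2.10", "10.0.1.5", "TCP", 80, 41000)     # server's answer
    from_hq = Packet("10.0.2.10", "10.0.1.7", "TCP", 41001, 80)   # new connection from HQ side
    ike = Packet("10.0.2.1", "10.0.1.1", "UDP", 500, 500)         # gateway-to-gateway IKE
    return {
        "forward": gw.evaluate(forward, now=0),          # passes, encrypted via tunnel-hq
        "reply_in_time": gw.evaluate(reply, now=5),      # passes via stateful inspection
        "reply_expired": gw.evaluate(reply, now=60),     # denied: state expired, no reverse rule
        "new_conn_from_hq": gw.evaluate(from_hq, now=60),  # denied: needs a rule for this direction
        "ike": gw.evaluate(ike, now=60),                 # passes by the hidden IKE rule
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The `reply_expired` and `new_conn_from_hq` results illustrate the point made above: a pass rule opens the return path only for the lifetime of an existing connection, so a connection initiated from the other side requires its own rule for that direction.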