Specifications
hg-09.fm
A31003-H3580-M103-2-76A9, 01-2009
HiPath 3000/5000 V8 - HG 1500 V8, Administrator Documentation
9-35
For internal use only
Technical Concepts
SSL and VPN
Every rule is also assigned a priority. A rule for one transmission direction and the matching rule for the opposite direction always have the same priority. Priorities are assigned as arbitrary numbers; higher numbers indicate a lower priority. In other words, a rule with priority 1 is evaluated first because it has the highest priority.
A rule could, for example, define the following:
IPsec-tunneled data transmissions from the host with the IP address 192.168.1.50 (source address) to the host with the IP address 192.168.4.50 (destination address) should be allowed. The data must be encrypted. The IPsec tunnel named "Tunnel1" should be used at the source address, and the IPsec tunnel named "Tunnel2" should be used at the destination address. The rule should have priority 2.
A rule set therefore contains multiple conditions, and the rules are processed in priority order: the condition of the rule with the highest priority is checked first and the one with the lowest priority last. The system works through this sequence and applies the first rule that matches a concrete connection request; lower-priority rules that also match are not applied. In practice this means:
● General rules should have a lower priority than restrictive rules. Otherwise the general rules would eclipse the restrictive rules, because processing ends when the first matching rule is found.
● Undefined or general rules should have a lower priority than defined rules. An undefined rule specifies entire subnets or the address 0.0.0.0 (= unknown) as the source or destination. An undefined rule with a higher priority "eclipses" a defined rule with a lower priority, because processing ends when the first matching rule is found.
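To make the first-match evaluation and the "eclipsing" pitfall concrete, here is an added Python model (example code written for this page, not from the HG 1500 or its documentation) that evaluates rules in priority order and, as a configuration check, flags rules that can never fire. It generalizes the host example above to subnets; the rule names, the `Rule` fields and the sample addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number = higher priority; priority 1 is evaluated first
    source: str         # host or subnet; "0.0.0.0/0" models the 0.0.0.0 (= unknown) wildcard
    destination: str
    action: str         # "allow" or "deny"

def _net(spec: str):
    return ip_network(spec, strict=False)   # a bare host address becomes a /32

def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    return ip_address(src) in _net(rule.source) and ip_address(dst) in _net(rule.destination)

def first_match(rules, src: str, dst: str):
    """Check rules from priority 1 downwards and apply the first match; later matches are ignored."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src, dst):
            return rule
    return None     # no rule matches this connection request

def eclipsed_rules(rules):
    """Configuration check: (eclipsed, eclipsing) pairs where a rule can never fire because a
    higher-priority rule already covers at least the same source and destination."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_net(later.source).subnet_of(_net(earlier.source))
                    and _net(later.destination).subnet_of(_net(earlier.destination))):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample rule sets (not taken from the documentation). In BAD_RULES the general
# subnet rule has the higher priority (1), so the restrictive host rule (2) is never reached.
BAD_RULES = [
    Rule("allow-lan", 1, "192.168.0.0/16", "0.0.0.0/0", "allow"),
    Rule("deny-host", 2, "192.168.1.50", "192.168.4.50", "deny"),
]
# Giving the general rule the lower priority (higher number) restores the intended behaviour.
GOOD_RULES = [
    Rule("deny-host", 1, "192.168.1.50", "192.168.4.50", "deny"),
    Rule("allow-lan", 2, "192.168.0.0/16", "0.0.0.0/0", "allow"),
]
```

Running `eclipsed_rules` over a rule set before activating it catches the ordering mistake described in the two points above without having to trace individual connections.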
9.6.6 Authentication
SSL Authentication
This concerns client/server communication in SSL-based WBM administration.
The client, i.e. the browser used to start the WBM, authenticates itself to the server with a user account (user name and password). This account must already have been created.
The server authenticates itself to the client with the certificates generated or imported by the SSL function. Such certificates can be imported into the browser as trusted certificates to avoid warning messages in the browser when connecting to the SSL server (HiPath 3000/5000 V8 - HG 1500 V8).
VPN Authentication
This concerns peer-to-peer communication in a VPN. The following two types of authentication are possible for VPN peers: