Directional VPN Enforcement

In This Section:

Overview of Directional VPN

Directional Enforcement within a Community

Configurable Objects in a Direction

Directional Enforcement between Communities

Configuring Directional VPN Within a Community

Configuring Directional VPN Between Communities

Overview of Directional VPN

When a VPN community is selected in the VPN column of the Security Policy Rule Base, the source and destination IP addresses can belong to any of the Security Gateways in the community. In other words, the traffic is bidirectional; any of the Security Gateways can be the source of a connection, any of the Security Gateways can be the destination endpoint. But what if the administrator (in line with the company's security policy) wished to enforce traffic in one direction only? Or to allow encrypted traffic to or from Security Gateways not included in the VPN community? To enable enforcement within VPN communities, VPN implements Directional VPN.

Directional VPN specifies where the source address must be, and where the destination address must be. In this way, enforcement can take place:

Directional Enforcement within a Community

The figure shows a simple meshed VPN community called MyIntranet. VPN traffic within the MyIntranet Mesh is bidirectional; that is, either of the Security Gateways (or the hosts behind the Security Gateways in the VPN domains) can be the source or destination address for a connection.

Source   Destination   VPN                             Service   Action   Track
------   -----------   ---                             -------   ------   -----
Any      Any           MyIntranet => MyIntranet        telnet    accept   log
                       MyIntranet => internal_clear
                       internal_clear => MyIntranet
Any      Any           MyIntranet                      telnet    accept   log

The match conditions are represented by a series of compound objects. In the first rule, the three compound objects in the VPN column enforce traffic in exactly those three directions: within the community, from the community to the local VPN domain, and from the local VPN domain to the community. The second rule, with the bare community object, is the equivalent bidirectional form.

Configurable Objects in a Direction

The table shows all the objects that can be configured in a direction, including three new objects created for Directional VPN:

Name of Object     Description
--------------     -----------
Remote Access      Remote Access community
Site2SiteVPN       Regular Star/Mesh community
Any Traffic        Any traffic
All_GwToGw         All Site2Site communities
All_Communities    All Site2Site and RemoteAccess communities
External_clear     For traffic outside the VPN community
Internal_clear     For traffic between local domains within the community

Note - Clear text connections originating from the following objects are not subject to enforcement:

There is no limit to the number of VPN directions that can be configured on a single rule. In general, if you have many directional enforcements, consider replacing them with a standard bidirectional condition.

Directional Enforcement between Communities

VPN Directional Enforcement can take place between two VPN communities. In this case, one gateway must be configured as a member of both communities and the enforcement point between them. Every other peer gateway in both communities must have a route entry to the enforcement point gateway in its vpn_route.conf file.

To add a route entry to the enforcement point gateway:

On the management module of each gateway in the community (except for the enforcement point gateway), add an entry in the $FWDIR/conf/vpn_route.conf file:

Destination                   Next hop router interface   Install on
-----------                   -------------------------   ----------
<destination_community_obj>   <enforcement_point_gw>      <managed_FW_object>

These are the variables in the entry:

In the example below, Washington is a Mesh community, and London is a VPN Star.

The directional VPN rule below must be configured for the enforcement point gateway in the Access Control Policy Rule Base:

Source   Destination   VPN                   Services & Applications   Action
------   -----------   ---                   -----------------------   ------
Any      Any           Washington => London   Any                      accept

The rule is applied to all VPN traffic that passes through the enforcement point gateway between the Washington and London communities. If a connection is opened from a source in the Washington Mesh, and the destination is in the London Star, the connection is allowed. Otherwise, the connection is denied.

Note - The Directional Enforcement applies only to the first packet of a connection. If the connection is permitted, the following packets of this connection are also permitted, including the packets in the opposite direction.
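The following Python model is an added illustration, not Check Point code or an excerpt from this page; it encodes the matching semantics described above for the MyIntranet rule and the Washington => London rule, plus the first-packet behaviour of the note. The Endpoint/Gateway classes, the matches/expand helpers and the host addresses are constructed assumptions, and a bare community name in the VPN column is modelled as the three directional conditions of the first MyIntranet rule.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Endpoint:
    ip: str
    location: str  # "local" = clear-text host in this gateway's VPN domain; else a community name

def matches(obj: str, ep: Endpoint) -> bool:
    """Does a directional object cover this endpoint, as seen from the enforcing gateway?"""
    if obj == "Any Traffic":
        return True
    if obj == "internal_clear":
        return ep.location == "local"
    return ep.location == obj  # a community object such as MyIntranet, Washington, London

def expand(vpn_column: list[str]) -> list[tuple[str, str]]:
    """Turn the VPN column into (from, to) pairs; a bare community name is bidirectional,
    i.e. the same as the three directional conditions in the first MyIntranet rule."""
    pairs = []
    for cond in vpn_column:
        if "=>" in cond:
            src, dst = (part.strip() for part in cond.split("=>"))
            pairs.append((src, dst))
        else:
            pairs += [(cond, cond), (cond, "internal_clear"), ("internal_clear", cond)]
    return pairs

@dataclass
class Gateway:
    vpn_column: list[str]                          # VPN column of the single accept rule
    connections: set = field(default_factory=set)  # constructed stand-in for the connection table

    def first_packet_allowed(self, src: Endpoint, dst: Endpoint) -> bool:
        # Source must be covered by the 'from' object AND destination by the 'to' object
        return any(matches(f, src) and matches(t, dst) for f, t in expand(self.vpn_column))

    def packet(self, src: Endpoint, dst: Endpoint) -> str:
        key = (src.ip, dst.ip)
        # Only the first packet is checked directionally; later packets of an accepted
        # connection pass in both directions without re-evaluation.
        if key in self.connections or key[::-1] in self.connections:
            return "accept (existing connection)"
        if self.first_packet_allowed(src, dst):
            self.connections.add(key)
            return "accept"
        return "drop"

# Constructed endpoints (hypothetical addresses)
LOCAL_HOST = Endpoint("10.1.1.10", "local")        # behind the enforcing gateway
PEER_HOST = Endpoint("10.2.2.20", "MyIntranet")    # behind another MyIntranet member
```

With a one-way condition such as internal_clear => MyIntranet, a connection opened from the peer side is dropped, while the reply packets of a locally opened connection are accepted because the connection already exists.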

Configuring Directional VPN Within a Community

To configure Directional VPN within a community:

  1. In the Global Properties > VPN > Advanced page, select Enable VPN Directional Match in VPN Column.
  2. In the VPN column of the appropriate rule, select Directional Match Condition.

    The New Directional Match Condition window opens.

  3. In the Traffic reaching from drop-down box, select the object for Internal_clear (the source).
  4. In the Traffic leaving to drop-down box, select the relevant community object (the destination).
  5. Add another directional match in which the relevant community object is both the source and destination.

    This allows traffic from the local domain to the community, and within the community.

  6. Click OK.

Configuring Directional VPN Between Communities

To configure Directional VPN between communities:

  1. In the Global Properties > VPN > Advanced page, select Enable VPN Directional Match in VPN Column.
  2. In the VPN column of the appropriate rule, select Directional Match Condition.

    The New Directional Match Condition window opens.

  3. In the Traffic reaching from drop-down box, select the source of the connection.
  4. In the Traffic leaving to drop-down box, select the destination of the connection.
  5. Click OK.