Defining VPN Rules

To make sure that your security rules work correctly with Route Based VPN traffic, you must add directional matching conditions and allow OSPF traffic. This section includes procedures for configuring security rules to do this.

Defining Directional Matching VPN Rules

This section contains the procedure for defining directional matching rules. Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN column in the rule. This is because without bi-directional matching, the rule only applies to connections between a community and an encryption domain (Domain Based Routing).

Name	Source	Destination	VPN	Service	Action
VPN Tunnel	`Any`	`Any`	`MyIntranet`	`Any`	`Accept`

The directional rule must contain these directional matching conditions:

Community > Community
Community > Internal_Clear
Internal_Clear > Community

MyIntranet is the name of a VPN Community.

Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.

Name	Source	Destination	VPN	Service	Action
VPN Tunnel	`Any`	`Any`	`MyIntranet > MyIntranet` `MyIntranet > Internal_Clear` `Internal_Clear > MyIntranet`	`Any`	`Accept`

Note - It is not necessary to define bidirectional matching rules if the VPN column contains the Any value.

To enable VPN directional matching:

Step	Description
1	In SmartConsole, click Menu > Global properties > expand VPN > Advanced.
2	Select the Enable VPN Directional Match in VPN Column option.
3	In SmartConsole, double-click each member gateway and click the Topology page. Click Get > Interfaces with Topology to update the topology to include the newly defined VTIs. Click Accept.

Step

Description

In SmartConsole, click Menu > Global properties > expand VPN > Advanced.

Select the Enable VPN Directional Match in VPN Column option.

In SmartConsole, double-click each member gateway and click the Topology page.

Click Get > Interfaces with Topology to update the topology to include the newly defined VTIs.
Click Accept.

To define a VPN directional matching rule:

Step	Description
1	Double-click the VPN cell in the applicable rule.
2	In the VPN Match Conditions window, select Match traffic in this direction only.
3	Click Add to define sets of matching conditions.
4	In the Direction VPN Match Condition window, select the source and destination matching conditions. Do this step for each set of matching conditions.

Defining Rules to Allow OSPF Traffic

One advantage of Route Based VPN is the fact that you can use dynamic routing protocols to distribute routing information between Security Gateways. The OSPF (Open Shortest Path First) protocol is commonly used with VTIs. This section shows you how to allow OSPF traffic in a VPN community.

To learn about configuring OSPF, see the R80.20 Gaia Advanced Routing Administration Guide.

To allow OSPF traffic for a VPN Community:

Step	Description
1	In the Gaia Portal or Gaia Clish, add the applicable VPN Tunnel Interfaces to the OSPF configuration page.
2	In SmartConsole, add an Access Control rule that allows traffic to the VPN community (or all communities) that uses the OSPF service: Name = Allow OSPF Source = `Any` Destination = `Any` VPN = `MyIntranet` Service = `ospf` Action = `Accept`

Step

Description

In the Gaia Portal or Gaia Clish, add the applicable VPN Tunnel Interfaces to the OSPF configuration page.

In SmartConsole, add an Access Control rule that allows traffic to the VPN community (or all communities) that uses the OSPF service:

Name = Allow OSPF

Source = Any

Destination = Any

VPN = MyIntranet

Service = ospf

Action = Accept

Completing the VTI Configuration

You must save your configuration to the database and install policies to the Security Gateways before the VPN can be fully functional.

To complete the VTI configuration:

Step	Description
1	Save the configuration to the database.
2	Install the policy on the Security Gateways.
3	Make sure that the VTI tunnel and the rules are working correctly.