Prerequisites

Before you can create an IPsec Tunnel Entry you must complete the following:

  • An SBC Certificate and a Trusted CA Certificate must be obtained and imported to the SBC when Certificate is selected in the Authentication Mode list box of the Authentication Parameters panel. Refer to Working with Certificates for information about configuring certificates on the SBC.
  • An IPsec license is required to manage IPsec tunnels.


Important Information for Previous SIP-TLS Users
  • When upgrading to version 3.0, existing SBC Certificates will fail authentication due to key integrity verification errors when used to bring up the IPsec tunnel in the Certificate authentication mode.
  • Before managing an IPsec tunnel for Certificate authentication, you must generate a new Certificate Signing Request (CSR), re-sign, and re-import a new SBC Certificate.


Note: Multiple Tunnel Configuration
  • Branch Office SBC: If multiple tunnel connection entries are configured for IKE preshared key authentication on the branch office SBC, both the Remote Address and the Preshared Secret must be unique.
  • Headquarters SBC: If multiple tunnel connection entries are configured for IKE Preshared key authentication on the headquarters SBC, either the Remote Address (only visible when Allow Any Remote Address is disabled) or the Remote Identifier (only visible when Allow Any Remote Address is enabled) values must be unique.
  • By default, the SBC VPN gateway supports policy-based source routing. The policy-based routing entries in the routing table are created automatically when an IPsec tunnel is established. In a similar fashion, the policy-based routing entries in the routing table are deleted when an IPsec tunnel is torn down.

    The table entries force the source address of the IP packets leaving the SBC gateway through the outer interface to take on the IP address of the inner interface. This allows the SIP Option exchange messages and other traffic flows between the SBC VPN trunking gateways to pass through the tunnel with the packet encapsulation and decapsulation at both SBC gateway tunnel endpoints. Adding the inner interface address (private LAN connected to the local subnet network) to the Local Subnet Address field and the external interface address (private LAN connected to the remote subnet network) to the Remote Subnet Address field on both the branch office and headquarters SBC gateways enables the IPsec source routing capabilities.

    In complex topology situations involving either a third-party VPN router and/or multiple next-hop devices, the traffic flow between the tunnel subnets is not properly source routed. As a workaround, default static routes can be manually added to the SBC VPN gateway.
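As an added example (not from the original page or the SBC's own software), the following check applies the uniqueness rules described in this note to a constructed list of preshared-key tunnel entries and reports which branch-office or headquarters entries collide. The TunnelEntry model, the role names "branch" and "headquarters", and the sample addresses and secrets are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TunnelEntry:
    """One IPsec Connection Table entry using IKE preshared-key authentication (hypothetical model)."""
    name: str
    preshared_secret: str
    remote_address: Optional[str] = None     # visible only when Allow Any Remote Address is disabled
    remote_identifier: Optional[str] = None  # visible only when Allow Any Remote Address is enabled
    allow_any_remote: bool = False


def find_conflicts(entries: List[TunnelEntry], role: str) -> List[str]:
    """Return the uniqueness violations for entries on a 'branch' or 'headquarters' SBC."""
    groups: Dict[Tuple[str, Optional[str]], List[str]] = defaultdict(list)
    for e in entries:
        if role == "branch":
            # Branch office: both the Remote Address and the Preshared Secret must be unique.
            groups[("remote address", e.remote_address)].append(e.name)
            groups[("preshared secret", e.preshared_secret)].append(e.name)
        elif role == "headquarters":
            # Headquarters: the field that identifies the peer must be unique; which field
            # that is depends on the entry's Allow Any Remote Address setting.
            if e.allow_any_remote:
                key = ("remote identifier", e.remote_identifier)
            else:
                key = ("remote address", e.remote_address)
            groups[key].append(e.name)
        else:
            raise ValueError(f"unknown SBC role: {role}")
    conflicts = []
    for (field, value), names in groups.items():
        if len(names) > 1:
            shown = "<redacted>" if field == "preshared secret" else value  # never echo secrets
            conflicts.append(f"{field} {shown} shared by {', '.join(sorted(names))}")
    return sorted(conflicts)


# Constructed sample entries (documentation address ranges, placeholder secrets).
BRANCH_ENTRIES = [
    TunnelEntry("hq-primary", "psk-one", remote_address="203.0.113.10"),
    TunnelEntry("hq-backup", "psk-two", remote_address="203.0.113.10"),  # duplicate address
    TunnelEntry("hq-dr", "psk-one", remote_address="203.0.113.11"),      # duplicate secret
]
HQ_ENTRIES = [
    TunnelEntry("branch-1", "psk-a", remote_address="198.51.100.5"),
    TunnelEntry("branch-2", "psk-b", remote_identifier="branch-2.example", allow_any_remote=True),
    TunnelEntry("branch-3", "psk-c", remote_identifier="branch-2.example", allow_any_remote=True),
]
```

Run find_conflicts(BRANCH_ENTRIES, "branch") and find_conflicts(HQ_ENTRIES, "headquarters") to see the two branch-office collisions and the one headquarters collision in the sample data.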


Working with IPsec Connections

Note: Restart Services after IPsec Certificate Change

For existing tunnel entries in the IPsec Tunnel table: any changes to the certificates will take effect when a Restart Service is executed. Refer to Creating and Modifying IPsec Tunnel Entries.


  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Protocols > IPsec > Connection Tables.



To view an IPsec Connection Table entry's properties:


