| 8.5.2.1. | What if I have a Dynamic DNS name? | 
|  | Some users have an IP address that changes regularly. The changing IP address can
              be on either the SmallWall device or the remote IPsec VPN client. For example, a dialup
              account, a DSL Internet modem, or simply moving a laptop computer from one wireless
              hotspot to another can all cause IP addresses to change. While the changing IP
              address does not affect normal Internet usage, it will break IPsec tunnels that are
              configured to use a specific DNS name or IP address. A dynamic DNS name will allow you to keep the same name and can be used with
              SmallWall. SmallWall supports domain names on both sides. | 
| 8.5.2.2. | What happens when I change my IPSec configuration? | 
|  | Any changes to your IPsec configuration will cause all IPsec
              tunnels to be closed when the changes are applied. | 
| 8.5.2.3. | Can a single IPsec tunnel support non-contiguous
              subnets? | 
|  | Not at this time. The only way to achieve this would be to
              have multiple IPsec connections, one for each subnet. | 
| 8.5.2.4. | Can I use NAT on a subnet that is on the other side of an
              IPsec connection? | 
|  | Not at this time. This would be useful if 2 or more networks
              use the same subnet and are trying to communicate with each
              other over an IPsec connection. | 
| 8.5.2.5. | Can fragmented packets pass through an IPsec
              connection? | 
|  | By default, fragmented packets are not allowed to be encrypted. This default can
              be changed in the System > Advanced > Miscellaneous menu by checking the "Allow
              fragmented IPsec packets" box. When activated, this will cause SmallWall to allow
              fragmented IP packets that are encapsulated in IPsec ESP packets. | 
| 8.5.2.6. | What happens when an IPsec connection is restarted with a
              new IP address? | 
|  | By default, if several Security Associations (SAs) match,
              the newest one is preferred if it's at least 30 seconds old.
              This default can be changed in the System > Advanced >
              Miscellaneous menu by checking the "Prefer old IPsec SAs" box. When
              activated, this option always prefers old SAs over new
              ones. | 
| 8.5.2.7. | When are IPsec connections opened? | 
|  | When traffic is attempting to reach a network or IP address that is configured to
              be on a remote IPsec connection, SmallWall will attempt to build the
              connection. | 
| 8.5.2.8. | Can I use the Cisco IPsec client to connect to SmallWall? | 
|  | It won't work. It's not the same kind of IPsec client required by SmallWall.
              However, some users have reported success when using the NAT-T feature (i.e.,
              encapsulating encrypted traffic in UDP packets). | 
| 8.5.2.9. | Can I route any traffic over my IPsec connection? | 
|  | Part of the IPsec configuration identifies local and remote networks. IP addresses
              that are outside of those networks are not authorized to travel through an IPsec
              connection. This means that if you have additional routed networks connected to your
              LAN, they may not be able to traverse the IPsec connection because they do not
              originate from the LAN itself. If you have an additional network or subnet that you want to
              travel through IPsec, you can make additional tunnels or
              optionally put a NAT device between the LAN network and the
              other subnets so that traffic from the additional network will
              appear to be coming from the authorized network. | 
| 8.5.2.10. | Can I forward IP broadcasts over an IPsec VPN? | 
|  | Not with IPsec. Broadcasts don't cross broadcast domains. In
              the case of a VPN link, each network is its own broadcast
              domain. Normally you don't want to connect broadcast domains
              because most networks have more broadcast traffic than you
              want to push over a VPN connection.  |
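
The rules in 8.5.2.3 and 8.5.2.9 can be checked on paper before configuring tunnels. The following is an added example, not SmallWall code: it models each tunnel as a hypothetical (local network, remote network) pair, works out how many tunnels a set of local subnets needs, and flags routed subnets whose traffic would not be authorized. All function names and addresses are constructed for illustration.

```python
import ipaddress


def tunnels_needed(local_subnets, remote_subnet):
    """One tunnel per contiguous local block: adjacent, aligned subnets are
    merged into a single CIDR, non-contiguous ones each get their own."""
    nets = [ipaddress.ip_network(s) for s in local_subnets]
    remote = ipaddress.ip_network(remote_subnet)
    return [(block, remote) for block in ipaddress.collapse_addresses(nets)]


def matching_tunnel(tunnels, src, dst):
    """Return the (local, remote) pair that authorizes this flow, or None
    if the source or destination lies outside every configured pair."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in tunnels:
        if src_ip in local and dst_ip in remote:
            return (local, remote)
    return None


def uncovered_sources(tunnels, routed_subnets):
    """Routed subnets behind the LAN that no tunnel's local network contains;
    these need an extra tunnel or NAT into an authorized network."""
    missing = []
    for s in routed_subnets:
        net = ipaddress.ip_network(s)
        if not any(net.subnet_of(local) for local, _ in tunnels):
            missing.append(net)
    return missing


if __name__ == "__main__":
    # Constructed sample networks (assumptions, not from the SmallWall docs).
    local = ["192.168.0.0/24", "192.168.1.0/24", "10.10.0.0/24"]
    tunnels = tunnels_needed(local, "172.16.0.0/16")
    for l, r in tunnels:
        print(f"tunnel: {l} <-> {r}")
    print("flow 192.168.1.20 -> 172.16.5.5:",
          matching_tunnel(tunnels, "192.168.1.20", "172.16.5.5"))
    print("flow 192.168.2.20 -> 172.16.5.5:",
          matching_tunnel(tunnels, "192.168.2.20", "172.16.5.5"))
    print("not covered:", uncovered_sources(tunnels, ["192.168.2.0/24"]))
```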