SBC 1000/2000 4.1.x : Managing IPsec Tunnels
Before you can create an IPsec Tunnel Entry you must have done the following:
- A Sonus SBC Certificate and a Trusted CA Certificate must be obtained and imported to the SBC when Certificate is selected in the Authentication Mode list box of the Authentication Parameters panel. Refer to Working with Certificates for information about configuring certificates on the SBC.
- An IPsec license is required to manage IPsec tunnels.
|Important Information for Previous SIP-TLS Users:|
- When upgrading to version 3.0 existing Sonus SBC Certificates will fail authentication due to key integrity verification errors when used to bring up the IPsec tunnel in the Certificate authentication mode.
- Before beginning to manage an IPsec tunnel for Certificate authentication, you must generate a new Certificate Signing Request (CSR), re-sign, and re-import a new Sonus SBC Certificate.
|Note: Multiple Tunnel Configuration|
- Branch Office SBC: If multiple tunnel connection entries are configured for IKE preshared key authentication on the branch office SBC, both the Remote Address and the Preshared Secret must be unique.
- Headquarters SBC: If multiple tunnel connection entries are configured for IKE Preshared key authentication on the headquarters SBC, either the Remote Address (only visible when Allow Any Remote Address is disabled) or the Remote Identifier (only visible when Allow Any Remote Address is enabled) values must be unique.
- By default, the SBC VPN gateway supports policy-based source routing. The policy-based routing entries in the routing table are created automatically when an IPsec tunnel is established. In similar fashion, the policy-based routing entries in the routing table are deleted when an IPsec tunnel is torn down.
The table entries force the source address of the IP packets leaving the SBC gateway through the outer interface to take on the IP address of the inner interface. This allows the SIP OPTIONS exchange messages and other traffic flows between the SBC VPN trunking gateways to pass through the tunnel, with packet encapsulation and decapsulation at both SBC gateway tunnel endpoints. Adding the inner interface address (private LAN connected to the local subnet network) to the Local Subnet Address field and the external interface address (private LAN connected to the remote subnet network) to the Remote Subnet Address field on both the branch office and headquarters SBC gateways enables the IPsec source routing capabilities.
In complex topologies involving a third-party VPN router, multiple nexthop devices, or both, the traffic flow between the tunnel subnets is not properly source routed. As a workaround, default static routes can be manually added to the SBC VPN gateway.
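The uniqueness rules in the Multiple Tunnel Configuration note above are easy to violate when many branch tunnels are provisioned. The following added example (not Sonus code; the entry field names such as `remote_address` and `allow_any_remote_address` are assumed) lints a list of IKE preshared-key tunnel entries against those rules for either SBC role:

```python
# Added example, not from the Sonus SBC documentation. Entry keys are assumed
# names mirroring the WebUI fields: remote_address, preshared_secret,
# remote_identifier, allow_any_remote_address.
from collections import Counter


def duplicate_values(entries, field):
    """Return the values of `field` that appear in more than one entry."""
    counts = Counter(e[field] for e in entries if e.get(field) is not None)
    return sorted(v for v, n in counts.items() if n > 1)


def check_tunnel_entries(role, entries):
    """Validate preshared-key tunnel entries for a 'branch' or 'headquarters' SBC.

    Returns a list of problems; an empty list means the entries satisfy the
    uniqueness rules from the Multiple Tunnel Configuration note.
    """
    problems = []
    if role == "branch":
        # Branch office: both Remote Address and Preshared Secret must be unique.
        for addr in duplicate_values(entries, "remote_address"):
            problems.append(f"branch: duplicate remote_address {addr}")
        # Report the fact, never the secret value itself.
        if duplicate_values(entries, "preshared_secret"):
            problems.append("branch: duplicate preshared_secret")
    elif role == "headquarters":
        # Headquarters: the unique key depends on Allow Any Remote Address.
        fixed = [e for e in entries if not e.get("allow_any_remote_address", False)]
        any_remote = [e for e in entries if e.get("allow_any_remote_address", False)]
        for addr in duplicate_values(fixed, "remote_address"):
            problems.append(f"headquarters: duplicate remote_address {addr}")
        for ident in duplicate_values(any_remote, "remote_identifier"):
            problems.append(f"headquarters: duplicate remote_identifier {ident}")
    else:
        raise ValueError(f"unknown role {role!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two headquarters entries reuse the same Remote Identifier.
    sample = [
        {"remote_identifier": "branch-a", "allow_any_remote_address": True},
        {"remote_identifier": "branch-a", "allow_any_remote_address": True},
        {"remote_address": "198.51.100.5", "allow_any_remote_address": False},
    ]
    for p in check_tunnel_entries("headquarters", sample):
        print(p)
```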
|Note: Restart Services after IPsec Certificate Change|
For existing tunnel entries in the IPsec Tunnel table: any changes to the certificates will take effect when a Restart Service is executed. See Creating and Modifying IPsec Tunnel Entries.
Working with IPsec Connections
To view an IPsec Connection Table entry's properties:
- In the WebUI, click the Settings tab.
- In the left navigation pane, go to Protocols > IPsec > Connection Tables.
- Click the popup icon next to the entry you want to view.
- When you are finished, close the window.
Helpful Tip: To delete an entry, simply select the checkbox next to the entry you wish to delete, then click the Delete icon located at the top of the window.