


What is the difference between Safepipe's automatic and restricted tunnels?

Safepipe offers two types of tunnels - automatic and restricted. Both tunnel types use IPsec, the security standard for the Internet developed by the IETF (Internet Engineering Task Force). But there is a difference in their setup and applications.

Automatic Tunnels
With an automatic tunnel, each network known to Safepipe is advertised to the remote end and vice-versa via the routing protocol RIP2. This means that with very little setup, an automatic tunnel will be able to forward data between any local network at either end. When reconfiguring a network at one end, the routing table at the other end is updated without user intervention.

Automatic tunnels support bridging of all protocols. Even IP can be bridged if the network address used for the local network at each end is the same, although it is better to route IP for maximum performance. A proprietary protocol similar to RIP is used to keep track of MAC addresses across the VPN, minimizing overhead.

Since automatic tunnels dynamically update the routing tables, they are not suited to use with firewall rules. To maximize throughput, automatic tunnel traffic bypasses the firewall altogether. Automatic tunnels should therefore only be used between trusted sites.

The advantages of the automatic tunnel compared to the restricted tunnel are:

  • Simpler configuration
  • Routing information is passed through the tunnel
  • The bridging option is available

Restricted Tunnels
A restricted tunnel controls access between the local networks connected via the tunnel. With a restricted tunnel, the networks or subnets that can exchange data through the tunnel are chosen during tunnel setup. To further customize the policy, firewall rules can be applied to the restricted tunnel on the firewall configuration pages. The result is that access can be limited to particular resources on each network.

Restricted tunnels should always be used with the Safepipe 1100 series to reduce the duration and cost of ISDN/ADSL connections. With an automatic tunnel it is probable that constant non-productive data will prevent the ISDN line from becoming idle and being disconnected.

Only IP traffic is routed in restricted tunnels - there is no bridging option available.

The advantages of the restricted tunnel compared to the automatic tunnel are:
  • Increased security through greater control over access to remote resources
  • The networks to and from which traffic should be routed are explicitly configured for increased control
  • The traffic passes through the firewall in the Safepipe, thus increasing security and control even further
  • Routing updates are not transmitted so available bandwidth is used more efficiently
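
The difference in reachability between the two tunnel types can be shown with a small model. This is an added example, not Eicon code or Safepipe configuration syntax; the class names, addresses, rule format, first-match rule order and the behaviour for unmatched traffic are all assumptions made for illustration.

```python
import ipaddress

def _net(cidr):
    return ipaddress.ip_network(cidr)

class AutomaticTunnel:
    """Model only: remote networks arrive via routing updates, firewall not consulted."""
    def __init__(self):
        self.learned = set()

    def routing_update(self, cidr):
        self.learned.add(_net(cidr))

    def permits(self, src, dst, port):
        # Any advertised network is reachable; source and port are not checked.
        return any(ipaddress.ip_address(dst) in n for n in self.learned)

class RestrictedTunnel:
    """Model only: fixed network pairs chosen at setup, then firewall rules."""
    def __init__(self, pairs, rules):
        self.pairs = [(_net(a), _net(b)) for a, b in pairs]
        # rule = (src_cidr, dst_cidr, port or None for any port, allow?)
        self.rules = [(_net(s), _net(d), p, ok) for s, d, p, ok in rules]

    def permits(self, src, dst, port):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in a and d in b for a, b in self.pairs):
            return False  # outside the networks selected at tunnel setup
        for rs, rd, rp, ok in self.rules:  # first match wins (assumption)
            if s in rs and d in rd and rp in (None, port):
                return ok
        return True  # assumption: unmatched traffic between selected networks passes

# Constructed sample sites and rules.
AUTO = AutomaticTunnel()
AUTO.routing_update("10.0.1.0/24")
RESTRICTED = RestrictedTunnel(
    pairs=[("192.168.1.0/24", "10.0.1.0/24")],
    rules=[("192.168.1.0/24", "10.0.1.10/32", 443, True),
           ("0.0.0.0/0", "0.0.0.0/0", None, False)],
)
# The remote site adds a network; only the automatic tunnel picks it up.
AUTO.routing_update("10.0.2.0/24")

if __name__ == "__main__":
    for dst, port in [("10.0.1.10", 443), ("10.0.1.10", 23), ("10.0.2.7", 23)]:
        print(dst, port,
              "automatic:", AUTO.permits("192.168.1.5", dst, port),
              "restricted:", RESTRICTED.permits("192.168.1.5", dst, port))
```

In this model a network added at the remote end becomes reachable over the automatic tunnel with no local change, while the restricted tunnel keeps access limited to the one host and port its rules allow.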

© 2001 Eicon Networks