
How to establish a VPN tunnel between two Safepipes


Introduction

You establish a secure VPN connection between two networks by configuring a Safepipe-to-Safepipe tunnel. The four HowTo guides below describe the configuration procedures for the most common scenarios:

Simple automatic tunnel

Simple automatic tunnel with a Safepipe behind a NAT router

Restricted tunnel

Restricted tunnel with a Safepipe behind a NAT router


About tunnels

Tunnels are the basis of a VPN. They let data travel over the Internet and still remain confidential, protected by 128-bit strong encryption and authentication at both tunnel ends. You can configure and manage tunnels between your local Safepipe and another Safepipe, connecting two geographically separated LANs. Safepipe offers two tunnel types - automatic and restricted. Both types use IPsec, but there is a difference in their configuration and applications.

Automatic tunnels
With a simple automatic tunnel, each LAN known to Safepipe is advertised to the remote end and vice versa. Thus, with very little effort, an automatic tunnel enables exchange of data between any LANs. When a LAN is reconfigured at one end, the routing table at the other end is automatically updated. Automatic tunnels support bridging of any protocol. Since traffic through automatic tunnels bypasses Safepipe's firewall, automatic tunnels should only be used between trusted sites.

Restricted tunnels
A restricted tunnel allows you to control access between the LANs connected via the tunnel. With a restricted tunnel, the LAN subnets that are allowed to exchange data through the tunnel are chosen during tunnel configuration. To further customize the policy, firewall rules can be applied to the restricted tunnel. The result is that access can be limited to particular, defined resources on each network. There is no bridging option; only IP traffic is routed in restricted tunnels. If you have a Safepipe 1100 series, always use restricted tunnels to reduce the duration and cost of ISDN/ADSL connections. The same applies if Safepipe is located behind, for example, a NAT router.


About NAT and NAT routers

NAT, Network Address Translation, is a technique that enables a business to use two sets of IP addresses, one for internal traffic on the LAN and another for external traffic to and from the LAN, thus keeping the contents of the local network hidden.

A NAT router can be used to connect two LANs when one of the networks uses private IP addresses that need to be translated to valid, public IP addresses. NAT operates in conjunction with routing and provides functionality as if the private network had globally routable IP addresses and the NAT router were not present. NAT routers are widely used in network configurations. In the above HowTo guides, a NAT router is located between Safepipe and the Internet.

Note: It is not possible to create a tunnel when both Safepipes are located behind NAT routers.

© 2001 Eicon Networks