140 Nokia Network Voyager for IPSO 4.0 Reference Guide
To add nodes configured for transparent mode to a cluster using SmartDashboard
1. Create a gateway object for each of the VRRP nodes.
2. Define the topology for each gateway object. Make sure that transparent mode is properly configured, with the address ranges of the external and internal networks correctly defined.
3. Create the cluster object.
4. Add each gateway to the cluster object using the Add Gateway to Cluster button.
If you instead use the New Cluster Member button to add a VRRP member that uses transparent mode to a cluster, the topology of that member cannot be configured correctly.
Virtual Tunnel Interfaces (FWVPN) for Route-Based VPN
Virtual Tunnel Interfaces (VTI) support Check Point route-based VPN. A VTI is a virtual interface that serves as the gateway to the encryption domain of the peer gateway. Each VTI is associated with a single tunnel to one VPN-1 Pro peer gateway. As with domain-based VPNs, the tunnel and its properties are defined by a VPN community linking the two gateways. The peer gateway is configured with a corresponding VTI. The native IP routing mechanism on each gateway can then direct traffic into the tunnel just as it would for any other interface, and traffic that is routed through the VTI is encrypted.
For more information about route-based VPN, see the Check Point Virtual Private Networks guide.
Unnumbered VTIs
Nokia IPSO supports only unnumbered VTIs. Local and remote IP addresses are not configured on the VTI; instead, the interface is associated with a proxy interface from which it inherits an IP address. Traffic that is initiated by the gateway and routed through the VTI has the proxy interface IP address as its source IP address.
If you want the source IP address to be an address not otherwise used on the system, create a loopback interface with the desired IP address and use it as the proxy interface.
Routing Traffic through the VTI
In route-based VPN, a packet is encrypted only if it is routed through the virtual tunnel interface. To make sure that traffic is routed through the VTI, you have several options:
• Make the VTI the default route. Make sure you also have a static or dynamic route that lets the gateway reach the external interface of the peer gateway (and vice versa) through a physical interface; otherwise the encrypted packets destined for the peer would themselves be routed into the tunnel and never leave the gateway.
• Add a specific static route to the network behind the peer gateway, with the VTI as the next hop.
• Configure a dynamic routing protocol on the VTI. For example, enable OSPF on the VTI and redistribute the routes for the internal networks into OSPF as external routes, or enable OSPF on both the VTI and its proxy interface.
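The following is an added example, not code from the Nokia IPSO or Check Point products, that models the two static-routing options above and the unnumbered-VTI source-address rule with a small longest-prefix-match routing table. Interface names (eth1c0, eth2c0, loop0, vt1), all addresses, and the peer's encryption domain (10.2.0.0/16) are assumptions chosen for the illustration. It shows why the first option needs a separate route to the peer's external address: a table whose only route is the default via the VTI resolves the peer's own address to the tunnel, so the encrypted packets could never be sent.

```python
"""Model of how an unnumbered VTI steers traffic into a route-based VPN.
Added example; not Nokia IPSO or Check Point code. Interface names and
all addresses are assumed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


class Interface:
    def __init__(self, name: str, addr: Optional[str] = None,
                 proxy: Optional[str] = None):
        self.name = name
        self.addr = ipaddress.ip_address(addr) if addr else None
        self.proxy = proxy  # set only on a VTI: name of its proxy interface

    @property
    def is_vti(self) -> bool:
        return self.proxy is not None


class RoutingTable:
    def __init__(self, interfaces: List[Interface]):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.routes: List[Tuple[IPv4Net, str, Optional[str]]] = []

    def add(self, prefix: str, iface: str, gateway: Optional[str] = None) -> None:
        if iface not in self.ifaces:
            raise ValueError(f"unknown interface {iface}")
        self.routes.append((ipaddress.ip_network(prefix), iface, gateway))

    def lookup(self, dst: str) -> Tuple[str, Optional[str]]:
        """Longest-prefix match; returns (egress interface, next-hop gateway)."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, iface, gw in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, gw)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1], best[2]

    def forward(self, dst: str) -> Tuple[str, bool]:
        """Egress interface and whether the packet is encrypted: only
        traffic routed through the VTI enters the tunnel."""
        iface, _ = self.lookup(dst)
        return iface, self.ifaces[iface].is_vti

    def source_address(self, dst: str) -> str:
        """Source address of gateway-originated traffic: an unnumbered VTI
        inherits the address of its proxy interface (here a loopback)."""
        iface, _ = self.lookup(dst)
        i = self.ifaces[iface]
        if i.is_vti:
            i = self.ifaces[i.proxy]
        return str(i.addr)

    def peer_reachable_outside_tunnel(self, peer_external: str, vti: str) -> bool:
        """The encrypted packets are addressed to the peer's external
        interface; that route must not resolve to the VTI itself."""
        iface, _ = self.lookup(peer_external)
        return iface != vti


def _interfaces() -> List[Interface]:
    # Assumed names/addresses: external port, internal port, loopback
    # used as the VTI proxy, and the unnumbered VTI to the peer.
    return [Interface("eth1c0", "192.0.2.10"), Interface("eth2c0", "10.1.0.1"),
            Interface("loop0", "10.255.0.1"), Interface("vt1", proxy="loop0")]


def build_default_route_design() -> RoutingTable:
    """Option 1: the VTI is the default route, plus a route that reaches
    the peer's external network (198.51.100.0/24) via the physical next hop."""
    rt = RoutingTable(_interfaces())
    rt.add("192.0.2.0/24", "eth1c0")
    rt.add("10.1.0.0/24", "eth2c0")
    rt.add("198.51.100.0/24", "eth1c0", gateway="192.0.2.1")
    rt.add("0.0.0.0/0", "vt1")
    return rt


def build_specific_route_design() -> RoutingTable:
    """Option 2: ordinary default route out eth1c0; only the network behind
    the peer (assumed 10.2.0.0/16) is steered into the VTI."""
    rt = RoutingTable(_interfaces())
    rt.add("192.0.2.0/24", "eth1c0")
    rt.add("10.1.0.0/24", "eth2c0")
    rt.add("10.2.0.0/16", "vt1")
    rt.add("0.0.0.0/0", "eth1c0", gateway="192.0.2.1")
    return rt


def build_broken_design() -> RoutingTable:
    """Misconfiguration: default via the VTI with no route to the peer's
    external address, so the tunnel packets would loop back into the VTI."""
    rt = RoutingTable(_interfaces())
    rt.add("192.0.2.0/24", "eth1c0")
    rt.add("10.1.0.0/24", "eth2c0")
    rt.add("0.0.0.0/0", "vt1")
    return rt
```

Calling `build_default_route_design().forward("10.2.0.7")` yields `("vt1", True)` and `source_address("10.2.0.7")` yields the loopback address, while `build_broken_design().peer_reachable_outside_tunnel("198.51.100.5", "vt1")` is false, which is the condition the first option's caveat warns about.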