Chapter 4: Non-Clavister Tunnel Setup

If the equipment that connects to a NetEye Cloud instance is not a Clavister firewall based on cOS Core, the following steps will be needed in order to send traffic through a NetEye Cloud instance:

  1. The device must already have Internet access and be able to resolve the FQDN of the NetEye Cloud instance using a public DNS server.

    A connecting LAN-to-LAN IPsec tunnel should be configured between the device and NetEye. The IPsec tunnel should have the following characteristics:

    • Remote endpoint - The same FQDN specified by the NetEye parameters in MyClavister.

    • Remote network - Usually this is 0.0.0.0/0 (all networks).

    • Local network - 0.0.0.0/0 or the network(s) which will communicate with the Internet.

    • IKE version - IKEv2.

    • Authentication method - HEX based PSK (using the key specified in MyClavister).

    • Encryption algorithms proposed - AES-128 and AES-256.

    • Authentication algorithms proposed - SHA-128, SHA-256, SHA-512 or AES-XCBC.

    • IKE DH group - 14.

    • PFS - Enabled.

    • PFS DH group - 14.

    • IKE lifetime - 28,800 seconds.

    • IPsec lifetime - 3,600 seconds.

  2. Depending on the device, routing may need to be configured so that the relevant traffic is routed through the tunnel to NetEye. Usually, this will be HTTP/HTTPS traffic to the remote network 0.0.0.0/0 (all networks).
  3. Depending on the device, a security policy may also need to be configured to allow traffic to flow through the tunnel.
  4. Whitelisting of certain websites may be required if the sites are inaccessible when SSL inspection is used. Whitelisting means that HTTP/HTTPS traffic to those sites is not sent to NetEye but is instead routed straight to the Internet.
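
As an added illustration that is not part of Clavister's documentation, the tunnel characteristics listed in step 1, together with the routing, policy and whitelisting of steps 2 to 4, expressed as a strongSwan swanctl.conf fragment for a Linux-based device. The FQDN, IKE identities, LAN prefix and whitelisted site prefix are placeholders or constructed values and must be replaced with the parameters shown in MyClavister and the device's own addressing.

```conf
# /etc/swanctl/swanctl.conf (strongSwan 5.x, swanctl/vici interface)
connections {
    neteye {
        version = 2                                   # IKEv2 only
        local_addrs  = %any
        remote_addrs = neteye.example.invalid         # ASSUMED: the FQDN shown in MyClavister
        dpd_delay = 30s                               # dead peer detection interval
        local {
            auth = psk
            id = branch-fw.example.invalid            # ASSUMED: this device's IKE identity
        }
        remote {
            auth = psk
            id = neteye.example.invalid               # ASSUMED: identity presented by NetEye
        }
        # IKE SA: AES-128 or AES-256, SHA-256 integrity/PRF, DH group 14 (= modp2048)
        proposals = aes128-sha256-modp2048,aes256-sha256-modp2048
        rekey_time = 28800s                           # IKE lifetime (28,800 seconds)
        children {
            neteye-all {
                local_ts  = 192.168.10.0/24           # constructed: the LAN that reaches the Internet
                remote_ts = 0.0.0.0/0                 # "all networks", as the list above specifies
                # CHILD SA: same ciphers; modp2048 here means PFS enabled with DH group 14
                esp_proposals = aes128-sha256-modp2048,aes256-sha256-modp2048
                rekey_time = 3600s                    # IPsec lifetime (3,600 seconds)
                start_action = start                  # bring the tunnel up at load time
                dpd_action = restart
            }
            # Step 4 "whitelist": a pass-through policy that keeps traffic to a given
            # site prefix out of the tunnel so it goes straight to the Internet.
            whitelist-site {
                mode = pass
                local_ts  = 192.168.10.0/24
                remote_ts = 203.0.113.0/24            # constructed: replace with the site's prefix
                start_action = trap                   # install the bypass policy immediately
            }
        }
    }
}

secrets {
    ike-neteye {
        id = neteye.example.invalid
        secret = 0x<HEX-PSK-FROM-MYCLAVISTER>         # 0x prefix = hex-encoded PSK (placeholder)
    }
}
```

Load it with `swanctl --load-all` and verify negotiation with `swanctl --list-sas`; strongSwan installs the routes for the 0.0.0.0/0 traffic selector itself, and the `mode = pass` child is the equivalent of the whitelisting in step 4, so nothing in the whitelisted prefix is sent to NetEye.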

The user documentation for the particular network device should be consulted for the details of how to configure the device.