When you configure Rockhopper VPN software, the first thing to do is to
define a VPN Realm. The VPN realm is a security domain for
group members to share the same VPN configuration based on a common security policy and network settings.
For instance, you can define the VPN realm "10" for a sales team and
the other VPN realm "20" for a developing team.
Rockhopper creates a single Tunnel/TAP interface (a virtual interface) for each VPN realm such as rhpvif10 for the realm "10".
If you need multiple virtual interfaces, for example to configure dynamic routing service, you can
define multiple VPN realms. Also, you can
handle the virtual interface by system tools like ip, ifconfig, route or iptables command.
If you don't need multiple security domains and different
configurations, please define a single VPN Realm. The
following contents is for users who need to define multiple VPN Realms.
When an initiator like a Remote Access Client tries to connect VPN,
membership of the initiator is identified by a VPN responder like a
gateway in two ways:
One is by using different responder's IDs. You can define a distinct
responder's ID for each VPN realm. This uses a IKEv2's multi-hosting
feature. The initiator can choose which VPN realm it wants to connect by
specifying a responder's ID.
The other is by using roles. A role is a set of common prefixes or suffixes of
initiator's IDs. By Using them, a responder can map the
initiator's connection to the appropriate VPN Realm when it
authenticates the initiator. The advantageous point of this way is that you can
use a common responder's ID for all VPN Realms. For instance, a
single responder's certificate can be used for all VPN Realms.
Examples of Role prefixes or suffixes:
You can configure another administrator who manages a specified VPN
Realm only. By using this function, you may delegate the VPN Realm's
management to the administrator.