Ipsec Lan-To-Lan With Certificates - D-Link NetDefendOS User Manual

Network security firewall
For Authentication select the Pre-shared Key object defined in step (1) above.
The IPsec Tunnel object can be treated exactly like any NetDefendOS Interface object in
later steps.
5. Set up two IP rules in the IP rule set for the tunnel:

   An Allow rule for outbound traffic that has the previously defined ipsec_tunnel object as
   the Destination Interface. The rule's Destination Network is the remote network
   remote_net.

   An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as
   the Source Interface. The Source Network is remote_net.

   Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
   Allow   lan            lannet       ipsec_tunnel    remote_net    all_services
   Allow   ipsec_tunnel   remote_net   lan             lannet        all_services

   The Service object used in these rules is all_services but it could be any predefined or
   custom service.

6. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the
   Interface to use for routing packets bound for the remote network at the other end of the
   tunnel.

   Interface     Network     Gateway
   ipsec_tunnel  remote_net  <empty>

For a LAN-to-LAN example showing the actual configuration steps, go to Example 9.4, "PSK Based
LAN-to-LAN IPsec Tunnel Setup".

9.2.2. IPsec LAN-to-LAN with Certificates

LAN-to-LAN security is usually provided with pre-shared keys but sometimes it may be desirable
to use X.509 certificates instead. If this is the case, Certificate Authority (CA) signed certificates
may be used and these come from an internal CA server or from a commercial supplier of
certificates.

Creating a LAN-to-LAN tunnel with certificates follows exactly the same procedure as the
previous section where a pre-shared key was used. The difference is that certificates now replace
pre-shared keys for authentication.

Two unique sets of two CA signed certificates (two for each end: a root certificate and a gateway
certificate) are required for LAN-to-LAN tunnel authentication.

The setup steps are as follows:

1. Open the management Web Interface for the NetDefend Firewall at one end of the tunnel.

2. Under Key Ring, upload the Root Certificate and Gateway Certificate into NetDefendOS. The
   root certificate needs just a single certificate file for the public key. The gateway certificate
   needs two parts: a certificate file for the public key as well as a private key file. Any
   intermediate certificates required for a certificate chain between the root and gateway
   certificate should also have the certificate files for their public key uploaded.

673
Chapter 9: VPN
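The following is an added example, not code from the D-Link manual, that simulates how the two IP rules from step 5 and the route from step 6 act together on traffic; the certificate-based tunnel of section 9.2.2 reuses that rule set and route unchanged. The object names lan, lannet, ipsec_tunnel, remote_net and all_services are the manual's; the address ranges, the wan default route and the sample packets are constructed for the example. It also shows the failure mode a practitioner most often hits: with the step 6 route missing, traffic for remote_net follows the default route, so the outbound rule (whose Destination Interface is ipsec_tunnel) never matches and the packet is dropped instead of entering the tunnel.

```python
"""Added example (not from the NetDefendOS manual): first-match IP rule
evaluation where the Destination Interface comes from a route lookup."""
import ipaddress
from dataclasses import dataclass

# Constructed address plans for the manual's named network objects.
NETWORKS = {
    "lannet": ipaddress.ip_network("192.168.1.0/24"),
    "remote_net": ipaddress.ip_network("10.10.10.0/24"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str


@dataclass(frozen=True)
class Route:
    interface: str
    network: str
    gateway: str = ""   # <empty> in the manual's route table


@dataclass(frozen=True)
class Rule:
    action: str
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    service: str = "all_services"


# Routes: the step 6 tunnel route, the directly connected LAN, and a
# constructed default route standing in for the firewall's Internet path.
ROUTES = [
    Route("ipsec_tunnel", "remote_net"),
    Route("lan", "lannet"),
    Route("wan", "all-nets", gateway="203.0.113.1"),
]

# Step 5: the two Allow rules from the manual's IP rule table.
RULES = [
    Rule("Allow", "lan", "lannet", "ipsec_tunnel", "remote_net"),
    Rule("Allow", "ipsec_tunnel", "remote_net", "lan", "lannet"),
]


def route_lookup(dst, routes):
    """Longest-prefix match: returns the route whose interface the packet will leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = NETWORKS[r.network]
        if addr in net and (best is None or net.prefixlen > NETWORKS[best.network].prefixlen):
            best = r
    return best


def evaluate(pkt, rules, routes):
    """First matching rule wins; traffic no rule matches is dropped."""
    route = route_lookup(pkt.dst, routes)
    if route is None:
        return "Drop (no route)"
    out_iface = route.interface
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if (rule.src_iface == pkt.in_iface and rule.dst_iface == out_iface
                and src in NETWORKS[rule.src_net] and dst in NETWORKS[rule.dst_net]):
            return f"{rule.action} via {out_iface}"
    return f"Drop (no matching rule, would exit via {out_iface})"


if __name__ == "__main__":
    outbound = Packet("lan", "192.168.1.20", "10.10.10.5")      # constructed
    inbound = Packet("ipsec_tunnel", "10.10.10.5", "192.168.1.20")
    print(evaluate(outbound, RULES, ROUTES))   # Allow via ipsec_tunnel
    print(evaluate(inbound, RULES, ROUTES))    # Allow via lan
    # Without the step 6 route the packet follows the default route, so the
    # Destination Interface is wan and the tunnel rule never matches.
    no_tunnel_route = [r for r in ROUTES if r.interface != "ipsec_tunnel"]
    print(evaluate(outbound, RULES, no_tunnel_route))
```

The point to take from the simulation is that the rule's Destination Interface is not something the administrator sets per packet; NetDefendOS derives it from the routing table, which is why step 6 is mandatory and why a misrouted remote network shows up as dropped traffic rather than a tunnel error.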