L2Tp Roaming Clients With Certificates - D-Link NetDefend DFL-210 User Manual

9.2.6. L2TP Roaming Clients with
Certificates
• Set Outer Interface Filter to ipsec_tunnel.
• Set Outer Server IP to ip_ext.
• Select the Microsoft Point-to-Point Encryption allowed. Since IPsec encryption is used
this can be set to be None only, otherwise double encryption will degrade throughput.
• Set IP Pool to l2tp_pool.
• Enable Proxy ARP on the int interface to which the internal network is connected.
• Make the interface a member of a specific routing table so that routes are automatically
added to that table. Normally the main table is selected.
6. For user authentication:
• Define a Local User DB object (let's call this object TrustedUsers).
• Add individual users to TrustedUsers. This should consist of at least a username and
password combination.
The Group string for a user can also be specified. This is explained in the same step in the
IPsec Roaming Clients section above.
• Define a User Authentication Rule:
Agent
PPP
7. To allow traffic through the L2TP tunnel the following rules should be defined in the IP rule
set:
Action
Allow
NAT
The second rule would be included to allow clients to surf the Internet via the ext interface on the
NetDefend Firewall. The client will be allocated a private internal IP address which must be NATed
if connections are then made out to the public Internet via the NetDefend Firewall.
8. Set up the client. Assuming Windows XP, the Create new connection option in Network
Connections should be selected to start the New Connection Wizard. The key information to
enter in this wizard is: the resolvable URL of the NetDefend Firewall or alternatively its ip_ext
IP address.
Then choose Network > Properties. In the dialog that opens choose the L2TP Tunnel and
select Properties. In the new dialog that opens select the Networking tab and choose Force to
L2TP. Now go back to the L2TP Tunnel properties, select the Security tab and click on the
IPsec Settings button. Now enter the pre-shared key.

9.2.6. L2TP Roaming Clients with Certificates

If certificates are used with L2TP roaming clients instead of pre-shared keys then the differences in
the setup described above are:
1. The NetDefendOS date and time must be set correctly since certificates can expire.
Auth Source
Local
Src Interface Src Network
l2tp_tunnel l2tp_pool
ipsec_tunnel l2tp_pool
348
Src Network Interface
all-nets l2tp_tunnel
Dest Interface Dest Network
any
ext
Chapter 9. VPN
Client Source IP
all-nets (0.0.0.0/0)
Service
int_net All
all-nets All