1. Manuals
  2. Brands
  3. D-Link Manuals
  4. Firewall
  5. DFL-210 - NetDefend - Security Appliance
  6. User manual

Ipsec Roaming Clients With Certificates; L2Tp Roaming Clients With Pre-Shared Keys - D-Link NetDefend DFL-210 User Manual

Network security firewall
Hide thumbs Also See for NetDefend DFL-210:
Table of Contents

Advertisement

9.2.3. IPsec Roaming Clients with
Certificates
Create a Config Mode Pool object (there can only be one associated with a NetDefendOS
installation) and associate with it the IP Pool object defined in the previous step.
Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel.
Configuring the IPsec Client
In both cases (A) and (B) above the IPsec client will need to configured with the URL of the D-Link
Firewall as well as the pre-shared key.

9.2.3. IPsec Roaming Clients with Certificates

If certificates are used with IPsec roaming clients instead of pre-shared keys then no Pre-shared
Key object is needed and the other differences in the setup described above are:
1.
Load a Gateway Certificate and Root Certificate into NetDefendOS.
2.
When setting up the IPsec Tunnel object, specify the certificates to use under Authentication.
This is done by:
a.
Enable the X.509 Certificate option.
b.
Select the Gateway Certificate.
c.
Add the Root Certificate to use.
3.
The IPsec client software will need to appropriately configured with the certificates and remote
IP addresses.
The step to set up user authentication is optional since this is additional security to certificates.

9.2.4. L2TP Roaming Clients with Pre-Shared Keys

Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client
VPN scenarios. L2TP is usually encapsulated in IPsec to provide encryption with IPsec running in
transport mode instead of tunnel mode. The steps for L2TP over IPsec setup are:
1.
Create an IP object (let's call it l2tp_pool) which defines the range of IP addresses which can be
handed out to clients. The range chosen could be of two types:
A range taken from the internal network to which clients will connect. If the internal
network is 192.168.0.0/24 then we might use the address range 192.168.0.10 to
192.168.0.20. The danger here is that an IP address might be accidentally used on the
internal network and handed out to a client.
Use a new address range that is totally different to any internal network. This prevents any
chance of an address in the range also being used on the internal network.
2.
Define two other IP objects:
ip_ext which is the external public IP address through which clients connect (let's assume
this is on the ext interface).
ip_int which is the internal IP address of the interface to which the internal network is
connected (let's call this interface int).
234
Chapter 9. VPN

Advertisement

Table of Contents
loading

Related Manuals for D-Link NetDefend DFL-210

Related Content for D-Link NetDefend DFL-210

This manual is also suitable for:

Dfl-800Netdefend dfl-2500Dfl-1600Netdefend dfl-860Netdefend dfl-260Netdefend dfl-800 ... Show all

Table of Contents