Proposal Lists; Using A Proposal List - D-Link NetDefend DFL-210 User Manual

Network security firewall

configuration is needed. However, for responding firewalls two points should be noted:
On responding firewalls, the Remote Gateway field is used as a filter on the source IP of received IKE packets. This should be set to allow the NATed IP address of the initiator.
When individual pre-shared keys are used with multiple tunnels connecting to one remote firewall which are then NATed out through the same address, it is important to make sure the Local ID is unique for every tunnel. The Local ID can be one of the following:
Auto - The local ID is taken as the IP address of the outgoing interface. This is the recommended setting unless, in an unlikely event, the two firewalls have the same external IP address.
IP - An IP address can be manually entered.
DNS - A DNS address can be manually entered.
Email - An email address can be manually entered.
9.3.6. Proposal Lists
To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPsec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines the encryption parameters, for instance the encryption algorithm, lifetimes and so on, that the VPN firewall supports.

There are two types of proposals, IKE proposals and IPsec proposals. IKE proposals are used during IKE Phase-1 (IKE Security Negotiation), while IPsec proposals are used during IKE Phase-2 (IPsec Security Negotiation).

A Proposal List is used to group several proposals. During the negotiation process, the proposals in the proposal list are offered to the remote VPN firewall one after another until a matching proposal is found. Several proposal lists can be defined in NetDefendOS for different VPN scenarios. Two IKE proposal lists and two IPsec proposal lists are defined by default in NetDefendOS.

The ike-roamingclients and esp-tn-roamingclients proposal lists are suitable for VPN tunnels that are used for roaming VPN clients. These proposal lists are compatible with the default proposal lists in the D-Link VPN Client.

As the names imply, the ike-lantolan and esp-tn-lantolan proposal lists are suitable for LAN-to-LAN VPN solutions. These proposal lists are trimmed to include only AES and 3DES based proposals.
Example 9.1. Using a Proposal List
This example shows how to create and use an IPsec Proposal List in a VPN tunnel. It will propose 3DES and DES as encryption algorithms. The hash functions SHA1 and MD5 will both be offered for checking whether the data packet was altered while being transmitted. Note that this example does not illustrate how to add the specific IPsec tunnel object. The proposal list will also be used in a later example.
CLI
First create a list of IPsec Algorithms:
gw-world:/> add IPsecAlgorithms esp-l2tptunnel DESEnabled=Yes DES3Enabled=Yes SHA1Enabled=Yes MD5Enabled=Yes
Then, apply the proposal list to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel IPsecAlgorithms=esp-l2tptunnel
Web Interface
First create a list of IPsec Algorithms:
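As an added example (not code from the manual or from NetDefendOS), the following Python models the behaviour described above: an IPsecAlgorithms list is built from the CLI flags of Example 9.1, its proposals are offered to a peer one after another until a match is found, and the agreed proposal is checked for DES or MD5. The AESEnabled flag, the peer lists and the proposal ordering are assumptions made for this model.

```python
from itertools import product

# CLI flag -> algorithm. DESEnabled, DES3Enabled, SHA1Enabled and MD5Enabled are
# the flags shown in Example 9.1; AESEnabled is assumed here by analogy.
CIPHER_FLAGS = {"AESEnabled": "AES", "DES3Enabled": "3DES", "DESEnabled": "DES"}
HASH_FLAGS = {"SHA1Enabled": "SHA1", "MD5Enabled": "MD5"}
# Algorithms that should not appear in an agreed SA today.
WEAK = {"DES", "MD5"}


def parse_algorithms(cli_line):
    """Turn 'add IPsecAlgorithms <name> Flag=Yes ...' into (name, proposals).
    Proposals are all enabled (cipher, hash) pairs in dict order; that order
    is an assumption of this model, not documented NetDefendOS behaviour."""
    tokens = cli_line.split()
    if tokens[:2] != ["add", "IPsecAlgorithms"] or len(tokens) < 3:
        raise ValueError("expected: add IPsecAlgorithms <name> Flag=Yes ...")
    flags = dict(tok.split("=", 1) for tok in tokens[3:])
    enc = [alg for flag, alg in CIPHER_FLAGS.items() if flags.get(flag) == "Yes"]
    hsh = [alg for flag, alg in HASH_FLAGS.items() if flags.get(flag) == "Yes"]
    return tokens[2], list(product(enc, hsh))


def negotiate(initiator, responder):
    """Offer the initiator's proposals one after another and return the first
    one the responder also supports, or None if the lists share none."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def weak_components(proposal):
    """Deprecated algorithms in an agreed proposal (empty list when none)."""
    return [alg for alg in (proposal or ()) if alg in WEAK]


if __name__ == "__main__":
    # Constructed input: the list from Example 9.1 as the initiator side ...
    _, ours = parse_algorithms("add IPsecAlgorithms esp-l2tptunnel DESEnabled=Yes "
                               "DES3Enabled=Yes SHA1Enabled=Yes MD5Enabled=Yes")
    # ... and a constructed peer that only accepts AES or 3DES with SHA1.
    _, peer = parse_algorithms("add IPsecAlgorithms peer-list AESEnabled=Yes "
                               "DES3Enabled=Yes SHA1Enabled=Yes")
    agreed = negotiate(ours, peer)
    print("agreed:", agreed, "weak:", weak_components(agreed))
```

With the constructed peer the negotiation settles on 3DES/SHA1, but a peer that only enables DES and MD5 is accepted too, since the example list still offers them.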
249
Chapter 9. VPN