D-Link DFL-260E User Manual page 400
Network security firewall netdefendos version 2.27.03
Hide thumbs
Also See for DFL-260E:
- Reference manual (948 pages) ,
- Log reference manual (652 pages) ,
- User manual (589 pages)
Table of Contents
Advertisement
9.3.2. Internet Key Exchange (IKE)
Remote Endpoint
Main/Aggressive Mode
IPsec Protocols
remote device, which will decrypt/authenticate the data,
extract it from its tunnel and pass it on to its final destination.
This way, an eavesdropper will only see encrypted traffic
going from one of VPN endpoint to another.
In transport mode, the traffic will not be tunneled, and is
hence not applicable to VPN tunnels. It can be used to secure
a connection from a VPN client directly to the NetDefend
Firewall,
for
example
configuration.
This setting will typically be set to "tunnel" in most
configurations.
The remote endpoint (sometimes also referred to as the
remote gateway) is the device that does the VPN
decryption/authentication and that passes the unencrypted
data on to its final destination. This field can also be set to
None, forcing the NetDefend Firewall to treat the remote
address as the remote endpoint. This is particularly useful in
cases of roaming access, where the IP addresses of the remote
VPN clients are not known beforehand. Setting this to "none"
will allow anyone coming from an IP address conforming to
the "remote network" address discussed above to open a VPN
connection, provided they can authenticate properly.
The remote endpoint can be specified as a URL string such as
vpn.company.com. If this is done, the prefix dns: must be
used. The string above should therefore be specified as
dns:vpn.company.com.
The remote endpoint is not used in transport mode.
The IKE negotiation has two modes of operation, main mode
and aggressive mode.
The difference between these two is that aggressive mode will
pass more information in fewer packets, with the benefit of
slightly faster connection establishment, at the cost of
transmitting the identities of the security firewalls in the clear.
When using aggressive mode, some configuration parameters,
such as Diffie-Hellman groups and PFS, cannot be negotiated
and this mean it is important to have "compatible"
configurations at both ends.
The IPsec protocols describe how the data will be processed.
The two protocols to choose from are AH, Authentication
Header, and ESP, Encapsulating Security Payload.
ESP provides encryption, authentication, or both. However, it
is not recommended to use encryption only, since it will
dramatically decrease security.
Note that AH only provides authentication. The difference
from ESP with authentication only is that AH also
authenticates parts of the outer IP header, for instance source
and destination addresses, making certain that the packet
really came from who the IP header claims it is from.
400
Chapter 9. VPN
for
IPsec
protected
remote
- Quick Links:
- The Web Interface
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
