Ipsec Tunnels; Overview; Lan To Lan Tunnels With Pre-Shared Keys - D-Link NetDefend DFL-210 User Manual

Network security firewall
9.4. IPsec Tunnels

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.
When another D-Link Firewall or any IPsec compliant product tries to establish an IPsec VPN
tunnel to the D-Link Firewall, the configured IPsec Tunnels are evaluated. If a matching IPsec
Tunnel definition is found, the IKE and IPsec negotiations then take place, resulting in an IPsec
VPN tunnel being established.
Note that an established IPsec tunnel does not automatically mean that all traffic arriving through
it is trusted. On the contrary, network traffic that has been decrypted is passed to the rule set for
further evaluation, with its source interface set to the name of the associated IPsec Tunnel.
Furthermore, a Route (or, in the case of a roaming client, an Access rule) has to be defined before
NetDefendOS will accept a given range of source IP addresses from the IPsec tunnel.
For network traffic going in the opposite direction, that is, going into an IPsec tunnel, the reverse
process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and a route
match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is
found, NetDefendOS will try to establish a tunnel to the remote firewall specified by the matching
IPsec Tunnel definition.
IPsec Tunnel Quick Start
This section covers IPsec tunnels in some detail. A quick start checklist of setup steps for these
protocols in typical scenarios can be found in the following sections:
Section 9.2.1, "IPsec LAN to LAN with Pre-shared Keys".
Section 9.2.2, "IPsec LAN to LAN with Certificates".
Section 9.2.3, "IPsec Roaming Clients with Pre-shared Keys".
Section 9.2.4, "IPsec Roaming Clients with Certificates".

9.4.2. LAN to LAN Tunnels with Pre-shared Keys

A VPN can allow geographically distributed Local Area Networks (LANs) to communicate securely
over the public Internet. In a corporate context this means LANs at geographically separate sites can
communicate with a level of security comparable to that of a dedicated, private link.
Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending
from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall
therefore implements the VPN while at the same time applying its normal security inspection to
traffic passing through the tunnel. This section deals specifically with setting up LAN to LAN
tunnels created with a Pre-shared Key (PSK).
A number of steps are required to set up LAN to LAN tunnels with PSK:
Note: IKE and ESP/AH traffic is sent to the IPsec engine before the rule set is consulted.
Encrypted traffic addressed to the firewall therefore does not need to be allowed in the rule set.
This behavior can be changed in the IPsec advanced settings section.
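The evaluation order described in the Overview above and in the Note (IKE and ESP/AH handed to the IPsec engine before the rule set; decrypted traffic arriving on a logical interface named after the IPsec Tunnel and still needing a Route and a rule), as an added illustrative model written for this page rather than NetDefendOS code; the interface names, tunnel name, addresses and rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

FIREWALL_IP = "203.0.113.1"    # constructed public address of this firewall
IKE_PORTS = {500, 4500}        # IKE, and IKE/ESP over NAT-T, both UDP
IPSEC_PROTOS = {"esp", "ah"}   # IP protocols 50 and 51

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Packet:
    iface: str        # arrival interface; for decrypted traffic, the IPsec Tunnel name
    proto: str        # "udp", "tcp", "esp" or "ah"
    src: str
    dst: str
    dport: int = 0

class Firewall:
    def __init__(self, tunnels, routes, rules):
        self.tunnels = tunnels  # IPsec Tunnel name -> remote gateway address
        self.routes = routes    # interface -> networks reachable through it
        self.rules = rules      # (src_iface, src_net, dst_net, action), first match wins

    def ingress(self, p):
        # 1. IKE and ESP/AH addressed to the firewall go to the IPsec engine before
        #    the rule set is consulted, so no rule is needed to allow them.
        if p.dst == FIREWALL_IP and (p.proto in IPSEC_PROTOS or
                                     (p.proto == "udp" and p.dport in IKE_PORTS)):
            return "ipsec-engine"
        # 2. An established tunnel is not trusted by itself: the source must be
        #    routed on the arrival interface (a Route for the remote LAN on the tunnel).
        if not any(in_net(p.src, n) for n in self.routes.get(p.iface, [])):
            return "drop: source not routed on " + p.iface
        # 3. Only then is the (decrypted or plain) packet matched against the rules.
        for src_if, src_net, dst_net, action in self.rules:
            if src_if == p.iface and in_net(p.src, src_net) and in_net(p.dst, dst_net):
                return action
        return "drop: no matching rule"

    def egress_tunnel(self, p):
        # Outbound: rule set and route are evaluated first; if the route points at an
        # IPsec Tunnel interface, that tunnel is used (or negotiated if not yet up).
        if self.ingress(p) != "allow":
            return None
        for iface, nets in self.routes.items():
            if iface in self.tunnels and any(in_net(p.dst, n) for n in nets):
                return iface
        return None

# Constructed configuration: one LAN-to-LAN tunnel "ipsec_hq" to a remote 10.0.2.0/24.
FW = Firewall(tunnels={"ipsec_hq": "198.51.100.1"},
              routes={"lan": ["10.0.1.0/24"], "ipsec_hq": ["10.0.2.0/24"], "wan": ["0.0.0.0/0"]},
              rules=[("ipsec_hq", "10.0.2.0/24", "10.0.1.0/24", "allow"),
                     ("lan", "10.0.1.0/24", "10.0.2.0/24", "allow")])
```

Removing the `ipsec_hq` entry from `routes` makes every decrypted packet from the remote LAN fall into the "source not routed" drop, which is the Route requirement the Overview describes.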
346
Chapter 9. VPN
