Identification Lists; Using An Identity List - D-Link NetDefend DFL-210 User Manual

Network security firewall
9.3.8. Identification Lists
When certificates are used as the authentication method for IPsec tunnels, the D-Link Firewall will
accept any remote device or VPN client that can present a certificate signed by one of the trusted
Certificate Authorities. This can be a problem, especially when using roaming clients.
Consider the scenario of travelling employees being given access to the internal corporate networks
using VPN clients. The organization administers its own Certificate Authority, and certificates
have been issued to the employees. Different groups of employees are likely to need access to
different parts of the internal networks. For example, members of the sales force need access to
the servers running the order system, while technical engineers need access to technical databases.
Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand, the
incoming VPN connections from the clients cannot be differentiated by address. This means that the
firewall is unable to control access to the various parts of the internal networks.
The concept of Identification Lists presents a solution to this problem. An identification list contains
one or more identities (IDs), where each identity corresponds to the subject field of a certificate.
Identification lists can thus be used to regulate which certificates are given access to which IPsec
tunnels.
Example 9.3. Using an Identity List
This example shows how to create an Identification List and apply it to an IPsec tunnel. The list will
contain one ID of type DN (Distinguished Name) as the primary identifier. Note that this example does
not illustrate how to add the IPsec tunnel object itself.
CLI
First create an Identification List:
gw-world:/> add IDList MyIDList
Then, create an ID:
gw-world:/> cc IDList MyIDList
gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName CommonName="John Doe" OrganizationName=D-Link OrganizationalUnit=Support Country=Sweden EmailAddress=john.doe@D-Link.com
gw-world:/MyIDList> cc
Finally, apply the Identification List to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=Certificate IDList=MyIDList RootCertificates=AdminCert GatewayCertificate=AdminCert
Web Interface
First create an Identification List:
1. Go to Objects > VPN Objects > ID List > Add > ID List
2. Enter a name for the list, for example MyIDList
3. Click OK
Then, create an ID:
1. Go to Objects > VPN Objects > IKE ID List > Add > ID List
2. In the grid control, click on MyIDList
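The two checks this section describes (the certificate must chain to a trusted CA, and with an Identification List attached its subject must also match one of the listed IDs) modelled in Python. This is an added example, not code from the D-Link manual or from NetDefendOS. It reuses the field names of Example 9.3 (CommonName, OrganizationName, OrganizationalUnit, Country, EmailAddress); the matching rule (a field left empty in an ID is a wildcard, every field that is set must match exactly), the CA names and the certificates are assumptions constructed for illustration, and comparing the issuer against the trusted roots stands in for the chain and signature validation a real firewall performs. Country is written as the two-letter code SE rather than the manual's Sweden, because that is how it appears in a certificate subject.

```python
from dataclasses import dataclass, field
from typing import Optional

# RFC 4514 attribute types -> the field names the NetDefendOS ID object uses.
ATTR_TO_FIELD = {"CN": "CommonName", "O": "OrganizationName",
                 "OU": "OrganizationalUnit", "C": "Country",
                 "E": "EmailAddress", "EMAILADDRESS": "EmailAddress"}
ID_FIELDS = ("CommonName", "OrganizationName", "OrganizationalUnit",
             "Country", "EmailAddress")


def parse_subject(dn: str) -> dict:
    """Parse 'CN=John Doe,O=D-Link,...' into {field: value}.
    Backslash escapes such as 'Doe\\, John' are honoured; multi-valued RDNs
    joined with '+' are not split."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    subject = {}
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if sep:
            subject[ATTR_TO_FIELD.get(attr.strip().upper(), attr.strip())] = value.strip()
    return subject


@dataclass
class ID:
    """One DistinguishedName entry in an Identification List."""
    name: str
    CommonName: str = ""
    OrganizationName: str = ""
    OrganizationalUnit: str = ""
    Country: str = ""
    EmailAddress: str = ""

    def matches(self, subject: dict) -> bool:
        # Assumed semantics: a field left empty in the ID is not compared
        # (wildcard); every field that is set must be equal, case-sensitively.
        return all(not getattr(self, f) or subject.get(f) == getattr(self, f)
                   for f in ID_FIELDS)


@dataclass
class IDList:
    name: str
    ids: list = field(default_factory=list)

    def match(self, subject: dict) -> Optional[str]:
        """Name of the first ID whose set fields all match the subject, or None."""
        return next((e.name for e in self.ids if e.matches(subject)), None)


def authorize(cert: dict, root_certificates: set, id_list: Optional[IDList]) -> str:
    """Outcome for a peer presenting `cert` on a tunnel with AuthMethod=Certificate.
    `cert` is a constructed stand-in for a parsed X.509 certificate; the issuer
    comparison replaces the chain/signature validation a real firewall performs."""
    if cert["issuer"] not in root_certificates:
        return "rejected: untrusted CA"
    if id_list is None:
        # No IDList: every certificate from a trusted CA gets in, which is the
        # situation the section warns about.
        return "accepted: any certificate from a trusted CA"
    matched = id_list.match(parse_subject(cert["subject"]))
    return f"accepted: {matched}" if matched else "rejected: no ID match"


# Constructed sample data (not real certificates or CAs).
CORP_CA = "CN=Corp Root CA,O=D-Link,C=SE"            # the organisation's own CA
PARTNER_CA = "CN=Partner CA,O=Example Partner,C=SE"  # a second CA the firewall trusts
JOHN_CERT = {"issuer": CORP_CA,
             "subject": "CN=John Doe,O=D-Link,OU=Support,C=SE,emailAddress=john.doe@D-Link.com"}
SALES_CERT = {"issuer": CORP_CA,
              "subject": "CN=Jane Roe,O=D-Link,OU=Sales,C=SE,emailAddress=jane.roe@D-Link.com"}
LOOKALIKE_CERT = {"issuer": PARTNER_CA, "subject": JOHN_CERT["subject"]}  # same subject, other CA

SUPPORT_LIST = IDList("MyIDList", [
    ID("JohnDoe", CommonName="John Doe", OrganizationName="D-Link",
       OrganizationalUnit="Support", Country="SE", EmailAddress="john.doe@D-Link.com")])

if __name__ == "__main__":
    for label, cert in (("John", JOHN_CERT), ("Sales", SALES_CERT), ("Lookalike", LOOKALIKE_CERT)):
        print(f"{label:9} no IDList, both CAs:", authorize(cert, {CORP_CA, PARTNER_CA}, None))
        print(f"{label:9} IDList,    both CAs:", authorize(cert, {CORP_CA, PARTNER_CA}, SUPPORT_LIST))
        print(f"{label:9} IDList,    corp CA: ", authorize(cert, {CORP_CA}, SUPPORT_LIST))
```

Run it and compare the three rows per certificate. Without an IDList both the Support and the Sales certificate are accepted on the same tunnel, which is the problem the section opens with; with MyIDList attached only the JohnDoe entry gets in. The lookalike case is the caveat worth checking on a real configuration: an ID matches the certificate subject only, so when RootCertificates on the tunnel names more than the organisation's own CA, any of those CAs could issue a certificate carrying a matching subject. Keep RootCertificates restricted to the CA that actually issued the employees' certificates.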
344
Chapter 9. VPN