D-Link NetDefendOS User Manual page 676

Note
Group has no meaning in Authentication Rules.
• Create a new User Authentication Rule with the Authentication Source set to
TrustedUsers. The other parameters for the rule are:
Agent Auth Source
XAUTH Local
2. The IPsec Tunnel object ipsec_tunnel should have the following parameters:
• Set Local Network to lannet.
• Set Remote Network to all-nets
• Set Remote Endpoint to all-nets.
• Set Encapsulation mode to Tunnel.
• Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients.
• No routes can be predefined so the option Add route dynamically should be enabled
for the tunnel object. If all-nets is the destination network, the option Add route
statically should be disabled.
Note
The option to dynamically add routes should not be enabled in LAN-to-LAN
tunnel scenarios.
• Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.
This will enable a search for the first matching XAUTH rule in the authentication rules.
3. The IP rule set should contain the single rule:
Action Src Interface
Allow ipsec_tunnel
Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which
is why only one rule is used here. Instead of all-nets being used in the above, a more secure
defined IP object could be used which specifies the exact range of the pre-allocated IP addresses.
B. IP addresses handed out by NetDefendOS
If the client IP addresses are not known then they must be handed out by NetDefendOS. To do
this the above must be modified with the following:
1. If a specific IP address range is to be used as a pool of available addresses then:
• Create a Config Mode Pool object (there can only be one associated with a
NetDefendOS installation) and in it specify the address range.
Src Network
all-nets
Src Network Dest Interface
all-nets lan
676
Chapter 9: VPN
Interface Client Source IP
any all-nets (0.0.0.0/0)
Dest Network Service
lannet all_services