D-Link NetDefendOS User Manual page 686

Network security firewall

i. Local ID - This property of an IPsec Tunnel object represents the identity of the local VPN
tunnel endpoint and is the value presented to the remote peer during the IKE negotiation.
The property holds only a single value but can be left blank when using certificates,
since the ID will be contained within the host certificate sent. If the certificate sent
contains multiple IDs, this property can be set to specify which of those IDs to use.
The Enforce Local ID property can be enabled so that, when NetDefendOS is acting as
responder, the ID proposed by the initiator must match the Local ID value. The default
behavior is to ignore the proposed ID.
ii. Remote ID - This property can be used to specify an ID List object. An ID List object
contains one or more IDs. When using certificates, the certificate sent by a remote peer
must contain an ID which matches one of the IDs in the list in order for the peer to be
authenticated. Using the Remote ID property with certificates is explained further in
Section 9.3.8, "Using ID Lists with Certificates".
NetDefendOS applies sanity checks on all remote IDs to ensure they are acceptable. Usually
a malformed ID has a problem in the DN name, such as unescaped commas inside an attribute
value. For example, a faulty remote ID might be the following:
DN=D-Link, OU=One,Two,Three, DC=SE
If an administrator specifies such an ID, an error message is shown when the NetDefendOS
configuration is committed. The corrected form, with the commas inside the OU value
escaped, is the following:
DN=D-Link, OU=One\,Two\,Three, DC=SE
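The commit-time sanity check and the two ID comparisons described above (Remote ID list matching and Enforce Local ID), as an added example that is not part of the D-Link manual or of NetDefendOS itself. It is a small Python model of DN-style IDs: NetDefendOS's own parser is not published, so the escaping rule (RFC 4514 style backslash before a literal comma) is an assumption, and the function names and the branch/HQ sample DNs are constructed for illustration.

```python
"""Hypothetical model of NetDefendOS ID handling (added example, not
vendor code). It shows why 'DN=D-Link, OU=One,Two,Three, DC=SE' fails
the sanity check while 'DN=D-Link, OU=One\\,Two\\,Three, DC=SE' passes,
and how an ID list / Enforce Local ID comparison can be performed."""

from typing import List, Tuple


def split_unescaped(s: str, sep: str = ",") -> List[str]:
    """Split s on sep, treating a backslash as an escape for the next
    character (assumed RFC 4514 style; the real rule is not published)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'ATTR=value, ATTR=value' into (ATTR, value) pairs.

    Raises ValueError for the malformed shapes the manual warns about:
    an RDN without '=', or with an empty attribute or value."""
    rdns = []
    for raw in split_unescaped(dn):
        rdn = raw.strip()
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no attribute=value form")
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if not attr or not value:
            raise ValueError(f"RDN {rdn!r} has an empty attribute or value")
        rdns.append((attr.upper(), value))
    return rdns


def validate_id_list(ids: List[str]) -> List[str]:
    """Model of the commit-time check: one error string per unacceptable
    ID. An empty list means the configuration would commit cleanly."""
    errors = []
    for rid in ids:
        try:
            parse_dn(rid)
        except ValueError as exc:
            errors.append(f"{rid}: {exc}")
    return errors


def dn_matches(a: str, b: str) -> bool:
    """Compare two DNs by parsed RDNs (attribute names case-insensitive,
    surrounding whitespace ignored). A DN that does not parse never matches."""
    try:
        return parse_dn(a) == parse_dn(b)
    except ValueError:
        return False


def peer_authenticated(cert_ids: List[str], id_list: List[str]) -> bool:
    """Remote ID check: at least one ID carried in the peer's certificate
    must match one entry of the configured ID List object."""
    return any(dn_matches(c, cfg) for c in cert_ids for cfg in id_list)


def responder_accepts(proposed_id: str, local_id: str, enforce: bool) -> bool:
    """Enforce Local ID: when enabled, the initiator's proposed ID must
    equal our Local ID; by default the proposed ID is ignored."""
    return True if not enforce else dn_matches(proposed_id, local_id)


if __name__ == "__main__":
    # Constructed sample IDs, taken from / modelled on the manual's example.
    bad = "DN=D-Link, OU=One,Two,Three, DC=SE"
    good = r"DN=D-Link, OU=One\,Two\,Three, DC=SE"
    print("commit errors:", validate_id_list([bad, good]))
    print("parsed good ID:", parse_dn(good))
    id_list = ["CN=hq, O=D-Link, C=SE", "cn=branch1,o=D-Link,c=SE"]
    print("branch1 accepted:", peer_authenticated(["CN=branch1, O=D-Link, C=SE"], id_list))
    print("rogue accepted:", peer_authenticated(["CN=rogue, O=D-Link, C=SE"], id_list))
```

The model treats an unescaped comma as an RDN separator, so the bare tokens Two and Three have no attribute and the ID is rejected before it can ever be compared against a peer certificate; that is the same class of error the NetDefendOS commit reports, even if its exact wording differs.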
Encapsulation Mode
IPsec can be used in one of two modes:
Tunnel Mode
Tunnel mode indicates that the traffic will be tunneled to a remote device, which will
decrypt/authenticate the data, extract it from its tunnel and pass it on to its final
destination. This way, an eavesdropper will only see encrypted traffic going from one
VPN endpoint to another.
Transport Mode
In transport mode, the traffic will not be tunneled, and the mode is hence not applicable to
VPN tunnels between networks. Because the original IP header is left in the clear, transport
mode only protects traffic whose endpoints are the IPsec peers themselves. It can be used to
secure a connection from a VPN client directly to the NetDefend Firewall, for example for
IPsec-protected remote configuration.
This setting will typically be set to Tunnel in most configurations. With IKEv2, only Tunnel
should be used.
Remote Endpoint
The remote endpoint (sometimes also referred to as the remote gateway) is the device that
does the VPN decryption/authentication and that passes the unencrypted data on to its final
destination. This field can also be set to None, which makes the NetDefend Firewall treat
the address the connection arrives from as the remote endpoint. This is particularly useful
in cases of roaming access, where the IP addresses of the remote VPN clients are not known
beforehand. Setting this to None will allow anyone coming from an IP address conforming to
the Remote Network address discussed above to open a VPN connection, provided they can
authenticate properly.
Chapter 9: VPN