Using An Id List - D-Link NetDefendOS User Manual

Network security firewall
following must be true:
The ID sent by the remote client must match one of the IDs in the ID list for the tunnel.
The ID sent by the client must also exist as one of the IDs in the certificate the client sends.
When the client connects, NetDefendOS chooses the IPsec Tunnel object to use as follows:
The connecting client sends its ID to NetDefendOS in the IKE negotiation.
NetDefendOS scans its list of IPsec Tunnel objects looking for a match for the client. The
normal matching process is described in Section 9.4.7, "The IPsec Tunnel Selection Process".
As an additional part of the matching process, NetDefendOS also checks the ID the client
sends against the ID List of the tunnel. If it does not find an ID match, it continues searching
through the IPsec Tunnel list.
Any malformed IDs will be ignored and will also generate log message warnings.
Once the matching tunnel is found, NetDefendOS then checks that the certificate the client
sends also contains this same ID. If the certificate does, authentication is complete and the
tunnel can be established. If the ID is not in the certificate, NetDefendOS flags that there is an
authentication failure and the client connection is dropped.
This means that a particular IPsec Tunnel is only used by a particular client. The NetDefendOS
configuration's IP rules and IP policies can then be designed to control which traffic can flow
through which tunnel (the tunnel being an interface in the rule or policy).
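The three matching steps above, as an added Python model that is not code from the manual or from NetDefendOS: the tunnel names, distinguished names and certificate identities are constructed sample data, and the DN parser is deliberately simplified (no escaped commas), since a real implementation would take the identities from the parsed X.509 certificate.

```python
import logging
log = logging.getLogger("idlist-demo")

def parse_dn(dn):
    """Turn 'CN=John Doe,O=D-Link,C=SE' into a frozenset of (attr, value)
    pairs so attribute order does not matter. Returns None for a malformed
    ID (a component without '=' or with an empty attribute or value)."""
    pairs = set()
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            return None
        pairs.add((attr, value))
    return frozenset(pairs)

def select_tunnel(tunnels, client_id):
    """Steps 1-2: scan the tunnel list for one whose ID List holds the
    client's ID. Malformed list entries are ignored with a warning, and
    a tunnel without a matching entry is skipped so the search continues."""
    wanted = parse_dn(client_id)
    if wanted is None:
        log.warning("malformed client ID %r", client_id)
        return None
    for name, id_list in tunnels:
        for entry in id_list:
            parsed = parse_dn(entry)
            if parsed is None:
                log.warning("tunnel %s: ignoring malformed ID %r", name, entry)
            elif parsed == wanted:
                return name
    return None

def authenticate(tunnels, client_id, cert_ids):
    """Step 3: the matched tunnel is used only if the client's certificate
    also carries that ID; otherwise it is an authentication failure."""
    tunnel = select_tunnel(tunnels, client_id)
    if tunnel is None:
        return ("no-tunnel", None)
    if parse_dn(client_id) not in {parse_dn(c) for c in cert_ids}:
        log.warning("tunnel %s: ID %r not in certificate", tunnel, client_id)
        return ("auth-failure", tunnel)
    return ("ok", tunnel)

# Constructed sample data: one DN per tunnel; the second list has a malformed entry.
TUNNELS = [
    ("tunnel_john", ["CN=John Doe,O=D-Link,OU=Support,C=SE"]),
    ("tunnel_jane", ["not-a-valid-dn", "CN=Jane Roe,O=D-Link,C=SE"]),
]
```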
Example 9.3. Using an ID List
This example shows how to create and use an Identification List object with an IPsec tunnel. This
list will contain one ID with the type DN (distinguished name) as the primary identifier. Note that
this example does not illustrate how to add the specific IPsec tunnel object.
Command-Line Interface
First create an Identification List:
gw-world:/> add IDList my_id_list
Then, create an ID:
gw-world:/> cc IDList my_id_list
gw-world:/my_id_list> add ID JohnDoe
        Type=DistinguishedName
        CommonName="John Doe"
        OrganizationName=D-Link
        OrganizationalUnit=Support
        Country=Sweden
        EmailAddress=john.doe@D-Link.com
gw-world:/my_id_list> cc
Finally, apply the Identification List to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel
        AuthMethod=Certificate
        RemoteID=my_id_list
698
Chapter 9: VPN