L2TP Roaming Clients with Certificates; PPTP Roaming Clients - D-Link NetDefend DFL-210 User Manual

Network security firewall
Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
Allow    l2tp_tunnel     l2tp_pool     any              int_net        All
NAT      ipsec_tunnel    l2tp_pool     ext              all-nets       All

The second rule is included to allow clients to surf the Internet via the ext interface on the
D-Link Firewall. The client is allocated a private internal IP address, which must be NATed if
connections are then made out to the public Internet via the D-Link Firewall.
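To make the effect of the two rules concrete, here is an added example (not code from the D-Link manual or from NetDefendOS) that models the rule table as a small top-down matcher: it reports which rule the first packet of a connection hits and what source address the destination sees. The address ranges, the ip_ext value and the sample packets are constructed; the interface and object names are taken as the table lists them.

```python
"""Model of the two NetDefendOS IP rules for L2TP roaming clients.

Added example, not from the D-Link manual: walks the rule table top-down
the way a firewall matches the first packet of a new connection, and
reports which rule fires and whether the source address is NATed.
The addresses and sample packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address objects; in practice these come from Hosts & Networks.
NETWORKS = {
    "l2tp_pool": ip_network("10.0.0.0/24"),     # addresses handed to L2TP clients
    "int_net":   ip_network("192.168.1.0/24"),  # internal LAN
    "all-nets":  ip_network("0.0.0.0/0"),
}
IP_EXT = ip_address("203.0.113.1")  # assumed public address of the ext interface (ip_ext)


@dataclass(frozen=True)
class Rule:
    action: str    # "Allow" or "NAT"
    src_if: str
    src_net: str
    dst_if: str    # "any" matches every interface
    dst_net: str
    service: str   # "All" matches every protocol and port in this model


# The rule table from the manual, in evaluation order.
RULES = [
    Rule("Allow", "l2tp_tunnel",  "l2tp_pool", "any", "int_net",  "All"),
    Rule("NAT",   "ipsec_tunnel", "l2tp_pool", "ext", "all-nets", "All"),
]


@dataclass(frozen=True)
class Packet:
    src_if: str
    src: str
    dst_if: str
    dst: str


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.src_if != pkt.src_if:
        return False
    if rule.dst_if != "any" and rule.dst_if != pkt.dst_if:
        return False
    if ip_address(pkt.src) not in NETWORKS[rule.src_net]:
        return False
    if ip_address(pkt.dst) not in NETWORKS[rule.dst_net]:
        return False
    return True  # service "All" matches everything here


def evaluate(pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return (action, source address seen by the destination) for the first
    matching rule, or None when no rule matches (the default is to drop)."""
    for rule in RULES:
        if _matches(rule, pkt):
            src_seen = str(IP_EXT) if rule.action == "NAT" else pkt.src
            return rule.action, src_seen
    return None


if __name__ == "__main__":
    samples = [
        Packet("l2tp_tunnel", "10.0.0.5", "int", "192.168.1.10"),   # client -> LAN
        Packet("ipsec_tunnel", "10.0.0.5", "ext", "198.51.100.7"),  # client -> Internet
        Packet("l2tp_tunnel", "10.0.9.9", "int", "192.168.1.10"),   # address outside the pool
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The third sample shows why the Src Network column matters: a packet arriving on the tunnel with a source address outside l2tp_pool matches neither rule and is dropped, so only addresses the firewall itself handed out can reach int_net or be NATed to the Internet.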
8. Set up the client. Assuming Windows XP, the Create new connection option in Network
Connections should be selected to start the New Connection Wizard. The key information to
enter in this wizard is the resolvable URL of the D-Link Firewall or alternatively its ip_ext IP
address.
Then choose Network > Properties. In the dialog that opens choose the L2TP Tunnel and
select Properties. In the new dialog that opens select the Networking tab and choose Force to
L2TP. Now go back to the L2TP Tunnel properties, select the Security tab and click on the
IPsec Settings button. Now enter the pre-shared key.

9.2.5. L2TP Roaming Clients with Certificates

If certificates are used with L2TP roaming clients instead of pre-shared keys then the differences in
the setup described above are:
1. Load a Gateway Certificate and Root Certificate into NetDefendOS.
2. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication.
This is done by:
   a. Enable the X.509 Certificate option.
   b. Select the Gateway Certificate.
   c. Add the Root Certificate to use.
3. If using the Windows XP L2TP client, the appropriate certificates need to be imported into
Windows before setting up the connection with the New Connection Wizard.
The step to set up user authentication is optional since this is additional security on top of certificates.

9.2.6. PPTP Roaming Clients

PPTP is simpler to set up than L2TP since IPsec is not used; PPTP instead relies on its own, less
strong, encryption.
A major secondary disadvantage is that PPTP connections cannot be NATed, so multiple clients
behind one NAT device cannot share a single connection to the D-Link Firewall. If NATing is tried
then only the first client that tries to connect will succeed.
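The reason only the first client succeeds is that PPTP carries its tunnelled data in GRE (IP protocol 47), which has no port numbers for a port-based NAT to rewrite. The following added example (not from the D-Link manual; the addresses are constructed) models a plain port-based NAT table: TCP and UDP flows from several inside hosts each get their own outside port, while GRE flows to the same server can only be keyed on the peer address, so the second client's flow cannot be mapped.

```python
"""Why several PPTP clients behind one port-based NAT collide.

Added example, not from the D-Link manual.  TCP/UDP flows are keyed on a
translated port, so many inside hosts can share one public address.  GRE
(IP protocol 47), which PPTP uses for its data channel, has no port field,
so the NAT can key a GRE flow only on (protocol, remote peer); the first
client's mapping occupies that key.  Addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47
PUBLIC_IP = "198.51.100.10"  # constructed outside address of the NAT device


@dataclass
class Nat:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # outbound key -> (inside host, inside port)
    table: Dict[Tuple, Tuple[str, int]] = field(default_factory=dict)

    def translate(self, proto: int, inside_host: str, inside_port: int,
                  peer: str, peer_port: int) -> Optional[Tuple[str, Optional[int]]]:
        """Return the outside-visible (address, port) for this flow, or None
        when the NAT cannot create a distinguishable mapping."""
        if proto in (TCP, UDP):
            # Each new flow gets a fresh outside port, so any number of inside
            # hosts can talk to the same peer.
            port = self.next_port
            self.next_port += 1
            self.table[(proto, port, peer, peer_port)] = (inside_host, inside_port)
            return (self.public_ip, port)
        if proto == GRE:
            # No ports: the only key available is (protocol, peer).
            key = (GRE, peer)
            owner = self.table.get(key)
            if owner is None:
                self.table[key] = (inside_host, 0)
                return (self.public_ip, None)
            if owner[0] == inside_host:
                return (self.public_ip, None)  # same client's existing flow
            return None                        # a second client: cannot be mapped
        raise ValueError(f"unsupported protocol {proto}")


def pptp_clients_that_connect(nat: Nat, clients: List[str], server: str) -> List[str]:
    """Simulate PPTP from several inside hosts to one server.  Each client
    first opens its TCP/1723 control channel (always mappable) and then
    sends GRE data.  Returns the clients whose GRE flow got a mapping."""
    ok = []
    for host in clients:
        nat.translate(TCP, host, 50000, server, 1723)
        if nat.translate(GRE, host, 0, server, 0) is not None:
            ok.append(host)
    return ok


if __name__ == "__main__":
    # Constructed: three clients behind one NAT dialling the same PPTP server.
    nat = Nat()
    print(pptp_clients_that_connect(nat, ["10.1.1.2", "10.1.1.3", "10.1.1.4"],
                                    "203.0.113.5"))
```

The control channel (TCP 1723) is never the problem; it is the GRE data channel that collides. NAT devices with a PPTP-aware helper work around this by tracking and rewriting the GRE Call ID, but the manual's statement assumes a plain port-based NAT as modelled here.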
The steps for PPTP setup are as follows:
1. In Hosts & Networks define the following IP objects:
   A pptp_pool IP object which is the range of internal IP addresses that will be handed out
   from an internal network.
236
Chapter 9. VPN
