Proposal Lists; Using A Proposal List - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
DNS - A DNS address can be manually entered
E-mail - An email address can be manually entered
9.2.2. Proposal Lists
To agree on the VPN connection parameters, a negotiation process is performed. As a result of the
negotiations, the IKE and IPsec security associations (SAs) are established. As the name implies, a
proposal is the starting point for the negotiation. A proposal defines the encryption parameters that
the VPN firewall supports, for instance the encryption algorithm, lifetimes, etc.
There are two types of proposals, IKE proposals and IPsec proposals. IKE proposals are used during
IKE Phase-1 (IKE Security Negotiation), while IPsec proposals are used during IKE Phase-2 (IPsec
Security Negotiation).
A Proposal List is used to group several proposals. During the negotiation process, the proposals in
the proposal list are offered to the remote VPN firewall one after another until a matching proposal
is found. Several proposal lists can be defined in NetDefendOS for different VPN scenarios. Two
IKE proposal lists and two IPsec proposal lists are defined by default in NetDefendOS.
The ike-roamingclients and esp-tn-roamingclients proposal lists are suitable for VPN tunnels that
are used for roaming VPN clients. These proposal lists are compatible with the default proposal lists
in the D-Link VPN Client.
As the name implies, the ike-lantolan and esp-tn-lantolan proposal lists are suitable for LAN-to-LAN
VPN solutions. These proposal lists are trimmed to include only AES and 3DES based proposals.
Example 9.1. Using a Proposal List
This example shows how to create and use an IPsec Proposal List for use in the VPN tunnel. It will propose 3DES
and DES as encryption algorithms. The hash functions SHA1 and MD5 will both be used to check whether a
data packet has been altered in transit. Note that this example does not illustrate how to add the specific
IPsec tunnel object. It will also be used in a later example.
CLI
First create a list of IPsec Algorithms:
gw-world:/> add IPsecAlgorithms esp-l2tptunnel DESEnabled=Yes DES3Enabled=Yes SHA1Enabled=Yes MD5Enabled=Yes
Then, apply the proposal list to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel IPsecAlgorithms=esp-l2tptunnel
Web Interface
First create a list of IPsec Algorithms:
1. Go to Objects > VPN Objects > IKE Algorithms > Add > IPsec Algorithms
2. Enter a name for the list, e.g. esp-l2tptunnel.
3. Now check the following:
   DES
   3DES
   SHA1
   MD5
4. Click OK
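Because the proposals in a list are offered until the remote side matches one, every algorithm enabled in a list is one the tunnel may end up using. The following added example (not taken from the D-Link manual) parses add IPsecAlgorithms commands written as in Example 9.1 and reports the enabled algorithms that RFC 8221 disallows or discourages for ESP. The rating table, the function names and the second sample list are assumptions of this example.

```python
import re

# Ratings for the four parameters shown in Example 9.1. The reasons follow
# RFC 8221 (ESP algorithm requirements); this table is an assumption of the
# example, not a NetDefendOS feature.
RATINGS = {
    "DESEnabled":  ("weak",   "DES: 56-bit key, MUST NOT in RFC 8221"),
    "MD5Enabled":  ("weak",   "HMAC-MD5: MUST NOT in RFC 8221"),
    "DES3Enabled": ("legacy", "3DES: 64-bit block, SHOULD NOT in RFC 8221"),
    "SHA1Enabled": ("legacy", "HMAC-SHA1: still permitted, being phased out"),
}

PROMPT = re.compile(r"^\S+:/>\s*")   # strips a prompt such as "gw-world:/> "
PARAM = re.compile(r"^(\w+)=(\w+)$")  # matches Name=Value arguments

def parse_algorithm_lists(cli_text):
    """Return {list_name: set(enabled parameters)} from 'add IPsecAlgorithms' lines."""
    lists = {}
    for line in cli_text.splitlines():
        words = PROMPT.sub("", line.strip()).split()
        if len(words) < 3 or words[:2] != ["add", "IPsecAlgorithms"]:
            continue  # not a proposal-list definition
        enabled = set()
        for word in words[3:]:
            m = PARAM.match(word)
            if m and m.group(2).lower() == "yes":
                enabled.add(m.group(1))
        lists[words[2]] = enabled
    return lists

def audit(cli_text):
    """Return sorted (list_name, parameter, rating, reason) findings."""
    findings = []
    for name, enabled in parse_algorithm_lists(cli_text).items():
        for param in enabled & RATINGS.keys():
            findings.append((name, param) + RATINGS[param])
    return sorted(findings)

# The command from Example 9.1, plus a constructed second list for contrast.
SAMPLE = """\
gw-world:/> add IPsecAlgorithms esp-l2tptunnel DESEnabled=Yes DES3Enabled=Yes SHA1Enabled=Yes MD5Enabled=Yes
gw-world:/> add IPsecAlgorithms esp-constructed DESEnabled=No DES3Enabled=Yes SHA1Enabled=Yes
"""

if __name__ == "__main__":
    for name, param, rating, reason in audit(SAMPLE):
        print(f"{name}: {param} [{rating}] {reason}")
```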