D-Link DFL-260 Product Manual - Page 385
B. IP addresses handed out by NetDefendOS, IPsec Tunnel
UPC - 790069296802
View all D-Link DFL-260 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 385 highlights
9.2.3. IPsec Roaming Clients with Pre-shared Keys Chapter 9. VPN The Group string for a user can be specified if its group's access is to be restricted to certain source networks. Group can be specified (with the same text string) in the Authentication section of an IP object. If that IP object is then used as the Source Network of a rule in the IP rule set, that rule will only apply to a user if their Group string matches the Group string of the IP object. Note Group has no meaning in Authentication Rules. • Create a new User Authentication Rule with the Authentication Source set to TrustedUsers. The other parameters for the rule are: Agent XAUTH Auth Source Local Src Network all-nets Interface any Client Source IP all-nets (0.0.0.0/0) 2. The IPsec Tunnel object ipsec_tunnel should have the following parameters: • Set Local Network to lannet. • Set Remote Network to all-nets • Set Remote Endpoint to all-nets. • Set Encapsulation mode to Tunnel. • Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients. • No routes can be predefined so the option Dynamically add route to the remote network when tunnel established should be enabled for the tunnel object. If all-nets is the destination network, the option Add route for remote network should be disabled. Note The option to dynamically add routes should not be enabled in LAN to LAN tunnel scenarios. • Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels. This will enable a search for the first matching XAUTH rule in the authentication rules. 3. The IP rule set should contain the single rule: Action Allow Src Interface ipsec_tunnel Src Network all-nets Dest Interface lan Dest Network lannet Service All Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP object could be used which specifies the exact range of the pre-allocated IP addresses. B. IP addresses handed out by NetDefendOS If the client IP addresses are not known then they must be handed out by NetDefendOS. To do this the above must be modified with the following: 1. If a specific IP address range is to be used as a pool of available addresses then: 385