D-Link DFL-260E User Manual for DFL-260E - Page 415
IPsec LAN to LAN with Certificates, Note: The system time and date should be correct
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 415 highlights
9.2.2. IPsec LAN to LAN with Certificates Chapter 9. VPN remote_net. • An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the Source Interface. The Source Network is remote_net. Action Allow Allow Src Interface lan ipsec_tunnel Src Network lannet remote_net Dest Interface ipsec_tunnel lan Dest Network remote_net lannet Service all_services all_services The Service used in these rules is All but it could be a predefined service. 6. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the Interface to use for routing packets bound for the remote network at the other end of the tunnel. Interface ipsec_tunnel Network remote_net Gateway 9.2.2. IPsec LAN to LAN with Certificates LAN to LAN security is usually provided with pre-shared keys but sometimes it may be desirable to use X.509 certificates instead. If this is the case, Certificate Authority (CA) signed certificates may be used and these come from an internal CA server or from a commercial supplier of certificates. Creating a LAN to LAN tunnel with certificates follows exactly the same procedures as the previous section where a pre-shared key was used. The difference is that certificates now replace pre-shared keys for authentication. Two unique sets of two CA signed certificates (two for either end, a root certificate and a gateway certificate) are required for a LAN to LAN tunnel authentication. The setup steps are as follows: 1. Open the WebUI management interface for the NetDefend Firewall at one end of the tunnel. 2. Under Authentication Objects, add the Root Certificate and Host Certificate into NetDefendOS. The root certificate needs to have 2 parts added: a certificate file and a private key file. The gateway certificate needs just the certificate file added. 3. Set up the IPsec Tunnel object as for pre-shared keys, but specify the certificates to use under Authentication. Do this with the following steps: a. Enable the X.509 Certificate option. b. Add the Root Certificate to use. c. Select the Gateway Certificate. 4. Open the WebUI management interface for the NetDefend Firewall at the other side of the tunnel and repeat the above steps with a different set of certificates. Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. 415