Home » D-Link Manuals » Network Security & Firewall Devices » D-Link DFL-260E » Manual Viewer

D-Link DFL-260E User Manual for DFL-260E - Page 419

L2TP Roaming Clients with Pre-Shared Keys

Add to My Manuals
Save this manual to your list of manuals

Page 419 highlights

9.2.5. L2TP Roaming Clients with Pre-Shared Keys Chapter 9. VPN This is done by doing the following: a. Enable the X.509 Certificate option. b. Select the Gateway Certificate. c. Add the Root Certificate to use. 3. The IPsec client software will need to be appropriately configured with the certificates and remote IP addresses. As already mentioned above, many third party IPsec client products are available and this manual will not discuss any particular client. The step to set up user authentication is optional since this is additional security to certificates. Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. Also review Section 9.7, "CA Server Access", which describes important considerations for certificate validation. 9.2.5. L2TP Roaming Clients with Pre-Shared Keys Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client VPN scenarios. L2TP is usually encapsulated in IPsec to provide encryption with IPsec running in transport mode instead of tunnel mode. The steps for L2TP over IPsec setup are: 1. Create an IP object (let's call it l2tp_pool) which defines the range of IP addresses which can be handed out to clients. The range chosen could be of two types: • A range taken from the internal network to which clients will connect. If the internal network is 192.168.0.0/24 then we might use the address range 192.168.0.10 to 192.168.0.20. The danger here is that an IP address might be accidentally used on the internal network and handed out to a client. • Use a new address range that is totally different to any internal network. This prevents any chance of an address in the range also being used on the internal network. 2. Define two other IP objects: • ip_ext which is the external public IPv4 address through which clients connect (let's assume this is on the ext interface). • ip_int which is the internal IP address of the interface to which the internal network is connected (let's call this interface int). 3. Define a Pre-shared Key for the IPsec tunnel. 4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device). • Set Remote Network to all-nets. • Set Remote Endpoint to none. • For Authentication select the Pre-shared Key object defined in the first step. 419

Section	Page
User Manual	3
Table of Contents	4
Preface	15
Chapter 1. NetDefendOS Overview	17
1.1. Features	17
1.2. NetDefendOS Architecture	20
1.2.1. State-based Architecture	20
1.2.2. NetDefendOS Building Blocks	20
1.2.3. Basic Packet Flow	21
1.3. NetDefendOS State Engine Packet Flow	24
Chapter 2. Management and Maintenance	29
2.1. Managing NetDefendOS	29
2.1.1. Overview	29
2.1.2. The Default Administrator Account	30
2.1.3. The Web Interface	30
2.1.4. The CLI	36
2.1.5. CLI Scripts	44
2.1.6. Secure Copy	48
2.1.7. The Console Boot Menu	50
2.1.8. Management Advanced Settings	52
2.1.9. Working with Configurations	53
2.2. Events and Logging	59
2.2.1. Overview	59
2.2.2. Log Messages	59
2.2.3. Creating Log Receivers	60
2.2.4. Logging to MemoryLogReceiver	60
2.2.5. Logging to Syslog Hosts	60
2.2.6. Severity Filter and Message Exceptions	62
2.2.7. SNMP Traps	62
2.2.8. Advanced Log Settings	64
2.3. RADIUS Accounting	65
2.3.1. Overview	65
2.3.2. RADIUS Accounting Messages	65
2.3.3. Interim Accounting Messages	67
2.3.4. Activating RADIUS Accounting	67
2.3.5. RADIUS Accounting Security	68
2.3.6. RADIUS Accounting and High Availability	68
2.3.7. Handling Unresponsive RADIUS Servers	68
2.3.8. Accounting and System Shutdowns	69
2.3.9. Limitations with NAT	69
2.3.10. RADIUS Advanced Settings	69
2.4. Monitoring	71
2.4.1. The Link Monitor	71
2.4.2. SNMP Monitoring	73
2.4.3. Hardware Monitoring	76
2.4.4. Memory Monitoring Settings	78
2.5. The pcapdump Command	80
2.6. Maintenance	83
2.6.1. Auto-Update Mechanism	83
2.6.2. Backing Up Configurations	83
2.6.3. Restore to Factory Defaults	85
Chapter 3. Fundamentals	88
3.1. The Address Book	88
3.1.1. Overview	88
3.1.2. IP Addresses	88
3.1.3. Ethernet Addresses	90
3.1.4. Address Groups	91
3.1.5. Auto-Generated Address Objects	92
3.1.6. Address Book Folders	92
3.2. IPv6 Support	93
3.3. Services	98
3.3.1. Overview	98
3.3.2. Creating Custom Services	99
3.3.3. ICMP Services	102
3.3.4. Custom IP Protocol Services	104
3.3.5. Service Groups	104
3.3.6. Custom Service Timeouts	105
3.4. Interfaces	106
3.4.1. Overview	106
3.4.2. Ethernet Interfaces	108
3.4.2.1. Useful CLI Commands for Ethernet Interfaces	112
3.4.3. VLAN	115
3.4.4. PPPoE	118
3.4.5. GRE Tunnels	120
3.4.6. Interface Groups	124
3.5. ARP	126
3.5.1. Overview	126
3.5.2. The NetDefendOS ARP Cache	126
3.5.3. Creating ARP Objects	128
3.5.4. Using ARP Advanced Settings	130
3.5.5. ARP Advanced Settings Summary	131
3.6. IP Rules	135
3.6.1. Security Policies	135
3.6.2. IP Rule Evaluation	138
3.6.3. IP Rule Actions	139
3.6.4. Editing IP rule set Entries	140
3.6.5. IP Rule Set Folders	141
3.6.6. Configuration Object Groups	142
3.7. Schedules	146
3.8. Certificates	148
3.8.1. Overview	148
3.8.2. Certificates in NetDefendOS	150
3.8.3. CA Certificate Requests	151
3.9. Date and Time	153
3.9.1. Overview	153
3.9.2. Setting Date and Time	153
3.9.3. Time Servers	154
3.9.4. Settings Summary for Date and Time	157
3.10. DNS	160
Chapter 4. Routing	164
4.1. Overview	164
4.2. Static Routing	165
4.2.1. The Principles of Routing	165
4.2.2. Static Routing	169
4.2.3. Route Failover	174
4.2.4. Host Monitoring for Route Failover	177
4.2.5. Advanced Settings for Route Failover	179
4.2.6. Proxy ARP	180
4.3. Policy-based Routing	183
4.4. Route Load Balancing	190
4.5. OSPF	196
4.5.1. Dynamic Routing	196
4.5.2. OSPF Concepts	199
4.5.3. OSPF Components	204
4.5.3.1. OSPF Router Process	204
4.5.3.2. OSPF Area	206
4.5.3.3. OSPF Interface	207
4.5.3.4. OSPF Neighbors	209
4.5.3.5. OSPF Aggregates	209
4.5.3.6. OSPF VLinks	209
4.5.4. Dynamic Routing Rules	210
4.5.4.1. Overview	210
4.5.4.2. Dynamic Routing Rule	212
4.5.4.3. OSPF Action	212
4.5.4.4. Routing Action	213
4.5.5. Setting Up OSPF	213
4.5.6. An OSPF Example	217
4.6. Multicast Routing	220
4.6.1. Overview	220
4.6.2. Multicast Forwarding with SAT Multiplex Rules	221
4.6.2.1. Multicast Forwarding - No Address Translation	221
4.6.2.2. Multicast Forwarding - Address Translation Scenario	224
4.6.3. IGMP Configuration	225
4.6.3.1. IGMP Rules Configuration - No Address Translation	227
4.6.3.2. IGMP Rules Configuration - Address Translation	228
4.6.4. Advanced IGMP Settings	230
4.7. Transparent Mode	233
4.7.1. Overview	233
4.7.2. Enabling Internet Access	238
4.7.3. Transparent Mode Scenarios	239
4.7.4. Spanning Tree BPDU Support	243
4.7.5. Advanced Settings for Transparent Mode	244
Chapter 5. DHCP Services	249
5.1. Overview	249
5.2. DHCP Servers	250
5.2.1. Static DHCP Hosts	253
5.2.2. Custom Options	255
5.3. DHCP Relaying	256
5.3.1. DHCP Relay Advanced Settings	257
5.4. IP Pools	259
Chapter 6. Security Mechanisms	263
6.1. Access Rules	263
6.1.1. Overview	263
6.1.2. IP Spoofing	264
6.1.3. Access Rule Settings	264
6.2. ALGs	266
6.2.1. Overview	266
6.2.2. The HTTP ALG	267
6.2.3. The FTP ALG	270
6.2.4. The TFTP ALG	279
6.2.5. The SMTP ALG	280
6.2.5.1. Anti-Spam Filtering	283
6.2.6. The POP3 ALG	289
6.2.7. The PPTP ALG	290
6.2.8. The SIP ALG	291
6.2.9. The H.323 ALG	302
6.2.10. The TLS ALG	316
6.3. Web Content Filtering	319
6.3.1. Overview	319
6.3.2. Active Content Handling	319
6.3.3. Static Content Filtering	320
6.3.4. Dynamic Web Content Filtering	322
6.3.4.1. Overview	322
6.3.4.2. Setting Up WCF	323
6.3.4.3. Content Filtering Categories	327
6.3.4.4. Customizing WCF HTML Pages	334
6.4. Anti-Virus Scanning	337
6.4.1. Overview	337
6.4.2. Implementation	337
6.4.3. Activating Anti-Virus Scanning	338
6.4.4. The Signature Database	338
6.4.5. Subscribing to the D-Link Anti-Virus Service	339
6.4.6. Anti-Virus Options	339
6.5. Intrusion Detection and Prevention	343
6.5.1. Overview	343
6.5.2. IDP Availability for D-Link Models	343
6.5.3. IDP Rules	345
6.5.4. Insertion/Evasion Attack Prevention	347
6.5.5. IDP Pattern Matching	348
6.5.6. IDP Signature Groups	349
6.5.7. IDP Actions	350
6.5.8. SMTP Log Receiver for IDP Events	351
6.6. Denial-of-Service Attack Prevention	355
6.6.1. Overview	355
6.6.2. DoS Attack Mechanisms	355
6.6.3. Ping of Death and Jolt Attacks	355
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea	356
6.6.5. The Land and LaTierra attacks	356
6.6.6. The WinNuke attack	356
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle	357
6.6.8. TCP SYN Flood Attacks	358
6.6.9. The Jolt2 Attack	358
6.6.10. Distributed DoS Attacks	358
6.7. Blacklisting Hosts and Networks	360
Chapter 7. Address Translation	363
7.1. Overview	363
7.2. NAT	364
7.3. NAT Pools	369
7.4. SAT	372
7.4.1. Translation of a Single IP Address (1:1)	372
7.4.2. Translation of Multiple IP Addresses (M:N)	377
7.4.3. All-to-One Mappings (N:1)	379
7.4.4. Port Translation	381
7.4.5. Protocols Handled by SAT	381
7.4.6. Multiple SAT Rule Matches	381
7.4.7. SAT and FwdFast Rules	382
Chapter 8. User Authentication	385
8.1. Overview	385
8.2. Authentication Setup	387
8.2.1. Setup Summary	387
8.2.2. The Local Database	387
8.2.3. External RADIUS Servers	389
8.2.4. External LDAP Servers	389
8.2.5. Authentication Rules	396
8.2.6. Authentication Processing	398
8.2.7. A Group Usage Example	399
8.2.8. HTTP Authentication	399
8.3. Customizing Authentication HTML Pages	404
Chapter 9. VPN	409
9.1. Overview	409
9.1.1. VPN Usage	409
9.1.2. VPN Encryption	410
9.1.3. VPN Planning	411
9.1.4. Key Distribution	411
9.1.5. The TLS Alternative for VPN	412
9.2. VPN Quick Start	413
9.2.1. IPsec LAN to LAN with Pre-shared Keys	414
9.2.2. IPsec LAN to LAN with Certificates	415
9.2.3. IPsec Roaming Clients with Pre-shared Keys	416
9.2.4. IPsec Roaming Clients with Certificates	418
9.2.5. L2TP Roaming Clients with Pre-Shared Keys	419
9.2.6. L2TP Roaming Clients with Certificates	421
9.2.7. PPTP Roaming Clients	421
9.3. IPsec Components	423
9.3.1. Overview	423
9.3.2. Internet Key Exchange (IKE)	423
9.3.3. IKE Authentication	429
9.3.4. IPsec Protocols (ESP/AH)	430
9.3.5. NAT Traversal	431
9.3.6. Algorithm Proposal Lists	433
9.3.7. Pre-shared Keys	434
9.3.8. Identification Lists	435
9.4. IPsec Tunnels	438
9.4.1. Overview	438
9.4.2. LAN to LAN Tunnels with Pre-shared Keys	440
9.4.3. Roaming Clients	440
9.4.4. Fetching CRLs from an alternate LDAP server	445
9.4.5. Troubleshooting with ikesnoop	446
9.4.6. IPsec Advanced Settings	453
9.5. PPTP/L2TP	457
9.5.1. PPTP Servers	457
9.5.2. L2TP Servers	458
9.5.3. L2TP/PPTP Server advanced settings	463
9.5.4. PPTP/L2TP Clients	463
9.6. SSL VPN	466
9.6.1. Overview	466
9.6.2. Configuring SSL VPN in NetDefendOS	467
9.6.3. Installing the SSL VPN Client	469
9.6.4. Setup Example	472
9.7. CA Server Access	474
9.8. VPN Troubleshooting	477
9.8.1. General Troubleshooting	477
9.8.2. Troubleshooting Certificates	478
9.8.3. IPsec Troubleshooting Commands	478
9.8.4. Management Interface Failure with VPN	479
9.8.5. Specific Error Messages	479
9.8.6. Specific Symptoms	482
Chapter 10. Traffic Management	485
10.1. Traffic Shaping	485
10.1.1. Overview	485
10.1.2. Traffic Shaping in NetDefendOS	486
10.1.3. Simple Bandwidth Limiting	488
10.1.4. Limiting Bandwidth in Both Directions	489
10.1.5. Creating Differentiated Limits Using Chains	490
10.1.6. Precedences	492
10.1.7. Pipe Groups	496
10.1.8. Traffic Shaping Recommendations	499
10.1.9. A Summary of Traffic Shaping	500
10.1.10. More Pipe Examples	501
10.2. IDP Traffic Shaping	506
10.2.1. Overview	506
10.2.2. Setting Up IDP Traffic Shaping	506
10.2.3. Processing Flow	507
10.2.4. The Importance of Specifying a Network	507
10.2.5. A P2P Scenario	508
10.2.6. Viewing Traffic Shaping Objects	509
10.2.7. Guaranteeing Instead of Limiting Bandwidth	510
10.2.8. Logging	510
10.3. Threshold Rules	511
10.4. Server Load Balancing	514
10.4.1. Overview	514
10.4.2. SLB Distribution Algorithms	515
10.4.3. Selecting Stickiness	516
10.4.4. SLB Algorithms and Stickiness	517
10.4.5. Server Health Monitoring	518
10.4.6. Setting Up SLB_SAT Rules	519
Chapter 11. High Availability	523
11.1. Overview	523
11.2. HA Mechanisms	525
11.3. Setting Up HA	528
11.3.1. HA Hardware Setup	528
11.3.2. NetDefendOS Manual HA Setup	529
11.3.3. Verifying the Cluster Functions	530
11.3.4. Unique Shared Mac Addresses	531
11.4. HA Issues	532
11.5. Upgrading an HA Cluster	534
11.6. Link Monitoring and HA	536
11.7. HA Advanced Settings	537
Chapter 12. ZoneDefense	539
12.1. Overview	539
12.2. ZoneDefense Switches	540
12.3. ZoneDefense Operation	541
12.3.1. SNMP	541
12.3.2. Threshold Rules	541
12.3.3. Manual Blocking and Exclude Lists	541
12.3.4. ZoneDefense with Anti-Virus Scanning	543
12.3.5. Limitations	543
Chapter 13. Advanced Settings	546
13.1. IP Level Settings	546
13.2. TCP Level Settings	550
13.3. ICMP Level Settings	555
13.4. State Settings	556
13.5. Connection Timeout Settings	558
13.6. Length Limit Settings	560
13.7. Fragmentation Settings	562
13.8. Local Fragment Reassembly Settings	566
13.9. Miscellaneous Settings	567
Appendix A. Subscribing to Updates	570
Appendix B. IDP Signature Groups	572
Appendix C. Verified MIME filetypes	576
Appendix D. The OSI Framework	580

Match case Limit results 1 per page

This is done by doing the following:

Enable the

X.509 Certificate

option.

Select the

Gateway Certificate

Add the

Root Certificate

to use.

The IPsec client software will need to be appropriately configured with the certificates and

remote IP addresses. As already mentioned above, many third party IPsec client products are

available and this manual will not discuss any particular client.

The step to set up user authentication is optional since this is additional security to certificates.

Note: The system time and date should be correct

The NetDefendOS date and time should be set correctly since certificates have an

expiry date and time.

Also review

Section 9.7, “CA Server Access”

, which describes important considerations for

certificate validation.

9.2.5. L2TP Roaming Clients with Pre-Shared Keys

Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client

VPN scenarios. L2TP is usually encapsulated in IPsec to provide encryption with IPsec running in

transport mode

instead of

tunnel mode

. The steps for L2TP over IPsec setup are:

Create an IP object (let's call it

l2tp_pool

) which defines the range of IP addresses which can be

handed out to clients. The range chosen could be of two types:

•

A range taken from the internal network to which clients will connect. If the internal

network

192.168.0.0/24

then

might

use

the

address

range

192.168.0.10

192.168.0.20. The danger here is that an IP address might be accidentally used on the

internal network and handed out to a client.

•

Use a new address range that is totally different to any internal network. This prevents any

chance of an address in the range also being used on the internal network.

Define two other IP objects:

•

ip_ext

which is the external public IPv4 address through which clients connect (let's assume

this is on the

ext

interface).

•

ip_int

which is the internal IP address of the interface to which the internal network is

connected (let's call this interface

int

Define a

Pre-shared Key

for the IPsec tunnel.

Define an

IPsec Tunnel

object (let's call this object

ipsec_tunnel

) with the following

parameters:

•

Set

Local Network

ip_ext

(specify

all-nets

instead if NetDefendOS is behind a NATing

device).

•

Set

Remote Network

all-nets

•

Set

Remote Endpoint

none

•

For

Authentication

select the

Pre-shared Key

object defined in the first step.

9.2.5. L2TP Roaming Clients with

Pre-Shared Keys

Chapter 9. VPN

419