D-Link DFL-260E User Manual for DFL-260E - Page 419
L2TP Roaming Clients with Pre-Shared Keys
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 419 highlights
9.2.5. L2TP Roaming Clients with Pre-Shared Keys Chapter 9. VPN This is done by doing the following: a. Enable the X.509 Certificate option. b. Select the Gateway Certificate. c. Add the Root Certificate to use. 3. The IPsec client software will need to be appropriately configured with the certificates and remote IP addresses. As already mentioned above, many third party IPsec client products are available and this manual will not discuss any particular client. The step to set up user authentication is optional since this is additional security to certificates. Note: The system time and date should be correct The NetDefendOS date and time should be set correctly since certificates have an expiry date and time. Also review Section 9.7, "CA Server Access", which describes important considerations for certificate validation. 9.2.5. L2TP Roaming Clients with Pre-Shared Keys Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client VPN scenarios. L2TP is usually encapsulated in IPsec to provide encryption with IPsec running in transport mode instead of tunnel mode. The steps for L2TP over IPsec setup are: 1. Create an IP object (let's call it l2tp_pool) which defines the range of IP addresses which can be handed out to clients. The range chosen could be of two types: • A range taken from the internal network to which clients will connect. If the internal network is 192.168.0.0/24 then we might use the address range 192.168.0.10 to 192.168.0.20. The danger here is that an IP address might be accidentally used on the internal network and handed out to a client. • Use a new address range that is totally different to any internal network. This prevents any chance of an address in the range also being used on the internal network. 2. Define two other IP objects: • ip_ext which is the external public IPv4 address through which clients connect (let's assume this is on the ext interface). • ip_int which is the internal IP address of the interface to which the internal network is connected (let's call this interface int). 3. Define a Pre-shared Key for the IPsec tunnel. 4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters: • Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device). • Set Remote Network to all-nets. • Set Remote Endpoint to none. • For Authentication select the Pre-shared Key object defined in the first step. 419