D-Link DFL-800-AV-12 User Manual - Page 253
Chapter 9. VPN

9.4. IPsec Tunnels

9.4.1. Overview

An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.

When another D-Link Firewall or D-Link VPN Client (or any IPsec compliant product) tries to establish an IPsec VPN tunnel to the D-Link Firewall, the configured IPsec Tunnels are evaluated. If a matching IPsec Tunnel definition is found, the IKE and IPsec negotiations then take place, resulting in an IPsec VPN tunnel being established.

Note that an established IPsec tunnel does not automatically mean that all traffic from that IPsec tunnel is trusted. On the contrary, network traffic that has been decrypted will be transferred to the rule set for further evaluation. The source interface of the decrypted network traffic will be the name of the associated IPsec Tunnel. Furthermore, a Route or an Access rule, in the case of a roaming client, has to be defined to have NetDefendOS accept certain source IP addresses from the IPsec tunnel.

For network traffic going in the opposite direction, that is, going into an IPsec tunnel, a reverse process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and a route match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is found, NetDefendOS will try to establish a tunnel to the remote firewall specified by the matching IPsec Tunnel definition.

Note
IKE and ESP/AH traffic are sent to the IPsec engine before the rule set is consulted. Encrypted traffic to the firewall therefore does not need to be allowed in the rule set. This behaviour can be changed in the IPsec Advanced Settings section.

9.4.2. LAN to LAN Tunnels with Pre-shared Keys

A VPN can allow geographically distributed Local Area Networks (LANs) to communicate securely over the public Internet. In a corporate context this means LANs at geographically separate sites can communicate with a level of security comparable to that existing if they communicated through a dedicated, private link. Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall is therefore the implementor of the VPN, while at the same time applying normal security surveillance of traffic passing through the tunnel.

This section deals specifically with setting up LAN to LAN tunnels created with a Pre-shared Key (PSK). A number of steps are required to set up LAN to LAN tunnels with PSK:

• Set up a Pre-shared Key or secret for the VPN tunnel.
• Set up the VPN tunnel properties.
• Set up the Route.
• Set up the Rules (2-way tunnel requires 2 rules).

9.4.3. Roaming Clients

An employee who is on the move who needs to access a central corporate server from a notebook
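The packet-flow rules described in Section 9.4.1 (IKE/ESP/AH handed to the IPsec engine before the rule set; decrypted traffic re-tagged with the tunnel name as its source interface and then subjected to a Route check and the rule set; outbound cleartext passing the rule set and a route before a tunnel is found or initiated) and the Route-plus-two-Rules setup of Section 9.4.2 are modelled below in a small Python simulation. This is an added example, not NetDefendOS code or configuration syntax; the tunnel name "hq_tunnel", the interface names, networks and addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the NetDefendOS evaluation order described in 9.4.1.
IKE_UDP_PORTS = {500, 4500}       # IKE and IKE over NAT-T
IPSEC_PROTOCOLS = {"esp", "ah"}   # IPsec payload protocols


@dataclass
class Packet:
    proto: str        # "esp", "ah", "udp", "tcp", ...
    src: str
    dst: str
    src_iface: str    # interface the packet is attributed to
    dport: int = 0


@dataclass
class Rule:           # action, source interface, source net, destination net
    action: str
    src_iface: str
    src_net: str
    dst_net: str


@dataclass
class Route:          # egress interface and the network reachable through it
    iface: str
    net: str


@dataclass
class Tunnel:         # an IPsec Tunnel definition, acting as a logical interface
    name: str
    remote_gw: str
    established: bool = False


def reverse_route_ok(routes, pkt):
    """The Route for the packet's source network must point at the interface
    it arrived on; this is the 'Route ... to accept certain source IP
    addresses from the IPsec tunnel' requirement."""
    return any(r.iface == pkt.src_iface and ip_address(pkt.src) in ip_network(r.net)
               for r in routes)


def rule_lookup(rules, pkt):
    """First matching rule decides; no match means drop."""
    for r in rules:
        if (r.src_iface == pkt.src_iface
                and ip_address(pkt.src) in ip_network(r.src_net)
                and ip_address(pkt.dst) in ip_network(r.dst_net)):
            return r.action
    return "drop"


def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    best = None
    for r in routes:
        net = ip_network(r.net)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.iface)
    return best[1] if best else None


def inbound(pkt, rules):
    """Traffic arriving from outside: IKE and ESP/AH bypass the rule set and
    go straight to the IPsec engine; everything else hits the rule set."""
    if pkt.proto in IPSEC_PROTOCOLS or (pkt.proto == "udp" and pkt.dport in IKE_UDP_PORTS):
        return "ipsec-engine"
    return rule_lookup(rules, pkt)


def decrypted(pkt, tunnel_name, rules, routes):
    """Cleartext leaving a tunnel is not trusted: it is re-tagged with the
    tunnel as source interface, then must pass the Route check and rule set."""
    inner = Packet(pkt.proto, pkt.src, pkt.dst, src_iface=tunnel_name, dport=pkt.dport)
    if not reverse_route_ok(routes, inner):
        return "drop (no route accepting this source on the tunnel)"
    return rule_lookup(rules, inner)


def outbound(pkt, rules, routes, tunnels):
    """Cleartext heading into a tunnel: rule set, then route, then tunnel state."""
    if rule_lookup(rules, pkt) != "allow":
        return "drop"
    iface = route_lookup(routes, pkt.dst)
    tun = next((t for t in tunnels if t.name == iface), None)
    if tun is None:
        return f"forward via {iface}" if iface else "drop (no route)"
    return f"encrypt into {tun.name}" if tun.established else f"initiate IKE to {tun.remote_gw}"


# Constructed configuration: one LAN-to-LAN tunnel, its Route, and the two
# Rules a 2-way tunnel needs (one per direction), plus ordinary Internet access.
TUNNELS = [Tunnel("hq_tunnel", remote_gw="203.0.113.1")]
ROUTES = [Route("lan", "192.168.1.0/24"), Route("hq_tunnel", "10.10.0.0/16"),
          Route("wan", "0.0.0.0/0")]
RULES = [Rule("allow", "lan", "192.168.1.0/24", "10.10.0.0/16"),
         Rule("allow", "hq_tunnel", "10.10.0.0/16", "192.168.1.0/24"),
         Rule("allow", "lan", "192.168.1.0/24", "0.0.0.0/0")]


def demo():
    """Runs five constructed packets through the model and returns the verdicts."""
    return {
        "esp": inbound(Packet("esp", "203.0.113.1", "198.51.100.2", "wan"), RULES),
        "hq_to_lan": decrypted(Packet("tcp", "10.10.5.7", "192.168.1.20", "wan", 445),
                               "hq_tunnel", RULES, ROUTES),
        "wrong_src": decrypted(Packet("tcp", "172.16.0.9", "192.168.1.20", "wan", 445),
                               "hq_tunnel", RULES, ROUTES),
        "lan_to_hq": outbound(Packet("tcp", "192.168.1.20", "10.10.5.7", "lan", 80),
                              RULES, ROUTES, TUNNELS),
        "lan_to_inet": outbound(Packet("tcp", "192.168.1.20", "93.184.216.34", "lan", 443),
                                RULES, ROUTES, TUNNELS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The "wrong_src" case is the one worth noticing: the packet decrypted correctly, yet it is dropped because no Route on hq_tunnel covers its source address. That is the practical meaning of the manual's statement that an established tunnel does not by itself make the traffic trusted; the Route and the Rules, not the tunnel, decide what is accepted.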