D-Link DFL-860E User Manual for DFL-260E - Page 416
IPsec Roaming Clients with Pre-shared Keys, A. IP addresses already allocated
View all D-Link DFL-860E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 416 highlights
9.2.3. IPsec Roaming Clients with Pre-shared Keys Chapter 9. VPN Also review Section 9.7, "CA Server Access" below, which describes important considerations for certificate validation. Self-signed certificates instead of CA signed can be used for LAN to LAN tunnels but the Web Interface and other interfaces do not have a feature to generate them. Instead, they must be generated by another utility and imported into NetDefendOS. This means that they are not truly self-signed since they are generated outside of NetDefendOS control and it should be remembered that there is no guarantee that their private key is unique. However, the security provided can still be considered adequate for some scenarios. Two self-signed certificates are required and the same two are used at either end of the tunnel but their usage is reversed. In other words: one certificate is used as the root certificate at one end, call it Side A, and as the host certificate at the other end, call it Side B. The second certificate is used in the opposite way: as the host certificate at Side A and the root certificate at Side B. No CA server considerations are needed with self-signed certificates since CRL lookup does not occur. 9.2.3. IPsec Roaming Clients with Pre-shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel using pre-shared keys to a protected Local Network which is located behind a NetDefend Firewall. There are two types of roaming clients: A. the IPv4 addresses of the clients are already allocated. B. the IPv4 addresses of clients are not known beforehand and must be handed out by NetDefendOS when the clients try to connect. A. IP addresses already allocated the IPv4 addresses may be known beforehand and have been pre-allocated to the roaming clients before they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients but is recommended (this step could initially be left out to simplify setup). The authentication source can be one of the following: • A Local User DB object which is internal to NetDefendOS. 416