D-Link DFL-860E User Manual for DFL-260E - Page 445
Fetching CRLs from an alternate LDAP server, IP Validation
View all D-Link DFL-860E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 445 highlights
9.4.4. Fetching CRLs from an alternate LDAP server Chapter 9. VPN Example 9.7. Setting Up Config Mode In this example, the Config Mode Pool object is enabled by associating with it an already configured IP Pool object called ip_pool1. Web Interface 1. Go to: Objects > VPN Objects > IKE Config Mode Pool 2. The Config Mode Pool object properties web page now appears 3. Select Use a predefined IPPool object 4. Choose the ip_pool1 object from the IP Pool drop-down list 5. Click OK After defining the Config Mode object, the only remaining action is to enable Config Mode to be used with the IPsec Tunnel. Example 9.8. Using Config Mode with IPsec Tunnels Assuming a predefined tunnel called vpn_tunnel1 this example shows how to enable Config Mode for that tunnel. Web Interface • Go to: Interfaces > IPsec • Select the tunnel vpn_tunnel1 for editing • Select the pool in the IKE Config Mode Pool drop down list • Click OK IP Validation NetDefendOS always checks if the source IP address of each packet inside an IPsec tunnel is the same as the IP address assigned to the IPsec client with IKE config mode. If a mismatch is detected the packet is always dropped and a log message generated with a severity level of Warning. This message includes the two IP addresses as well as the client identity. Optionally, the affected SA can be automatically deleted if validation fails by enabling the advanced setting IPsecDeleteSAOnIPValidationFailure. The default value for this setting is Disabled. 9.4.4. Fetching CRLs from an alternate LDAP server A Root Certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or CRLs need to be downloaded to the NetDefend Firewall. Lightweight Directory Access Protocol (LDAP) is used for these downloads. However, in some scenarios, this information is missing, or the administrator wishes to use another LDAP server. The LDAP configuration section can then be used to manually specify alternate LDAP servers. 445