D-Link DFL-260E User Manual for DFL-260E - Page 418
IPsec Roaming Clients with Certificates, B. IP addresses handed out by NetDefendOS
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 418 highlights
9.2.4. IPsec Roaming Clients with Certificates Chapter 9. VPN Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP object could be used which specifies the exact range of the pre-allocated IP addresses. B. IP addresses handed out by NetDefendOS If the client IP addresses are not known then they must be handed out by NetDefendOS. To do this the above must be modified with the following: 1. If a specific IP address range is to be used as a pool of available addresses then: • Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and in it specify the address range. • Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel. 2. If client IP addresses are to be retrieved through DHCP: • Create an IP Pool object and in it specify the DHCP server to use. The DHCP server can be specified as a simple IP address or alternatively as being accessible on a specific interface. If an internal DHCP server is to be used then specify the loopback address 127.0.0.1 as the DHCP server IP address. • Create a Config Mode Pool object (there can only be one associated with a NetDefendOS installation) and associate with it the IP Pool object defined in the previous step. • Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel so the created pool is selected. Configuring IPsec Clients In both cases (A) and (B) above, the IPsec client will need to be correctly configured. The client configuration will require the following: • Define the URL or IP address of the NetDefend Firewall. The client needs to locate the tunnel endpoint. • Define the pre-shared key that is used for IPsec security. • Define the IPsec algorithms that will be used and which are supported by NetDefendOS. • Specify if the client will use config mode. There are a variety of IPsec client software products available from a number of suppliers and this manual will not focus on any specific one. The network administrator should use the client that is best suited to their budget and needs. 9.2.4. IPsec Roaming Clients with Certificates If certificates are used with IPsec roaming clients instead of pre-shared keys then no Pre-shared Key object is needed and the other differences in the setup described above are: 1. Load a Root Certificate and a Gateway Certificate into NetDefendOS. The root certificate needs to have 2 parts added: a certificate file and a private key file. The gateway certificate needs just the certificate file added. 2. When setting up the IPsec Tunnel object, specify the certificates to use under Authentication. 418