•
An external authentication server.
An internal user database is easier to set up and is assumed here. Changing this to an external
server is simple to do later.
To implement user authentication with an internal database:
•
Define a Local User DB object (let's call this object TrustedUsers).
•
Add individual users to TrustedUsers. This should consist of at least a username and
password combination.
The Group string for a user can be specified if its group's access is to be restricted to
certain source networks. Group can be specified (with the same text string) in the
Authentication section of an IP object. If that IP object is then used as the Source
Network of a rule in the IP rule set, that rule will only apply to a user if their Group string
matches the Group string of the IP object.
Note
Group has no meaning in Authentication Rules.
•
Create a new User Authentication Rule with the Authentication Source set to
TrustedUsers. The other parameters for the rule are:
Agent
Auth Source
Src Network
Interface
Client Source IP
XAUTH
Local
all-nets
any
all-nets (0.0.0.0/0)
2.
The IPsec Tunnel object ipsec_tunnel should have the following parameters:
•
Set Local Network to lannet.
•
Set Remote Network to all-nets
•
Set Remote Endpoint to all-nets.
•
Set Encapsulation mode to Tunnel.
•
Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients.
•
No routes can be predefined so the option Dynamically add route to the remote network
when tunnel established should be enabled for the tunnel object. If all-nets is the
destination network, the option Add route for remote network should be disabled.
Note
The option to dynamically add routes should not be enabled in LAN to LAN
tunnel scenarios.
•
Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.
This will enable a search for the first matching XAUTH rule in the authentication rules.
3.
The IP rule set should contain the single rule:
Action
Src Interface
Src Network
Dest Interface
Dest Network
Service
Allow
ipsec_tunnel
all-nets
lan
lannet
All
Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is
why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP
9.2.3. IPsec Roaming Clients with
Pre-shared Keys
Chapter 9. VPN
326
Summary of Contents for 800 - DFL 800 - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...