Configuring the VPN tunnel
You can either create multiple VPN tunnels, one for each VPN client, or you can create one VPN tunnel with a
remote gateway address set to 0.0.0.0. This VPN tunnel accepts connections from any Internet address.
You must create complementary VPN tunnels on the VPN gateway and the clients. On both, the tunnel must
have the same name, keylife, and authentication key.
Complete the following procedure on the DFL-500 VPN gateway.
· Go to VPN > IPSEC > Manual Key.
· Select New to add a new manual key VPN tunnel.
· Configure the VPN tunnel as described in Configuring the manual key VPN tunnel.
· In the Remote Gateway field, enter the static IP address of the VPN client. For the example network shown in Example VPN between an internal network and remote clients, you would use 2.2.2.2 as the remote gateway. To accept connections from more than one client, set the Remote Gateway address to 0.0.0.0. Note that a 0.0.0.0 remote gateway accepts connection attempts from any Internet address, so the manual authentication key is then the only thing that controls who can bring the tunnel up.
· Select OK to save the manual key VPN tunnel.
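The procedure above requires the gateway-side and client-side tunnel definitions to be complementary: same name, keylife and authentication key, with each side's Remote Gateway pointing at the other (or 0.0.0.0 on the DFL-500 to accept any client). The following script, added here as an illustration and not part of the D-Link manual or the DFL-500 firmware, checks a pair of tunnel definitions for those conditions before they are typed into the two devices. The field names, the gateway address 203.0.113.1, the key and the keylife value are constructed assumptions; only 2.2.2.2 comes from the manual's example network.

```python
"""Consistency check for a DFL-500 manual-key IPSec tunnel and its client counterpart.

Added example; it does not talk to the DFL-500 and is not vendor code. The gateway
address, key and keylife below are constructed sample values (assumptions).
"""
from dataclasses import dataclass, replace
from typing import List

ANY_GATEWAY = "0.0.0.0"  # wildcard Remote Gateway: accept connections from any Internet address


@dataclass(frozen=True)
class ManualKeyTunnel:
    name: str                # tunnel name, must match on both ends
    local_gateway: str       # public address of the device this definition lives on
    remote_gateway: str      # peer's static address, or ANY_GATEWAY on the gateway side
    keylife: int             # keylife in seconds, must match on both ends
    authentication_key: str  # manual authentication key, must match on both ends


def check_tunnel_pair(gateway: ManualKeyTunnel, client: ManualKeyTunnel) -> List[str]:
    """Return the mismatches between a gateway tunnel and a client tunnel.

    An empty list means the two definitions are complementary as the manual requires.
    """
    problems: List[str] = []
    if gateway.name != client.name:
        problems.append(f"tunnel name differs: {gateway.name!r} vs {client.name!r}")
    if gateway.keylife != client.keylife:
        problems.append(f"keylife differs: {gateway.keylife} vs {client.keylife}")
    if gateway.authentication_key != client.authentication_key:
        problems.append("authentication key differs")
    # The client always dials the gateway's static public address.
    if client.remote_gateway != gateway.local_gateway:
        problems.append(
            f"client Remote Gateway {client.remote_gateway} is not the gateway address "
            f"{gateway.local_gateway}"
        )
    # The gateway either names this client's static address or uses the 0.0.0.0 wildcard.
    if gateway.remote_gateway not in (ANY_GATEWAY, client.local_gateway):
        problems.append(
            f"gateway Remote Gateway {gateway.remote_gateway} does not match client address "
            f"{client.local_gateway} (and is not {ANY_GATEWAY})"
        )
    return problems


def check_gateway_exposure(gateway: ManualKeyTunnel) -> List[str]:
    """Warn when the gateway accepts the tunnel from any source address.

    With Remote Gateway set to 0.0.0.0 the manual authentication key is the only
    thing gating the tunnel, so its secrecy is the whole access control.
    """
    if gateway.remote_gateway == ANY_GATEWAY:
        return [
            "Remote Gateway is 0.0.0.0: any Internet host may attempt this tunnel; "
            "the authentication key is the only access control"
        ]
    return []


# Constructed sample definitions (assumptions, except 2.2.2.2 from the manual's example).
GATEWAY_ADDRESS = "203.0.113.1"
CLIENT_ADDRESS = "2.2.2.2"
SHARED_KEY = "0123456789abcdef0123456789abcdef"

GATEWAY_TUNNEL = ManualKeyTunnel("Remote_Client", GATEWAY_ADDRESS, CLIENT_ADDRESS, 28800, SHARED_KEY)
WILDCARD_GATEWAY = replace(GATEWAY_TUNNEL, remote_gateway=ANY_GATEWAY)
CLIENT_TUNNEL = ManualKeyTunnel("Remote_Client", CLIENT_ADDRESS, GATEWAY_ADDRESS, 28800, SHARED_KEY)
SECOND_CLIENT = replace(CLIENT_TUNNEL, local_gateway="3.3.3.3")
MISKEYED_CLIENT = replace(CLIENT_TUNNEL, keylife=3600, authentication_key="ffff" * 8)


if __name__ == "__main__":
    for label, gw, cl in [
        ("gateway <-> 2.2.2.2", GATEWAY_TUNNEL, CLIENT_TUNNEL),
        ("gateway <-> 3.3.3.3", GATEWAY_TUNNEL, SECOND_CLIENT),
        ("0.0.0.0 gateway <-> 3.3.3.3", WILDCARD_GATEWAY, SECOND_CLIENT),
        ("gateway <-> mis-keyed client", GATEWAY_TUNNEL, MISKEYED_CLIENT),
    ]:
        print(label, check_tunnel_pair(gw, cl) or "OK")
    print(check_gateway_exposure(WILDCARD_GATEWAY))
```

Run it before configuring the devices: a single-client gateway definition rejects a second client with a different static address, whereas the 0.0.0.0 definition accepts it but triggers the exposure warning, which is the trade-off the Remote Gateway setting makes.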
Adding internal and external addresses
Use the procedure Adding source and destination addresses to configure the internal and external addresses used by the VPN policy.
Adding an IPSec VPN policy
Use the procedure Adding an IPSec VPN policy to add a VPN policy that associates the source and destination addresses of the VPN client with the VPN tunnel.
Testing a VPN
To confirm that a VPN between two networks has been configured correctly, ping a computer on one internal network from a computer on the other. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL-500, so the first ping both brings the tunnel up and tests it.
To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and ping a computer on the internal network from it. The VPN tunnel initializes automatically when the client makes its first connection attempt, so again the ping starts the tunnel and tests it at the same time.
IPSec pass through
Configure IPSec pass through so that users on your internal network can connect to an IPSec VPN gateway
on the Internet. IPSec pass through allows IPSec connections to pass through your DFL-500 and connect to
the destination IPSec VPN gateway. The DFL-500 performs address translation on the connection, so that it
seems to the destination VPN gateway that the connection to its VPN is originating from the external interface
of your DFL-500.
IPSec pass through is only supported in NAT mode.
Use IPSec pass through so that:
·
A visitor using your internal network can connect through your DFL-500 to their organization's VPN
DFL-500 User Manual
69