9.4. IPsec Tunnels
9.4.1. Overview
An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.
When another D-Link Firewall or any IPsec-compliant product tries to establish an IPsec VPN
tunnel to the D-Link Firewall, the configured IPsec Tunnels are evaluated. If a matching IPsec
Tunnel definition is found, the IKE and IPsec negotiations then take place, resulting in an IPsec
VPN tunnel being established.
Note that an established IPsec tunnel does not automatically mean that all traffic from that IPsec
tunnel is trusted. On the contrary, network traffic that has been decrypted is passed to the
rule set for further evaluation. The source interface of the decrypted network traffic is the name
of the associated IPsec Tunnel. Furthermore, a Route (or, in the case of a roaming client, an Access
rule) has to be defined before NetDefendOS will accept a given source IP address from the IPsec
tunnel.
For network traffic going in the opposite direction, that is, going into an IPsec tunnel, the reverse
process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and a route
match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is
found, NetDefendOS tries to establish a tunnel to the remote firewall specified by the matching
IPsec Tunnel definition.
Note
IKE and ESP/AH traffic are sent to the IPsec engine before the rule set is consulted.
Encrypted traffic to the firewall therefore does not need to be allowed in the rule set.
This behavior can be changed in the IPsec advanced settings section.
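The evaluation order described above (IKE and ESP/AH to the firewall handled by the IPsec engine before the rule set; decrypted tunnel traffic checked against the route table and then the rule set with the tunnel name as its source interface; outbound traffic checked by the rule set first, then routed, then matched to an established or newly negotiated tunnel) is easy to misjudge when writing rules. The following Python model is an added illustration, not NetDefendOS code; the interface names (lan, wan, ipsec_branch), the addresses, the rules and the assumption that an unmatched packet is dropped are all constructed for the example.

```python
"""Toy model of the packet-flow order described in the section above.

Constructed example for illustration; it is not NetDefendOS code. The
interface names (lan, wan, ipsec_branch), addresses, rules and the
default-drop assumption are made up for this example.
"""
import ipaddress
from dataclasses import dataclass

IKE_UDP_PORTS = {500, 4500}      # IKE, and IKE/ESP encapsulated for NAT traversal
IPSEC_PROTOS = {"esp", "ah"}


@dataclass(frozen=True)
class Packet:
    src_iface: str       # arrival interface, or the tunnel name once decrypted
    src_ip: str
    dst_ip: str
    proto: str = "tcp"   # "tcp", "udp", "esp" or "ah"
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "drop"
    src_iface: str
    src_net: str
    dst_net: str


class Firewall:
    def __init__(self, own_ip, tunnels, routes, rules):
        self.own_ip = ipaddress.ip_address(own_ip)
        self.tunnels = set(tunnels)          # interface names that are IPsec tunnels
        # Routing table as (network, interface); longest prefix wins.
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.rules = rules
        self.established = set()             # tunnels that already have a negotiated SA

    def route_lookup(self, ip):
        ip = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return None

    def rule_lookup(self, pkt):
        """First matching rule wins; no match means drop (assumed default)."""
        src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        for r in self.rules:
            if (r.src_iface == pkt.src_iface and src in ipaddress.ip_network(r.src_net)
                    and dst in ipaddress.ip_network(r.dst_net)):
                return r.action
        return "drop"

    def handle_inbound(self, pkt):
        # 1. IKE and ESP/AH addressed to the firewall itself go to the IPsec
        #    engine before the rule set is consulted.
        if ipaddress.ip_address(pkt.dst_ip) == self.own_ip and (
                pkt.proto in IPSEC_PROTOS
                or (pkt.proto == "udp" and pkt.dst_port in IKE_UDP_PORTS)):
            return "ipsec-engine"
        # 2. Everything else, including traffic just decrypted from a tunnel
        #    (src_iface is the tunnel name), needs a route back to its source
        #    via the interface it arrived on; otherwise it is treated as spoofed.
        if self.route_lookup(pkt.src_ip) != pkt.src_iface:
            return f"drop: {pkt.src_ip} is not routed via {pkt.src_iface}"
        # 3. Only now is the rule set consulted: decrypted traffic is not trusted.
        return "allow" if self.rule_lookup(pkt) == "allow" else "drop: rule set"

    def handle_outbound(self, pkt):
        # Reverse direction: rule set first, then the route, then the tunnel.
        if self.rule_lookup(pkt) != "allow":
            return "drop: rule set"
        iface = self.route_lookup(pkt.dst_ip)
        if iface not in self.tunnels:
            return f"forward via {iface}"
        if iface in self.established:
            return f"send via established {iface}"
        self.established.add(iface)          # stands in for the IKE/IPsec negotiation
        return f"negotiate {iface}, then send"


def demo():
    fw = Firewall(own_ip="203.0.113.1", tunnels={"ipsec_branch"},
                  routes=[("10.1.0.0/16", "lan"), ("10.2.0.0/16", "ipsec_branch"),
                          ("0.0.0.0/0", "wan")],
                  rules=[Rule("allow", "ipsec_branch", "10.2.0.0/16", "10.1.0.0/16"),
                         Rule("allow", "lan", "10.1.0.0/16", "10.2.0.0/16")])
    return {
        "esp_to_fw": fw.handle_inbound(Packet("wan", "198.51.100.7", "203.0.113.1", "esp")),
        "ike_to_fw": fw.handle_inbound(Packet("wan", "198.51.100.7", "203.0.113.1", "udp", 500)),
        "decrypted_ok": fw.handle_inbound(Packet("ipsec_branch", "10.2.5.9", "10.1.0.20")),
        "decrypted_spoof": fw.handle_inbound(Packet("ipsec_branch", "192.168.99.1", "10.1.0.20")),
        "decrypted_no_rule": fw.handle_inbound(Packet("ipsec_branch", "10.2.5.9", "203.0.113.1", "tcp", 22)),
        "out_first": fw.handle_outbound(Packet("lan", "10.1.0.20", "10.2.5.9")),
        "out_second": fw.handle_outbound(Packet("lan", "10.1.0.20", "10.2.5.9")),
        "out_no_rule": fw.handle_outbound(Packet("lan", "10.1.0.20", "8.8.8.8")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The two points worth noticing in the output are that a decrypted packet whose source address has no route pointing back into the tunnel is dropped before any rule is consulted, and that an outbound packet with no matching rule is dropped before any tunnel negotiation is attempted, so a missing rule never triggers IKE.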
IPsec Tunnel Quick Start
This section covers IPsec tunnels in some detail. A quick start checklist of setup steps for these
protocols in typical scenarios can be found in the following sections:
• Section 9.2.1, “IPsec LAN to LAN with Pre-shared Keys”.
• Section 9.2.2, “IPsec LAN to LAN with Certificates”.
• Section 9.2.3, “IPsec Roaming Clients with Pre-shared Keys”.
• Section 9.2.4, “IPsec Roaming Clients with Certificates”.
9.4.2. LAN to LAN Tunnels with Pre-shared Keys
A VPN can allow geographically distributed Local Area Networks (LANs) to communicate securely
over the public Internet. In a corporate context this means LANs at geographically separate sites can
communicate with a level of security comparable to that of a dedicated, private link between them.
Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending
from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall
is therefore the implementer of the VPN, while at the same time applying its normal security
inspection to traffic passing through the tunnel. This section deals specifically with setting up
LAN to LAN tunnels created with a Pre-shared Key (PSK).
A number of steps are required to set up LAN to LAN tunnels with PSK:
Chapter 9. VPN