•
Section 9.2.2, “IPsec LAN to LAN with Certificates”.
•
Section 9.2.3, “IPsec Roaming Clients with Pre-shared Keys”.
•
Section 9.2.4, “IPsec Roaming Clients with Certificates”.
In addition to the quick start section, more explanation of tunnel setup is given below.
9.4.2. LAN to LAN Tunnels with Pre-shared Keys
A VPN can allow geographically distributed Local Area Networks (LANs) to communicate securely
over the public Internet. In a corporate context this means LANs at geographically separate sites can
communicate with a level of security comparable to that existing if they communicated through a
dedicated, private link.
Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending
from the VPN gateway at one location to the VPN gateway at another location. The NetDefend
Firewall is therefore the implementer of the VPN, while at the same time applying normal security
surveillance of traffic passing through the tunnel. This section deals specifically with setting up
LAN to LAN tunnels created with a Pre-shared Key (PSK).
A number of steps are required to set up LAN to LAN tunnels with PSK:
•
Set up the VPN tunnel properties and include the Pre-Shared key.
•
Set up the VPN tunnel properties.
•
Set up the Route in the main routing table (or another table if an alternate is being used).
•
Set up the Rules (a 2-way tunnel requires 2 rules).
9.4.3. Roaming Clients
An employee who is on the move who needs to access a central corporate server from a notebook
computer from different locations is a typical example of a roaming client. Apart from the need for
secure VPN access, the other major issue with roaming clients is that the mobile user's IP address is
often not known beforehand. To handle the unknown IP address the NetDefendOS can dynamically
add routes to the routing table as tunnels are established.
Dealing with Unknown IP addresses
If the IP address of the client is not known before hand then the NetDefend Firewall needs to create
a route in its routing table dynamically as each client connects. In the example below this is the case
and the IPsec tunnel is configured to dynamically add routes.
If clients are to be allowed to roam in from everywhere, irrespective of their IP address, then the
Remote Network needs to be set to all-nets (IP address: 0.0.0.0/0) which will allow all existing
IPv4-addresses to connect through the tunnel.
When configuring VPN tunnels for roaming clients it is usually not necessary to add to or modify
the algorithm proposal lists that are pre-configured in NetDefendOS.
PSK based client tunnels
The following example shows how a PSK based tunnel can be set up.
9.4.2. LAN to LAN Tunnels with
Pre-shared Keys
Chapter 9. VPN
414
Содержание DFL-1600 - Security Appliance
Страница 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Страница 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Страница 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Страница 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Страница 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Страница 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Страница 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Страница 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Страница 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Страница 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Страница 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Страница 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Страница 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Страница 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Страница 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...