Also review Section 9.7, “CA Server Access” below, which describes important considerations for
certificate validation.
Self-signed certificates instead of CA signed can be used for LAN to LAN tunnels but the Web
Interface and other interfaces do not have a feature to generate them. Instead, they must be
generated by another utility and imported into NetDefendOS. This means that they are not truly
self-signed since they are generated outside of NetDefendOS control and it should be remembered
that there is no guarantee that their private key is unique. However, the security provided can still be
considered adequate for some scenarios.
Two self-signed certificates are required and the same two are used at either end of the tunnel but
their usage is reversed. In other words: one certificate is used as the root certificate at one end, call
it Side A, and as the host certificate at the other end, call it Side B. The second certificate is used in
the opposite way: as the host certificate at Side A and the root certificate at Side B.
No CA server considerations are needed with self-signed certificates since CRL lookup does not
occur.
9.2.3. IPsec Roaming Clients with Pre-shared Keys
This section details the setup with roaming clients connecting through an IPsec tunnel using
pre-shared keys to a protected Local Network which is located behind a NetDefend Firewall.
There are two types of roaming clients:
A. the IPv4 addresses of the clients are already allocated.
B. the IPv4 addresses of clients are not known beforehand and must be handed out by NetDefendOS
when the clients try to connect.
A. IP addresses already allocated
the IPv4 addresses may be known beforehand and have been pre-allocated to the roaming clients
before they connect. The client's IP address will be manually input into the VPN client software.
1.
Set up user authentication. XAuth user authentication is not required with IPsec roaming clients
but is recommended (this step could initially be left out to simplify setup). The authentication
source can be one of the following:
•
A Local User DB object which is internal to NetDefendOS.
9.2.3. IPsec Roaming Clients with
Pre-shared Keys
Chapter 9. VPN
422
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...