Note
Group
has no meaning in
Authentication Rule
s.
•
Create a new User Authentication Rule with the Authentication Source set to
TrustedUsers
. The other parameters for the rule are:
Agent
Auth Source
Src Network
Interface
Client Source IP
XAUTH
Local
all-nets
any
all-nets (0.0.0.0/0)
2.
The IPsec Tunnel object
ipsec_tunnel
should have the following parameters:
•
Set Local Network to
lannet
.
•
Set Remote Network to
all-nets
•
Set Remote Endpoint to
all-nets
.
•
Set Encapsulation mode to
Tunnel
.
•
Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients.
•
No routes can be predefined so the option Add route dynamically should be enabled
for the tunnel object. If
all-nets
is the destination network, the option Add route
statically should be disabled.
Note
The option to dynamically add routes should not be enabled in LAN-to-LAN
tunnel scenarios.
•
Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.
This will enable a search for the first matching XAUTH rule in the authentication rules.
3.
The IP rule set should contain the single rule:
Action
Src Interface
Src Network
Dest Interface
Dest Network
Service
Allow
ipsec_tunnel
all-nets
lan
lannet
all_services
Once an
Allow
rule permits the connection to be set up, bidirectional traffic flow is allowed which
is why only one rule is used here. Instead of
all-nets
being used in the above, a more secure
defined IP object could be used which specifies the exact range of the pre-allocated IP addresses.
B. IP addresses handed out by NetDefendOS
If the client IP addresses are not known then they must be handed out by NetDefendOS. To do
this the above must be modified with the following:
1.
If a specific IP address range is to be used as a pool of available addresses then:
•
Create a Config Mode Pool object (there can only be one associated with a
NetDefendOS installation) and in it specify the address range.
Chapter 9: VPN
676
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...