i. Local ID - This property of an IPsec Tunnel object represents the identity of the local VPN tunnel endpoint and is the value presented to the remote peer during the IKE negotiation.
The property holds only a single value but can be left blank when using certificates, since the ID will be contained within the host certificate sent. If the certificate sent contains multiple IDs, this property can be set to specify which ID in the certificate to use.
The Enforce Local ID property can be enabled so that when NetDefendOS is acting as responder, the ID proposed by the initiator must match the Local ID value. The default behavior is to ignore the proposed ID, so an initiator proposing a different ID is not rejected on that basis unless the property is enabled.
ii. Remote ID - This property can be used to specify an ID list object. An ID list object contains one or more IDs. When using certificates, the certificate sent by a remote peer must contain an ID which matches one of the IDs in the list in order for the peer to be authenticated. Using the Remote ID property with certificates is explained further in Section 9.3.8, "Using ID Lists with Certificates".
NetDefendOS applies sanity checks on all remote IDs to ensure they are acceptable. Usually malformed IDs have a problem in the DN name, typically an unescaped comma inside an attribute value, which makes the DN split into pieces that are not attribute=value pairs. For example, a faulty remote ID name might be the following:
DN=D-Link, OU=One,Two,Three, DC=SE
If specified by the administrator, there will be an error message when the NetDefendOS configuration is committed. The corrected remote ID form, with the commas inside the OU value escaped by backslashes, is the following:
DN=D-Link, OU=One\,Two\,Three, DC=SE
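The comma-escaping rule above and the ID-list matching described for the Remote ID property, as an added example in Python (this is illustrative code written for this page, not NetDefendOS code). It assumes identities are typed as DN, FQDN, EMAIL or IP, that DN values compare exactly after parsing, and that FQDN and e-mail identities compare case-insensitively; the two DN strings are the ones from this section, and the other identities are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """An IKE identity. The kinds DN, FQDN, EMAIL and IP are an assumption for this example."""
    kind: str
    value: str


def split_rdns(dn: str) -> list[str]:
    """Split a DN string on unescaped commas.

    A backslash escapes the character after it, so "One\\,Two" stays one value.
    """
    parts: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return the DN as [(attribute, value), ...] or raise ValueError.

    An unescaped comma inside a value splits it into pieces that carry no '=',
    which is exactly the malformed case the commit-time sanity check rejects.
    """
    rdns: list[tuple[str, str]] = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(
                f"malformed RDN {part!r}: expected attribute=value "
                "(unescaped comma inside a value?)"
            )
        attr, value = (s.strip() for s in part.split("=", 1))
        if not attr or not value:
            raise ValueError(f"malformed RDN {part!r}: empty attribute or value")
        rdns.append((attr.upper(), value))
    return rdns


def validate_id_list(id_list: list[Identity]) -> list[str]:
    """Commit-time sanity check: one error string per unacceptable DN, empty if all are fine."""
    errors: list[str] = []
    for ident in id_list:
        if ident.kind == "DN":
            try:
                parse_dn(ident.value)
            except ValueError as exc:
                errors.append(f"{ident.value}: {exc}")
    return errors


def ids_equal(a: Identity, b: Identity) -> bool:
    """Compare two identities; only identities of the same kind can match."""
    if a.kind != b.kind:
        return False
    if a.kind == "DN":
        return parse_dn(a.value) == parse_dn(b.value)
    if a.kind in ("FQDN", "EMAIL"):
        return a.value.lower() == b.value.lower()  # assumption: case-insensitive
    return a.value == b.value


def peer_authenticated(cert_ids: list[Identity], id_list: list[Identity]) -> bool:
    """The peer is accepted if any ID in its certificate matches any entry in the ID list."""
    return any(ids_equal(c, e) for c in cert_ids for e in id_list)


# Constructed sample data: the two DN forms from this section plus invented peer identities.
MALFORMED_DN = "DN=D-Link, OU=One,Two,Three, DC=SE"
CORRECT_DN = "DN=D-Link, OU=One\\,Two\\,Three, DC=SE"
ID_LIST = [Identity("FQDN", "branch.example.com"), Identity("DN", CORRECT_DN)]

if __name__ == "__main__":
    print(validate_id_list([Identity("DN", MALFORMED_DN)]))  # one error about the RDN 'Two'
    print(validate_id_list(ID_LIST))  # []
    print(parse_dn(CORRECT_DN))  # [('DN', 'D-Link'), ('OU', 'One,Two,Three'), ('DC', 'SE')]
    peer = [Identity("DN", "DN=D-Link,OU=One\\,Two\\,Three,DC=SE")]
    print(peer_authenticated(peer, ID_LIST))  # True
    print(peer_authenticated([Identity("DN", "DN=Other,DC=SE")], ID_LIST))  # False
```

The parser compares DNs structurally rather than as strings, so the peer's DN is accepted whether or not it carries the spaces after the commas; the malformed form fails at parse time, which is the point at which a real configuration would be refused at commit.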
• Encapsulation Mode
IPsec can be used in one of two modes:
• Tunnel Mode
Tunnel mode indicates that the traffic will be tunneled to a remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one VPN endpoint to the other; the original source and destination addresses are inside the encrypted payload.
• Transport Mode
In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration.
This setting will typically be set to Tunnel in most configurations. With IKEv2, only Tunnel should be used.
• Remote Endpoint
The remote endpoint (sometimes also referred to as the remote gateway) is the device that does the VPN decryption/authentication and that passes the unencrypted data on to its final destination. This field can also be set to None, forcing the NetDefend Firewall to treat the remote address as the remote endpoint. This is particularly useful in cases of roaming access, where the IP addresses of the remote VPN clients are not known beforehand. Setting this to None will allow anyone coming from an IP address conforming to the "remote network" address discussed above to open a VPN connection, provided they can authenticate properly.
Chapter 9: VPN