beautypg.com

Ipsec roaming clients with pre-shared keys – D-Link DFL-2500 User Manual

Page 232

background image

the Destination Interface. The rule's Destination Network is the remote network
remote_net.

An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the
Source Interface. The Source Network is remote_net.

Action

Src Interface

Src Network

Dest Interface

Dest Network

Service

Allow

lan

lannet

ipsec_tunnel

remote_net

All

Allow

ipsec_tunnel

remote_net

lan

lannet

All

The Service used in these rules is All but it could be a predefined service.

6.

Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the
Interface to use for routing packets bound for the remote network at the other end of the tunnel.

Interface

Network

Gateway

ipsec_tunnel

remote_net

9.2.2. IPsec Roaming Clients with Pre-shared Keys

This section details the setup with roaming clients connecting through an IPsec tunnel with
pre-shared keys. There are two types of roaming clients:

A. The IP addresses of the clients is known beforehand.

B. The IP address of clients is not known beforehand and must be handed out by NetDefendOS
as they connect.

A. IP addresses already allocated

The IP addresses may be known beforehand and pre-allocated to the roaming clients before they
connect. The client's IP address will be will be manually input into the VPN client software.

1.

Set up user authentication. XAuth user authentication is not required with IPsec roaming clients
but is recommended (this step could initially be left out to simplify setup). The authentication
source can be one of the following:

A Local User DB object which is internal to NetDefendOS.

An external authentication server.

An internal user database is easier to set up and is assumed here. Changing this to an external
server is simple to do later.

To implement user authentication with an internal database:

Define a Local User DB object (let's call this object TrustedUsers).

Add individual users to TrustedUsers. This should consist of at least a username and
password combination.

The Group string for a user can be specified if its group's access is to be restricted to
certain source networks. Group can be specified (with the same text string) in the

9.2.2. IPsec Roaming Clients with
Pre-shared Keys

Chapter 9. VPN

232