Ipsec tunnels, Overview, Lan to lan tunnels with pre-shared keys – D-Link DFL-2500 User Manual
9.4. IPsec Tunnels
9.4.1. Overview
An IPsec Tunnel defines an endpoint of an encrypted tunnel. Each IPsec Tunnel is interpreted as a
logical interface by NetDefendOS, with the same filtering, traffic shaping and configuration
capabilities as regular interfaces.
When another D-Link Firewall or D-Link VPN Client (or any IPsec compliant product) tries to
establish an IPsec VPN tunnel to the D-Link Firewall, the configured IPsec Tunnels are evaluated. If
a matching IPsec Tunnel definition is found, the IKE and IPsec negotiations then take place,
resulting in an IPsec VPN tunnel being established.
Note that an established IPsec tunnel does not automatically mean that all traffic from that IPsec
tunnel is trusted. On the contrary, network traffic that has been decrypted is passed to the
rule set for further evaluation. The source interface of the decrypted network traffic is the name
of the associated IPsec Tunnel. Furthermore, a Route (or an Access rule, in the case of a roaming
client) has to be defined for NetDefendOS to accept particular source IP addresses from the IPsec
tunnel.
For network traffic going in the opposite direction, that is, going into an IPsec tunnel, the reverse
process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and a route
match, NetDefendOS tries to find an established IPsec tunnel that matches the criteria. If none is
found, NetDefendOS will try to establish a tunnel to the remote firewall specified by the matching
IPsec Tunnel definition.
Note
IKE and ESP/AH traffic are sent to the IPsec engine before the rule set is consulted.
Encrypted traffic to the firewall therefore does not need to be allowed in the rule set.
This behaviour can be changed in the IPsec Advanced Settings section.
9.4.2. LAN to LAN Tunnels with Pre-shared Keys
A VPN can allow geographically distributed Local Area Networks (LANs) to communicate securely
over the public Internet. In a corporate context this means LANs at geographically separate sites can
communicate with a level of security comparable to that of a dedicated, private link between them.
Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending
from the VPN gateway at one location to the VPN gateway at another location. The D-Link Firewall
is therefore the implementer of the VPN, while at the same time applying its normal security
inspection to the traffic passing through the tunnel. This section deals specifically with setting up LAN
to LAN tunnels created with a Pre-shared Key (PSK).
A number of steps are required to set up LAN to LAN tunnels with PSK:
• Set up a Pre-shared Key or secret for the VPN tunnel.
• Set up the VPN tunnel properties.
• Set up the Route.
• Set up the Rules (a 2-way tunnel requires 2 rules).
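As an added worked example (not from the manual, and not the DFL-2500's own configuration syntax), the following Python models the behaviour described in the Overview and the four LAN to LAN steps above: a tunnel object holding a PSK, a route that binds the remote LAN to the tunnel's interface name, and the two rules a 2-way tunnel needs. It then runs constructed packets through the flow: IKE from a configured peer goes to the IPsec engine before the rule set, decrypted traffic is only accepted if its source address is routed via that tunnel and a rule allows it, and outbound traffic to the remote LAN triggers tunnel establishment on first use. Interface names (lan, wan, ipsec_hq), the addresses and the PSK value are assumptions.

```python
"""Model of NetDefendOS IPsec tunnel handling (sections 9.4.1-9.4.2).
Constructed teaching example: names, networks and the PSK placeholder are
assumptions; this is not the real NetDefendOS configuration syntax."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPSEC_PROTOCOLS = {"IKE", "ESP", "AH"}  # handed to the IPsec engine before the rule set

@dataclass
class IPsecTunnel:
    name: str            # the tunnel is a logical interface; routes and rules use this name
    remote_gateway: str  # public address of the peer VPN gateway (constructed)
    psk: str             # pre-shared key (constructed placeholder)
    established: bool = False

@dataclass
class Route:
    interface: str
    network: str

@dataclass
class IPRule:
    action: str          # "Allow" or "Drop"
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str = "TCP"
    arrival_if: str = "wan"  # physical interface the packet arrived on

def lookup_route(routes: List[Route], ip: str) -> Optional[str]:
    """Longest-prefix match: which interface is this address behind?"""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in ipaddress.ip_network(r.network)]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r.network).prefixlen).interface

def match_rule(rules: List[IPRule], src_if: str, pkt: Packet, dst_if: Optional[str]) -> str:
    """First matching rule wins; anything unmatched is dropped by default."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for r in rules:
        if (r.src_if == src_if and r.dst_if == dst_if
                and src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)):
            return r.action
    return "Drop"

def inbound(pkt: Packet, tunnels, routes, rules, via_tunnel: Optional[IPsecTunnel] = None) -> str:
    """Traffic arriving from outside: encrypted, decrypted, or plain."""
    if pkt.protocol in IPSEC_PROTOCOLS:
        # IKE/ESP/AH bypass the rule set; only a configured peer gets a tunnel.
        for t in tunnels:
            if t.remote_gateway == pkt.src_ip:
                t.established = True  # stands in for the IKE/IPsec negotiation
                return f"ipsec-engine:{t.name}"
        return "Drop"  # no matching IPsec Tunnel definition
    dst_if = lookup_route(routes, pkt.dst_ip)
    if via_tunnel is None:
        return match_rule(rules, pkt.arrival_if, pkt, dst_if)
    # Decrypted traffic is not trusted: its source interface is the tunnel name, and
    # the source address must be routed through that tunnel before the rule set runs.
    if lookup_route(routes, pkt.src_ip) != via_tunnel.name:
        return "Drop:unrouted-source"
    return match_rule(rules, via_tunnel.name, pkt, dst_if)

def outbound(pkt: Packet, tunnels, routes, rules) -> str:
    """Plain traffic from a local interface: rule set and route first, tunnel last."""
    dst_if = lookup_route(routes, pkt.dst_ip)
    if dst_if is None or match_rule(rules, pkt.arrival_if, pkt, dst_if) != "Allow":
        return "Drop"
    tunnel = next((t for t in tunnels if t.name == dst_if), None)
    if tunnel is None:
        return f"forward:{dst_if}"
    if not tunnel.established:
        tunnel.established = True  # the firewall would initiate IKE to remote_gateway here
        return f"negotiate-then-send:{tunnel.name}"
    return f"send:{tunnel.name}"

def build_config():
    """The four LAN to LAN steps: PSK, tunnel properties, route, two rules."""
    hq = IPsecTunnel("ipsec_hq", remote_gateway="203.0.113.2", psk="PSK-PLACEHOLDER")
    routes = [Route("lan", "192.168.1.0/24"),
              Route("ipsec_hq", "192.168.2.0/24"),  # remote LAN is behind the tunnel
              Route("wan", "0.0.0.0/0")]
    rules = [IPRule("Allow", "lan", "192.168.1.0/24", "ipsec_hq", "192.168.2.0/24"),
             IPRule("Allow", "ipsec_hq", "192.168.2.0/24", "lan", "192.168.1.0/24")]
    return [hq], routes, rules

def demo() -> dict:
    tunnels, routes, rules = build_config()
    hq = tunnels[0]
    to_remote = Packet("192.168.1.5", "192.168.2.10", arrival_if="lan")
    r = {}
    r["first_lan_to_remote"] = outbound(to_remote, tunnels, routes, rules)
    r["second_lan_to_remote"] = outbound(to_remote, tunnels, routes, rules)
    r["ike_from_peer"] = inbound(Packet("203.0.113.2", "203.0.113.1", "IKE"), tunnels, routes, rules)
    r["ike_from_stranger"] = inbound(Packet("198.51.100.9", "203.0.113.1", "IKE"), tunnels, routes, rules)
    r["decrypted_ok"] = inbound(Packet("192.168.2.10", "192.168.1.5"), tunnels, routes, rules, via_tunnel=hq)
    r["decrypted_spoofed"] = inbound(Packet("10.9.9.9", "192.168.1.5"), tunnels, routes, rules, via_tunnel=hq)
    r["lan_to_internet"] = outbound(Packet("192.168.1.5", "198.51.100.7", arrival_if="lan"), tunnels, routes, rules)
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} -> {v}")
```

The "decrypted_spoofed" case is the one the Overview warns about: the packet was decrypted by a valid tunnel, yet its source address is not routed via that tunnel, so it is dropped before the rule set sees it. The "lan_to_internet" case shows that the tunnel rules do not implicitly allow other outbound traffic; that needs its own rule.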
9.4.3. Roaming Clients
An employee who is on the move and needs to access a central corporate server from a notebook
Chapter 9. VPN
253