
Amer Networks E5Web GUI User Manual


A. IP addresses already allocated

The IPv4 addresses of the roaming clients may be known beforehand and pre-allocated to
them before they connect. In this case the client's IP address is entered manually into the
VPN client software.

1. Set up user authentication. XAuth user authentication is not required for IPsec roaming
clients but is recommended, since it adds a per-user credential check on top of the tunnel's
own IKE authentication (this step could initially be left out to simplify setup). The
authentication source can be one of the following:

A Local User DB object which is internal to cOS Core.

An external authentication server.

An internal user database is easier to set up and is assumed here. Changing this to an
external server is simple to do later.

To implement user authentication with an internal database:

Define a Local User DB object (this object is called TrustedUsers here).

Add individual users to TrustedUsers. Each user needs at least a username and
password.

A Group string can be given to a user if that group's access is to be restricted to
certain source networks. The same text string is then entered in the Authentication
section of an IP object. If that IP object is used as the Source Network of a rule in
the IP rule set, the rule applies to a user only if the user's Group string matches the
Group string of the IP object.

Note

Group has no meaning in Authentication Rules.

Create a new User Authentication Rule with the Authentication Source set to
TrustedUsers. The other parameters for the rule are:

    Agent              XAUTH
    Auth Source        Local
    Src Network        all-nets
    Interface          any
    Client Source IP   all-nets (0.0.0.0/0)
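The Group matching described above is easy to get wrong in practice: the string on the user entry and the string in the IP object's Authentication section must be identical, and an IP object with no group accepts any user in its network. The following is an added example, not code from the manual or from cOS Core, that models those documented semantics in Python so the effect of each combination can be checked. The object names (roaming_admins, servers, workstations), the network addresses and the group names are constructed for the illustration; cOS Core's real rule-evaluation engine is not reproduced, only the matching rule stated in the text.

```python
"""Model of how a user's Group string gates IP rules (added example, not from the manual).

Constructed assumptions: object names, addresses and group names below are
illustrative; only the documented matching semantics are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class User:
    name: str
    group: Optional[str] = None          # Group string on the Local User DB entry


@dataclass(frozen=True)
class IpObject:
    name: str
    network: ipaddress.IPv4Network
    auth_group: Optional[str] = None     # Group string in the object's Authentication section


@dataclass(frozen=True)
class IpRule:
    name: str
    source: IpObject
    destination: IpObject
    action: str


def object_matches(obj: IpObject, address: str, user: Optional[User]) -> bool:
    """An IP object matches when the address lies in its network and, if the
    object carries an Authentication group, the authenticated user's Group is
    exactly that string. Objects without a group ignore the user entirely."""
    if ipaddress.ip_address(address) not in obj.network:
        return False
    if obj.auth_group is None:
        return True
    return user is not None and user.group == obj.auth_group


def first_matching_rule(rules: Iterable[IpRule], src_ip: str, dst_ip: str,
                        user: Optional[User]) -> Optional[str]:
    """Name of the first IP rule whose Source Network (with its group check)
    and Destination Network both match, or None if no rule applies."""
    for rule in rules:
        if (object_matches(rule.source, src_ip, user)
                and object_matches(rule.destination, dst_ip, None)):
            return rule.name
    return None


# Constructed sample configuration: roaming clients are pre-allocated 10.10.10.x,
# servers sit in the first /28 of lan_net, workstations in the upper half.
ROAMING_ADMINS = IpObject("roaming_admins", ipaddress.ip_network("10.10.10.0/24"), auth_group="admins")
ROAMING_ANY = IpObject("roaming_any", ipaddress.ip_network("10.10.10.0/24"))
SERVERS = IpObject("servers", ipaddress.ip_network("192.168.1.0/28"))
WORKSTATIONS = IpObject("workstations", ipaddress.ip_network("192.168.1.128/25"))

RULES = [
    IpRule("admins_to_servers", ROAMING_ADMINS, SERVERS, "Allow"),
    IpRule("any_user_to_workstations", ROAMING_ANY, WORKSTATIONS, "Allow"),
]


def decide(user: Optional[User], src_ip: str, dst_ip: str) -> Optional[str]:
    return first_matching_rule(RULES, src_ip, dst_ip, user)


if __name__ == "__main__":
    print(decide(User("alice", "admins"), "10.10.10.5", "192.168.1.10"))   # admins_to_servers
    print(decide(User("bob", "staff"), "10.10.10.6", "192.168.1.10"))      # None: group mismatch
    print(decide(User("bob", "staff"), "10.10.10.6", "192.168.1.200"))     # any_user_to_workstations
```

Note that a user whose Group is "Admins" would not match an object whose group is "admins"; the comparison is a plain string comparison, which is why the manual stresses using the same text string in both places.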

2. The IPsec Tunnel object ipsec_tunnel should have the following parameters:

Set Local Network to lan_net.

Set Remote Network to all-nets.

Set Remote Endpoint to all-nets, since roaming clients connect from addresses that are
not known in advance.

Set Encapsulation mode to Tunnel.

Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients.

No routes can be predefined, so the option Dynamically add route to the remote network
when tunnel established should be enabled for the tunnel object. Because all-nets is the
Remote Network, the option Add route for remote network should be disabled; a static
route for all-nets through the tunnel would compete with the default route.
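The reason for the two route options in step 2 is easiest to see on a route table. The following is an added example, not code from the manual or from cOS Core, that models a plain longest-prefix route lookup and compares the two options. It assumes illustrative addresses (lan_net as 192.168.1.0/24, a default route over an interface called wan, roaming clients pre-allocated 10.10.10.x) and does not model cOS Core's route metrics or route monitoring; it only shows why a static all-nets route through the tunnel is a problem while per-client host routes are not.

```python
"""Model of the route-handling choice for a roaming-client tunnel (added example).

Constructed assumptions: lan_net = 192.168.1.0/24, default route via "wan",
clients pre-allocated from 10.10.10.0/24. Plain longest-prefix match only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, network: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(network), interface))

    def lookup(self, address: str) -> Tuple[str, ...]:
        """Interfaces of the longest-prefix routes covering `address`.
        One entry is a clean decision; several means the table is ambiguous."""
        ip = ipaddress.ip_address(address)
        hits = [r for r in self.routes if ip in r.network]
        if not hits:
            return ()
        best = max(r.network.prefixlen for r in hits)
        return tuple(sorted(r.interface for r in hits if r.network.prefixlen == best))


def base_table() -> RouteTable:
    """Routes that exist regardless of the tunnel settings."""
    t = RouteTable()
    t.add("192.168.1.0/24", "lan")   # lan_net, the tunnel's Local Network
    t.add("0.0.0.0/0", "wan")        # default route to the Internet
    return t


def with_static_remote_route(remote_network: str) -> RouteTable:
    """'Add route for remote network' enabled: one static route for the
    tunnel's whole Remote Network, present before any client connects."""
    t = base_table()
    t.add(remote_network, "ipsec_tunnel")
    return t


def with_dynamic_client_routes(client_ips: Iterable[str]) -> RouteTable:
    """'Dynamically add route to the remote network when tunnel established'
    enabled: a /32 host route per client, present only while it is connected."""
    t = base_table()
    for ip in client_ips:
        t.add(f"{ip}/32", "ipsec_tunnel")
    return t


if __name__ == "__main__":
    bad = with_static_remote_route("0.0.0.0/0")
    print(bad.lookup("8.8.8.8"))        # ('ipsec_tunnel', 'wan'): collides with the default route
    good = with_dynamic_client_routes(["10.10.10.5"])
    print(good.lookup("10.10.10.5"))    # ('ipsec_tunnel',)
    print(good.lookup("8.8.8.8"))       # ('wan',)
```

With a specific Remote Network (say a dedicated 10.10.10.0/24 pool) the static route is harmless, because it is more specific than the default route; it is only the all-nets case that produces two equally specific routes for every Internet destination.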

Chapter 9: VPN

573
