
L2tp roaming clients with certificates – Amer Networks E5Web GUI User Manual

Page 577


Add individual users to TrustedUsers. This should consist of at least a username and
password combination.

The Group string for a user can also be specified. This is explained in the same step in
the IPsec Roaming Clients section above.

Define a User Authentication Rule:

  Agent   Auth Source   Src Network   Interface     Client Source IP
  PPP     Local         all-nets      l2tp_tunnel   all-nets (0.0.0.0/0)

7. To allow traffic through the L2TP tunnel, the following rules should be defined in the IP rule
set:

  Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
  Allow    l2tp_tunnel     l2tp_pool     any              int_net        all_services
  NAT      ipsec_tunnel    l2tp_pool     ext              all-nets       all_services

The second rule is included to allow clients to surf the Internet via the lan interface on
the Clavister Security Gateway. The client will be allocated a private internal IP address, which
must be NATed if connections are then made out to the public Internet via the Clavister Security
Gateway.
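As an added illustration of how the two IP rules above are evaluated (this is example code, not part of the manual or of cOS Core), the following Python models a first-match rule set with an implicit Drop for anything that matches no rule, treats "any" and "all_services" as wildcards, and copies the two rows from the table as written, including the ipsec_tunnel source interface in the NAT row. The l2tp_pool and int_net prefixes, the lan interface name, and the sample packets are assumptions made for the example; only all-nets (0.0.0.0/0) comes from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address book objects referenced by the rule tables. The page gives a concrete
# value only for all-nets (0.0.0.0/0); the l2tp_pool and int_net prefixes are
# assumed here purely for illustration.
NETWORKS = {
    "l2tp_pool": ipaddress.ip_network("10.10.10.0/24"),   # assumed client pool
    "int_net":   ipaddress.ip_network("192.168.1.0/24"),  # assumed internal LAN
    "all-nets":  ipaddress.ip_network("0.0.0.0/0"),       # as given on the page
}


@dataclass(frozen=True)
class IPRule:
    action: str          # Allow, NAT, ... (Drop is the implicit default)
    src_iface: str       # "any" is the wildcard interface
    src_net: str         # name of an entry in NETWORKS
    dst_iface: str
    dst_net: str
    service: str         # "all_services" is the wildcard service


@dataclass(frozen=True)
class Packet:
    in_iface: str        # interface the packet arrived on
    out_iface: str       # interface routing selects for the destination
    src: str
    dst: str
    service: str


# The two rules from the IP rule set table, in table order (first match wins).
RULES = [
    IPRule("Allow", "l2tp_tunnel",  "l2tp_pool", "any", "int_net",  "all_services"),
    IPRule("NAT",   "ipsec_tunnel", "l2tp_pool", "ext", "all-nets", "all_services"),
]


def _iface_ok(rule_iface: str, pkt_iface: str) -> bool:
    return rule_iface == "any" or rule_iface == pkt_iface


def _net_ok(rule_net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in NETWORKS[rule_net]


def _service_ok(rule_service: str, pkt_service: str) -> bool:
    return rule_service == "all_services" or rule_service == pkt_service


def first_match(pkt: Packet, rules=RULES) -> Optional[IPRule]:
    """Return the first rule whose five match fields all apply to pkt, or None."""
    for rule in rules:
        if (_iface_ok(rule.src_iface, pkt.in_iface)
                and _net_ok(rule.src_net, pkt.src)
                and _iface_ok(rule.dst_iface, pkt.out_iface)
                and _net_ok(rule.dst_net, pkt.dst)
                and _service_ok(rule.service, pkt.service)):
            return rule
    return None


def decide(pkt: Packet, rules=RULES) -> str:
    """Action applied to pkt; a packet that matches no rule is dropped."""
    rule = first_match(pkt, rules)
    return rule.action if rule is not None else "Drop"


if __name__ == "__main__":
    # Constructed sample packets (private and documentation address ranges).
    samples = {
        "client to internal host":      Packet("l2tp_tunnel", "lan", "10.10.10.5", "192.168.1.20", "http"),
        "non-pool source in tunnel":    Packet("l2tp_tunnel", "lan", "172.16.0.9", "192.168.1.20", "http"),
        "client to Internet":           Packet("ipsec_tunnel", "ext", "10.10.10.5", "203.0.113.7", "http"),
        "pool address arriving on ext": Packet("ext", "lan", "10.10.10.5", "192.168.1.20", "http"),
    }
    for label, pkt in samples.items():
        print(f"{label:30s} -> {decide(pkt)}")
```

The second and fourth samples show why both the source interface and the source network are specified on each rule: a packet inside the tunnel that does not carry a pool address, or a packet carrying a pool address that arrives on the external interface, matches neither row and falls through to the default drop.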

8. Set up the client. Assuming Windows XP, the Create new connection option in Network
Connections should be selected to start the New Connection Wizard. The key information to
enter in this wizard is the resolvable URL of the Clavister Security Gateway or alternatively its
wan_ip IP address.

Then choose Network > Properties. In the dialog that opens choose the L2TP Tunnel and
select Properties. In the new dialog that opens select the Networking tab and choose
Force to L2TP. Now go back to the L2TP Tunnel properties, select the Security tab and click
on the IPsec Settings button. Now enter the pre-shared key.

9.2.6. L2TP Roaming Clients with Certificates

If certificates are used with L2TP roaming clients instead of pre-shared keys then the differences
in the setup described above are as follows:

The cOS Core date and time must be set correctly since certificates can expire.

Load a Gateway Certificate and Root Certificate into cOS Core.

When setting up the IPsec Tunnel object, specify the certificates to use under
Authentication. This is done by:

i. Enable the X.509 Certificate option.

ii. Select the Gateway Certificate.

iii. Add the Root Certificate to use.

If using the Windows XP L2TP client, the appropriate certificates need to be imported into
Windows before setting up the connection with the New Connection Wizard.

Chapter 9: VPN
