User manual

ManualsBrandsD-Link ManualsNetworkingDFL- 860

231

232

233

234

235

236

237

238

239

240

the Destination Interface. The rule's Destination Network is the remote network

remote_net.

• An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the

Source Interface. The Source Network is remote_net.

Action Src Interface Src Network Dest Interface Dest Network Service

Allow lan lannet ipsec_tunnel remote_net All

Allow ipsec_tunnel remote_net lan lannet All

The Service used in these rules is All but it could be a predefined service.

6. Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the

Interface to use for routing packets bound for the remote network at the other end of the tunnel.

Interface Network Gateway

ipsec_tunnel remote_net

9.2.2. IPsec Roaming Clients with Pre-shared Keys

This section details the setup with roaming clients connecting through an IPsec tunnel with

pre-shared keys. There are two types of roaming clients:

• A. The IP addresses of the clients is known beforehand.

• B. The IP address of clients is not known beforehand and must be handed out by NetDefendOS

as they connect.

A. IP addresses already allocated

The IP addresses may be known beforehand and pre-allocated to the roaming clients before they

connect. The client's IP address will be will be manually input into the VPN client software.

1. Set up user authentication. XAuth user authentication is not required with IPsec roaming clients

but is recommended (this step could initially be left out to simplify setup). The authentication

source can be one of the following:

• A Local User DB object which is internal to NetDefendOS.

• An external authentication server.

An internal user database is easier to set up and is assumed here. Changing this to an external

server is simple to do later.

To implement user authentication with an internal database:

• Define a Local User DB object (let's call this object TrustedUsers).

• Add individual users to TrustedUsers. This should consist of at least a username and

password combination.

The Group string for a user can be specified if its group's access is to be restricted to

certain source networks. Group can be specified (with the same text string) in the

9.2.2. IPsec Roaming Clients with

Pre-shared Keys

Chapter 9. VPN

232