User manual
3. Define a Pre-shared Key for the IPsec tunnel.
4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following parameters:
• Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing device).
• Set Remote Network to all-nets
• Set Remote Gateway to none
• For Authentication select the Pre-shared Key object defined in the first step.
• Set Encapsulation Mode to Transport.
• Select the IKE and IPsec proposal lists to be used.
• Enable the routing option Dynamically add route to the remote network when tunnel established.
5. Define a PPTP/L2TP Server object (let's call this object l2tp_tunnel) with the following parameters:
• Set Inner IP Address to ip_int
• Set Tunnel Protocol to L2TP
• Set Outer Interface Filter to ipsec_tunnel
• Set Outer Server IP to ip_ext
• Select the Microsoft Point-to-Point Encryption (MPPE) levels allowed. Since IPsec already encrypts the traffic, this should be set to None only; otherwise the double encryption will degrade throughput.
• Set IP Pool to l2tp_pool.
• Enable Proxy ARP on the int interface to which the internal network is connected.
• Make the interface a member of a specific routing table so that routes are automatically added to that table. Normally the main table is selected.
6. For user authentication:
• Define a Local User DB object (let's call this object TrustedUsers).
• Add individual users to TrustedUsers. Each user entry should consist of at least a username and password combination. The Group string for a user can also be specified; this is explained in the same step in the IPsec Roaming Clients section above.
• Define a User Authentication Rule with the following settings:
  Agent: PPP
  Auth Source: Local
  Src Network: all-nets
  Interface: l2tp_tunnel
  Client Source IP: all-nets (0.0.0.0/0)
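The objects defined in steps 4 to 6 depend on each other: leaving MPPE at None in the L2TP server is only acceptable because its outer interface is an IPsec tunnel, and that tunnel only serves roaming clients when it uses Transport encapsulation with no fixed Remote Gateway and a PPP authentication rule exists for the inner interface. The following Python script is an added example, not NetDefendOS code or its CLI: it models these objects in a constructed, simplified form (the class and attribute names and the Pre-shared Key object name l2tp_psk are assumptions) and checks a configuration for the mistakes that would break either connectivity or confidentiality.

```python
"""Consistency check for the L2TP-over-IPsec roaming-client setup (steps 4 to 6).

Added example, not NetDefendOS code: the classes are a constructed,
simplified model of the manual's objects (IPsec Tunnel, PPTP/L2TP Server,
User Authentication Rule) and their attribute names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IPsecTunnel:
    name: str
    local_network: str
    remote_network: str
    remote_gateway: Optional[str]   # None for roaming clients (peer address unknown)
    psk: Optional[str]              # name of the Pre-shared Key object, or None
    encapsulation_mode: str         # "Transport" or "Tunnel"
    add_route_dynamically: bool     # "Dynamically add route to the remote network"


@dataclass
class L2TPServer:
    name: str
    inner_ip: str
    tunnel_protocol: str            # "L2TP" or "PPTP"
    outer_interface_filter: str     # interface the tunnel packets must arrive on
    outer_server_ip: str
    mppe: str                       # "None", "RC4-40", "RC4-128", ...
    ip_pool: str


@dataclass
class AuthRule:
    agent: str                      # "PPP" for L2TP/PPTP users
    auth_source: str                # "Local" = a Local User DB
    interface: str                  # interface the clients connect through


@dataclass
class Config:
    ipsec_tunnels: Dict[str, IPsecTunnel]
    l2tp_servers: Dict[str, L2TPServer]
    auth_rules: List[AuthRule]


def check_l2tp_over_ipsec(cfg: Config) -> List[Tuple[str, str]]:
    """Return (object name, problem) findings; an empty list means consistent."""
    findings: List[Tuple[str, str]] = []
    for srv in cfg.l2tp_servers.values():
        outer = cfg.ipsec_tunnels.get(srv.outer_interface_filter)
        if outer is None:
            # Tunnel packets arrive on a plain interface, so MPPE is the only
            # protection the PPP payload gets.
            if srv.mppe == "None":
                findings.append((srv.name, "MPPE is None but the outer interface is "
                                 "not an IPsec tunnel: PPP payload is sent in cleartext"))
        else:
            # Outer interface is IPsec: it must be configured for roaming L2TP.
            if outer.encapsulation_mode != "Transport":
                findings.append((outer.name, "L2TP/IPsec needs Transport encapsulation"))
            if outer.remote_gateway is not None:
                findings.append((outer.name, "Remote Gateway must be none: roaming "
                                 "clients connect from unknown addresses"))
            if outer.psk is None:
                findings.append((outer.name, "no Pre-shared Key object selected"))
            if not outer.add_route_dynamically:
                findings.append((outer.name, "dynamic route to the remote network not "
                                 "enabled: replies to the client bypass the tunnel"))
            if srv.mppe != "None":
                findings.append((srv.name, "MPPE on top of IPsec: double encryption "
                                 "only degrades throughput"))
        # Either way the PPP clients need a rule that lets them authenticate.
        if not any(r.agent == "PPP" and r.interface == srv.name for r in cfg.auth_rules):
            findings.append((srv.name, "no PPP User Authentication Rule for this "
                             "interface: clients cannot log in"))
    return findings


def manual_example_config() -> Config:
    """Constructed configuration that follows steps 4 to 6 of the manual."""
    ipsec = IPsecTunnel("ipsec_tunnel", "ip_ext", "all-nets", None, "l2tp_psk",
                        "Transport", True)
    l2tp = L2TPServer("l2tp_tunnel", "ip_int", "L2TP", "ipsec_tunnel", "ip_ext",
                      "None", "l2tp_pool")
    rule = AuthRule("PPP", "Local", "l2tp_tunnel")
    return Config({ipsec.name: ipsec}, {l2tp.name: l2tp}, [rule])


def plain_l2tp_config() -> Config:
    """Constructed misconfiguration: same server, but bound straight to the WAN."""
    cfg = manual_example_config()
    cfg.l2tp_servers["l2tp_tunnel"].outer_interface_filter = "wan"
    return cfg


if __name__ == "__main__":
    for label, cfg in (("manual", manual_example_config()),
                       ("plain L2TP", plain_l2tp_config())):
        print(label, check_l2tp_over_ipsec(cfg) or "OK")
```

Run as a script it reports OK for the manual's configuration and one finding for the variant in which the same L2TP server is bound directly to the WAN interface, where MPPE None would leave the PPP payload unencrypted. The check deliberately keys off the outer interface rather than the MPPE value alone, because the same MPPE setting is correct in one topology and dangerous in the other.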
7. To allow traffic through the L2TP tunnel the following rules should be defined in the IP rule set:
9.2.4. L2TP Roaming Clients with Pre-Shared Keys (Chapter 9. VPN)