The step to set up user authentication is optional since this is additional security to certificates.
Note: The system time and date should be correct
The NetDefendOS date and time should be set correctly since certificates have an
expiry date and time.
Also review Section 9.6, “CA Server Access”, which describes important considerations for
certificate validation.
9.2.5. L2TP Roaming Clients with Pre-Shared Keys
Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client
VPN scenarios. L2TP is usually encapsulated in IPsec to provide encryption with IPsec running in
transport mode instead of tunnel mode. The steps for L2TP over IPsec setup are:
1.
Create an IP object (let's call it l2tp_pool) which defines the range of IP addresses which can be
handed out to clients. The range chosen could be of two types:
•
A range taken from the internal network to which clients will connect. If the internal
network is 192.168.0.0/24 then we might use the address range 192.168.0.10 to
192.168.0.20. The danger here is that an IP address might be accidentally used on the
internal network and handed out to a client.
•
Use a new address range that is totally different to any internal network. This prevents any
chance of an address in the range also being used on the internal network.
2.
Define two other IP objects:
•
ip_ext which is the external public IP address through which clients connect (let's assume
this is on the ext interface).
•
ip_int which is the internal IP address of the interface to which the internal network is
connected (let's call this interface int).
3.
Define a Pre-shared Key for the IPsec tunnel.
4.
Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following
parameters:
•
Set Local Network to ip_ext (specify all-nets instead if NetDefendOS is behind a NATing
device).
•
Set Remote Network to all-nets.
•
Set Remote Endpoint to none.
•
For Authentication select the Pre-shared Key object defined in the first step.
•
Set Encapsulation Mode to Transport.
•
Select the IKE and IPsec algorithm proposal lists to be used.
•
Enable the IPsec tunnel routing option Dynamically add route to the remote network
when tunnel established.
•
When all-nets is the destination network, as is the case here, the advanced setting option
Add route for remote network must also be disabled. This setting is enabled by default.
5.
Define an PPTP/L2TP Server object (let's call this object l2tp_tunnel) with the following
parameters:
9.2.5. L2TP Roaming Clients with
Pre-Shared Keys
Chapter 9. VPN
393
Summary of Contents for DFL-1600 - Security Appliance
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Page 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...