•
Create a Config Mode Pool object (there can only be one associated with a NetDefendOS
installation) and in it specify the address range.
•
Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel.
2.
If client IP addresses are to be retrieved through DHCP:
•
Create an IP Pool object and in it specify the DHCP server to use. The DHCP server can be
specified as a simple IP address or alternatively as being accessible on a specific interface.
If an internal DHCP server is to be used then specify the loopback address 127.0.0.1 as the
DHCP server IP address.
•
Create a Config Mode Pool object (there can only be one associated with a NetDefendOS
installation) and associate with it the IP Pool object defined in the previous step.
•
Enable the IKE Config Mode Pool option in the IPsec Tunnel object ipsec_tunnel so the
created pool is selected.
Configuring IPsec Clients
In both cases (A) and (B) above, the IPsec client will need to be correctly configured. The client
configuration will require the following:
•
Define the URL or IP address of the NetDefend Firewall. The client needs to locate the tunnel
endpoint.
•
Define the pre-shared key that is used for IPsec security.
•
Define the IPsec algorithms that will be used and which are supported by NetDefendOS.
•
Specify if the client will use config mode.
There are a variety of IPsec client software products available from a number of suppliers and this
manual will not focus on any specific one. The network administrator should use the client that is
best suited to their budget and needs.
9.2.4. IPsec Roaming Clients with Certificates
If certificates are used with IPsec roaming clients instead of pre-shared keys then no Pre-shared
Key object is needed and the other differences in the setup described above are:
1.
Load a Root Certificate and a Gateway Certificate into NetDefendOS. The root certificate
needs to have 2 parts added: a certificate file and a private key file. The gateway certificate
needs just the certificate file added.
2.
When setting up the IPsec Tunnel object, specify the certificates to use under Authentication.
This is done by doing the following:
a.
Enable the X.509 Certificate option.
b.
Select the Gateway Certificate.
c.
Add the Root Certificate to use.
3.
The IPsec client software will need to be appropriately configured with the certificates and
remote IP addresses. As already mentioned above, many third party IPsec client products are
available and this manual will not discuss any particular client.
9.2.4. IPsec Roaming Clients with
Certificates
Chapter 9. VPN
392
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...