i. Local ID - This property of an IPsec Tunnel object represents the identity of the local VPN tunnel endpoint and is the value presented to the remote peer during the IKE negotiation.

The property is set to only a single value but can be left blank when using certificates, since the ID will be contained within the host certificate sent. If the certificate sent contains multiple IDs, this property can be set to specify which ID in the certificate to use.

The Enforce Local ID property can be enabled so that when NetDefendOS is acting as responder, the ID proposed by the initiator must match the Local ID value. The default behavior is to ignore the proposed ID.
ii. Remote ID - This property can be used to specify an ID list object. An ID list object contains one or more IDs. When using certificates, the certificate sent by a remote peer must contain an ID which matches one of the IDs in the list in order for the peer to be authenticated. Using the Remote ID property with certificates is explained further in Section 9.3.8, “Using ID Lists with Certificates”.

NetDefendOS applies sanity checks on all remote IDs to ensure they are acceptable. Usually malformed IDs have a problem in the DN name. For example, a faulty remote ID name might be the following:

DN=D-Link, OU=One,Two,Three, DC=SE

If this is specified by the administrator, there will be an error message when the NetDefendOS configuration is committed. The corrected remote ID form, with the commas inside the OU value escaped, is the following:

DN=D-Link, OU=One\,Two\,Three, DC=SE
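The following is an added example, not NetDefendOS code, that reproduces the kind of sanity check described above: it splits a remote ID DN on unescaped commas only and rejects any component that does not have the attribute=value form. The exact rules NetDefendOS applies are not given on this page, so the check here is an assumption about what "malformed" means, illustrated with the two DN strings shown.

```python
from typing import List, Tuple

def split_unescaped(dn: str) -> List[str]:
    """Split a DN on commas, treating a backslash-escaped comma as literal text."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escaped character itself (e.g. "\," becomes ",").
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts

def check_remote_id(dn: str) -> Tuple[bool, List[Tuple[str, str]], str]:
    """Return (accepted, parsed attribute/value pairs, reason).

    A DN is rejected as malformed as soon as one of its comma-separated
    components is not of the form attribute=value (assumed rule).
    """
    pairs: List[Tuple[str, str]] = []
    for raw in split_unescaped(dn):
        component = raw.strip()
        if "=" not in component:
            return False, pairs, f"component '{component}' is not attribute=value"
        attr, _, value = component.partition("=")
        attr, value = attr.strip(), value.strip()
        if not attr or not value:
            return False, pairs, f"empty attribute or value in '{component}'"
        pairs.append((attr, value))
    return True, pairs, "ok"

if __name__ == "__main__":
    # The faulty and corrected remote IDs from the text above.
    for candidate in ["DN=D-Link, OU=One,Two,Three, DC=SE",
                      r"DN=D-Link, OU=One\,Two\,Three, DC=SE"]:
        accepted, parsed, reason = check_remote_id(candidate)
        print(f"{candidate!r}: accepted={accepted} ({reason}) {parsed}")
```

The unescaped form fails on the bare "Two" component, while the escaped form parses to three attribute/value pairs with OU holding the full "One,Two,Three" value.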
• Encapsulation Mode

IPsec can be used in one of two modes:

• Tunnel Mode

Tunnel mode indicates that the traffic will be tunneled to a remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one VPN endpoint to another.

• Transport Mode

In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration.

This setting will typically be set to Tunnel in most configurations. With IKEv2, only Tunnel should be used.
• Remote Endpoint

The remote endpoint (sometimes also referred to as the remote gateway) is the device that does the VPN decryption/authentication and that passes the unencrypted data on to its final destination. This field can also be set to None, forcing the NetDefend Firewall to treat the remote address as the remote endpoint. This is particularly useful in cases of roaming access, where the IP addresses of the remote VPN clients are not known beforehand. Setting this to "none" will allow anyone coming from an IP address conforming to the "remote network" address discussed above to open a VPN connection, provided they can authenticate properly.
Chapter 9: VPN
686