Ipsec Lan To Lan With Certificates - D-Link NetDefend DFL-210 User Manual
Network security firewall
Hide thumbs
Also See for NetDefend DFL-210:
- User manual (495 pages) ,
- Log reference manual (476 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
9.2.2. IPsec LAN to LAN with
Certificates
•
Set Remote Endpoint to remote_gw.
•
Set Encapsulation mode to Tunnel.
•
Choose the IKE and IPsec algorithm proposal lists to be used.
•
For Authentication select the Pre-shared Key object defined in step (1) above.
The IPsec Tunnel object can be treated exactly like any NetDefendOS Interface object in later
steps.
5.
Set up two IP rules in the IP rule set for the tunnel:
•
An Allow rule for outbound traffic that has the previously defined ipsec_tunnel object as
the Destination Interface. The rule's Destination Network is the remote network
remote_net.
•
An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as the
Source Interface. The Source Network is remote_net.
Action
Allow
Allow
The Service used in these rules is All but it could be a predefined service.
6.
Define a new NetDefendOS Route which specifies that the VPN Tunnel ipsec_tunnel is the
Interface to use for routing packets bound for the remote network at the other end of the tunnel.
Interface
ipsec_tunnel
9.2.2. IPsec LAN to LAN with Certificates
LAN to LAN security is usually provided with pre-shared keys but sometimes it may be desirable to
use X.509 certificates instead. If this is the case, Certificate Authority (CA) signed certificates may
be used and these come from an internal CA server or from a commercial supplier of certificates.
Alternatively, self-signed certificates can be used and these can be generated from a number of
utilities downloadable from the Internet.
Creating a LAN to LAN tunnel with certificates follows exactly the same procedures as the previous
section except that certificates replace pre-shared keys for authentication.
Two certificates are required for a LAN to LAN tunnel and both should be signed by the same CA.
The same two are used at either end of an IPsec tunnel but their use is reversed at either end. In
other words: one certificate is used as the root certificate at one tunnel end, call it Side A, and as the
host certificate at the other end, call it Side B. The second certificate is used in the opposite way: it
is the host certificate at Side A and the root certificate at Side B.
The certificate setup steps are:
1.
The NetDefendOS date and time must be set correctly since certificates can expire.
2.
Open the WebUI management interface for the D-Link Firewall at one end of the tunnel.
3.
Under Authentication Objects, add the Root Certificate and Host Certificate into
NetDefendOS. The root certificate needs to have 2 parts added: a certificate file and a private
Src Interface
Src Network
lan
lannet
ipsec_tunnel
remote_net
Network
remote_net
Dest Interface
ipsec_tunnel
lan
324
Chapter 9. VPN
Dest Network
Service
remote_net
All
lannet
All
Gateway
<empty>
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
