Manuals / D-Link / Computer Equipment / Network Card

D-Link DFL-500 user manual Configuring AutoIKE key IPSec VPN, See Adding a remote gateway

Models: DFL-500

1 122

Download 122 pages 7.35 Kb

Page 49

•ESP security in tunnel mode

•DES and 3DES (TripleDES) encryption

•Diffie-Hellman groups 1, 2, and 5

•HMAC MD5 authentication/data integrity or HMAC SHA1 authentication/data integrity

•Aggressive and Main Mode

•NAT Traversal

•Replay Detection

•IPSec Redundancy

•Perfect Forward Secrecy

•VPN concentrator for hub and spoke configurations

To successfully establish an IPSec VPN tunnel, the DFL-500 IPSec VPN configuration must be compatible with the third-party product IPSec VPN configuration. D-Link has tested DFL-500 VPN interoperability with the following third-party products:

•NetScreen Internet security appliances

•SonicWALL PRO firewall

•Cisco PIX firewall

•Cisco IOS router

•Check Point NG firewall

•Check Point NG-1 firewall

•Check Point FP-1 firewall

•Check Point FP-2 firewall

•Check Point FP-3 firewall

•Linksys firewall router

•SafeNet IPSec VPN client

•Secure Computing Sidewinder

•SSH Sentinel

For more information about DFL-500 VPN interoperability, contact D-Link technical support.

Configuring AutoIKE key IPSec VPN

An AutoIKE key VPN configuration consists of a remote gateway, an AutoIKE key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.

Normally an AutoIKE key VPN tunnel requires one remote gateway. This can be a gateway with a static IP address or a dialup gateway. For IPSec redundancy, you can add up to three remote gateways with static IP addresses to an AutoIKE key tunnel. For information about IPSec redundancy, see Configuring IPSec redundancy.

To create an AutoIKE key VPN configuration:

•Add a remote gateway.

See Adding a remote gateway.

•Add an AutoIKE key VPN tunnel that includes the remote gateway that you added in step 1. See Adding an AutoIKE key VPN tunnel.

•Add an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel.

DFL-500 User Manual	49

Image 49

D-Link DFL-500 user manual Configuring AutoIKE key IPSec VPN, See Adding a remote gateway

Contents

Link DFL-500 Regulatory Compliance Table of Contents Firewall configuration IPSec VPNs Logging and reporting Page NAT/Route mode NAT/Route mode and Transparent modeTransparent mode IntroductionFor more information Customer service and technical supportDFL-500 QuickStart Guide DFL-500 CLI Reference Guide Getting started Package contentsMounting Powering on Connecting to the web-based manager Initial configurationDFL-500 login Connecting to the command line interface CLIBits per second Data bits Parity Next stepsStop bits Flow control Preparing to configure NAT/Route mode NAT/Route mode installationNAT/Route mode settings Using the command line interface Using the setup wizardStarting the setup wizard Reconnecting to the web-based managerSet system route number 1 gw1 Connecting to your networksCompleting the configuration Configuring your internal networkSetting the date and time DFL-500 NPG network connectionsPreparing to configure Transparent mode Transparent mode installationChanging to Transparent mode Transparent mode settings Administrator PasswordSet system management ip 10.10.10.2 Configuring the Transparent mode management IP addressConnecting to your network Setting the date and timeConfigure the Transparent mode default gateway DFL-500 network connections Default policy Firewall configurationChanging to NAT/Route mode Adding NAT/Route mode policiesGo to Firewall Policy Authentication Source Destination Schedule Service ActionDynamic IP Pool Fixed Port VPN TunnelWeb filter Content filteringSource Destination Schedule Service Adding Transparent mode policiesAdding a NAT/Route Int -Ext policy Log Traffic Authentication Web filter Adding a Transparent mode Int -Ext policy Configuring policy listsPolicy matching in detail Changing the order of policies in a policy list AddressesEnabling and disabling policies Deleting addresses Adding addressesGo to Firewall Address Adding a firewall addressOrganizing addresses into address groups ServicesGo to Firewall Address Group Adding an internal address groupProviding access to custom services Predefined servicesGrouping services Go to Firewall Service CustomSchedules Adding a service groupCreating one-time schedules Go to Firewall Schedule One-timeCreating recurring schedules Virtual IPsAdding a schedule to a policy Go to Firewall Schedule RecurringGo to Firewall Virtual IP Adding static NAT virtual IPsStatic NAT Port Forwarding Adding a static NAT virtual IP Using port forwarding virtual IPsGo to Firewall Policy Ext Int Adding policies with virtual IPsAdding a Port Forwarding virtual IP SourceAuthentication Log Traffic Web filter Destination Schedule Service ActionIP pools IP/MAC binding Go to Firewall IP/MAC Binding SettingGo to Firewall IP/MAC Binding Static IP/MAC Adding an IP PoolAdding IP/MAC addresses Configuring IP/MAC binding for packets going to the firewallViewing the dynamic IP/MAC list IP/MAC settingsEnabling IP/MAC binding Go to Firewall IP/MAC Binding Dynamic IP/MACSetting authentication time out Users and authenticationAdding user names and configuring authentication Adding user names and configuring authenticationDeleting user names from the internal database DisableAdding a user name Example Radius configuration Configuring Radius supportAdding Radius servers Deleting Radius serversAdding user groups Configuring user groupsAdding a user group Deleting user groupsInteroperability with IPSec VPN products IPSec VPNsSee Adding a remote gateway Configuring AutoIKE key IPSec VPNConfiguring dialup VPN Configuring manual key IPSec VPNConfiguring a VPN concentrator for hub and spoke VPN Configuring the member VPNs Configuring the VPN concentratorConfiguring IPSec redundancy Go to VPN Ipsec Remote Gateway Adding a remote gatewayLocal ID Nat-traversal Keepalive Frequency About dialup VPN authenticationAdding a remote gateway Dialup User selected Main mode with no user group selected About the P1 proposal About DH groupsLocal ID Empty KeyAbout NAT traversal Adding an AutoIKE key VPN tunnelGo to VPN Ipsec AutoIKE Key About replay detection About the P2 proposalAutokey Keep Alive Concentrator Adding an AutoIKE key VPN tunnelAbout perfect forward secrecy PFS Adding a manual key VPN tunnelGo to VPN Ipsec Manual Key Adding a manual key VPN tunnel Adding a VPN concentratorAdding a VPN concentrator Adding an encrypt policyAdding an encrypt policy Go to Firewall Policy Int-ExtVPN Tunnel Allow inbound Allow outbound Inbound Viewing VPN tunnel statusViewing dialup VPN connection status Testing a VPNAutoIKE key tunnel status Page Pptp and L2TP VPNs Pptp VPN configurationGo to VPN Pptp Pptp Range Configuring the DFL-500 NPG as a Pptp gatewayPptp VPN between a Windows client and the DFL-500 NPG Source Destination Service Action Example Pptp Range configurationConfiguring the DFL-500 NPG as an L2TP gateway L2TP VPN configurationGo to VPN L2TP L2TP Range L2TP VPN between a Windows client and the DFL-500 NPGSample L2TP address range configuration Enabling web content Filtering Web content filteringBlocking web pages that contain unwanted content Configuring content filteringClearing the banned word list Changing the content block messageBacking up and restoring the banned word list Configuring URL blocking Blocking access to URLsGo to Web Filter URL Block Changing the URL block message Clearing the URL block listDownloading the URL block list Uploading a URL block listRemoving scripts from web pages Exempting URLs from content or URL blockingGo to Web Filter Script Filter Clearing the Exempt URL list Adding URLs to the Exempt URL ListDownloading the Exempt URL list Go to Web Filter Exempt URLUploading an Exempt URL list Go to Log&Report Log setting Configuring LoggingLogging and reporting Recording logs on a remote computerExample log settings Configuring alert emailSelecting what to log Go to System Network DNS Configuring alert emailSystem status AdministrationExecute ping Upgrading the DFL-500 NPG firmwareEnter Local Address Enter Tftp Server AddressEnter File Name image.out Restoring system settings Backing up system settingsRestoring system settings to factory defaults Displaying the DFL-500 NPG serial numberChanging to Transparent mode Shutting down the DFL-500 NPG Restarting the DFL-500 NPGSystem status monitor System status monitor Network configurationCPU usage Memory usage Up time Total Number of Sessions Protocol From IP From Port To IP To Port Expire ClearConfiguring the external interface Configuring the internal interfaceConfiguring the internal interface Go to System Network InterfaceConfiguring the external interface with a static IP address Configuring the external interface Configuring the external interface for PPPoEHttps Ping SSH Snmp Configuring the management interface Transparent mode Configuring routingSetting DNS server addresses Adding routing gatewaysAdding routes to the routing table Adding a default routeGo to System Network Routing Table Adding routes Transparent mode Configuring the routing tableEnabling RIP server support Go to System Network RoutingDefault Route Exclusion Range Providing Dhcp services to your internal networkGo to System Network Dhcp Starting IP Ending IP Netmask Lease Duration DomainSample Dhcp settings System configurationExample Dynamic IP list Go to System Config Time Setting system date and timeExample date and time setting Go to System Config Admin Adding and editing administrator accountsChanging web-based manager options Read Write OnlyGo to System Config Snmp Configuring Snmp100 101 Glossary102 103 104 Index105 CLI106 Dhcp107 Snmp108 PFS109 Transparent mode manual key Adding VPN tunnel IPSec VPN110 NTP111 Pptp112 Smtp113 VPN114 IPSec VPN Remote Gateway user groups Deleting115 116 Technical Support117 Registration Card118 119 Limited Warranty120 121 122 Registration