Configuring IPSec redundancy | D-Link DFL-500 specification

See Adding an AutoIKE key VPN tunnel.

Or, add a manual key VPN tunnel.

See Adding a manual key VPN tunnel.

•Add one encrypt policy between the member VPN and the VPN concentrator. Use the following configuration:

Source Destination Action VPN Tunnel Allow inbound Allow outbound Inbound NAT Outbound NAT

Member VPN address. VPN concentrator address.

ENCRYPT

The VPN tunnel added in step 2. Select allow inbound.

Select allow outbound.

Select inbound NAT if required. Select outbound NAT if required.

See Adding an encrypt policy.

•Add additional encrypt policies between the member VPNs. Use the following configuration:

Source Destination Action VPN Tunnel Allow inbound Allow outbound Inbound NAT Outbound NAT

Local member VPN address. Remote member VPN address

ENCRYPT

The VPN tunnel added in step 2. Select allow inbound.

Select allow outbound.

Select inbound NAT if required. Select outbound NAT if required.

Configuring IPSec redundancy

IPSec redundancy allows you to create a redundant AutoIKE key IPSec VPN configuration to two remote VPN gateway addresses.

For IPSec redundancy to work, both Internet connections must have static IP addresses.

To configure IPSec redundancy:

•Add two remote gateways with the same settings (including the same authentication key) but with different remote gateway addresses.

See Adding a remote gateway.

•Add two AutoIKE key tunnels with the same settings and add one of the remote gateways to each tunnel.

See Adding an AutoIKE key VPN tunnel.

•Add two outgoing encrypt policies.

DFL-500 User Manual	52

Image 52

D-Link DFL-500 user manual Configuring IPSec redundancy

Contents

Link DFL-500 Regulatory Compliance Table of Contents Firewall configuration IPSec VPNs Logging and reporting Page NAT/Route mode and Transparent mode NAT/Route modeTransparent mode Introduction For more information Customer service and technical supportDFL-500 QuickStart Guide DFL-500 CLI Reference Guide Getting started Package contentsMounting Powering on Initial configuration Connecting to the web-based manager DFL-500 login Connecting to the command line interface CLIBits per second Data bits Parity Next stepsStop bits Flow control Preparing to configure NAT/Route mode NAT/Route mode installationNAT/Route mode settings Using the setup wizard Using the command line interfaceStarting the setup wizard Reconnecting to the web-based manager Connecting to your networks Set system route number 1 gw1 Configuring your internal network Completing the configurationSetting the date and time DFL-500 NPG network connections Transparent mode installation Preparing to configure Transparent modeChanging to Transparent mode Transparent mode settings Administrator Password Configuring the Transparent mode management IP address Set system management ip 10.10.10.2 Connecting to your network Setting the date and timeConfigure the Transparent mode default gateway DFL-500 network connections Firewall configuration Default policy Changing to NAT/Route mode Adding NAT/Route mode policiesGo to Firewall Policy Source Destination Schedule Service Action AuthenticationDynamic IP Pool Fixed Port VPN Tunnel Content filtering Web filter Source Destination Schedule Service Adding Transparent mode policiesAdding a NAT/Route Int -Ext policy Log Traffic Authentication Web filter Adding a Transparent mode Int -Ext policy Configuring policy listsPolicy matching in detail Changing the order of policies in a policy list AddressesEnabling and disabling policies Adding addresses Deleting addressesGo to Firewall Address Adding a firewall address Services Organizing addresses into address groupsGo to Firewall Address Group Adding an internal address group Predefined services Providing access to custom servicesGrouping services Go to Firewall Service Custom Adding a service group SchedulesCreating one-time schedules Go to Firewall Schedule One-time Virtual IPs Creating recurring schedulesAdding a schedule to a policy Go to Firewall Schedule Recurring Go to Firewall Virtual IP Adding static NAT virtual IPsStatic NAT Port Forwarding Using port forwarding virtual IPs Adding a static NAT virtual IP Adding policies with virtual IPs Go to Firewall Policy Ext IntAdding a Port Forwarding virtual IP Source Authentication Log Traffic Web filter Destination Schedule Service ActionIP pools Go to Firewall IP/MAC Binding Setting IP/MAC bindingGo to Firewall IP/MAC Binding Static IP/MAC Adding an IP Pool Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses IP/MAC settings Viewing the dynamic IP/MAC listEnabling IP/MAC binding Go to Firewall IP/MAC Binding Dynamic IP/MAC Users and authentication Setting authentication time outAdding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database DisableAdding a user name Configuring Radius support Example Radius configurationAdding Radius servers Deleting Radius servers Configuring user groups Adding user groups Deleting user groups Adding a user group IPSec VPNs Interoperability with IPSec VPN products Configuring AutoIKE key IPSec VPN See Adding a remote gateway Configuring dialup VPN Configuring manual key IPSec VPNConfiguring a VPN concentrator for hub and spoke VPN Configuring the VPN concentrator Configuring the member VPNs Configuring IPSec redundancy Go to VPN Ipsec Remote Gateway Adding a remote gatewayLocal ID Nat-traversal Keepalive Frequency About dialup VPN authenticationAdding a remote gateway Dialup User selected Main mode with no user group selected About DH groups About the P1 proposalLocal ID Empty Key About NAT traversal Adding an AutoIKE key VPN tunnelGo to VPN Ipsec AutoIKE Key About the P2 proposal About replay detectionAutokey Keep Alive Concentrator Adding an AutoIKE key VPN tunnel About perfect forward secrecy PFS Adding a manual key VPN tunnelGo to VPN Ipsec Manual Key Adding a VPN concentrator Adding a manual key VPN tunnel Adding an encrypt policy Adding a VPN concentrator Adding an encrypt policy Go to Firewall Policy Int-ExtVPN Tunnel Allow inbound Viewing VPN tunnel status Allow outbound Inbound Viewing dialup VPN connection status Testing a VPNAutoIKE key tunnel status Page Pptp VPN configuration Pptp and L2TP VPNs Go to VPN Pptp Pptp Range Configuring the DFL-500 NPG as a Pptp gatewayPptp VPN between a Windows client and the DFL-500 NPG Example Pptp Range configuration Source Destination Service Action L2TP VPN configuration Configuring the DFL-500 NPG as an L2TP gatewayGo to VPN L2TP L2TP Range L2TP VPN between a Windows client and the DFL-500 NPG Sample L2TP address range configuration Web content filtering Enabling web content FilteringBlocking web pages that contain unwanted content Configuring content filtering Clearing the banned word list Changing the content block messageBacking up and restoring the banned word list Configuring URL blocking Blocking access to URLsGo to Web Filter URL Block Clearing the URL block list Changing the URL block messageDownloading the URL block list Uploading a URL block list Removing scripts from web pages Exempting URLs from content or URL blockingGo to Web Filter Script Filter Adding URLs to the Exempt URL List Clearing the Exempt URL listDownloading the Exempt URL list Go to Web Filter Exempt URL Uploading an Exempt URL list Configuring Logging Go to Log&Report Log settingLogging and reporting Recording logs on a remote computer Example log settings Configuring alert emailSelecting what to log Configuring alert email Go to System Network DNS Administration System status Upgrading the DFL-500 NPG firmware Execute ping Enter Local Address Enter Tftp Server AddressEnter File Name image.out Backing up system settings Restoring system settingsRestoring system settings to factory defaults Displaying the DFL-500 NPG serial number Changing to Transparent mode Shutting down the DFL-500 NPG Restarting the DFL-500 NPGSystem status monitor Network configuration System status monitorCPU usage Memory usage Up time Total Number of Sessions Protocol From IP From Port To IP To Port Expire Clear Configuring the internal interface Configuring the external interfaceConfiguring the internal interface Go to System Network Interface Configuring the external interface with a static IP address Configuring the external interface for PPPoE Configuring the external interface Https Ping SSH Snmp Configuring routing Configuring the management interface Transparent modeSetting DNS server addresses Adding routing gateways Adding routes to the routing table Adding a default routeGo to System Network Routing Table Configuring the routing table Adding routes Transparent modeEnabling RIP server support Go to System Network Routing Providing Dhcp services to your internal network Default Route Exclusion RangeGo to System Network Dhcp Starting IP Ending IP Netmask Lease Duration Domain Sample Dhcp settings System configurationExample Dynamic IP list Go to System Config Time Setting system date and timeExample date and time setting Adding and editing administrator accounts Go to System Config AdminChanging web-based manager options Read Write Only Configuring Snmp Go to System Config Snmp 100 Glossary 101 102 103 Index 104 CLI 105 Dhcp 106 Snmp 107 PFS 108 Transparent mode manual key Adding VPN tunnel IPSec VPN 109 NTP 110 Pptp 111 Smtp 112 VPN 113 IPSec VPN Remote Gateway user groups Deleting 114 115 Technical Support 116 Registration Card 117 118 Limited Warranty 119 120 121 Registration 122