About the P2 proposal, About replay detection | D-Link DFL-500

Autokey Keep Alive

Concentrator

Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed.

Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure, Adding a VPN concentrator to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you have added the tunnel.

•Select OK to save the AutoIKE key VPN tunnel.

Adding an AutoIKE key VPN tunnel

About the P2 proposal

During tunnel negotiation, the VPN gateways negotiate to select a common algorithm for data communication. When you select algorithms for the P2 proposal, you are selecting the algorithms that the DFL-500 NPG proposes during phase 2 negotiation. For phase 2 to be completed successfully, each VPN gateway must have at least one encryption and one authentication algorithm in common.

•Select DES to propose to encrypt packets using DES encryption.

•Select 3DES to propose to encrypt packets using triple-DES encryption.

•Select MD5 to propose to use MD5 authentication.

•Select SHA1 to propose to use SHA1 authentication.

•Select NULL to propose that the VPN packets not be encrypted or that a hash is not made for authentication.

About replay detection

IPSec tunnels can be vulnerable to replay attacks. A replay attack occurs when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. An attacker can use this technique to cause a denial of service (DoS) attack by flooding the tunnel with packets. An attacker could also change and then replay intercepted packets to attempt to gain entry to a trusted network.

Enable replay detection to check the sequence number of every IPSec packet to see if it has previously been received. If packets arrive out of sequence, the DFL-500 NPG discards them.

DFL-500 User Manual	58

Image 58

D-Link DFL-500 user manual About the P2 proposal, About replay detection, Autokey Keep Alive Concentrator

Contents

Link DFL-500 Regulatory Compliance Table of Contents Firewall configuration IPSec VPNs Logging and reporting Page Transparent mode NAT/Route mode and Transparent modeNAT/Route mode Introduction For more information Customer service and technical supportDFL-500 QuickStart Guide DFL-500 CLI Reference Guide Getting started Package contentsMounting Powering on Initial configuration Connecting to the web-based manager DFL-500 login Connecting to the command line interface CLIBits per second Data bits Parity Next stepsStop bits Flow control Preparing to configure NAT/Route mode NAT/Route mode installationNAT/Route mode settings Starting the setup wizard Using the setup wizardUsing the command line interface Reconnecting to the web-based manager Connecting to your networks Set system route number 1 gw1 Setting the date and time Configuring your internal networkCompleting the configuration DFL-500 NPG network connections Changing to Transparent mode Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Configuring the Transparent mode management IP address Set system management ip 10.10.10.2 Connecting to your network Setting the date and timeConfigure the Transparent mode default gateway DFL-500 network connections Firewall configuration Default policy Changing to NAT/Route mode Adding NAT/Route mode policiesGo to Firewall Policy Dynamic IP Pool Fixed Port Source Destination Schedule Service ActionAuthentication VPN Tunnel Content filtering Web filter Source Destination Schedule Service Adding Transparent mode policiesAdding a NAT/Route Int -Ext policy Log Traffic Authentication Web filter Adding a Transparent mode Int -Ext policy Configuring policy listsPolicy matching in detail Changing the order of policies in a policy list AddressesEnabling and disabling policies Go to Firewall Address Adding addressesDeleting addresses Adding a firewall address Go to Firewall Address Group ServicesOrganizing addresses into address groups Adding an internal address group Grouping services Predefined servicesProviding access to custom services Go to Firewall Service Custom Creating one-time schedules Adding a service groupSchedules Go to Firewall Schedule One-time Adding a schedule to a policy Virtual IPsCreating recurring schedules Go to Firewall Schedule Recurring Go to Firewall Virtual IP Adding static NAT virtual IPsStatic NAT Port Forwarding Using port forwarding virtual IPs Adding a static NAT virtual IP Adding a Port Forwarding virtual IP Adding policies with virtual IPsGo to Firewall Policy Ext Int Source Authentication Log Traffic Web filter Destination Schedule Service ActionIP pools Go to Firewall IP/MAC Binding Static IP/MAC Go to Firewall IP/MAC Binding SettingIP/MAC binding Adding an IP Pool Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses Enabling IP/MAC binding IP/MAC settingsViewing the dynamic IP/MAC list Go to Firewall IP/MAC Binding Dynamic IP/MAC Adding user names and configuring authentication Users and authenticationSetting authentication time out Adding user names and configuring authentication Deleting user names from the internal database DisableAdding a user name Adding Radius servers Configuring Radius supportExample Radius configuration Deleting Radius servers Configuring user groups Adding user groups Deleting user groups Adding a user group IPSec VPNs Interoperability with IPSec VPN products Configuring AutoIKE key IPSec VPN See Adding a remote gateway Configuring dialup VPN Configuring manual key IPSec VPNConfiguring a VPN concentrator for hub and spoke VPN Configuring the VPN concentrator Configuring the member VPNs Configuring IPSec redundancy Go to VPN Ipsec Remote Gateway Adding a remote gatewayLocal ID Nat-traversal Keepalive Frequency About dialup VPN authenticationAdding a remote gateway Dialup User selected Main mode with no user group selected Local ID Empty About DH groupsAbout the P1 proposal Key About NAT traversal Adding an AutoIKE key VPN tunnelGo to VPN Ipsec AutoIKE Key Autokey Keep Alive Concentrator About the P2 proposalAbout replay detection Adding an AutoIKE key VPN tunnel About perfect forward secrecy PFS Adding a manual key VPN tunnelGo to VPN Ipsec Manual Key Adding a VPN concentrator Adding a manual key VPN tunnel Adding an encrypt policy Adding a VPN concentrator Adding an encrypt policy Go to Firewall Policy Int-ExtVPN Tunnel Allow inbound Viewing VPN tunnel status Allow outbound Inbound Viewing dialup VPN connection status Testing a VPNAutoIKE key tunnel status Page Pptp VPN configuration Pptp and L2TP VPNs Go to VPN Pptp Pptp Range Configuring the DFL-500 NPG as a Pptp gatewayPptp VPN between a Windows client and the DFL-500 NPG Example Pptp Range configuration Source Destination Service Action Go to VPN L2TP L2TP Range L2TP VPN configurationConfiguring the DFL-500 NPG as an L2TP gateway L2TP VPN between a Windows client and the DFL-500 NPG Sample L2TP address range configuration Blocking web pages that contain unwanted content Web content filteringEnabling web content Filtering Configuring content filtering Clearing the banned word list Changing the content block messageBacking up and restoring the banned word list Configuring URL blocking Blocking access to URLsGo to Web Filter URL Block Downloading the URL block list Clearing the URL block listChanging the URL block message Uploading a URL block list Removing scripts from web pages Exempting URLs from content or URL blockingGo to Web Filter Script Filter Downloading the Exempt URL list Adding URLs to the Exempt URL ListClearing the Exempt URL list Go to Web Filter Exempt URL Uploading an Exempt URL list Logging and reporting Configuring LoggingGo to Log&Report Log setting Recording logs on a remote computer Example log settings Configuring alert emailSelecting what to log Configuring alert email Go to System Network DNS Administration System status Upgrading the DFL-500 NPG firmware Execute ping Enter Local Address Enter Tftp Server AddressEnter File Name image.out Restoring system settings to factory defaults Backing up system settingsRestoring system settings Displaying the DFL-500 NPG serial number Changing to Transparent mode Shutting down the DFL-500 NPG Restarting the DFL-500 NPGSystem status monitor CPU usage Memory usage Up time Total Number of Sessions Network configurationSystem status monitor Protocol From IP From Port To IP To Port Expire Clear Configuring the internal interface Configuring the internal interfaceConfiguring the external interface Go to System Network Interface Configuring the external interface with a static IP address Configuring the external interface for PPPoE Configuring the external interface Https Ping SSH Snmp Setting DNS server addresses Configuring routingConfiguring the management interface Transparent mode Adding routing gateways Adding routes to the routing table Adding a default routeGo to System Network Routing Table Enabling RIP server support Configuring the routing tableAdding routes Transparent mode Go to System Network Routing Go to System Network Dhcp Providing Dhcp services to your internal networkDefault Route Exclusion Range Starting IP Ending IP Netmask Lease Duration Domain Sample Dhcp settings System configurationExample Dynamic IP list Go to System Config Time Setting system date and timeExample date and time setting Changing web-based manager options Adding and editing administrator accountsGo to System Config Admin Read Write Only Configuring Snmp Go to System Config Snmp 100 Glossary 101 102 103 Index 104 CLI 105 Dhcp 106 Snmp 107 PFS 108 Transparent mode manual key Adding VPN tunnel IPSec VPN 109 NTP 110 Pptp 111 Smtp 112 VPN 113 IPSec VPN Remote Gateway user groups Deleting 114 115 Technical Support 116 Registration Card 117 118 Limited Warranty 119 120 121 Registration 122