D-Link DFL-2500 User Manual

Authentication section of an IP object. If that IP object is then used as the Source
Network of a rule in the IP rule set, that rule will only apply to a user if their Group string
matches the Group string of the IP object. (note: Group has no meaning in
Authentication Rules).

•

Create a new User Authentication Rule with the Authentication Source set to
TrustedUsers. The other parameters for the rule are:

Agent

Auth Source

Src Network

Interface

Client Source IP

XAUTH

Local

all-nets

any

all-nets (0.0.0.0/0)

2.

The IPsec Tunnel object ipsec_tunnel should have the following parameters:

•

Set Local Network to lannet.

•

Set Remote Network to all-nets

•

Set Remote Gateway to all-nets.

•

Set Encapsulation mode to Tunnel.

•

Set the IKE and IPsec proposal lists to match the capabilities of the clients.

•

No routes can be predefined so the option Dynamically add route to the remote network
when tunnel established should be enabled for the tunnel object.

•

Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.
This will enable a search for the first matching XAUTH rule in the authentication rules.

3.

The IP rule set should contain the single rule:

Action

Src Interface

Src Network

Dest Interface

Dest Network

Service

Allow

ipsec_tunnel

all-nets

lan

lannet

All

Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is
why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP
object could be used which specifies the exact range of the pre-allocated IP addresses.

B. IP addresses handed out by NetDefendOS

If the client IP addresses are not known then they must be handed out by NetDefendOS. To do this
the above must be modified with the following:

1.

If a specific IP address range is to be used as a pool of available addresses then:

•

Create a Config Mode Pool object (there can only be one associated with a NetDefendOS
installation) and in it specify the address range.

•

Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel.

2.

If client IP addresses are to be retrieved through DHCP:

•

Create an IP Pool object and in it specify the DHCP server to use. The DHCP server can be
specified as a simple IP address or alternatively as being accessible on a specific interface.
If an internal DHCP server is to be used then specify the loopback address 127.0.0.1 as the
DHCP server IP address.

9.2.2. IPsec Roaming Clients with
Pre-shared Keys

Chapter 9. VPN

233