Product Manual
Page 3
...Port mapping / Virtual Servers 30 Add a new mapping 30 Delete mapping 31 Administrative users 32 Change Administrative User Password 32 Users 33 The DFL-200 RADIUS Support 33 Enable User Authentication via HTTP / HTTPS 34 Enable RADIUS Support 34 Add User ...35 Change User Password 35 Delete User...schedule 38 Services 39 Adding TCP, UDP or TCP/UDP Service 39 Adding IP Protocol 40 Grouping Services 40 Protocol-independent settings 41 VPN...42 Introduction to IPSec 42 Introduction to PPTP 42 Introduction to L2TP 43 Point-to-Point Protocol 43 Authentication Protocols 44 MPPE, ...
Product Manual
Page 4
... Relayer 58 Disable DNS Relayer 58 Tools 59 Ping ...59 Ping Example 59 Dynamic DNS 60 Add Dynamic DNS Settings 60 Backup 61 Exporting the DFL-200's Configuration 61 Restoring the DFL-200's Configuration 61 Restart/Reset 62 Restoring system settings to factory defaults 63 Upgrade 64 Upgrade Firmware 64 4 Adding an L2TP/PPTP...
Product Manual
Page 5
Upgrade IDS Signature-database 64 Status 65 System 65 Interfaces 66 VPN...67 Connections 68 DHCP Server 69 How to read the logs 70 USAGE events 70 DROP events 70 CONN events 71 Step by Step Guides 72 LAN-to-LAN VPN using IPSec 73 Settings for Main office 75 LAN-to-LAN... VPN using PPTP 77 Settings for Main office 79 LAN-to-LAN VPN using L2TP 83 Settings for Branch office 83 Settings for Main office 86 A more secure LAN-to-LAN VPN solution 90 Settings for Branch office 90 Settings for Main office 93...
Product Manual
Page 6
...being used to prevent unauthorized Internet users from accessing private networks or corporate LAN's and Intranets. Features and Benefits z Firewall Security z VPN Server/Client Supported Supports IPSec LAN-to-LAN or Roaming user tunnels with specific UDP or TCP ports to allow certain ...firewall can be a computer using a Web browser supporting Java. In addition the DFL-200 also provides a user-friendly Web UI that prevents unauthorized access to or from your network. Introduction The DFL-200 provides six 10/100Mbps Auto MDI/MDIX Ethernet network interface ports, which are also...
Product Manual
Page 20
The DFL-200 uses a slightly different method of describing routes compared to most commonly used . Specifies the network address for this route shall be sent through. If the ... enabled on the corresponding interface. One advantage with this route via another interface. Network - Proxy ARP - Note: Proxy ARP will be automatically published on the VPN tunnel. 20 The IP address specified here will publish the remote network on all configured routes, and it ; Routing Click on System in the menu...
Product Manual
Page 42
... To set up by using the IPSec protocol ESP. Each SA is made up of methods used to provide security for the PPP data. A PPTP based VPN is unidirectional, so there will be at the network layer. PPTP supports data encryption by these parts: •...DFL-200, is a set of protocols defined by using MPPE. 42 Furthermore, IKE is the actual IP data being transferred, using the encryption and authentication methods agreed upon in the following settings: VPN Name, Source Subnet (Local Net), Destination Gateway (If LAN-to-LAN), Destination Subnet (If LAN-to provide IP security...
Product Manual
Page 43
...-To-Point Encryption (MPPE) L2TP uses UDP to provide IP security at least one of the peers has to encapsulate datagram's over the link. Introduction to L2TP L2TP, Layer 2 Tunneling Protocol, a combination... VPN is done, IP datagram's can be negotiated. To establish a PPP tunnel, both sides send LCP frames to encapsulate IP packets for transporting datagram's over the link.... • Link Control Protocols (LCP) to negotiate parameters, test and establish the link. • Network Control Protocol (NCP) to establish and negotiate different network layer protocols (DFL-200 only supports IP...
Product Manual
Page 46
Outer IP - Leave this PPTP/L2TP Server. Client IP Pool - IP addresses of the VPN tunnel. Specify which uses the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. MPPE encryption - To use as an IP address pool ... on, leave it Blank for the LAN IP. Require IPSec encryption - Primary/Secondary WINS - If utilizing the DNS Relay function, be sent over the PPP link unencrypted. Primary/Secondary DNS - Authentication protocol - L2TP/PPTP Servers Settings for more information about each type.
Product Manual
Page 47
...can use exactly the same PSK. Step 4. DFL-200 Firewall As shown in the Local Net field. One may also create VPN tunnels between an internal network behind one VPN gateway and a DMZ network behind the other DFL-200 as IPSec VPN gateways to create a VPN tunnel that when they connect to -LAN ... choose Add new under IPSec. Choose authentication type, either an IP or a DNS name. Creating a LAN-to-LAN IPSec VPN Tunnel Follow these DFL-200s can contain numbers (0-9) and upper and lower case letters (A-Z, a-z), and the special characters and _. Users on the internal networks are...
Product Manual
Page 48
... internal network takes place in an encrypted VPN tunnel that uses the DMZ network. Step 4. Go to add a roaming user tunnel. The name can connect to discard changes. 48 If you can also create a VPN tunnel that connects the DFL-200 and the roaming users across the Internet.... Step 2. No other special characters and spaces are selected when you configure the VPN policy. Step 5. DFL-200 Firewall The example shows a VPN between a roaming VPN client and the internal network, but you choose PSK, make sure the clients use exactly the same PSK....
Product Manual
Page 49
... connecting to. Step 2. Step 4. Click the Apply button below to apply the change or click Cancel to add an L2TP or PPTP VPN Client configuration. Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP/PPTP Clients section. this tunnel in the L2TP... field. This field should be the IP of unused IP's on the LAN interface that listens on the WAN IP. Step 5. Adding an L2TP/PPTP VPN Server Follow these steps to discard changes. Enter a Name for the PPTP or L2TP Client. The name can contain numbers (0-9) and upper and lower case...
Product Manual
Page 50
...the necessary Vendor ID's to IP Addresses automatically discovered from the same initial keying material. PFS - Always tries to use NAT-T if one of the VPN gateways is slower, it is set to 1 (modp 768-bit), 2 (modp 1024-bit), or 5 (modp 1536-bit). Configure the source and... destination IP addresses used keys; Advanced Settings Advanced settings for a VPN tunnel is possible to configure how the NAT Traversal code should be allowed if this setting is possible to configure the Diffie-Hellman group to...
Product Manual
Page 51
...algorithms are supported algorithms. Life Times - Specifies in KB or seconds when the security associations for the VPN tunnel need to group several proposals. Supported algorithms are using during IKE Phase-1 (IKE Security Negotiation), while IPSec proposals are AES, 3DES, DES, Blowfish, Twofish, and ...the data packet is found. Hash - Specifies the hash function used in KB or seconds when the security associations for the VPN tunnel need to the remote VPN gateway one after another until a matching proposal is altered while being transmitted. Specifies the encryption algorithm ...
Product Manual
Page 52
It links an identity to provide HTTPS access. When using pre-shared keys, this is a digital ...using certificates, on the other entities. The following steps are commonly called Admin. Before a VPN tunnel with certificate based authentication can be told whom it can be selected in the Local Identity field on the...Web interface to a public key in VPN tunnels. Certificates can either be set up a VPN tunnel, the firewall has to prove its own and that none of the certificate: • Construct a certification path up to the DFL-200. To add a new local identity ...
Product Manual
Page 53
... will automatically be placed in the Remote Peers list even if Add New was clicked in the Remote Peers list. An Identity list can establish a VPN tunnel, even among peers signed by a CA whose certificate is a list of known identities. However, in some cases it will match the identity of ...is performed. Note: If the uploaded certificate is a list of the connecting remote peer against the Identity List, and only allow you to limit inbound VPN access from the Certificate Authorities list. Identities This is a CA certificate, it might be selected in the Identity List field on the...
Product Manual
Page 65
Last restart - The reason for your Displays CPU load, RAM usage, Connections, VPN Tunnels and Rules configured. one shows the CPU usage during the last 24 hours. Useful for plotting usage trends for the last restart.... The IDS signature database versions. There are also two graphs on this section, the DFL-200 displays the status information about the DFL-200. Uptime - Administrator may use the Status section to check the System Status, Interface statistics, VPN status, IP connections, and DHCP Servers Status. Shows when the last administrative configuration change...
Product Manual
Page 67
The two graphs display the send and receive rate through the selected VPN tunnel during the last 24 hours. VPN Click on the DFL-200. To see another one, click on that allows roaming users. This is a tunnel that VPN tunnels name. So under the IPSec SA listing each roaming user connected to this example, a tunnel...
Product Manual
Page 73
LAN-to-LAN VPN using IPSec
Settings for Branch office
1. Setup interfaces, System->Interfaces:
WAN IP: 194.0.2.10
LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
Under IPSec tunnels click Add new
Name the tunnel ToMainOffice
Local net: 192.168.4.0/24
PSK: 1234567890 (Do not use this as your PSK)
Retype PSK: 1234567890
Product Manual
Page 74
Select Tunnel type: LAN-to-LAN tunnel
Remote Net: 192.168.1.0/24
Remote Gateway: 194.0.2.20
Enable "Automatically add a route for the remote network"
Click Apply
3. Setup policies for the new tunnel, Firewall->Policy:
Click Global policy parameters
Enable "Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN"
Click Apply
4. Click Activate and wait for the firewall to restart
Product Manual
Page 75
Settings for Main office
1. Setup interfaces, System->Interfaces:
WAN IP: 194.0.2.20
LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
Under IPSec tunnels click Add new
Name the tunnel ToBranchOffice
Local net: 192.168.1.0/24
PSK: 1234567890 (Note! You should use a key that is hard to guess)
Retype PSK: 1234567890
Select Tunnel type: LAN-to-LAN tunnel
Remote Net: 192.168.4.0/24
Remote Gateway: 194.0.2.10
Enable "Automatically add a route for the remote network"
Click Apply
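The two sides of the LAN-to-LAN guide above only work when they mirror each other: each firewall's Remote Net is the peer's Local net, each Remote Gateway is the peer's WAN IP, and both ends hold the same PSK. The following is an added example, not code from the D-Link manual or the DFL-200 itself: a small Python check that takes the settings named in the guide for both offices and reports every mismatch, and also flags the manual's placeholder PSK so it is not left in place. The Side class, the check functions and the 20-character minimum PSK length are assumptions made for this example.

```python
# Added example (not from the D-Link manual): a consistency check for the
# two ends of the LAN-to-LAN IPSec tunnel in the step-by-step guide.
# Field names mirror the settings in the guide; the helper names (Side,
# check_side, check_tunnel_pair) are assumptions, not a DFL-200 API.
import ipaddress
from dataclasses import dataclass

# The manual's example PSK; a real deployment must never keep it.
PLACEHOLDER_PSK = "1234567890"
MIN_PSK_LENGTH = 20  # assumed local policy threshold, not a DFL-200 limit


@dataclass
class Side:
    name: str
    wan_ip: str
    lan_ip: str
    subnet_mask: str
    tunnel_name: str
    local_net: str
    remote_net: str
    remote_gateway: str
    psk: str


def check_side(side: Side) -> list[str]:
    """Checks that hold for one firewall on its own."""
    problems = []
    local = ipaddress.ip_network(side.local_net, strict=True)
    lan_if = ipaddress.ip_interface(f"{side.lan_ip}/{side.subnet_mask}")
    # The LAN interface must lie inside the net advertised as Local net.
    if lan_if.network != local:
        problems.append(f"{side.name}: LAN {lan_if.network} != Local net {local}")
    if side.psk == PLACEHOLDER_PSK:
        problems.append(f"{side.name}: PSK is the manual's placeholder value")
    elif len(side.psk) < MIN_PSK_LENGTH:
        problems.append(f"{side.name}: PSK shorter than {MIN_PSK_LENGTH} characters")
    # The peer's public address cannot be inside our own LAN.
    if ipaddress.ip_address(side.remote_gateway) in local:
        problems.append(f"{side.name}: Remote Gateway lies inside Local net")
    return problems


def check_tunnel_pair(a: Side, b: Side) -> list[str]:
    """Checks that the two ends of a LAN-to-LAN tunnel mirror each other."""
    problems = check_side(a) + check_side(b)
    for here, peer in ((a, b), (b, a)):
        if ipaddress.ip_network(here.remote_net) != ipaddress.ip_network(peer.local_net):
            problems.append(
                f"{here.name}: Remote Net {here.remote_net} != "
                f"{peer.name} Local net {peer.local_net}")
        if here.remote_gateway != peer.wan_ip:
            problems.append(
                f"{here.name}: Remote Gateway {here.remote_gateway} != "
                f"{peer.name} WAN IP {peer.wan_ip}")
    if a.psk != b.psk:
        problems.append("PSK differs between the two ends")
    # Overlapping LANs make the auto-added route for the remote network ambiguous.
    if ipaddress.ip_network(a.local_net).overlaps(ipaddress.ip_network(b.local_net)):
        problems.append("Local nets overlap; route for the remote network is ambiguous")
    return problems


# Values constructed from the guide's example (pages 73-75).
BRANCH = Side("Branch office", "194.0.2.10", "192.168.4.1", "255.255.255.0",
              "ToMainOffice", "192.168.4.0/24", "192.168.1.0/24",
              "194.0.2.20", "1234567890")
MAIN = Side("Main office", "194.0.2.20", "192.168.1.1", "255.255.255.0",
            "ToBranchOffice", "192.168.1.0/24", "192.168.4.0/24",
            "194.0.2.10", "1234567890")

if __name__ == "__main__":
    # With the guide's values the only findings are the two placeholder PSKs.
    for problem in check_tunnel_pair(BRANCH, MAIN):
        print("-", problem)
```

Run as-is, the checker reports only that both ends still carry the manual's example PSK; change one Remote Net, Remote Gateway or PSK and the corresponding mismatch is listed for the side that needs fixing.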