Product Manual
Page 3
... 36
Add Administrative User 36
Change Administrative User Access level 37
Change Administrative User Password 37
Delete Administrative User 38
Users 39
The DFL-700 RADIUS Support 39
Enable User Authentication via HTTP / HTTPS 40
Enable RADIUS Support 40
Add User ... 41
Change User Password 41
Delete ... 44
Services 45
Adding TCP, UDP or TCP/UDP Service 45
Adding IP Protocol 46
Grouping Services 46
Protocol-independent settings 47
VPN ... 48
Introduction to IPSec 48
Introduction to PPTP 48
Introduction to L2TP 49
Point-to-Point Protocol 49
Authentication Protocols 50
MPPE, ...
Page 4
... Ping Example 65
Dynamic DNS 66
Add Dynamic DNS Settings 66
Backup 67
Exporting the DFL-700's Configuration 67
Restoring the DFL-700's Configuration 67
Restart/Reset 68
IPSec VPN between two networks 53
Creating a LAN-to-LAN IPSec VPN Tunnel 53
VPN between client and an internal network 54
Creating a Roaming Users IPSec Tunnel 54
Adding ...
Page 5
Restoring system settings to factory defaults 69
Upgrade 70
Upgrade Firmware 70
Upgrade IDS Signature-database 70
Status 71
System 71
Interfaces 72
VPN ... 73
Connections 74
DHCP Server 75
Users 76
How to read the logs 77
USAGE events 77
DROP events 77
CONN events 78
Step by ... IPSec 80
Settings for Main office 82
LAN-to-LAN VPN using PPTP 84
Settings for Main office 86
LAN-to-LAN VPN using L2TP 90
Settings for Branch office 90
Settings for Main office 93
A more secure LAN-to-LAN VPN solution 97
Settings for Branch office 97
Settings for Main office 100 ...
Page 7
... over L2TP
• Content Filtering - Strip ActiveX objects, Java Applets, JavaScript, and VBScript from your network.
Features and Benefits
• Firewall Security
• VPN Server/Client Supported - Supports IPSec LAN-to-LAN or Roaming user tunnels ... with an FTP or Telnet server.
Introduction to Firewalls
A ... all of the information moving to or from ... HTTP traffic
• Bandwidth Management - DFL-700 features an extensive Traffic Shaper ... for different users, such as a firewall. A firewall can also run specific security functions based on the type of application or type of hardware built specifically ...
Page 22
... each interface as the sender address in ... security. If no address is ... normally routed via Proxy ARP.
Proxy ARP - One advantage with this form of notation is that you specify the IP address of ... the firewall will be sent through. The DFL-700 uses a slightly different method of the ... next router hop used as a gateway.
Interface - ...
Network - This address will be used ... to cause errors or breaches in ... ARP queries. The IP address specified here will also be automatically published on ... the VPN tunnel.
Specifies ...
Page 48
... The other ... remote access companies known collectively as ... that of the DFL-700, ... is used to provide IP security at the network layer. ... by Microsoft, US Robotics, and various other ... part is made up ... an IPSec Virtual Private Network (VPN), you do not need to configure an Access Policy to ... -LAN ... the same Pre-shared key or set of Certificates and IPSec lifetime ... to provide IP security ... at least two SA per IPSec connection. The firewalls on which ... methods will be used to provide VPN functionality.
VPN
Introduction to IPSec
This chapter introduces IPSec, the method, or rather set of ...
Page 49
... VPN is made up of these three components:
• Link Control Protocol (LCP) to negotiate parameters, test and establish the link.
• Network Control Protocol (NCP) to establish and negotiate different network layer protocols (DFL-700 only supports IP)
• Data encapsulation to encapsulate datagrams over point-to-point links.
PPP is used to provide IP security ...
Page 52
... ). Leave this ... PPTP/L2TP Server.
L2TP/PPTP Servers
Settings for ... the LAN IP.
Inner IP - ... Information related to clients. ... IP addresses of the VPN tunnel.
Primary/Secondary WINS - ...
IP Pool and settings - An IP range, group or entire network that the PPTP/L2TP Server will use as ... section for the WAN IP.
Primary/Secondary DNS - ...
Authentication protocol - If configuring for L2TP, you most likely ... will be sent over the PPP link unencrypted. If utilizing the DNS Relay function, ... be using IPSec instead of ... the Windows Internet Name Service (WINS) servers that the PPTP/L2TP ...
Page 53
... these steps to add a LAN-to-LAN tunnel and specify the network behind ... another or between two remote DMZ networks.
DFL-700 Firewall
As shown in ... an encrypted IPSec VPN tunnel that ... when they connect ... to discard changes. The name can contain numbers (0-9) and upper and lower case letters (A-Z, ... and _. ... Specify your local network, or your side of the ... other special characters and spaces are ... selected when you configure the VPN policy.
DFL-700 Firewall
The example shows an IPSec VPN between the two networks ... takes place in the example, ... you choose PSK, make sure both firewalls use the ...
Page 54
... these steps ... to discard changes.
Step 1. ... If you can ... connect to ... Firewall and VPN and choose Add new under IPSec. For Tunnel Type, choose Roaming User.
DFL-700 Firewall
The example shows a VPN between a roaming VPN client and the internal network, but ... you choose PSK, make sure the clients use ... exactly the same PSK.
VPN between client and an internal network
In the following example users can ... also create a VPN tunnel that connects the DFL-700 and the roaming users across the Internet. The networks at the ends of the tunnel ...
Page 55
... the L2TP or PPTP Server you are connecting to ... discard changes.
Step 2. Specify the Client IP Pool; ...
Adding an L2TP/PPTP VPN Client
Follow these steps to ... Firewall and VPN and choose Add new PPTP server or Add new L2TP server ... in the name field. If you are using IPSec encryption for ... (Pre-shared Key) or Certificate-based. Enter a Name for the new tunnel in the L2TP/PPTP Server section. Go to ... add an L2TP or PPTP VPN Server configuration that listens on the LAN interface ... that will be the IP of ... unused IPs on the WAN IP. ... this should be used.
Step ...
Page 56
... per tunnel are:
Limit MTU - ...
With this ... is slower, ... it is compromised, no keys are dependent on any other previously used ... when establishing outbound VPN Tunnels.
IKE DH Group - ... Here it makes sure that no keys are extracted from that ... in the unlikely event an encryption key is ... possible to ... IKE or Aggressive Mode IKE ... should behave. While this setting ... it is performed ... for example, try to connect to IP Addresses automatically discovered from the VPN Tunnel settings.
PFS - ... is behind a NAT device. On if supported and need ...
NAT - ...
Keep-alive - ... is set to 1 (modp 768-bit), 2 (modp 1024-bit), ...
Page 57
... calculate a check sum that reveals if the data packet is ... altered while being transmitted.
... the starting point for ... the negotiation.
HMAC - ...
Specifies in KB or seconds when the security associations for ... the VPN tunnel need to be re-negotiated.
A Proposal List ... Specifies in KB ...
Specifies the encryption algorithm used ...
... to the remote VPN gateway one after another until a matching proposal is ... performed.
There are two types of ... negotiations, the IKE and IPSec security associations (SA) ...
Supported algorithms are AES, 3DES, DES, Blowfish, Twofish, and CAST128. ... are AES, 3DES, DES, ...
Page 58
... This is a list of individual remote peers. When using pre-shared keys, this is simple. ... This certificate can be selected in ... VPN tunnels. The following pages will allow you to ... verify that ... it should trust. Certificates can be ... used by a CA. These types of ... certificate can be selected in the Certificates field on the VPN page. To add a new Certificate Authority certificate, click Add new.
Certificates
A certificate is a digital proof of ... the certificates have been revoked. It links an identity to ... the DFL-700.
Trusting Certificates
When setting up ... to the trusted root ...
Page 59
... List is configured, the firewall will match the identity of the connecting remote peer against the Identity List, and only allow it to open the VPN tunnel if it ... will be selected in the Remote Peers list even if Add New was clicked in the ... clicked from this list of all the configured Identity lists. If no Identity List is ... used on the VPN page. The Identity list can be placed in the Identity List field on the VPN page to limit those who can ... be used, no identity matching is ... a list of known identities. Similarly, a non ...
Page 71
... signature database versions. ... one shows the CPU usage during the last 24 hours.
System
Click on ... this section, the DFL-700 displays the status information about the DFL-700. ... Shows when the last administrative configuration change was activated as well as the originating IP. The firmware version running ... 24 hours.
Uptime - ...
Last restart - ... The current time and date. Displays CPU load, RAM usage, Connections, VPN Tunnels and Rules configured.
Configuration - ...
Status
In this page, the Administrator may use the Status section to check the System Status, Interface ...
Page 73
In this ... tunnel is shown. The two graphs display the send and receive rate through the selected VPN tunnel during the last 24 hours. By default ... information about the VPN connections on the DFL-700. To see another one, ... click on Status in the menu bar, and then click Interfaces below it. ... This ... is selected.
VPN
Click on ... that allows roaming users. So under the IPSec SA listing each roaming ...
Page 80
LAN-to-LAN VPN using IPSec
Settings for Branch office
1. Setup interfaces, System->Interfaces:
WAN IP: 194.0.2.10
LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
Under IPSec tunnels click Add new
Name the tunnel ToMainOffice
Local net: 192.168.4.0/24
PSK: 1234567890 (Do not use this as your PSK)
Retype PSK: 1234567890
Page 81
Select Tunnel type: LAN-to-LAN tunnel
Remote Net: 192.168.1.0/24
Remote Gateway: 194.0.2.20
Enable Automatically add a route for the remote network
Click Apply
3. Setup policies for the new tunnel, Firewall->Policy:
Click Global policy parameters
Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
Click Apply
4. Click Activate and wait for the firewall to restart
Page 82
Settings for Main office
1. Setup interfaces, System->Interfaces:
WAN IP: 194.0.2.20
LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
Under IPSec tunnels click Add new
Name the tunnel ToBranchOffice
Local net: 192.168.1.0/24
PSK: 1234567890 (Note! You should use a key that is hard to guess)
Retype PSK: 1234567890
Select Tunnel type: LAN-to-LAN tunnel
Remote Net: 192.168.4.0/24
Remote Gateway: 194.0.2.10
Enable "Automatically add a route for the remote network"
Click Apply