Product Manual
Page 4
... Exporting the DFL-700's Configuration ... 67
Restoring the DFL-700's Configuration ... 67
Restart/Reset ... 68
IPSec VPN between two networks ... 53
Creating a LAN-to-LAN IPSec VPN Tunnel ... 53
VPN between client and an internal network ... 54
Creating a Roaming Users IPSec Tunnel ... 54
Adding an L2TP/PPTP VPN Client ... 55
Adding an L2TP/PPTP VPN Server ... 55
VPN - Advanced Settings ... 56 ...
Page 7
...port that prevents unauthorized access to or from HTTP traffic • Bandwidth Management DFL-700 features an extensive Traffic Shaper for different users, such as a firewall. A firewall can also run specific security functions based on the type of application or type of criteria configured by ... ActiveX objects, Java Applets, JavaScript, and VBScript from your network. Features and Benefits • Firewall Security • VPN Server/Client Supported Supports IPSec LAN-to-LAN or Roaming user tunnels with an FTP or Telnet server. Introduction to Firewalls A firewall is a device that sits between...
Page 22
...If the network is no need to cause errors or breaches in security. Additional IP Address - This address will also be used is there...as a gateway. Network - Specifies the IP address of all interfaces (except WAN) if enabled on the VPN tunnel. 22 If no gateway address is easier to understand, making it less likely for this route shall be ... most other systems. However, we believe that the firewall shall publish this route via another interface. The DFL-700 uses a slightly different method of describing routes is specified. Instead, you can specify a gateway for this...
Page 48
...in a number of protocols defined by using the IPSec protocol ESP. Introduction to PPTP PPTP, Point-to-Point Tunneling Protocol, jointly developed by defining a set of Security Associations (SA), for each connection. PPTP supports data encryption by the IETF, Internet Engineering Task Force, to ...remote access companies known collectively as that of the DFL-700, is made up an IPSec Virtual Private Network (VPN), you do not need to configure an Access Policy to provide VPN functionality. Each SA is used to make a VPN connection. The firewalls on which methods will be ...
Page 49
... datagrams over the link. An L2TP based VPN is made up of these three components: • Link Control Protocol (LCP) to negotiate parameters, test and establish the link. • Network Control Protocol (NCP) to establish and negotiate different network layer protocols (DFL-700 only supports IP) ...security at least one of the peers has to authenticate itself before the network layer protocol parameters can be negotiated using MPPE. To establish a PPP tunnel, both sides send LCP frames to negotiate parameters and test the data link. Introduction to L2TP L2TP, Layer 2 Tunneling...
Page 52
...names. Information related to the Authentication Protocols section for data encryption. If configuring for L2TP, you most likely will be sent over the PPP link unencrypted. L2TP/PPTP Servers Settings for the WAN IP. Outer IP - If utilizing the DNS Relay function, be used, select the desired ...Pool and settings - IP of encryption key (MPPE is to be sure to enable the check box to clients. IP addresses of the VPN tunnel. Refer to client IP assignment. Require IPSec encryption - Specifies the internal IP of the primary and secondary DNS servers.
Page 53
... As shown in the figure (DFL-700 Firewall), ... DFL-700s as IPSec VPN gateways to create a VPN tunnel that connects the branch office network to the main office network: an encrypted IPSec VPN tunnel that connects the two DFL-700 NetDefend Firewalls across the Internet. One may also create VPN tunnels between an internal network behind one VPN gateway and a DMZ network behind the other. Enter ... No other special characters and spaces are allowed. Choose authentication type, either ... or Certificate-based. ... either an IP or a DNS ... Click the Apply button below to apply the changes or click Cancel to discard changes.
Page 54
... The example (figure: DFL-700 Firewall) shows a VPN between a roaming VPN client and the internal network, but you can also create a VPN tunnel that connects ... the DFL-700 and the roaming users across the Internet. To add a roaming user tunnel ... For Tunnel Type, choose Roaming User. ... This is the network on your side of the VPN tunnel ... be allowed to connect ... are allowed. Choose...
Page 55
...(Pre-shared Key) or Certificate-based. No other special characters or spaces are allowed. Step 5. If you are using IPSec encryption for the new tunnel in the L2TP/PPTP Server section. Step 1. Step 2. No other special characters or spaces are allowed. This field should be used. Click the ...the Apply button below to apply the change or click Cancel to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the name field. Specify the Client IP Pool; this tunnel in the L2TP/PPTP Clients section. If you are connecting to add an L2TP...
Page 56
...automatically discovered from that no keys are : Limit MTU With this is set to limit the MTU (Maximum Transmission Unit) of the VPN gateways is performed for a VPN tunnel is used when sending the ICMP pings. The firewall will always be used keys; Manually configured IP addresses - Inbound main ...mode connections will send ICMP pings to use NAT-T if one of the VPN tunnel. IKE Mode Specify if Main mode IKE or Aggressive Mode IKE should behave. On if supported - no keys are dependent on any other ...
Page 57
During the negotiation process, the proposals in KB or seconds when the security associations for the VPN tunnel need to the remote VPN gateway one after another until a matching proposal is altered while being transmitted. Hash - HMAC-MD5 and SHA1 are AES, 3DES, DES, ...a checksum that the VPN gateway supports. Specifies in this IKE proposal. A proposal defines encryption parameters, for the VPN tunnel need to calculate a checksum that reveals if the data packet is found. There are two types of the negotiations, the IKE and IPSec security associations (SA) are using...
Page 58
Before a VPN tunnel with certificate based authentication can be selected in the certification path. • Fetch the CRL for the local identity, and upload the certificate and private key files. Trusting Certificates When setting up to the DFL-700. Before a certificate is a list of all CA ... CA. This list also includes a special certificate called end-entity certificates. Certificate Authorities This is a digital proof of identity. It links an identity to a public key in the Certificates field on the other entities. The following pages will allow you to specify a name...
Page 59
... a list of all the configured ... Identity lists. Normally, a VPN tunnel is established if the certificate of the remote peer is present in the Certificates field in the VPN section ... from the Certificate Authorities list; no identity matching is ... However, in some cases it might be necessary to limit inbound VPN access ... If an Identity List is configured, the firewall will match the identity of the connecting remote peer against the Identity List, and only allow it to open the VPN tunnel if it matches the contents of the list. An Identity list can be used ...
Page 71
...- application. Status: System. Click on Status in the menu bar, and then click System below it. In this section, the DFL-700 displays status information about the DFL-700. Uptime - The time the firewall has been running since the last restart. Time - ... Resources - Displays CPU load, RAM usage, Connections, VPN Tunnels and Rules configured. IDS Signatures - ... There are also two graphs on this page; one shows the CPU usage during the last 24 hours. Useful for plotting usage trends.
Page 73
By default information about the first VPN tunnel will appear providing information about the VPN connections on the DFL-700. To see another one, click on Status in the menu bar, and then click Interfaces below it. This is selected. VPN Click on that allows roaming users. A window will be displayed. The two graphs display the send...
Page 80
LAN-to-LAN VPN using IPSec
Settings for Branch office
1. Setup interfaces, System->Interfaces:
WAN IP: 194.0.2.10
LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
Under IPSec tunnels click Add new
Name the tunnel ToMainOffice
Local net: 192.168.4.0/24
PSK: 1234567890 (Do not use this as your PSK)
Retype PSK: 1234567890
Page 81
Select Tunnel type: LAN-to-LAN tunnel
Remote Net: 192.168.1.0/24
Remote Gateway: 194.0.2.20
Enable Automatically add a route for the remote network
Click Apply
3. Setup policies for the new tunnel, Firewall->Policy:
Click Global policy parameters
Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
Click Apply
4. Click Activate and wait for the firewall to restart
Page 82
Settings for Main office
1. Setup interfaces, System->Interfaces:
WAN IP: 194.0.2.20
LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
Under IPSec tunnels click Add new
Name the tunnel ToBranchOffice
Local net: 192.168.1.0/24
PSK: 1234567890 (Note! You should use a key that is hard to guess)
Retype PSK: 1234567890
Select Tunnel type: LAN-to-LAN tunnel
Remote Net: 192.168.4.0/24
Remote Gateway: 194.0.2.10
Enable "Automatically add a route for the remote network"
Click Apply
Page 83
3. Setup policies for the new tunnel, Firewall->Policy:
Click Global policy parameters
Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
Click Apply
4. Click Activate and wait for the firewall to restart
This example will allow all traffic between the two offices. To get a more secure solution read the A more secure LAN-to-LAN VPN solution section of this user guide.
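Added example, not from the manual: a small Python check that the Branch office and Main office tunnel definitions from the pages above mirror each other (each side's Remote Net is the other's Local net, each Remote Gateway is the other's WAN IP, the PSKs agree) and that the pre-shared key is not the manual's placeholder. The Site class, the checks and the 20-character minimum are my assumptions, not DFL-700 behaviour.

```python
"""Consistency check for a pair of DFL-700 LAN-to-LAN IPSec tunnel settings (constructed example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str          # System->Interfaces: WAN IP
    lan_ip: str          # System->Interfaces: LAN IP
    local_net: str       # Firewall->VPN: Local net
    remote_net: str      # Firewall->VPN: Remote Net
    remote_gateway: str  # Firewall->VPN: Remote Gateway
    psk: str             # Firewall->VPN: PSK

# Values from the manual's example (pages 80-83).
BRANCH = Site("Branch office", "194.0.2.10", "192.168.4.1",
              "192.168.4.0/24", "192.168.1.0/24", "194.0.2.20", "1234567890")
MAIN = Site("Main office", "194.0.2.20", "192.168.1.1",
            "192.168.1.0/24", "192.168.4.0/24", "194.0.2.10", "1234567890")

# The manual's placeholder key, which it says not to reuse.
MANUAL_PLACEHOLDER_PSK = "1234567890"
MIN_PSK_LENGTH = 20  # assumed local policy, not a DFL-700 requirement


def mirror_problems(a: Site, b: Site) -> list:
    """Return every mismatch that would keep the two tunnel ends from matching."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        local = ipaddress.ip_network(me.local_net)
        remote = ipaddress.ip_network(me.remote_net)
        # The LAN address must sit inside the net the tunnel advertises as local.
        if ipaddress.ip_address(me.lan_ip) not in local:
            problems.append(f"{me.name}: LAN IP {me.lan_ip} outside Local net {local}")
        # Overlapping nets would make the automatically added route ambiguous.
        if local.overlaps(remote):
            problems.append(f"{me.name}: Local net {local} overlaps Remote Net {remote}")
        # Each side's Remote Net must be the other side's Local net.
        if remote != ipaddress.ip_network(peer.local_net):
            problems.append(f"{me.name}: Remote Net {remote} != {peer.name} Local net")
        # Each side's Remote Gateway must be the other side's WAN IP.
        if me.remote_gateway != peer.wan_ip:
            problems.append(f"{me.name}: Remote Gateway {me.remote_gateway} != {peer.name} WAN IP")
    if a.psk != b.psk:
        problems.append("PSK differs between the two sites")
    return problems


def psk_weaknesses(psk: str) -> list:
    """Flag keys that are easy to guess; the manual asks for a hard-to-guess key."""
    issues = []
    if psk == MANUAL_PLACEHOLDER_PSK:
        issues.append("PSK is the manual's example value")
    if len(psk) < MIN_PSK_LENGTH:
        issues.append(f"PSK shorter than {MIN_PSK_LENGTH} characters")
    if psk.isdigit() or psk.isalpha():
        issues.append("PSK uses only digits or only letters")
    return issues


if __name__ == "__main__":
    for line in mirror_problems(BRANCH, MAIN) + psk_weaknesses(BRANCH.psk):
        print("WARN:", line)
```

Run as-is it reports no mirroring problems for the manual's values, only the three warnings about the placeholder PSK.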
Page 97
...for the VPN interfaces. A more secure LAN-to-LAN VPN solution: In order to establish a more secure LAN-to-LAN VPN connection, traffic policies should be created instead of allowing all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. The following steps show how to enable some common services allowed through the VPN tunnel ... server (intranet) in the main office that we want to access from the branch office. Settings for Branch office 1. Setup policies for the new tunnel, Firewall->... Click Apply 2. Now it is possible to create the first rule. Select from LAN to toMainOffice and click...