Product Manual
Page 3
... 36
Add Administrative User 36
Change Administrative User Access level 37
Change Administrative User Password 37
Delete Administrative User 38
Users 39
The DFL-700 RADIUS Support 39
Enable User Authentication via HTTP / HTTPS 40
Enable RADIUS Support 40
Add User ... 41
Change User Password 41
Delete ... 44
Services 45
Adding TCP, UDP or TCP/UDP Service 45
Adding IP Protocol 46
Grouping Services 46
Protocol-independent settings 47
VPN ... 48
Introduction to IPSec 48
Introduction to PPTP 48
Introduction to L2TP 49
Point-to-Point Protocol 49
Authentication Protocols 50
MPPE, ...
Product Manual
Page 4
... Ping Example 65
Dynamic DNS 66
Add Dynamic DNS Settings 66
Backup 67
Exporting the DFL-700's Configuration 67
Restoring the DFL-700's Configuration 67
Restart/Reset 68
IPSec VPN between two networks 53
Creating a LAN-to-LAN IPSec VPN Tunnel 53
VPN between client and an internal network 54
Creating a Roaming Users IPSec Tunnel 54
Adding ...
Product Manual
Page 5
Restoring system settings to factory defaults 69
Upgrade 70
Upgrade Firmware 70
Upgrade IDS Signature-database 70
Status 71
System 71
Interfaces 72
VPN ... 73
Connections 74
DHCP Server 75
Users 76
How to read the logs 77
USAGE events 77
DROP events 77
CONN events 78
Step by ... IPSec 80
Settings for Main office 82
LAN-to-LAN VPN using PPTP 84
Settings for Main office 86
LAN-to-LAN VPN using L2TP 90
Settings for Branch office 90
Settings for Main office 93
A more secure LAN-to-LAN VPN solution 97
Settings for Branch office 97
Settings for Main office 100 ...
Product Manual
Page 7
... Web browser using firewall software or a special piece of hardware built specifically to act as Admin or Read-Only User. Introduction The DFL-700 provides three 10/100Mbps Ethernet network interface ports, which are also deployed to prevent sensitive information about your network from leaking out of ... based on the type of application or type of different access rights for bandwidth management. Features and Benefits z Firewall Security z VPN Server/Client Supported Supports IPSec LAN-to work properly over L2TP z Content Filtering Strip ActiveX objects, Java Applets, JavaScript, and ...
Product Manual
Page 22
... is directly connected to cause errors or breaches in security. Additional IP Address - Specifies that this route shall be sent through. The major difference between this route via another interface. Note: Proxy ARP will publish the remote network on the VPN tunnel. The DFL-700 uses a slightly different method of describing routes compared...
Product Manual
Page 48
... known collectively as that of the DFL-700, is used to provide IP security at the network layer. PPTP supports data encryption by using the IPSec protocol ESP. IPSec, Internet Protocol Security, is unidirectional, so there will be accomplished in the following settings: VPN Name, Source Subnet (Local Net),... PPTP PPTP, Point-to-Point Tunneling Protocol, jointly developed by the IETF, Internet Engineering Task Force, to provide IP security at least two SA per IPSec connection. An IPSec based VPN, such as the PPTP Forum, is the actual IP data being transferred, using MPPE. ...
Product Manual
Page 49
An L2TP based VPN is often encapsulated in IPSec for encryption instead of using NCP. PPP consists of these parts: • Point-to-Point Protocol (PPP) • Authentication Protocols (...; Network Control Protocol (NCP) to establish and negotiate different network layer protocols (DFL-700 only supports IP) • Data encapsulation to encapsulate datagrams over the link. When LCP and NCP negotiation is used to provide IP security at the network layer. During the LCP and NCP negotiation optional parameters such as encryption can be...
Product Manual
Page 52
...entire network that data will be sure to enable the check box to the Authentication Protocols section for the WAN IP. IP addresses of the VPN tunnel. Primary/Secondary WINS - Specify which uses the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. To use , if...the internal IP of the primary and secondary DNS servers. Client IP Pool - If utilizing the DNS Relay function, be sent over the PPP link unencrypted. Refer to ensure proper DNS info. MPPE encryption - L2TP/PPTP Servers Settings for data encryption. Information related to be using IPSec instead ...
Product Manual
Page 53
...choose PSK, make sure both firewalls use the DFL-700 to the main office network. DFL-700 Firewall The example shows an IPSec VPN between the two networks takes place in the Local Net field. Step 3. Repeat these DFL-700s can be configured as Remote Net. Users on ...characters and _. The networks at the ends of the other DFL-700 as IPSec VPN gateways to create a VPN tunnel that connects the two DFL-700 NetDefend Firewalls across the Internet. Step 2. Also specify the external IP of the VPN tunnel are allowed. Communication between two internal networks. One may...
Product Manual
Page 54
...internal network from anywhere on the Internet. Step 1. If you can also create a VPN tunnel that connects the DFL-700 and the roaming users across the Internet. This is the network your side of the VPN tunnel are allowed. Choose authentication type, either PSK (Pre-shared Key) or Certificate-...based. Click the Apply button below to apply the changes or click Cancel to . DFL-700 Firewall The example shows a VPN between a roaming VPN client and the internal network, but you choose PSK, make sure the clients use exactly the same PSK. Specify your ...
Product Manual
Page 55
.... Step 3. If you are connecting to. Enter the username and password for the new tunnel in the L2TP/PPTP Server section. Adding an L2TP/PPTP VPN Server Follow these steps to discard changes. The name can contain numbers (0-9) and upper and lower case letters (A-Z, a-z), and the special characters '' and '_'.... field. Step 5. Click the Apply button below to apply the change or click Cancel to add an L2TP or PPTP VPN Client configuration. Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP/PPTP Clients section. No other special characters...
Product Manual
Page 56
... that in the unlikely event an encryption key is compromised, no keys are : Limit MTU With this setting is used when establishing outbound VPN Tunnels. Perfect Forward Secrecy If PFS, Perfect Forward Secrecy, is enabled, a new Diffie-Hellman exchange is performed for example, try to ...connect to change some characteristics of the VPN gateways is possible to configure how the NAT Traversal code should be allowed. On if supported - Keep-alive is possible to limit the ...
Product Manual
Page 57
.... Specifies the hash function used in the proposal list are using during IKE Phase-2 (IPSec Security Negotiation). Specifies in KB or seconds when the security associations for the VPN tunnel need to be re-negotiated. As the result of the negotiations, the IKE and IPSec...AES, 3DES, DES, Blowfish, Twofish, and CAST128. Specifies in KB or seconds when the security associations for the VPN tunnel need to be re-negotiated. Proposal Lists To agree on the VPN connection parameters, a negotiation process is the starting point for the negotiation. A proposal defines encryption ...
Product Manual
Page 58
... steps are commonly called Admin. Certificate Authorities This is simple. Before a certificate is the certificate used by the Web interface to the DFL-700. The following pages will allow you to authenticate individual users or other hand, you tell the firewall that of remote peers This is ...specify a name for the remote peer certificate and upload the certificate file. It links an identity to specify a name for the CA certificate and upload the certificate file. When using certificates, on the VPN page. This certificate can trust anyone who has the same pre-shared key....
Product Manual
Page 59
...List is configured, the firewall will match the identity of the connecting remote peer against the Identity List, and only allow it to open the VPN tunnel if it matches the contents of all the configured Identity lists. The Identity list can be selected in the Remote Peers list. Note: If...will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Identity List field on the VPN page to limit those who can establish a VPN tunnel, even among peers signed by a CA whose certificate is present in the Certificates field in the Remote Peers list ...
Product Manual
Page 71
... - The reason for your Displays CPU load, RAM usage, Connections, VPN Tunnels and Rules configured. one shows the CPU usage during the last 24 hours. There are also two graphs on this section, the DFL-700 displays the status information about the DFL-700. The other shows the state table usage during the last 24...
Product Manual
Page 73
... the IPSec SA listing each roaming user connected to this example, a tunnel named RoamingUsers is shown. By default information about the first VPN tunnel will appear providing information about the VPN connections on the DFL-700. This is a tunnel that VPN tunnels name. The two graphs display the send and receive rate through the selected...
Product Manual
Page 80
LAN-to-LAN VPN using IPSec
Settings for Branch office
1. Setup interfaces, System->Interfaces:
   WAN IP: 194.0.2.10
   LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
   Under IPSec tunnels click Add new
   Name the tunnel ToMainOffice
   Local net: 192.168.4.0/24
   PSK: 1234567890 (Do not use this as your PSK)
   Retype PSK: 1234567890
Product Manual
Page 81
   Select Tunnel type: LAN-to-LAN tunnel
   Remote Net: 192.168.1.0/24
   Remote Gateway: 194.0.2.20
   Enable Automatically add a route for the remote network
   Click Apply
3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply
4. Click Activate and wait for the firewall to restart
Product Manual
Page 82
Settings for Main office
1. Setup interfaces, System->Interfaces:
   WAN IP: 194.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
2. Setup IPSec tunnel, Firewall->VPN:
   Under IPSec tunnels click Add new
   Name the tunnel ToBranchOffice
   Local net: 192.168.1.0/24
   PSK: 1234567890 (Note! You should use a key that is hard to guess)
   Retype PSK: 1234567890
   Select Tunnel type: LAN-to-LAN tunnel
   Remote Net: 192.168.4.0/24
   Remote Gateway: 194.0.2.10
   Enable "Automatically add a route for the remote network"
   Click Apply