This section describes the setup for roaming clients that connect through an IPsec tunnel, using
pre-shared keys, to a protected local network located behind a NetDefend Firewall.
There are two types of roaming clients:
A. the IPv4 addresses of the clients are already allocated.
B. the IPv4 addresses of clients are not known beforehand and must be handed out by
NetDefendOS when the clients try to connect.
A. IP addresses already allocated
The IPv4 addresses may be known beforehand and pre-allocated to the roaming clients before
they connect. In this case the client's IP address is entered manually into the VPN client
software.
1. Set up user authentication. XAuth user authentication is not required with IPsec roaming
clients but is recommended (this step could initially be left out to simplify setup). The
authentication source can be one of the following:
• A Local User DB object which is internal to NetDefendOS.
• An external authentication server.
An internal user database is easier to set up and is assumed here. Changing this to an
external server is simple to do later.
To implement user authentication with an internal database:
• Define a Local User DB object (let's call this object TrustedUsers).
• Add individual users to TrustedUsers. This should consist of at least a username and
password combination.
A Group string can be specified for a user if access by that group is to be restricted to
certain source networks. The same text string is entered as the Group in the Authentication
section of an IP object. If that IP object is then used as the Source Network of a rule in
the IP rule set, the rule applies to an authenticated user only if their Group string matches
the Group string of the IP object.
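The following is an added example, not NetDefendOS code or configuration, that models the behaviour described above: a local user database holding username/password pairs with an optional Group string, and IP rules whose Source Network is an IP object that may carry a Group string. It assumes (beyond the page) that an IP object with an empty Group string imposes no group restriction, that a user or IP object may list several comma-separated groups and matches on any shared group, and that passwords are stored as salted PBKDF2 hashes; the object names TrustedUsers, roaming_admins, roaming_net, the users alice and bob, and the rule names are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Constructed model of the NetDefendOS concepts described in the text.
# Not the product's code; names and data below are sample values.

PBKDF2_ROUNDS = 200_000


def _parse_groups(group_string):
    # Assumption: a comma-separated Group string lists several groups.
    return frozenset(g.strip() for g in group_string.split(",") if g.strip())


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: frozenset


class LocalUserDB:
    """Local User DB object: users with username, password and Group string."""

    def __init__(self, name):
        self.name = name
        self._users = {}

    def add_user(self, username, password, group=""):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = User(username, salt, pw_hash, _parse_groups(group))

    def authenticate(self, username, password):
        """Return the User on success, None on unknown user or wrong password."""
        user = self._users.get(username)
        if user is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
        # Constant-time comparison avoids leaking how many bytes matched.
        return user if hmac.compare_digest(candidate, user.pw_hash) else None


@dataclass(frozen=True)
class IPObject:
    name: str
    network: ipaddress.IPv4Network
    group: str = ""  # Authentication section Group string; "" = no restriction (assumption)


@dataclass(frozen=True)
class IPRule:
    name: str
    source: IPObject
    action: str


def rule_applies(rule, src_ip, user):
    """A rule applies if src_ip lies in the Source Network and, when that IP object
    carries a Group string, the user is authenticated and shares a group with it."""
    if src_ip not in rule.source.network:
        return False
    if not rule.source.group:
        return True  # assumption: no Group string means no group check
    if user is None:
        return False  # unauthenticated traffic never satisfies a group restriction
    return bool(_parse_groups(rule.source.group) & user.groups)


def first_matching_rule(rules, src_ip, user):
    """First-match evaluation of the rule set; returns the rule name or None."""
    for rule in rules:
        if rule_applies(rule, src_ip, user):
            return rule.name
    return None


# --- constructed sample configuration ---
TRUSTED_USERS = LocalUserDB("TrustedUsers")
TRUSTED_USERS.add_user("alice", "alice-secret-pw", group="admins")
TRUSTED_USERS.add_user("bob", "bob-secret-pw", group="staff")

ROAMING_ADMINS = IPObject("roaming_admins", ipaddress.ip_network("10.0.0.0/24"), group="admins")
ROAMING_NET = IPObject("roaming_net", ipaddress.ip_network("10.0.0.0/24"))

RULES = [
    IPRule("admins_to_servers", ROAMING_ADMINS, "Allow"),  # group-restricted rule first
    IPRule("vpn_to_lan", ROAMING_NET, "Allow"),            # unrestricted fallback
]


def decide(username, password, src_ip):
    """Authenticate against TrustedUsers, then evaluate the rule set for src_ip."""
    user = TRUSTED_USERS.authenticate(username, password) if username else None
    return first_matching_rule(RULES, ipaddress.ip_address(src_ip), user)


if __name__ == "__main__":
    for who, pw, ip in [("alice", "alice-secret-pw", "10.0.0.5"),
                        ("bob", "bob-secret-pw", "10.0.0.6"),
                        ("bob", "wrong", "10.0.0.6"),
                        (None, None, "192.0.2.9")]:
        print(who, ip, "->", decide(who, pw, ip))
```

Evaluation order matters: the group-restricted rule sits before the unrestricted one, so an admin hits `admins_to_servers` while any other authenticated user, or an unauthenticated client, falls through to `vpn_to_lan`.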
Chapter 9: VPN
675