remote IP addresses. As already mentioned above, many third party IPsec client products
are available and this manual will not discuss any particular client.
The step to set up user authentication is optional since this is additional security to certificates.
Note: The system time and date should be correct
The NetDefendOS date and time should be set correctly since certificates have an expiry
date and time.
Also review Section 3.9.4, “CA Server Access”, which describes important considerations for
certificate validation.
9.2.5. L2TP/IPsec Roaming Clients with Pre-Shared Keys
Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client
VPN scenarios. L2TP is usually encapsulated in IPsec to provide encryption with IPsec running in
transport mode instead of tunnel mode. The steps for L2TP over IPsec setup are:
1. Create an IPv4 address object (let's call it l2tp_pool) which defines the range of IP addresses
which can be handed out to clients. Note that this object is a normal address book object
and not an IP Pool object.
The range chosen for this address object can be one of the following two types:
• A range taken from the internal network to which clients will connect. If the internal
network is 192.168.0.0/24 then we might use the address range 192.168.0.10 to
192.168.0.20. The danger here is that an IP address might be accidentally used on the
internal network and handed out to a client.
• Use a new address range that is totally different to any internal network. This prevents
any chance of an address in the range also being used on the internal network.
2. Define two other IP objects:
• wan_ip which is the external public IPv4 address through which clients connect (assume
this is on the wan interface).
• lan_ip which is the internal IP address of the interface to which the internal network is
connected (let's call this interface lan).
3. Define a Pre-shared Key for the IPsec tunnel.
4. Define an IPsec Tunnel object (let's call this object ipsec_tunnel) with the following
parameters:
• Set Encapsulation Mode to Transport.
• Set Local Endpoint to wan_ip (specify all-nets instead if NetDefendOS is behind a
NATing device).
• Set Remote Endpoint to all-nets.
• For Authentication select the Pre-shared Key object defined in the first step.
• Select the IKE and IPsec algorithm proposal lists to be used.
Chapter 9: VPN
678
To Next Page
Loading...
