D-Link NetDefendOS
Name: RoamingIPsecTunnel
Local Network: 203.0.113.0/24 (this is the local network that the roaming users will connect to)
Remote Network: all-nets
Remote Endpoint: (None)
3. For Authentication enter:
Choose X.509 Certificates as the authentication method
Root Certificate(s): Select the relevant CA server root and add it to the Selected list
Gateway Certificate: Choose the relevant firewall certificate
4. Click OK
C. Finally, configure IP rules to allow the traffic to flow inside the tunnel.
Using Self-signed Certificates
IPsec tunnels in NetDefendOS can be based on self-signed certificates instead of CA signed
certificates. This is configured with a pair of different self-signed certificates, both of which are
present on the firewall (or other network device) at each end of the tunnel, but with their roles as
root certificate and gateway certificate reversed at the two ends.
Suppose the self-signed certificate pair are called cert_A which is uploaded to or created on
firewall gateway_A and cert_B which is created on or uploaded to gateway_B. On gateway_A,
cert_A is the gateway certificate and cert_B is the root certificate for the tunnel. On gateway_B,
the situation is reversed: cert_B is the gateway certificate and cert_A is the root certificate for the
tunnel.
Note that if cert_A was created on gateway_A, it does not need to be uploaded there, and its private
key is already available in the key store of gateway_A. When cert_B is loaded onto gateway_A, it is
stored as a root certificate with no private key, since gateway_A only uses it to verify the peer. The
situation is the reverse on gateway_B.
Certificate Chains
Where there is a certificate chain between the root certificate and the gateway certificate for the
IPsec tunnel, all the intermediate certificates in the chain must be uploaded and then configured
as root certificates for the tunnel.
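The two trust arrangements above (a self-signed pair with reversed roles, and a chained gateway certificate whose intermediates must be configured as root certificates) can be checked with the Go standard library's X.509 verifier, which treats the "root certificate" list the same way the manual does: a certificate in the root list is trusted as-is, and anything else must chain to one. The following is an added example, not NetDefendOS code or D-Link's configuration syntax; the gateway names, the CA names and the ECDSA keys are constructed for the example, and `accepted` stands in for the peer-certificate check a gateway performs during IKE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// issue creates a certificate for cn. With parent == nil it is self-signed,
// as a gateway certificate created on the firewall itself would be; otherwise
// it is signed by parent using parentKey. isCA marks root/intermediate CAs.
func issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// pool models the tunnel's "Root Certificate(s)" list: certificates this side
// trusts for the peer, held without private keys.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// accepted reports whether a certificate presented by the peer would chain to
// the root certificates configured for the tunnel on this side.
func accepted(peer *x509.Certificate, roots *x509.CertPool) bool {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // IKE peer, not a TLS server
	})
	return err == nil
}

// SelfSignedPair models cert_A on gateway_A and cert_B on gateway_B. It returns
// whether both sides accept each other with the roles reversed as described
// (expected true), and whether gateway_A would accept cert_B if it mistakenly
// kept its own cert_A as the root certificate (expected false).
func SelfSignedPair() (reversedRolesWork bool, sameRolesWork bool) {
	certA := issue("gateway_A", false, newKey(), nil, nil) // gateway cert on A, root cert on B
	certB := issue("gateway_B", false, newKey(), nil, nil) // gateway cert on B, root cert on A
	reversedRolesWork = accepted(certB, pool(certB)) && accepted(certA, pool(certA))
	sameRolesWork = accepted(certB, pool(certA))
	return
}

// ChainScenario models a gateway certificate issued by an intermediate CA. It
// returns whether the peer is accepted when the intermediate is configured as a
// root certificate alongside the top root (expected true), and when only the
// top root is configured (expected false).
func ChainScenario() (withIntermediate bool, rootOnly bool) {
	rootKey, intKey := newKey(), newKey()
	rootCA := issue("Example Root CA", true, rootKey, nil, nil)
	intCA := issue("Example Issuing CA", true, intKey, rootCA, rootKey)
	gwCert := issue("gateway_B", false, newKey(), intCA, intKey)
	withIntermediate = accepted(gwCert, pool(rootCA, intCA))
	rootOnly = accepted(gwCert, pool(rootCA))
	return
}

func main() {
	reversed, same := SelfSignedPair()
	fmt.Printf("self-signed pair, roles reversed per side: accepted=%v\n", reversed)
	fmt.Printf("self-signed pair, own cert kept as root: accepted=%v\n", same)
	withInt, rootOnly := ChainScenario()
	fmt.Printf("chained cert, intermediate in root list: accepted=%v\n", withInt)
	fmt.Printf("chained cert, top root only: accepted=%v\n", rootOnly)
}
```

The second case in `SelfSignedPair` is the common misconfiguration: a self-signed gateway certificate is not a CA, so it cannot vouch for any certificate but itself, which is why each side must list the peer's certificate, not its own, as the tunnel's root certificate. The second case in `ChainScenario` is the failure the "Certificate Chains" paragraph warns about: with the intermediate missing from the root list the gateway certificate cannot be chained to anything trusted and the peer is rejected.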
Using IKE Config Mode
IKE Configuration Mode (Config Mode) is an extension to IKE that allows NetDefendOS to provide
configuration information to remote IPsec clients. It is used to dynamically configure IPsec clients
with IP addresses and corresponding netmasks, and to exchange other types of information
associated with DHCP. This feature in NetDefendOS only hands out IPv4 addresses.
NetDefendOS contains only a single unnamed Config Mode Pool object that hands out IPv4
addresses. It already exists in the Web Interface but must be added when using the CLI. The way
that this object obtains those addresses is determined by setting its IP Pool Type property to one
Chapter 9: VPN
711