User manual

ManualsBrandsD-Link ManualsNetworkingDFL - 1660 Network Security UTM Firewall

321

322

323

324

325

326

327

328

329

330

• An external authentication server.

An internal user database is easier to set up and is assumed here. Changing this to an external

server is simple to do later.

To implement user authentication with an internal database:

• Define a Local User DB object (let's call this object TrustedUsers).

• Add individual users to TrustedUsers. This should consist of at least a username and

password combination.

The Group string for a user can be specified if its group's access is to be restricted to

certain source networks. Group can be specified (with the same text string) in the

Authentication section of an IP object. If that IP object is then used as the Source

Network of a rule in the IP rule set, that rule will only apply to a user if their Group string

matches the Group string of the IP object.

Note

Group has no meaning in Authentication Rules.

• Create a new User Authentication Rule with the Authentication Source set to

TrustedUsers. The other parameters for the rule are:

Agent Auth Source Src Network Interface Client Source IP

XAUTH Local all-nets any all-nets (0.0.0.0/0)

2. The IPsec Tunnel object ipsec_tunnel should have the following parameters:

• Set Local Network to lannet.

• Set Remote Network to all-nets

• Set Remote Endpoint to all-nets.

• Set Encapsulation mode to Tunnel.

• Set the IKE and IPsec algorithm proposal lists to match the capabilities of the clients.

• No routes can be predefined so the option Dynamically add route to the remote network

when tunnel established should be enabled for the tunnel object. If all-nets is the

destination network, the option Add route for remote network should be disabled.

Note

The option to dynamically add routes should not be enabled in LAN to LAN

tunnel scenarios.

• Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.

This will enable a search for the first matching XAUTH rule in the authentication rules.

3. The IP rule set should contain the single rule:

Action Src Interface Src Network Dest Interface Dest Network Service

Allow ipsec_tunnel all-nets lan lannet All

Once an Allow rule permits the connection to be set up, bidirectional traffic flow is allowed which is

why only one rule is used here. Instead of all-nets being used in the above, a more secure defined IP

9.2.3. IPsec Roaming Clients with

Pre-shared Keys

Chapter 9. VPN

326