Overview

This document describes how to configure the D-Link DFL-800 firewall to implement Scenario 1, specified in "Documentation Profiles for IPsec Interoperability" by the VPN Consortium.

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
- Main mode
- Triple DES
- SHA-1
- MODP group 2 (1024 bits)
- preshared secret of hr5xb84l6aa9r6
- SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:
- Triple DES
- SHA-1
- ESP tunnel mode
- MODP group 2 (1024 bits)
- Perfect forward secrecy for rekeying
- SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
- Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

These algorithm choices are taken from the interoperability profile so that both gateways agree; Triple DES, SHA-1 and the 1024-bit MODP group are legacy settings by current standards, and the profile is an interoperability test case rather than a hardening recommendation.
To set up Gateway A for this scenario, follow these steps:

The default IP address for the lan interface on the DFL-800 is 192.168.1.1. Connect your PC to the lan interface and use Internet Explorer 6.0+, Firefox 1.0+ or Netscape 8.0+ to set up the DFL. In this document, the notation Objects > Address book means that in the tree on the left side of the screen, Objects should first be clicked (expanded) and then Address book.

When you connect to the DFL-800 you will need to log in. The default administrator username is admin and the password is admin. Change the default password before the WAN interface is connected to the Internet.
Configuring D-Link DFL-800
1. Setting up the addresses and networks

Go to Objects > Address book > InterfaceAddresses:
Edit the following items:
- Change lan_ip to 10.5.6.1
- Change lannet to 10.5.6.0/24
- Change wan1_ip to 14.15.16.17
- Change wan1net to 14.16.17.0/24

Go to Objects > Address book:
Add a new Address Folder named VPNC-Addresses.
In the new folder, create the following objects:
- Add an IP4 Host/Network object called VPNC-RemoteGW with the address 22.23.24.25
- Add an IP4 Host/Network object called VPNC-RemoteNet with the address 172.23.9.0/24
2. Setting up required VPN objects

Go to Objects > VPN Objects > Pre-Shared Keys:
- Add a new Pre-Shared Key
- Enter Name: VPNC-PSK
- Select Passphrase
- Enter hr5xb84l6aa9r6 as Shared Secret and confirm the passphrase in the Confirm Secret box
- Click Ok

Go to Objects > VPN Objects > IKE Algorithms:
- Add a new IKE algorithm
- Enter Name: VPNC-IKE
- Select 3DES
- Select SHA1
- Click Ok

Go to Objects > VPN Objects > IPsec Algorithms:
- Add a new IPsec algorithm
- Enter Name: VPNC-IPsec
- Select 3DES
- Select SHA1
- Click Ok
3. Setting up the IPsec tunnel

Go to Interfaces > IPsec Tunnels:
- Select IKE Algorithms: VPNC-IKE
- Enter IKE Life Time: 28800 seconds
- Select IPsec Algorithms: VPNC-IPsec
- Enter IPsec Life Time: 3600 seconds
- Enter IPsec Life Time: 0 kilobytes

Change to the Authentication tab:
Authentication:
- Select Pre-Shared Key and VPNC-PSK

Change to the IKE Settings tab:
IKE:
- Select Main and DH Group 2
Perfect Forward Secrecy:
- Select PFS and DH Group 2
NAT Traversal:
- Select NAT Traversal: Off

Click Ok.
4. Setting up rules

Go to Rules > IP Rules:
Add a new IP Rule Folder named lan_to_VPNC.
In the new folder, create two rules.

Add a new IP Rule. In the General tab:
General:
- Enter Name: allow_all
- Select Action: Allow
- Select Service: all_services
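As an added example (not part of this document and not D-Link's or the VPN Consortium's code), the Python script below is a pre-flight check over the values entered in steps 1 to 3; the dictionaries are constructed from this document and the check functions are hypothetical helpers.

```python
# Added example (not D-Link's or the VPN Consortium's code): a pre-flight check
# over the Scenario 1 values this document has you enter; the dictionaries are
# constructed from the document and the check functions are hypothetical.
import ipaddress

# Step 1 address book objects and steps 2-3 tunnel settings, as written above.
ADDRESSES = {
    "lan_ip": "10.5.6.1", "lannet": "10.5.6.0/24",
    "wan1_ip": "14.15.16.17", "wan1net": "14.16.17.0/24",
    "VPNC-RemoteGW": "22.23.24.25", "VPNC-RemoteNet": "172.23.9.0/24",
}
TUNNEL = {
    "ike_mode": "main", "ike_dh_group": 2, "ike_lifetime_s": 28800,
    "ipsec_lifetime_s": 3600, "ipsec_lifetime_kb": 0,
    "pfs": True, "pfs_dh_group": 2, "nat_traversal": False,
}

def check_addresses(addrs):
    """Return findings about the address objects (empty list = consistent)."""
    addr, net = ipaddress.ip_address, ipaddress.ip_network
    lan_ip, lannet = addr(addrs["lan_ip"]), net(addrs["lannet"])
    wan_ip, wannet = addr(addrs["wan1_ip"]), net(addrs["wan1net"])
    remote_gw, remote_net = addr(addrs["VPNC-RemoteGW"]), net(addrs["VPNC-RemoteNet"])
    findings = []
    if lan_ip not in lannet:
        findings.append("lan_ip is outside lannet")
    if wan_ip not in wannet:
        findings.append("wan1_ip is outside wan1net")
    # Phase 2 selectors are lannet <-> VPNC-RemoteNet; overlapping subnets leave no unambiguous route.
    if lannet.overlaps(remote_net):
        findings.append("lannet overlaps VPNC-RemoteNet")
    # The peer's WAN address has to be reachable outside both protected subnets.
    if remote_gw in lannet or remote_gw in remote_net:
        findings.append("VPNC-RemoteGW lies inside a protected subnet")
    return findings

def check_tunnel(t):
    """Return findings against the Scenario 1 profile (empty list = matches)."""
    findings = []
    if t["ike_mode"] != "main" or t["ike_dh_group"] != 2:
        findings.append("Scenario 1 requires IKE main mode with DH group 2")
    if not t["pfs"] or t["pfs_dh_group"] != 2:
        findings.append("Scenario 1 requires PFS with DH group 2 for rekeying")
    if t["ipsec_lifetime_kb"] != 0:
        findings.append("no kilobyte rekeying: IPsec kB lifetime must be 0")
    # The Phase 1 SA should outlive Phase 2 SAs so Phase 2 rekeys reuse it.
    if t["ike_lifetime_s"] < t["ipsec_lifetime_s"]:
        findings.append("IKE lifetime is shorter than the IPsec lifetime")
    return findings
```

Run on the values exactly as written in step 1, check_addresses reports that wan1net (14.16.17.0/24) does not contain wan1_ip (14.15.16.17), which is worth verifying against your own WAN subnet before clicking Ok; the tunnel settings pass unchanged.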
5. Tools

Useful tools available in the firewall are:

Ping: Ping a remote gateway or computer to check connections, rules etc.
WebUI: Tools > Ping
Console: ping ipaddress, ping ipaddress -r recvif, ping ipaddress -s srcip

Kill active SA: Can be used to disconnect already established tunnels.
WebUI: Status > IPsec > List all active SAs
Console: killsa ipaddress
6. Status

The following pages in the WebUI or commands in the console can be used to view the status of the setup or find problems.

Interface status: Can be used to see IP addresses of the interfaces, link status, hardware addresses and more.
WebUI: Status > Interfaces
Console: ifstat interfacename

IPsec status: Can be used to see the settings of the IPsec tunnel, whether the tunnel is established and more useful information.
WebUI: Status > IPsec
Console: ipsecstat, ipsecstat -u, ipsecstat -v, ipsecconn

IKE snooping: Can be used to find problems in the IKE negotiations.
Console: ikesnoop on, ikesnoop verbose, ikesnoop off

Logging: Can be used to find a lot of useful information, e.g. whether traffic is dropped.
WebUI: Status > Logging

Connections: Can be used to see the current connections in the firewall.
WebUI: Status > Connections
Console: connections