Interoperability Profiles for D-Link

DFL-800
Last update: 2005-09-09

Overview
This document describes how to configure the D-Link DFL-800 firewall to implement
Scenario 1, specified in "Documentation Profiles for IPsec Interoperability" by the VPN
Consortium.
Scenario 1: Gateway-to-gateway with
preshared secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for
authentication.

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN
interface has the address 10.5.6.1, and its WAN (Internet) interface has the address
14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN
(Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address,
172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:
Main mode
TripleDES
SHA1
MODP group 2 (1024 bits)
preshared secret of hr5xb84l6aa9r6
SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:
TripleDES
SHA1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24,
using IPv4 subnets

To set up Gateway A for this scenario, follow these steps:


The default IP address for the lan interface on the DFL-800 is 192.168.1.1. Connect
your PC to the lan interface and use Internet Explorer 6.0+, Firefox 1.0+ or Netscape 8.0+
to set up the DFL. In this document, the notation Objects > Address book means that in the
tree on the left side of the screen Objects first should be clicked (expanded) and then
Address book.

When you connect to the DFL-800 you will need to log in. The default administrator
username is admin and password admin.

Configuring D-Link DFL-800

1. Setting up the addresses and networks
Go to Objects > Address book > InterfaceAddresses:

Edit the following items:
Change lan_ip to 10.5.6.1
Change lannet to 10.5.6.0/24
Change wan1_ip to 14.15.16.17
Change wan1net to 14.16.17.0/24

Go to Objects > Address book:

Add a new Address Folder named VPNC-Addresses.

In the new folder, create the following objects:

Add an IP4 Host/Network object called VPNC-RemoteGW with the address 22.23.24.25
Add an IP4 Host/Network object called VPNC-RemoteNet with the address
172.23.9.0/24

2. Setting up required VPN objects
Go to Objects > VPN Objects > Pre-Shared Keys:

Add a new Pre-Shared Key
Enter Name: VPNC-PSK
Select Passphrase
Enter hr5xb84l6aa9r6 as Shared Secret and confirm the passphrase in the Confirm
Secret box
Click Ok

Go to Objects > VPN Objects > IKE Algorithms:

Add a new IKE algorithm
Enter Name: VPNC-IKE
Select 3DES
Select SHA1
Click Ok

Go to Objects > VPN Objects > IPsec Algorithms:

Add a new IPsec algorithm
Enter Name: VPNC-IPsec
Select 3DES
Select SHA1
Click Ok


3. Setting up the IPsec tunnel
Go to Interfaces > IPsec Tunnels:

Add a new IPsec Tunnel

In the General tab:

General:

Enter Name: VPNC
Select Local Network: lannet
Select Remote Network: VPNC-RemoteNet
Select Remote Endpoint: VPNC-RemoteGW
Select Encapsulation Mode: Tunnel

Algorithms:

Select IKE Algorithms: VPNC-IKE
Enter IKE Life Time: 28800 seconds
Select IPsec Algorithms: VPNC-IPsec
Enter IPsec Life Time: 3600 seconds
Enter IPsec Life Time: 0 kilobytes


Change to the Authentication tab:

Authentication:

Select Pre-Shared key and VPNC-PSK

Change to the IKE Settings tab:

IKE:

Select Main and DH Group 2

Perfect Forward Secrecy:

Select PFS and DH Group 2

NAT Traversal:

Select Nat Traversal: Off

Click Ok.



4. Setting up rules
Go to Rules > IP Rules:

Add a new IP Rule Folder named lan_to_VPNC

In the new folder, create two rules

Add a new IP Rule

In the General tab:

General:

Enter Name: allow_all
Select Action: allow
Select Service: all_services

Address filter:

Select Source Interface: lan
Select Source Network: lannet
Select Destination Interface: VPNC
Select Destination Network: VPNC-RemoteNet

Click Ok




Add a new IP Rule

In the General tab:

General:

Enter Name: allow_all
Select Action: allow
Select Service: all_services

Address filter:

Select Source Interface: VPNC
Select Source Network: VPNC-RemoteNet
Select Destination Interface: lan
Select Destination Network: lannet

Click Ok

Save and activate the new configuration.
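Before activating, it is worth checking that the objects entered in steps 1 to 4 are consistent with each other and with the remote side. The following script is an added example, not part of the D-Link document: it models the Scenario 1 address objects, the IKE and IPsec proposals, and the two IP rules, then (a) compares the local proposal set against the remote gateway's and reports every differing parameter, which is the kind of mismatch ikesnoop would otherwise reveal during negotiation, and (b) evaluates sample flows against the rule pair to confirm that only lannet to VPNC-RemoteNet traffic (and the reverse) is allowed. GATEWAY_B, the sample addresses in the report and the helper `with_override` are constructed for the example; first-match evaluation with a default drop for unmatched flows is an assumption about how NetDefendOS processes IP rules, not a statement from the document.

```python
# Added example, not part of the D-Link document: a model of the Scenario 1
# objects from steps 1-4 plus two pre-activation checks. GATEWAY_B is
# constructed to mirror the scenario; first-match / default-drop rule
# semantics are an assumption about NetDefendOS, not stated on the page.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address book objects from step 1 (lannet) and the VPNC-Addresses folder.
LANNET = ipaddress.ip_network("10.5.6.0/24")
VPNC_REMOTENET = ipaddress.ip_network("172.23.9.0/24")
VPNC_REMOTEGW = ipaddress.ip_address("22.23.24.25")

# Phase 1 / Phase 2 parameters as entered in steps 2 and 3.
GATEWAY_A = {
    "ike":   {"mode": "main", "enc": "3DES", "hash": "SHA1", "dh": 2,
              "life_s": 28800, "life_kb": 0},
    "ipsec": {"enc": "3DES", "hash": "SHA1", "encap": "tunnel", "pfs_dh": 2,
              "life_s": 3600, "life_kb": 0},
}
# Constructed: Gateway B configured with the same Scenario 1 parameters.
GATEWAY_B = {phase: dict(params) for phase, params in GATEWAY_A.items()}


def with_override(config: dict, phase: str, key: str, value) -> dict:
    """Copy of a gateway config with one parameter changed (for what-if checks)."""
    copy = {p: dict(params) for p, params in config.items()}
    copy[phase][key] = value
    return copy


def proposal_mismatches(local: dict, remote: dict) -> list:
    """Return 'phase.key: local vs remote' for every parameter that differs.

    An empty list means both ends will agree on the IKE and IPsec proposals;
    anything else is a negotiation failure waiting to happen.
    """
    findings = []
    for phase in ("ike", "ipsec"):
        for key in sorted(set(local[phase]) | set(remote[phase])):
            lv, rv = local[phase].get(key), remote[phase].get(key)
            if lv != rv:
                findings.append(f"{phase}.{key}: {lv} vs {rv}")
    return findings


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str
    src_if: str
    src_net: ipaddress.IPv4Network
    dst_if: str
    dst_net: ipaddress.IPv4Network


# The two rules from step 4, in the lan_to_VPNC folder.
LAN_TO_VPNC = [
    IPRule("allow_all", "allow", "lan", LANNET, "VPNC", VPNC_REMOTENET),
    IPRule("allow_all", "allow", "VPNC", VPNC_REMOTENET, "lan", LANNET),
]


def first_match(rules, src_if, src_ip, dst_if, dst_ip) -> Optional[IPRule]:
    """First rule matching the flow, or None for the implicit default drop
    (assumed NetDefendOS behaviour)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule.src_if == src_if and rule.dst_if == dst_if
                and src in rule.src_net and dst in rule.dst_net):
            return rule
    return None


def is_allowed(rules, src_if, src_ip, dst_if, dst_ip) -> bool:
    rule = first_match(rules, src_if, src_ip, dst_if, dst_ip)
    return rule is not None and rule.action == "allow"


def scenario1_report() -> dict:
    """Run both checks against the values entered in steps 1-4 (sample hosts
    inside the two LANs are constructed for the example)."""
    return {
        "proposal_mismatches": proposal_mismatches(GATEWAY_A, GATEWAY_B),
        "lan_to_remote": is_allowed(LAN_TO_VPNC, "lan", "10.5.6.20", "VPNC", "172.23.9.10"),
        "remote_to_lan": is_allowed(LAN_TO_VPNC, "VPNC", "172.23.9.10", "lan", "10.5.6.20"),
        # A packet arriving through the tunnel from outside VPNC-RemoteNet
        # matches neither rule, so it falls to the default drop.
        "foreign_src_via_tunnel": is_allowed(LAN_TO_VPNC, "VPNC", "192.0.2.7", "lan", "10.5.6.20"),
        # Ordinary Internet-bound traffic is not covered by this folder at all.
        "lan_to_wan": is_allowed(LAN_TO_VPNC, "lan", "10.5.6.20", "wan1", "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, value in scenario1_report().items():
        print(f"{name}: {value}")
```

Running the script prints one line per check; an empty mismatch list and True for the two tunnel directions (False for the other two flows) is the expected state for Scenario 1. Changing a single value on the constructed remote side, for example the DH group, shows up immediately as `ike.dh: 2 vs 5`, which is faster than reading it out of an ikesnoop trace after the tunnel has failed to come up.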







5. Tools
Useful tools available in the firewall are:

Ping:
Ping a remote gateway or computer to check connections, rules etc.
WebUI: Tools > Ping
Console: ping ipaddress, ping ipaddress -r recvif, ping ipaddress -s srcip

Kill active SA:
Can be used to disconnect already established tunnels.
WebUI: Status > IPsec > List all active SAs
Console: killsa ipaddress

6. Status
The following pages in the WebUI or commands in the console can be used
to view the status of the setup or find problems.

Interface status:
Can be used to see IP addresses of the interfaces, link status, hardware
addresses and more.
WebUI: Status > Interfaces
Console: ifstat interfacename

IPsec status:
Can be used to see the settings of the IPsec tunnel, if the tunnel is established and more
useful information.
WebUI: Status > IPsec
Console: ipsecstat, ipsecstat -u, ipsecstat -v, ipsecconn

IKE snoop:
Can be used to find problems in the IKE negotiations.
Console: ikesnoop on, ikesnoop verbose, ikesnoop off

Logging:
Can be used to find a lot of useful information, e.g. if traffic is dropped.
WebUI: Status > Logging

Connections:
Can be used to see the current connections in the firewall.
WebUI: Status > Connections
Console: connections
