![D-Link DFL-1000 [77/168] About perfect forward secrecy pfs](/img/pdf.png)
D-Link DFL-1000 [77/168] About perfect forward secrecy pfs
![D-Link DFL-1000 [77/168] About perfect forward secrecy pfs](/views2/1045575/page77/bg4d.png)
DFL-1000 User Manual
7
7
Adding an AutoIKE key VPN tunnel
About the P2 proposal
During tunnel negotiation, the VPN gateways negotiate to select a common algorithm for data
communication. When you select algorithms for the P2 proposal, you are selecting the algorithms that the
DFL-1000 NPG proposes during phase 2 negotiation. For phase 2 to be completed successfully, each
VPN gateway must have at least one encryption and one authentication algorithm in common.
• Select DES to propose to encrypt packets using DES encryption.
• Select 3DES to propose to encrypt packets using triple-DES encryption.
• Select MD5 to propose to use MD5 authentication.
• Select SHA1 to propose to use SHA1 authentication.
• Select NULL to propose that the VPN packets not be encrypted or that a hash is not made for
authentication.
About replay detection
IPSec tunnels can be vulnerable to replay attacks. A replay attack occurs when an unauthorized party
intercepts a series of IPSec packets and replays them back into the tunnel. An attacker can use this
technique to cause a denial of service (DoS) attack by flooding the tunnel with packets. An attacker could
also change and then replay intercepted packets to attempt to gain entry to a trusted network.
Enable replay detection to check the sequence number of every IPSec packet to see if it has previously
been received. If packets arrive out of sequence, the DFL-1000 NPG discards them.
The DFL-1000 NPG sends an alert email when replay detection detects a replay packet. To receive the
alert email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or
violations". For information about alert email, see Configuring alert email
.
About perfect forward secrecy (PFS)
Perfect forward secrecy (PFS) improves the security of a VPN tunnel by making sure that each key
created during phase 2 is not related to the keys created during phase 1 or to other keys created during
phase 2. PFS might reduce performance because it forces a new Diffie-Hellman key exchange when the
phase 2 tunnel starts and whenever the keylife ends and a new key must be generated. As a result, using
PFS might cause minor delays during key generation.
Содержание
- Building networks for people 1
- D link dfl 1000 1
- Network security firewall manual 1
- Getting started 7 3
- Introduction 0 3
- Nat route mode installation 2 3
- Table of contents 3
- Transparent mode installation 7 3
- Firewall configuration 1 4
- Example policies 5 5
- Ipsec vpns 6 5
- Users and authentication 1 5
- Ipsec vpn configuration examples 4 6
- Logging and reporting 23 7
- Pptp and l2tp vpns 03 7
- Web content filtering 13 7
- Administration 32 8
- Glossary 56 9
- Limited warranty 65 9
- Registration 68 9
- Technical support 62 9
- Troubleshooting faqs 59 9
- Firewall 10
- Introduction 10
- Web content filtering 10
- Nat route mode 11
- Transparent mode 11
- Command line interface 12
- Secure installation configuration and management 12
- Web based manager 12
- Configure port forwarding by configuring virtual ips 13
- H 23 nat traversal 13
- Ipsec vpn improvements 13
- Logging and reporting 13
- Multiple ip pools for each interface 13
- Policy based nat 13
- What s new in version 2 6 13
- A checksum added to the v2 6 firmware image guarantees its integrity during a firmware update 14
- Alert email 14
- Checksum to protect upgrade image from corruption 14
- Dfl 1000 logs are displayed with the last message at the top of the message list 14
- In v2 6 you configure alert email from logging reporting you can configure the dfl 1000 npg to send alert email to report firewall or vpn events or violations see configuring alert email 14
- Load balancing to balance the amount of traffic routed to each wan port for more information see configuring the dfl 1000 npg for multiple internet connections 14
- Local dfl 1000 user database 14
- Logging 14
- Messages can be cleared from event log saved to memory 14
- Multiple wan support 14
- New cli commands 14
- Redundancy using link detection if one wan connection fails the dfl 1000 npg re routes all traffic to and from the other wan connection 14
- The command line interface has been extensively changed for v2 6 command syntax has been changed to be easier to use and more effective many command names and keywords have changed and cli help has been improved 14
- The following logging features are new in v2 6 see logging and reporting 14
- You can add user names to the local dfl 1000 user database when you add a user name you can specify a password or that the user can be authenticated using a radius server you can then add user names to user groups and make these user groups available for authenticating with firewall policies dialup vpn pptp vpn and l2tp vpn see users and authentication 14
- You can configure the dfl 1000 npg to have multiple connections to the internet using routing and policies the dfl 1000 multiple wan feature supports 14
- About this document 15
- Customer service and technical support 15
- For more information 15
- Getting started 17
- Package contents 17
- Mounting 18
- Powering on 18
- A computer with an ethernet connection 19
- A crossover cable or an ethernet hub and two ethernet cables to connect to the web based manager 19
- Connecting to the web based manager 19
- Initial configuration 19
- Internet explorer version 4 or higher 19
- Set the ip address of the computer with an ethernet connection to the static ip address 192 68 and a netmask of 255 55 55 19
- The web based manager is the primary tool for installing and configuring your dfl 1000 npg configuration changes made with the web based manager are effective immediately without the need to reset the firewall or interrupt service to connect to the web based manager you need 19
- When the dfl 1000 npg is first powered on it is running in nat route mode and has the basic configuration listed in dfl 1000 npg initial power on settings 19
- Connecting to the command line interface cli 20
- Next steps 21
- Advanced nat route mode settings 22
- Completing the configuration 22
- Configuring your networks 22
- Connecting to your networks 22
- Nat route mode installation 22
- Preparing to configure nat route mode 22
- This chapter describes how to install your dfl 1000 npg in nat route mode if you want to install the dfl 1000 npg in transparent mode see transparent mode installation this chapter includes 22
- Use advanced dfl 1000 nat route mode settings to gather the information that you need to customize advanced dfl 1000 nat route mode settings 22
- Use nat route mode settings to gather the information that you need to customize nat route mode settings 22
- Using the command line interface 22
- Using the setup wizard 22
- Confirm your configuration settings and then select finish and close 23
- Dmz interface 23
- From the web based manager you can use the setup wizard to create the initial configuration of your dfl 1000 npg to connect to the web based manager see connecting to the web based manager 23
- If you changed the ip address of the internal interface using the setup wizard you must reconnect to the web based manager using a new ip address browse to https followed by the new ip address of the internal interface otherwise you can reconnect to the web based manager by browsing to https 192 68 9 you have now completed the initial configuration of your dfl 1000 npg and you can proceed to connect the dfl 1000 npg to your network using the information in connecting to your networks 23
- Reconnecting to the web based manager 23
- Select easy setup wizard the middle button in upper right corner of the web based manager 23
- Starting the setup wizard 23
- Use dmz interface optional to record the ip address and netmask of the dfl 1000 dmz interface if you are configuring it during installation 23
- Use the information that you gathered in nat route mode settings to fill in the wizard fields select the next button to step through the wizard pages 23
- Using the setup wizard 23
- Configuring nat route mode ip addresses 24
- Configuring the dfl 1000 npg to run in nat route mode 24
- Using the command line interface 24
- Configuring your networks 25
- Connecting to your networks 25
- Completing the configuration 26
- Configuring the dmz interface 26
- Setting the date and time 26
- Changing to transparent mode 27
- Preparing to configure transparent mode 27
- Transparent mode installation 27
- Using the setup wizard 27
- Changing to transparent mode 28
- Configuring the transparent mode management ip address 28
- Reconnecting to the web based manager 28
- Starting the setup wizard 28
- Using the command line interface 28
- Configure the transparent mode default gateway 29
- Connecting to your networks 29
- Setting the date and time 29
- Firewall configuration 31
- Adding nat route mode policies 32
- Changing to nat route mode 32
- Changing to transparent mode 32
- Nat route mode 32
- Nat route mode and transparent mode 32
- Transparent mode 32
- Configure the policy 33
- On a policy in the list to add the new policy above a specific policy 33
- You can also select insert policy before 33
- Arrange policies in the policy list so that they have the results that you expect arranging policies in a policy list is described in configuring policy lists 34
- Select ok to add the policy 34
- Add transparent mode policies to control the network traffic that is allowed to pass through the dfl 1000 npg when you are running the firewall in transparent mode 35
- Adding transparent mode policies 35
- Configure the policy 35
- On a policy in the list to add the new policy above a specific policy 35
- Policy 35
- Select a policy list tab 35
- Select new to add a new policy you can also select insert policy before 35
- Arrange policies in the policy list so that they have the results that you expect arranging policies in a policy list is described in configuring policy lists 36
- Select ok to add the policy the policy is added to the policy list 36
- Configuring policy lists 37
- Policy matching in detail 37
- Addresses 38
- Changing the order of policies in a policy list 38
- Disabling a policy 38
- Enabling a policy 38
- Enabling and disabling policies 38
- Adding addresses 39
- Deleting addresses 40
- Editing addresses 40
- Organizing addresses into address groups 40
- Grouping services 41
- Predefined services 41
- Providing access to custom services 41
- Services 41
- The dfl 1000 predefined firewall services are listed in dfl 1000 predefined services you can add these services to any policy 41
- Use services to control the types of communication accepted or denied by the firewall you can add any of the predefined services to a policy you can also create your own custom services and add services to service groups this section describes 41
- Add a custom service if you need to create a policy for a service that is not in the predefined service list 43
- Custom 43
- Enter a group name to identify the group this name appears in the service list when you add a policy and cannot be the same as a predefined service name the name can contain numbers 0 9 uppercase and lowercase letters a z a z and the special characters and _ other special characters and spaces are not allowed 43
- Enter a name for the service this name appears in the service list used when you add a policy the name can contain numbers 0 9 uppercase and lowercase letters a z a z and the special characters and _ other special characters and spaces are not allowed 43
- Grouping services 43
- If the service has more than one port range select add to specify additional protocols and port ranges if you mistakenly add too many port range rows select delete 43
- Providing access to custom services 43
- Select new 43
- Select ok to add the custom service you can now add this custom service to a policy 43
- Select the protocol either tcp or udp used by the service 43
- Specify a source and destination port number range for the service by entering the low and high port numbers if the service uses one port number enter this number in both the low and high fields 43
- To make it easier to add policies you can create groups of services and then add one policy to provide access to or block access for all the services in the group a service group can contain predefined services and custom services in any combination you cannot add service groups to another service group 43
- To remove each extra row 43
- Creating one time schedules 44
- Schedules 44
- Creating recurring schedules 45
- Adding a schedule to a policy 46
- Adding static nat virtual ips 47
- Adding static nat virtual ipssee adding policies with virtual ips 47
- Adding static nat virtual ipssee adding port forwarding virtual ips 47
- Adding static nat virtual ipssee adding static nat virtual ips 47
- Dmz firewall policy and set destination to the virtual ip you can create two types of virtual ips 47
- This section describes 47
- Virtual ip 47
- Virtual ips 47
- Adding port forwarding virtual ips 49
- Adding policies with virtual ips 50
- Ip pools 51
- Configuring ip mac binding for packets going through the firewall 52
- Ip mac binding 52
- Adding ip mac addresses 53
- Configuring ip mac binding for packets going to the firewall 53
- Viewing the dynamic ip mac list 53
- Enabling ip mac binding 54
- Example policies 55
- Nat policy for public access to a server 55
- Routing policy for access to a server from the internal network 55
- Transparent mode policy for public access to a server 56
- Denying connections from the internet 57
- Denying connections to the internet 57
- Using a schedule to deny access 57
- Adding policies that accept connections 58
- Requiring authentication to connect to the internet 59
- Adding user names and configuring authentication 61
- Setting authentication timeout 61
- Users and authentication 61
- Adding user names and configuring authentication 62
- Deleting user names from the internal database 62
- Adding radius servers 63
- Configuring radius support 63
- Deleting radius servers 63
- Adding user groups 64
- Configuring user groups 64
- Deleting user groups 65
- Ipsec vpns 66
- Configuring autoike key ipsec vpn 67
- Interoperability with ipsec vpn products 67
- Configuring dialup vpn 68
- Configuring manual key ipsec vpn 68
- Configuring a vpn concentrator for hub and spoke vpn 69
- Configuring the vpn concentrator 69
- Add a remote gateway if you are adding autoike key tunnels see adding a remote gateway 70
- Add additional encrypt policies between the member vpns use the following configuration 70
- Add an autoike key vpn tunnel and include the remote gateway added in step 1 see adding an autoike key vpn tunnel or add a manual key vpn tunnel see adding a manual key vpn tunnel 70
- Add one encrypt policy between the member vpn and the vpn concentrator use the following configuration 70
- Configuring the member vpns 70
- For each member vpn you must create a vpn tunnel to the vpn concentrator network this tunnel can be an autoike key or manual key tunnel you must create an encrypt policy that allows inbound and outbound vpn connections between the member vpn and the concentrator you must create additional encrypt policies that allow inbound and outbound vpn connections between each of the member vpns the policy between the member vpn and the concentrator must be arranged in the policy list above the policies between member vpns each encrypt policy must include the same tunnel name to configure each member vpn 70
- See adding an encrypt policy 70
- Adding a remote gateway 71
- Configuring ipsec redundancy 71
- Select ok to save the remote gateway 72
- About dialup vpn authentication 73
- A username and password in the user group added to the dialup server remote gateway in this configuration the clients pre shared key must be formatted with a between the user name and password username password 74
- Aggressive mode with no user group 74
- In this configuration the server and the clients use aggressive mode for key exchange a user group has not been selected in the server dialup remote gateway clients authenticate with the server using their authentication keys 74
- In this configuration the server and the clients use main mode for key exchange a user group has been selected in the server dialup remote gateway clients authenticate with the server using their authentication keys the client authentication key can be one of the following 74
- In this configuration the server and the clients use main mode for key exchange a user group has not been added to the server dialup remote gateway clients authenticate with the server using their authentication keys 74
- Main mode with a user group selected 74
- Main mode with no user group selected 74
- The same as the server authentication key 74
- About dh groups 75
- About nat traversal 75
- About the p1 proposal 75
- Aggressive mode with a user group selected 75
- Autoike key ipsec vpns use a two phase process for creating a vpn tunnel during the first phase p1 the vpn gateways at each end of the tunnel negotiate to select a common algorithm for encryption and another one for authentication when you configure the remote gateway p1 proposal you are selecting the algorithms that the dfl 1000 npg proposes during phase 1 negotiation you can select up to three different encryption and authentication algorithm combinations choosing more combinations might make it easier for p1 negotiation but you can restrict the choice to one if required for negotiation to be successful both ends of the vpn tunnel must have at least one encryption algorithm and one authentication algorithm in common 75
- In this configuration the server and the clients use aggressive mode for key exchange a user group is selected in the server dialup remote gateway the format of the authentication key depends on the information in the local id field 75
- Nat network address translation converts private ip addresses into routable public ip addresses the dfl 1000 npg uses napt network address port translation in which both ip addresses and ports are mapped mapping both components allows multiple private ip addresses to use a single public ip address because a nat device modifies the original ip address of an ipsec packet the packet fails an integrity check this failure means that ipsec vpn does not work with nat devices nat traversal solves this problem by encapsulating the ipsec packet within a udp packet encapsulating the ipsec packet allows nat to process the packet without changing the original ipsec packet 75
- Select 3des to propose to encrypt packets using triple des encryption 75
- Select des to propose to encrypt packets using des encryption 75
- Select md5 to propose to use md5 authentication 75
- Select sha1 to propose to use sha1 authentication 75
- The diffie hellman dh algorithm creates a shared secret key that can be created at both ends of the vpn tunnel without communicating the key across the internet you can select from dh group 1 2 and 5 dh group 5 produces the most secure shared secret key and dh group 1 produces the least secure key however dh group 1 is faster that dh group 5 75
- Add an autoike key tunnel to specify the parameters used to create and maintain a vpn tunnel that has been started by a remote gateway configuration to add an autoike key vpn tunnel 76
- Adding an autoike key vpn tunnel 76
- Autoike key 76
- Configure the autoike key vpn tunnel 76
- Select new to add a new autoike key vpn tunnel 76
- Select ok to save the autoike key vpn tunnel 76
- About perfect forward secrecy pfs 77
- About replay detection 77
- About the p2 proposal 77
- Adding a manual key vpn tunnel 78
- Configure a manual key tunnel to create an ipsec vpn tunnel between the dfl 1000 npg and a remote ipsec vpn client or gateway that is also using manual key a manual key vpn tunnel consists of a name for the tunnel the ip address of the vpn gateway or client at the opposite end of the tunnel and the encryption algorithm to use for the tunnel depending on the encryption algorithm you must also specify the encryption keys and optionally the authentication keys used by the tunnel because the keys are created when you configure the tunnel no negotiation is required for the vpn tunnel to start however the vpn gateway or client that connects to this tunnel must use the same encryption algorithm and must have the same encryption and authentication keys to create a manual key vpn tunnel 78
- Configure the vpn tunnel 78
- If you do not enable pfs the vpn tunnel creates all phase 2 keys from a key created during phase 1 this method of creating keys is less processor intensive but also less secure if an unauthorized party gains access to the key created during phase 1 all the phase 2 encryption keys can be compromised 78
- Manual key 78
- Select new to add a new manual key vpn tunnel 78
- Select ok to save the manual key vpn tunnel 78
- Adding a vpn concentrator 79
- Adding an encrypt policy 80
- Viewing vpn tunnel status 82
- Testing a vpn 83
- Viewing dialup vpn connection status 83
- Autoike key vpn between two networks 84
- Ipsec vpn configuration examples 84
- Configuring the remote gateway for a remote network 85
- Use the following procedure to configure the remote gateway for the example vpn in example vpn between two internal networks example remote gateway configuration shows the information required to configure the remote gateway 85
- Autoike key 86
- Configuring the autoike key tunnel for a remote network 86
- On the branch office dfl 1000 configure the autoike key tunnel using the branch office information in example autoike key tunnel configuration 86
- On the branch office dfl 1000 npg configure the remote gateway using the branch office information in example remote gateway configuration 86
- On the main office dfl 1000 configure the autoike key tunnel using the main office information in example autoike key tunnel configuration 86
- On the main office dfl 1000 npg configure the remote gateway using the main office information in example remote gateway configuration 86
- Remote gateway 86
- Select new to add a remote gateway 86
- Select new to add an autoike key tunnel 86
- Select ok to save the autoike key tunnel 86
- Select ok to save the remote gateway 86
- To configure the autoike key tunnel for the main office and branch office vpn gateways 86
- To configure the remote gateways for the main office and branch office 86
- Use the following procedure to configure the autoike key tunnel for the example vpn in example vpn between two internal networks example autoike key tunnel configuration shows the information required to configure the tunnel 86
- Adding an encrypt policy for a network to network vpn 87
- Adding source and destination addresses for a network to network vpn 87
- Internal 87
- On the branch office dfl 1000 npg enter the address name ip address and netmask using the branch office source address information in ipsec vpn source and destination addresses 87
- On the main office dfl 1000 npg enter the address name ip address and netmask using the main office source address information in ipsec vpn source and destination addresses 87
- Repeat these steps this time selecting the external address list to add the main office and branch office destination addresses 87
- Select new to add an address 87
- Select ok to save the source address 87
- To add the main office and branch office source addresses 87
- Use the following procedure to add an encrypt policy that allows ipsec vpn traffic through the firewall the encrypt policy associates the tunnel with the source and destination address example encrypt policies show main office and branch office encrypt policies for the vpn in example vpn between two internal networks 87
- Use the following procedures to add the network addresses to the autoike key tunnel shown in example vpn between two internal networks you must add a source and a destination address to both gateways ipsec vpn source and destination addresses shows the information required to add the source and destination addresses to the autoike key tunnel 87
- Autoike key vpn for remote clients 88
- Adding an encrypt policy for a remote client 89
- Adding source and destination addresses for a remote client vpn 89
- Configure the remote gateway using the information in example remote gateway configuration 89
- Configuring the autoike key tunnel for a remote client 89
- Configuring the ipsec vpn client 89
- Configuring the remote gateway for remote clients 89
- Example autoike key tunnel configuration shows the information required to configure the autoike key tunnel for the example vpn in example vpn between a main office internal network and a remote client 89
- Example remote gateway configuration shows the information required to configure the remote gateway for the example vpn in example vpn between a main office internal network and a remote client 89
- Remote gateway 89
- Select new to add a remote gateway 89
- Select ok to save the remote gateway 89
- To configure the remote gateway 89
- Adding a source address for the internal network 90
- Adding source and destination addresses for a remote client vpn 90
- Autoike key 90
- Configure the tunnel using the information in example autoike key tunnel configuration 90
- Enter the address name ip address and netmask using the source address information in example source and destination addresses for a client with a static ip address 90
- Internal 90
- Repeat these steps this time selecting the external address list to add destination address 90
- Select new to add an address 90
- Select new to add an autoike key tunnel 90
- Select ok to save the autoike key tunnel 90
- Select ok to save the source address 90
- To configure the vpn tunnel 90
- Use the following procedures to add the example source and destination addresses 90
- Use the following procedures to add the network and client addresses to the autoike key tunnel the source address is the ip address of the network behind the local vpn gateway and the destination address is the ip address of the remote vpn client 90
- Adding an encrypt policy for a remote client 91
- Configuring the ipsec vpn client 91
- Dialup vpn 92
- Adding a dialup remote gateway 93
- Adding autoike key tunnels for dialup vpn 93
- Adding source and destination addresses for dialup vpn 93
- Adding encrypt policies for dialup vpn 94
- Configuring remote ipsec vpn clients for dialup vpn 94
- Configuring remote ipsec vpn gateways for dialup vpn 94
- Manual key vpn between two networks 94
- Adding an encrypt policy 95
- Adding source and destination addresses 95
- Configure the manual key tunnel using the main office information in example manual key tunnel configuration 95
- Configuring the manual key vpn tunnel 95
- Example manual key tunnel configuration shows the information required to configure the manual key tunnel for the vpn in example vpn between two internal networks 95
- Manual key 95
- Repeat steps select new to add a manual key tunnel to select ok to save the manual key tunnel on the appropriate dfl 1000 npg using the branch office information in example manual key tunnel configuration 95
- Select new to add a manual key tunnel 95
- Select ok to save the manual key tunnel 95
- To configure the manual key tunnel on both vpn gateways 95
- Use the procedure adding an encrypt policy for a network to network vpn 95
- Use the procedure adding source and destination addresses for a network to network vpn 95
- Adding an encrypt policy 96
- Adding internal and external addresses 96
- Configure the manual key tunnel using the dfl 1000 vpn gateway information in example dfl 1000 vpn gateway and client manual key tunnels 96
- Configuring the ipsec vpn client 96
- Configuring the manual key tunnel 96
- Example dfl 1000 vpn gateway and client manual key tunnels shows the information required to configure the manual key tunnel for the example vpn in example vpn between a main office internal network and a remote client 96
- In this example you configure a manual key vpn between an internal network and a remote vpn client example vpn between a main office internal network and a remote client shows this configuration use the following procedures to configure the manual key vpn 96
- Manual key 96
- Manual key vpn for remote clients 96
- Select new to add a manual key tunnel 96
- To configure the manual key tunnel on the dfl 1000 vpn gateway 96
- Adding an encrypt policy 97
- Adding internal and external addresses 97
- Configuring the ipsec vpn client 97
- Hub and spoke vpn vpn concentrator 97
- Configuring the hub 98
- Configuring the spokes 98
- Adding encrypt policies 99
- Adding source and destination addresses 99
- Configure a separate autoike key tunnel for the hub and for each spoke these tunnels will use the remote gateways that you created in the procedure configuring the remote gateways use the procedure configuring the autoike key tunnel for a remote client use the information in example autoike key tunnel configuration to configure the autoike key tunnels 99
- Configuring the autoike key tunnels 99
- Configuring the remote gateways 99
- Use the following procedures to create branch 1 and branch 2 99
- Use the procedure configuring the remote gateway for remote clients use the information in example remote gateway configuration to configure remote gateways for the main office branch 1 and branch 2 99
- Add source and destination addresses for the main office branch 1 and branch 2 use the procedure adding source and destination addresses for a remote client vpn use the information in example ipsec source and destination address information to add the source and destination addresses you need to add the addresses for each location individually 100
- Adding source and destination addresses 100
- Concentrator 100
- Configuring the vpn concentrator 100
- Enter the name of the new vpn concentrator in the concentrator name field 100
- For the main office the hub create the vpn concentrator and add the appropriate members to it add all the tunnels that are part of the same hub and spoke configuration to the same vpn concentrator if you add a spoke to the configuration after you create the vpn concentrator you can add the new vpn tunnel to the vpn concentrator by selecting the concentrator name while you are configuring the tunnel example vpn concentrator configuration shows the information required to configure the vpn concentrator 100
- Select branch1_vpn in the available tunnels list and select the right arrow the tunnel moves to the members list 100
- Select branch2_vpn in the available tunnels list and select the right arrow the tunnel moves to the members list 100
- Select new to add a vpn concentrator 100
- Select ok to add the vpn concentrator 100
- To add a vpn concentrator 100
- Adding encrypt policies 101
- Use the information in tables below to add the encrypt policies use the procedure adding an encrypt policy for a remote client the main office requires one policy to each branch office each branch office requires two policies on the same tunnel at the branch offices the policy for the hub must be arranged in the policy list above the policies for the spokes 101
- Pptp and l2tp vpns 103
- Pptp vpn configuration 103
- Configuring the dfl 1000 npg as a pptp gateway 104
- Configuring a windows 98 client for pptp 105
- Installing pptp support 105
- Configuring a pptp dialup connection 106
- Configuring a windows 2000 client for pptp 106
- Connecting to the pptp vpn 106
- Configuring a pptp dialup connection 107
- Configuring a windows xp client for pptp 107
- Configuring the vpn connection 107
- Connecting to the pptp vpn 107
- Connecting to the pptp vpn 108
- L2tp vpn configuration 108
- Configuring the dfl 1000 npg as an l2tp gateway 109
- Configuring a windows 2000 client for l2tp 110
- Configuring an l2tp dialup connection 110
- Disabling ipsec 110
- Configuring a windows xp client for l2tp 111
- Configuring an l2tp vpn dialup connection 111
- Configuring the vpn connection 111
- Connecting to the l2tp vpn 111
- Connecting to the l2tp vpn 112
- Disabling ipsec 112
- Blocking web pages that contain unwanted content 113
- Enabling web content filtering 113
- Web content filtering 113
- Adding words and phrases to the banned word list 114
- Changing the content block message 114
- Enabling the banned word list 114
- Backing up the banned word list 115
- Clearing the banned word list 115
- Temporarily disabling individual words in the banned word list 115
- Temporarily disabling the banned word list 115
- Blocking access to urls 116
- Changing the url block message 116
- Enabling the url block list 116
- Restoring the banned word list 116
- Adding urls to the url block list 117
- Clearing the url block list 118
- Downloading the url block list 118
- Temporarily disabling individual url blocking 118
- Temporarily disabling the url block list 118
- Uploading a url block list 118
- Exempting urls from content or url blocking 119
- Removing scripts from web pages 119
- Adding urls to the exempt url list 120
- Clearing the exempt url list 121
- Downloading the exempt url list 121
- Temporarily disabling entries in the exempt url list 121
- Uploading an exempt url list 121
- Configuring logging 123
- Logging and reporting 123
- Recording logs on a netiq webtrends server 123
- Recording logs on a remote computer 123
- Recording logs on the dfl 1000 hard disk 124
- Logging event log to memory 125
- Selecting what to log 125
- Searching event log 126
- Viewing event log 126
- Viewing event log saved to memory 126
- Clearing event log messages 127
- Viewing and maintaining logs saved to the hard disk 127
- Viewing logs 127
- Downloading a log file to the management computer 128
- Searching logs 128
- Configuring alert email 129
- Deleting a saved log file 129
- Deleting all messages in an active log 129
- Enabling alert emails 130
- Log message formats 130
- Testing alert emails 130
- Traffic log message format 130
- Content filtering messages 131
- Event log message format 131
- Management messages 131
- Traffic log example messages 131
- Vpn tunnel monitor messages 131
- Administration 132
- System status 132
- Upgrading the dfl 1000 firmware 133
- Upgrading the firmware 133
- Upgrading the firmware from a tftp server using the cli 133
- Upgrading the firmware using the web based manager 133
- Backing up system settings 135
- Displaying the dfl 1000 npg serial number 135
- Restoring system settings 135
- Restoring system settings to factory defaults 135
- Changing to nat route mode 136
- Changing to transparent mode 136
- Restarting the dfl 1000 npg 136
- Shutting down the dfl 1000 npg 136
- System status monitor 137
- Configuring the internal interface 138
- Network configuration 138
- Configuring the external interface 139
- Configuring the external interface with a static ip address 139
- Configuring the external interface for dhcp 140
- Configuring the external interface for pppoe 140
- Changing the external interface mtu size to improve network performance 141
- Controlling management access to the external interface 141
- Configuring the dmz interface 142
- Configuring the management interface transparent mode 142
- Adding routing gateways 143
- Configuring routing 143
- Setting dns server addresses 143
- Adding a default route 144
- Adding routes to the routing table 145
- Configuring the routing table 145
- Adding routes transparent mode 146
- Configuring the dfl 1000 npg for multiple internet connections 146
- Enabling rip server support 146
- Example configuration 147
- For example your main connection to the internet could be a t1 or broadband connection to the external interface to make sure that problems with this internet connection do not affect your access to the internet you could add a second t1 or broadband connection perhaps with a different isp you can connect this second internet connection to the dmz interface you can then configure routing so that incoming and outgoing traffic is automatically routed to the wan connection that is running you can also configure routing to balance the traffic between both connections if both are running 147
- This example configuration consists of a t1 wan connection to the external interface and a broadband wan connection to the dmz interface the wan networks have the following ip addresses 147
- Adding a route for redundancy 148
- Adding routes for load balancing 148
- Configuring routing for multiple internet connections 148
- Providing dhcp services to your internal network 148
- Viewing the dynamic ip list 149
- Setting system date and time 150
- System configuration 150
- Changing web based manager options 151
- Adding and editing administrator accounts 152
- Adding new administrator accounts 152
- Editing administrator accounts 152
- Configuring snmp 153
- Configuring the dfl 1000 npg for snmp connections 153
- Dfl 1000 mibs 154
- Select apply 154
- The dfl 1000 agent supports the standard internet mib ii system group rfc 1213 for reporting basic system information the agent also supports a dfl 1000 mib that reports firewall and vpn information example dfl 1000 mib fields shows the system and dfl 1000 mib fields you must compile the following mibs in your snmp manager to communicate with the dfl 1000 agent 154
- Dfl 1000 traps 155
- The dfl 1000 agent can send traps to up to three snmp trap receivers on your network that are configured to receive traps from the dfl 1000 npg the dfl 1000 agent sends traps in response to the events listed in snmp traps 155
- You can download copies of these mib files from d link 155
- Glossary 156
- Firewall policies 159
- General administration 159
- Network configuration 159
- Troubleshooting faqs 159
- Schedules 160
- Web content filtering 160
- Logging 161
- Dfl 1000 user manual 162 162
- Offices 162
- Technical support 162
- Dfl 1000 user manual 163 163
- Registration card 163
- Limited warranty 165
- Register the d link dfl 500 office firewall online at http www dlink com sales reg 168
- Registration 168
Похожие устройства
- Samsung RSG5F*** Инструкция по эксплуатации
- D-Link DFL-2100 Инструкция по эксплуатации
- Philips 170X5FB Инструкция по эксплуатации
- Nikon Coolpix S5200 Black Инструкция по эксплуатации
- LG DKS-7500 Инструкция по эксплуатации
- D-Link DFL-2400 Инструкция по эксплуатации
- Philips 190V5FB Инструкция по эксплуатации
- Nikon Coolpix S5200 Red Инструкция по эксплуатации
- Philips 190V6FB Инструкция по эксплуатации
- Vitek VT-1601 Инструкция по эксплуатации
- Nikon Coolpix S5200 Blue Инструкция по эксплуатации
- Philips 190C6FS Инструкция по эксплуатации
- D-Link DFL-500 Инструкция по эксплуатации
- Nikon Coolpix S9400 Black Инструкция по эксплуатации
- Bosch WLF16260OE Инструкция по эксплуатации
- Philips 190G6FB Инструкция по эксплуатации
- Nikon Coolpix S9400 White Инструкция по эксплуатации
- D-Link DFL-600 Инструкция по эксплуатации
- Philips 190CW7CS Инструкция по эксплуатации
- Hyundai H-TV1400 Инструкция по эксплуатации