56

Authentication Protocols

PPP supports different authentication protocols, PAP, CHAP, MS-CHAP v1 and MS-

CHAP v2 is supported. Which authentication protocol to use is negotiated during LCP

negotiation.

PAP

PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme,

which means that user name and password are sent in plaintext. PAP is therefore not a

secure authentication protocol.

CHAP

CHAP

(Challenge

Handshake

Authentication

Protocol)

is

a

challenge-response

authentication protocol specified in RFC 1994. CHAP uses a MD5 one-way encryption

scheme to hash the response to a challenge issued by the DFL-1100. CHAP is better then

PAP in that the password is never sent over the link. Instead the password is used to create

the one-way MD5 hash. That means that CHAP requires passwords to be stored in a

reversibly encrypted form.

MS-CHAP v1

MS-CHAP v1 (Microsoft Challenge Handshake Authentication Protocol version 1) is

similar to CHAP, the main difference is that with MS-CHAP v1 the password only needs to be

stored as a MD4 hash instead of a reversibly encrypted form. Another difference is that MS-

CHAP v1 uses MD4 instead of MD5.

MS-CHAP v2

MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 1) is more

secure then MS-CHAP v1 as it provides two –way authentication.

MPPE, Microsoft Point-To-Point Encryption

MPPE is used is used to encrypt Point-to-Point Protocol (PPP) packets. MPPE uses the

RSA RC4 algorithm to provide data confidentiality. The length of the session key to be used

for the encryption can be negotiated. MPPE currently supports 40-bit, 56-bit and 128-bit RC4

session keys.

L2TP/PPTP Clients

General parameters

Name

– Specifies a name for

the PPTP/L2TP Client.

Username

- Specify the

username to use for this

PPTP/L2TP Client.

Password/Confirm

Password - The password to use

for this PPTP/L2TP Client.

Interface IP

.

-

Specifies if the

L2TP/PPTP Client should try to

use a specified IP or get one from

the server.

Remote Gateway

- The IP

address of the PPTP/L2TP

Server. To connect to

Dial on demand

is used

when the tunnel should only be used when needed, if diabled the tunnel will always try to be

up.

Authentication protocol

Specify if, and what

authentication protocol to use,

read more about the different

authentication protocols in the

Authentication Protocol

Introduction

chapter.

MPPE encryption

If MPPE encryption is going to

be used, this is where the

encryption level is configured.

If L2TP or PPTP over

IPSec

is going to be used it has to be

enabled and configured to either

use a Pre-Shared Key or a

Certificate.

58

L2TP/PPTP Servers

Name

– Specifies a name for

this PPTP/L2TP Server.

Outer IP

- Specifies the IP

that the PPTP/L2TP server

should listen on, leave it Blank for

the WAN IP.

Inner IP

- Specifies the IP

inside the tunnel, leave it Blank

for the LAN IP.

IP Pool and settings

Client IP Pool

- A range,

group or network that the

PPTP/L2TP Server will use as IP

address pool to give out IP addresses to the clients from.

Primary/Secondary DNS

- IP of the primary and secondary DNS servers.

Primary/Secondary WINS

- IP of the Windows Internet Name Service (WINS) servers

that are used in Microsoft environments which uses the NetBIOS Name Servers (NBNS) to

assign IP addresses to NetBIOS names.

Authentication protocol

Specify if, and what

authentication protocol to use,

read more about the different

authentication protocols in the

Authentication Protocol

Introduction

chapter.

MPPE encryption

If MPPE encryption is going to

be used, this is where the

encryption level is configured.

If L2TP or PPTP over

IPSec

is going to be used it has to be

enabled and configured to either

use a Pre-Shared Key or a

Certificate.

60

VPN between two networks

In the following example users on the main

office internal network can connect to the branch

office internal network vice versa. Communication

between the two networks takes place in an

encrypted VPN tunnel that connects the two DFLs

Network Security Firewall across the Internet. Users

on the internal networks are not aware that when

they connect to a computer on the other network

that the connection runs across the Internet.

As shown in the example, you can use the DFL

to protect a branch office and a small main office.

Both of these DFLs can be configured as IPSec

VPN gateways to create the VPN that connects the

branch office network to the main office network.

The example shows a VPN between two

internal networks, but you can also create VPNs

between an internal network behind one VPN

gateway and a DMZ network behind another or

between two DMZ networks. The networks at the

ends of the VPN tunnel are selected when you configure the VPN policy.

Creating a LAN-to-LAN IPSec VPN Tunnel

Follow these steps to add LAN-to-LAN Tunnel.

Step 1.

Go to Firewall and VPN and choose

Add new

in the IPSec tunnels section.

Step 2.

Enter a Name for the new tunnel in the name field. The name can contain

numbers (0-9) and upper and lower case letters (A-Z, a-z), and the special characters -

and _. No other special characters and spaces are allowed.

Step 3.

Specify your local network, or your side of the tunnel, for example

192.168.1.0/255.255.255.0, in the Local Net field.

Step 4.

Choose authentication type, either PSK (Pre-shared Key) or Certificate-based. If

you choose PSK make sure both firewalls use exactly the same PSK.

Step 5.

As Tunnel Type choose LAN-to-LAN tunnel and specify the network behind the

other DFL-1100 as Remote Net also specify the external IP of the other DFL-1100, this

can be an IP or a DNS name.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes.

Repeat this on the firewall on the other site.