Page 56 / 139
Authentication Protocols
PPP supports several authentication protocols: PAP, CHAP, MS-CHAP v1 and MS-CHAP v2 are supported. Which authentication protocol to use is negotiated during LCP negotiation.
PAP
PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme,
which means that user name and password are sent in plaintext. PAP is therefore not a
secure authentication protocol.
CHAP
CHAP (Challenge Handshake Authentication Protocol) is a challenge-response authentication protocol specified in RFC 1994. CHAP uses a one-way MD5 hash to compute the response to a challenge issued by the DFL-1100. CHAP is better than PAP in that the password is never sent over the link. Instead the password is used as input to the one-way MD5 hash. Because the authenticator must recompute that hash itself, CHAP requires passwords to be stored in a reversibly encrypted form.
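The challenge/response round trip described above, as an added example written for this page (not DFL-1100 code): the peer sends only MD5(Identifier || secret || Challenge), and the authenticator has to hold the plaintext secret to verify it. The packet layout follows RFC 1994; the user name, secret and challenge bytes are constructed sample values.

```python
"""RFC 1994 CHAP challenge/response, added illustration (not vendor code).

The secret store, the peer name and the fixed challenge used in the tests
are constructed sample values.
"""
import hashlib
import hmac
import secrets
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
MD5_VALUE_SIZE = 16


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge) (RFC 1994 section 2.1).
    Only this 16-byte hash crosses the link; the secret itself does not."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def encode_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Build a Challenge/Response packet: Code, Identifier, Length, Value-Size,
    Value, Name (RFC 1994 section 4.1). Length covers the whole packet."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(pkt: bytes) -> dict:
    """Parse a Challenge or Response packet, checking the declared lengths."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("not a Challenge/Response packet")
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    value_size = pkt[4]
    if 5 + value_size > length:
        raise ValueError("Value-Size exceeds packet")
    return {"code": code, "identifier": identifier,
            "value": pkt[5:5 + value_size], "name": pkt[5 + value_size:length]}


def authenticator_verify(identifier: int, challenge: bytes,
                         response_pkt: bytes, secrets_db: dict) -> bool:
    """Authenticator side. It recomputes the hash from the peer's plaintext
    secret, which is why CHAP needs reversibly stored (not hashed) passwords.
    The Identifier must match the outstanding challenge so a stale response fails."""
    resp = parse_packet(response_pkt)
    if resp["code"] != CHAP_RESPONSE or resp["identifier"] != identifier:
        return False
    secret = secrets_db.get(resp["name"])
    if secret is None or len(resp["value"]) != MD5_VALUE_SIZE:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, resp["value"])


def run_exchange(secrets_db: dict, peer_name: bytes, peer_secret: bytes,
                 identifier: int = 1, challenge: bytes = None) -> bool:
    """One round trip: authenticator issues a Challenge, peer answers, authenticator
    verifies. The challenge must be fresh and unpredictable for every round."""
    if challenge is None:
        challenge = secrets.token_bytes(16)
    challenge_pkt = encode_packet(CHAP_CHALLENGE, identifier, challenge, b"dfl-1100")
    chal = parse_packet(challenge_pkt)  # peer side reads the challenge
    response_pkt = encode_packet(
        CHAP_RESPONSE, chal["identifier"],
        chap_response(chal["identifier"], peer_secret, chal["value"]), peer_name)
    return authenticator_verify(identifier, challenge, response_pkt, secrets_db)


if __name__ == "__main__":
    db = {b"alice": b"constructed-secret"}  # authenticator's reversible secret store
    print(run_exchange(db, b"alice", b"constructed-secret"))  # True
    print(run_exchange(db, b"alice", b"wrong-secret"))        # False
```

The point to notice is in authenticator_verify: the lookup returns the secret itself, not a hash of it. That is the property the text refers to when it says CHAP requires reversibly encrypted password storage, and it is what MS-CHAP's use of a stored MD4 hash changes.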
MS-CHAP v1
MS-CHAP v1 (Microsoft Challenge Handshake Authentication Protocol version 1) is similar to CHAP; the main difference is that with MS-CHAP v1 the password only needs to be stored as an MD4 hash instead of in a reversibly encrypted form. Another difference is that MS-CHAP v1 uses MD4 instead of MD5.
MS-CHAP v2
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) is more secure than MS-CHAP v1 as it provides two-way (mutual) authentication.
MPPE, Microsoft Point-To-Point Encryption
MPPE is used to encrypt Point-to-Point Protocol (PPP) packets. MPPE uses the RSA RC4 algorithm to provide data confidentiality. The length of the session key to be used for the encryption can be negotiated. MPPE currently supports 40-bit, 56-bit and 128-bit RC4 session keys.
L2TP/PPTP Clients
General parameters
Name - Specifies a name for the PPTP/L2TP Client.
Username - Specify the username to use for this PPTP/L2TP Client.
Password/Confirm Password - The password to use for this PPTP/L2TP Client.
Interface IP - Specifies if the L2TP/PPTP Client should try to use a specified IP or get one from the server.
Remote Gateway - The IP address of the PPTP/L2TP Server to connect to.
Dial on demand - Used when the tunnel should only be brought up when needed; if disabled, the tunnel will always try to stay up.
Authentication protocol - Specify if, and which, authentication protocol to use. Read more about the different authentication protocols in the Authentication Protocol Introduction chapter.
MPPE encryption - If MPPE encryption is going to be used, this is where the encryption level is configured.
If L2TP or PPTP over IPSec is going to be used, it has to be enabled and configured to use either a Pre-Shared Key or a Certificate.
L2TP/PPTP Servers
Name - Specifies a name for this PPTP/L2TP Server.
Outer IP - Specifies the IP that the PPTP/L2TP server should listen on; leave it blank for the WAN IP.
Inner IP - Specifies the IP inside the tunnel; leave it blank for the LAN IP.
IP Pool and settings
Client IP Pool - A range, group or network that the PPTP/L2TP Server will use as the IP address pool from which it gives out IP addresses to the clients.
Primary/Secondary DNS - IP of the primary and secondary DNS servers.
Primary/Secondary WINS - IP of the Windows Internet Name Service (WINS) servers that are used in Microsoft environments, which use NetBIOS Name Servers (NBNS) to resolve NetBIOS names to IP addresses.
Authentication protocol - Specify if, and which, authentication protocol to use. Read more about the different authentication protocols in the Authentication Protocol Introduction chapter.
MPPE encryption - If MPPE encryption is going to be used, this is where the encryption level is configured.
If L2TP or PPTP over IPSec is going to be used, it has to be enabled and configured to use either a Pre-Shared Key or a Certificate.
VPN between two networks
In the following example, users on the main office internal network can connect to the branch office internal network and vice versa. Communication between the two networks takes place in an encrypted VPN tunnel that connects the two DFL Network Security Firewalls across the Internet. Users on the internal networks are not aware that, when they connect to a computer on the other network, the connection runs across the Internet.
As shown in the example, you can use the DFL to protect a branch office and a small main office. Both of these DFLs can be configured as IPSec VPN gateways to create the VPN that connects the branch office network to the main office network.
The example shows a VPN between two internal networks, but you can also create VPNs between an internal network behind one VPN gateway and a DMZ network behind another, or between two DMZ networks. The networks at the ends of the VPN tunnel are selected when you configure the VPN policy.
Creating a LAN-to-LAN IPSec VPN Tunnel
Follow these steps to add a LAN-to-LAN Tunnel.
Step 1. Go to Firewall and VPN and choose Add new in the IPSec tunnels section.
Step 2. Enter a Name for the new tunnel in the name field. The name can contain numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. No other special characters or spaces are allowed.
Step 3. Specify your local network, your side of the tunnel, for example 192.168.1.0/255.255.255.0, in the Local Net field.
Step 4. Choose the authentication type, either PSK (Pre-shared Key) or Certificate-based. If you choose PSK, make sure both firewalls use exactly the same PSK.
Step 5. As Tunnel Type choose LAN-to-LAN tunnel and specify the network behind the other DFL-1100 as Remote Net. Also specify the external IP of the other DFL-1100; this can be an IP or a DNS name.
Click the Apply button below to apply the change, or click Cancel to discard the changes.
Repeat this on the firewall at the other site.
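Because the same five steps are repeated on both firewalls, most LAN-to-LAN failures come from the two ends not matching. The following pre-flight check is an added example written for this page, not DFL-1100 code: it applies the Step 2 naming rule, parses the Step 3 address/mask form (rejecting host bits, a common slip), and checks that the two sides mirror each other (each Remote Net equals the other side's Local Net, and the PSK is identical when PSK is chosen). The field names and the two sample sites are constructed for illustration.

```python
"""Pre-flight consistency check for a LAN-to-LAN IPSec tunnel pair.
Added example, not DFL-1100 code; field names and sample sites are constructed."""
import ipaddress
import re

# Step 2: digits, upper/lower case letters, '-' and '_' only; no spaces.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def valid_tunnel_name(name: str) -> bool:
    """True if the tunnel name satisfies the Step 2 character rule."""
    return bool(NAME_RE.fullmatch(name))


def parse_net(text: str) -> ipaddress.IPv4Network:
    """Accept the manual's 'address/dotted-mask' form (Step 3) or CIDR.
    strict=True rejects e.g. 192.168.1.5/255.255.255.0 (host bits set)."""
    return ipaddress.IPv4Network(text, strict=True)


def check_site(label: str, site: dict) -> list:
    """Validate one firewall's tunnel settings on their own."""
    problems = []
    if not valid_tunnel_name(site["name"]):
        problems.append(f"{label}: invalid tunnel name {site['name']!r}")
    for field in ("local_net", "remote_net"):
        try:
            parse_net(site[field])
        except ValueError as exc:
            problems.append(f"{label}: {field} {site[field]!r}: {exc}")
    if site["auth"] not in ("PSK", "Certificate"):
        problems.append(f"{label}: auth must be PSK or Certificate")
    if site["auth"] == "PSK" and not site.get("psk"):
        problems.append(f"{label}: PSK is empty")
    return problems


def check_pair(site_a: dict, site_b: dict) -> list:
    """Validate both ends and then check that they mirror each other (Step 5)
    and share the same PSK (Step 4). Returns a list of problems; empty is OK."""
    problems = check_site("A", site_a) + check_site("B", site_b)
    if problems:
        return problems
    a_local, a_remote = parse_net(site_a["local_net"]), parse_net(site_a["remote_net"])
    b_local, b_remote = parse_net(site_b["local_net"]), parse_net(site_b["remote_net"])
    if a_local.overlaps(a_remote):
        problems.append("A: Local Net and Remote Net overlap; tunnel routing is ambiguous")
    if a_remote != b_local or b_remote != a_local:
        problems.append("Remote Net on each side must equal the other side's Local Net")
    if site_a["auth"] != site_b["auth"]:
        problems.append("Both sides must use the same authentication type")
    elif site_a["auth"] == "PSK" and site_a["psk"] != site_b["psk"]:
        problems.append("PSK differs between the two firewalls (Step 4)")
    return problems


# Constructed sample sites: the main office and the branch office.
MAIN = {"name": "to-branch", "local_net": "192.168.1.0/255.255.255.0",
        "remote_net": "192.168.2.0/255.255.255.0", "auth": "PSK",
        "psk": "constructed-psk-placeholder"}
BRANCH = {"name": "to_main", "local_net": "192.168.2.0/255.255.255.0",
          "remote_net": "192.168.1.0/255.255.255.0", "auth": "PSK",
          "psk": "constructed-psk-placeholder"}

if __name__ == "__main__":
    for p in check_pair(MAIN, BRANCH) or ["OK: both ends are consistent"]:
        print(p)
```

Run it before clicking Apply on the second firewall; an empty result means the names, networks and PSK line up, and each reported line names the step whose input needs correcting.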