Page 106 / 139
Leave WINS settings blank.
Under authentication, MSCHAPv2 should be the only checked option.
Under MPPE encryption, None should be the only checked option.
Check Use IPsec encryption.
Enter key: 1234567890 (Note! You should use a key that is hard to guess)
Retype key: 1234567890
Click Apply.
3. Set up policies for the new tunnel, Firewall->Policy:
Click Global policy parameters.
Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN.
Click Apply.
4. Set up the authentication source, Firewall->Users:
Select Local database.
Click Apply.
5. Add a new user, Firewall->Users:
Under Users in local database, click Add new.
Name the new user: BranchOffice
Enter password: 1234567890
Retype password: 1234567890
Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the L2TP server settings is used).
Set Networks behind user to 192.168.4.0/4
Click Apply.
6. Click Activate and wait for the firewall to restart.
This example will allow all traffic between the two offices. To get a more secure solution, read the section A more secure LAN-to-LAN VPN solution in this chapter.
A more secure LAN-to-LAN VPN solution
To get a more secure solution, policies should be created instead of allowing all traffic between the two offices. The following steps show how to enable some common services. In this example we have a mail server, an FTP server and a web server (intranet) in the main office that we want to access from the branch office.
Settings for Branch office
1. Set up policies for the new tunnel, Firewall->Policy:
Click Global policy parameters.
Disable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN.
Click Apply.
2. Now it is possible to create policies for the VPN interfaces. Select from LAN to toMainOffice and click Show.
3. Click Add new to create the first rule.
4. Set up the new rule:
Name the new rule: allow_pop3
Select action: Allow
Select service: pop3
Select schedule: Always
We don't want any intrusion detection or traffic shaping for now, so leave these options unchecked.
Click Apply.
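The difference between the "allow all VPN traffic" setup from the first example and the per-service rules in this section can be checked offline with a small model of the policy evaluation. This is an added example, not the firewall's own code or configuration format: the first-match-wins order, the default Drop for unmatched flows, the pop3/ftp/http port mapping and the pre-shared key heuristic are assumptions made for the illustration, and the rule and interface names (LAN, toMainOffice, allow_pop3) are the ones used in this chapter.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Services named in this chapter, mapped to protocol/port (IANA-assigned ports).
SERVICES = {"pop3": ("tcp", 110), "ftp": ("tcp", 21), "http": ("tcp", 80)}

@dataclass
class Rule:
    name: str
    src_iface: str        # e.g. "LAN"
    dst_iface: str        # e.g. "toMainOffice", the L2TP/IPsec tunnel interface
    service: str          # key into SERVICES
    action: str           # "Allow" or "Drop"
    schedule: str = "Always"

@dataclass
class Policy:
    allow_all_vpn: bool   # the "Allow all VPN traffic" global policy parameter
    vpn_ifaces: Set[str]  # interfaces that are VPN tunnels
    rules: List[Rule] = field(default_factory=list)

    def decision(self, src_iface, dst_iface, proto, port, active=frozenset()):
        """Return "Allow" or "Drop" for one flow. Assumed semantics: the global
        flag short-circuits every flow that touches a VPN interface; otherwise
        rules are evaluated top-down, first match wins, and no match means Drop."""
        touches_vpn = src_iface in self.vpn_ifaces or dst_iface in self.vpn_ifaces
        if self.allow_all_vpn and touches_vpn:
            return "Allow"
        for r in self.rules:
            if (r.src_iface, r.dst_iface) != (src_iface, dst_iface):
                continue
            if SERVICES.get(r.service) != (proto, port):
                continue
            if r.schedule == "Always" or r.schedule in active:
                return r.action
        return "Drop"

def weak_psk(key: str) -> bool:
    """Flag a pre-shared key like the chapter's 1234567890: too short, digits
    only, or one repeated character (constructed heuristic, not a standard)."""
    return len(key) < 16 or key.isdigit() or len(set(key)) == 1

# The two branch-office configurations from this chapter.
OPEN = Policy(allow_all_vpn=True, vpn_ifaces={"toMainOffice"})
SECURE = Policy(allow_all_vpn=False, vpn_ifaces={"toMainOffice"},
                rules=[Rule("allow_pop3", "LAN", "toMainOffice", "pop3", "Allow")])
```

With OPEN, an FTP flow from LAN into the tunnel is allowed by the global flag alone; with SECURE only pop3 from LAN to toMainOffice passes, and the reverse direction stays dropped until a rule for it is added.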