VPN – Advanced Settings

Advanced settings for a VPN tunnel is used when one need change some characteristics

of the tunnel when using for example trying to connect to a third party VPN Gateway.

The

different settings to set per tunnel is the following:

Limit MTU

Whit this setting it’s possible to limit the MTU (Max Transferable Unit) of the VPN tunnel.

IKE Mode

Specify if Main mode IKE or Aggressive Mode IKE should be used when establishing

outbound VPN Tunnels. Inbound main mode connections will always be allowed. Inbound

aggressive mode connections will only be allowed if this setting is set to aggressive mode.

IKE DH Group

Here it’s possible to configure the Diffie-Hellman group to 1 (modp 768-bit), 2 (modp 1024-

bit) or 5 (modp 1536-bit).

PFS – Perfect Forward Secrecy

If PFS, Perfect Forwarding Secrecy, is enabled, a new Diffie-Hellman exchange is

performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are

dependent on any other previously used keys; no keys are extracted from the same initial

keying material. This is to make sure that, in the unlikely event that some key was

compromised; no subsequent keys can be derived.

NAT Traversal

Here it’s possible to configure how the NAT Traversal code should behave.

Disabled

- The firewall does not send the Vendor ID's that include NAT-T support when

setting up the tunnel.

On if supported and need NAT

- Will only use NAT-T if one of the VPN gateways is

NATed.

On if supported

- Always tries to use NAT-T when setting up the tunnel.

Keepalives

No keepalives

– Keep-alive is disabled.

Automatic keepalives

- The firewall will send ICMP pings to IP Addresses automatically

discovered from the VPN Tunnel settings.

Manually configured IP addresses

- Configure the source and destination IP addresses

used when sending the ICMP pings

52

Proposal Lists

To agree on the VPN connection parameters, a negotiation process is performed. As the

result of the negotiations, the IKE and IPSec security associations (SAs) are established. As

the name implies, a proposal is the starting point for the negotiation. A proposal defines

encryption parameters, for instance encryption algorithm, life times etc, that the VPN gateway

supports.

There are two types of proposals, IKE proposals and IPSec proposals. IKE proposals are

used during IKE Phase-1 (IKE Security Negotiation), while IPSec proposals are using during

IKE Phase-2 (IPSec Security Negotiation).

A Proposal List is used to group several proposals. During the negotiation process, the

proposals in the proposal list are offered to the remote VPN gateway one after another until a

matching proposal is found.

IKE Proposal List

Cipher

– Specifies the encryption algorithm used in this IKE proposal. Supported

algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128.

Hash

– Specifies the hash function used to calculate a check sum that reveals if the data

packet is altered while being transmitted. MD5 and SHA1 are supported algorithms.

Life Times

– Specifies in KB or seconds when the security associations for the VPN

tunnel need to be re-negotiated.

IPSec Proposal List

Cipher

– Specifies the encryption algorithm used in this IPSec proposal. Supported

algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128.

HMAC

– Specifies the hash function used to calculate a check sum that reveals if the data

packet is altered while being transmitted. MD5 and SHA1 are supported algorithms.

Life Times

– Specifies in KB or seconds when the security associations for the VPN

tunnel need to be re-negotiated.

Certificates

A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy

manner. Certificates can be used to authenticate individual users or other entities. These

types of certificates are commonly called end-entity certificates.

Before a VPN tunnel with certificate based authentication can be set up, the firewall needs

a certificate of its own and that of the remote firewall. These certificates can either be self-

signed certificates, or issued by a CA.

Trusting Certificates

When setting up a VPN tunnel, the firewall has to be told whom it should trust. When using

pre-shared keys, this is simple. The firewall trusts anyone who has the same pre-shared key.

When using certificates, on the other hand, you tell the firewall that it can trust anyone

whose certificate is signed by a given CA. Before a certificate is accepted, the following steps

are taken to verify the validity of the certificate:

•

Construct a certification path up to the trusted root CA.

•

Verify the signatures of all certificates in the certification path.

•

Fetch the CRL for each certificate to verify that none of the certificates have been

revoked.

Local identities

This is a list of all the local identity certificates that can be used in VPN tunnels. A local

identity certificate is used by the firewall to prove its identity to the remote VPN peer.

To add a new local identity certificate, click Add new. The following pages will allow you to

specify a name for the local identity, and upload the certificate and private key files. This

certificate can be selected in the Local Identity field on the VPN page.

This list also includes a special certificate called Admin. This is the certificate used by the

web interface to provide HTTPS access.

Note: The certificate named Admin can only be replaced, not deleted or renamed. This is

used for HTTPS access to the DFL-200.

Certificates of remote peers

This is a list of all certificates of individual remote peers.

To add a new remote peer certificate, click Add new. The following pages will allow you to

specify a name for the remote peer certificate and upload the certificate file. This certificate

can be selected in the Certificates field on the VPN page.

Certificate Authorities

This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add

new. The following pages will allow you to specify a name for the CA certificate and upload

the certificate file. This certificate can be selected in the Certificates field on the VPN page.

54

Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the

Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similiarly, a

non-CA certificate will be placed in the Remote Peers list even if Add New was clicked from

the Certificate Authorities list.

Identities

This is a list of all the configured Identity lists. An Identity list can be used on the VPN

page to limit inbound VPN access from this list of known identities.

Normally, a VPN tunnel is established if the certificate of the remote peer is present in the

Certificates field in the VPN section, or if the remote peer's certificate is signed by a CA

whose certificate is present in the Certificates field in the VPN section. However, in some

cases it might be necessary to limit who can establish a VPN tunnel even among peers

signed by the same CA.

The Identity list can be selected in the Identity List field on the VPN page.

If an Identity List is configured, the firewall will match the identity of the connecting remote

peer against the Identity List, and only allow it to open the VPN tunnel if it matches the

contents of the list.

If no Identity List is used, no identity matching is done.

Content Filtering

DFL-200 HTTP content filtering can be configured to scan all HTTP content protocol

streams for URLs or for web page content.

You can configure URL blacklist to block all or just some of the pages on a website. Using

this feature you can deny access to parts of a web site without denying access to it

completely.

The HTTP content filter can also be configured to strip contents like ActiveX, Flash and

cookies.

There is also a URL whitelist for URLs that should be excluded from all Content Filtering.

To have the URL white/black list match entire sites, you will most likely want to use

wildcards before and after the host names, e.g. "*example.com/*". However, this will also

trigger on e.g. "myexample.com/", so you may want to split it up in two patterns, e.g.

"example.com/*" and "*.example.com/*", to catch the domain name by itself as well as

variants with prefixed host names ("www.") without having the filter trigger on domains ending

with the same text.

Note:

For HTTP URL filtering to work, all HTTP traffic needs to go trough a policy using a

service with the HTTP ALG, which is the case for the "http-outbound" service by default.

Also note that the HTTP content filter cannot examine HTTPS (encrypted) connections

due to their encrypted nature. If you wish to block access to HTTPS sites, you will need to

configure rules in the firewall policy to block access to port 443 (https) on the IP addresses in

question.

Active content handling

Active content handling can be enabled or disabled by checking the checkbox before each

type you would like to strip. For example to strip ActiveX and Flash enable the checkbox

named Strip ActiveX objects. It is possible to strip ActiveX, Flash, Java, JavaScript and

VBScript. It is also possible to block cookies.