Page 116 / 131
2. Select the Security tab and click IPsec Settings.
3. Check Use pre-shared key for authentication, type the key and click OK.
Settings for Main office

1. Set up interfaces, System->Interfaces:
   WAN IP: 193.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0

2. Set up the L2TP server, Firewall->VPN:
   Under L2TP / PPTP Server click Add new L2TP server.
   Name the server l2tpServer.
   Leave Outer IP and Inner IP blank.
   Set client IP pool to
   Check Proxy ARP dynamically added routes.
   Check Use unit's own DNS relayer addresses.
   Leave WINS settings blank.
   Under authentication, MSCHAPv2 should be the only checked option.
   Under MPPE encryption, None should be the only checked option.
   Check the Use IPsec encryption box.
   Enter the pre-shared key, 1234567890, and retype the same pre-shared key.
   Click Apply.

3. Set up policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters.
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN.
   Click Apply.

4. Set up the authentication source, Firewall->Users:
   Select Local database.
   Click Apply.

5. Add a new user, Firewall->Users:
   Under Users in local database click Add new.
   Name the new user HomeUser.
   Enter password: 1234567890
   Retype password: 1234567890
   Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the PPTP server settings is used).
   Click Apply.

6. Click Activate and wait for the firewall to restart.

This example will allow all traffic from the client to the main office network. To get a more secure solution, read the Settings for the Main office part of the A more secure LAN-to-LAN VPN solution section in this chapter.
Content filtering

To enable content filtering, follow these steps:

1. Update the content filtering settings, Firewall->Content Filtering:
   Select what content should be filtered out. ActiveX, Java applets, JavaScript/VBScript and cookies can be blocked or filtered out. Note that some web pages don't work very well if these options are enabled.
   Pages that are safe or trusted can be added to the whitelist by clicking Edit global URL whitelist. To allow all subdomains of e.g. google.com (e.g. gmail.google.com) and all possible pages on that site, enter *.google.com/* in this list. This will allow, for example, www.google.com/about.html and gmail.google.com.
   In the same way, servers can be blocked by adding them to the blacklist. Click Edit global URL blacklist and add the sites that should be blocked. File extensions can also be blocked. If you, for example, don't want users to be able to download executable files, add *.exe to this list.
2. Make sure the http-outbound service exists and is using the HTTP ALG, Firewall->Services:
   Find the http-outbound service in the list and click Edit. If there is no service with that name you will have to create one by clicking Add new at the bottom of the list.
   TCP / UDP Service should be selected and protocol should be set to TCP.
   Set destination port to 80.
   Select HTTP/HTML Content Filtering in the ALG dropdown.
   Click Apply.

3. Now add a policy rule that uses this service, Firewall->Policy:
   Click LAN->WAN
   Click Add new
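The following is an added example, not code from the manual or from the firewall itself: a small Python model of how the URL whitelist, URL blacklist and file-extension globs from step 1 could be evaluated, and of why step 2 matters (only traffic that matches the http-outbound service, TCP port 80, is handed to the HTTP ALG at all). The matching rules are assumptions made for the illustration: patterns that contain a "/" are split into a host glob and a path glob that are matched separately (so a "*" in the host part cannot run across the "/" into the path), patterns without a "/" such as *.exe are matched against the whole host/path string, the whitelist takes precedence over the blacklist, and unmatched URLs are allowed. The HTTP_OUTBOUND constant, the sample policy and the sample URLs are constructed for this example.

```python
"""Model of the manual's whitelist / blacklist / extension filtering.
Hypothetical simulation written for this example; it is not the firewall's own
matching code and its precedence rules are assumptions."""
import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ContentFilterPolicy:
    # Globs in the style the manual uses, e.g. "*.google.com/*" or "*.exe".
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)


def split_url(url: str):
    """Return (host, path) in lower case with scheme, port, query and fragment
    dropped, so 'gmail.google.com' and 'http://gmail.google.com/' look the same."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname or "", parts.path.lstrip("/").lower()


def pattern_matches(pattern: str, host: str, path: str) -> bool:
    """Match one glob against a URL.

    A pattern containing '/' is split into a host glob and a path glob that are
    matched separately, so '*.google.com/*' matches 'www.google.com/about.html'
    and 'gmail.google.com' but not 'attacker.example/x.google.com/', which a
    single glob over the whole string would accept. A pattern without '/'
    (e.g. '*.exe') is matched against the whole 'host/path' string."""
    pattern = pattern.lower()
    if "/" in pattern:
        host_glob, path_glob = pattern.split("/", 1)
        return fnmatch.fnmatchcase(host, host_glob) and fnmatch.fnmatchcase(path, path_glob)
    return fnmatch.fnmatchcase(host + "/" + path, pattern)


def evaluate_url(policy: ContentFilterPolicy, url: str):
    """Whitelist first (assumed ordering: the manual calls it 'safe or trusted'),
    then blacklist; anything unmatched is allowed. Returns (verdict, reason)."""
    host, path = split_url(url)
    if any(pattern_matches(p, host, path) for p in policy.whitelist):
        return ("allow", "whitelist")
    if any(pattern_matches(p, host, path) for p in policy.blacklist):
        return ("deny", "blacklist")
    return ("allow", "default")


# The http-outbound service from step 2: TCP, destination port 80, HTTP ALG.
HTTP_OUTBOUND = {"protocol": "TCP", "dport": 80, "alg": "HTTP/HTML Content Filtering"}


def inspect_connection(policy: ContentFilterPolicy, protocol: str, dport: int, url: str):
    """Only connections that match the http-outbound service pass through the
    HTTP ALG, so the URL lists never see e.g. HTTPS on port 443 or UDP traffic."""
    if protocol.upper() != HTTP_OUTBOUND["protocol"] or dport != HTTP_OUTBOUND["dport"]:
        return ("not-inspected", "service has no HTTP ALG")
    return evaluate_url(policy, url)


# Constructed sample policy: trusted Google subdomains, one blocked server,
# and executables blocked by extension as in the manual's *.exe example.
EXAMPLE_POLICY = ContentFilterPolicy(
    whitelist=["*.google.com/*"],
    blacklist=["*.badsite.example/*", "*.exe"],
)

if __name__ == "__main__":
    # Constructed sample requests.
    for proto, port, url in [
        ("TCP", 80, "www.google.com/about.html"),
        ("TCP", 80, "gmail.google.com"),
        ("TCP", 80, "attacker.example/x.google.com/"),
        ("TCP", 80, "www.badsite.example/index.html"),
        ("TCP", 80, "downloads.example.com/tools/setup.exe"),
        ("TCP", 443, "www.badsite.example/"),
    ]:
        print(f"{proto}/{port} {url:40} -> {inspect_connection(EXAMPLE_POLICY, proto, port, url)}")
```

Two points the run makes visible: a blacklisted extension such as *.exe is still downloadable from a whitelisted site, because the whitelist is checked first, and a blacklisted server reached on port 443 is never evaluated, because the policy rule in step 3 only sends the TCP/80 service through the ALG.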