Clavister VPN Client 1.4 to D-Link firewall using PSK (Pre-Shared Key)
This Knowledge Base article applies to:
Clavister VPN Client 1.4
D-Link DFL-200, DFL-700 and DFL-1100.
This document should not be considered a definitive guide to connecting a Clavister VPN client to the D-Link DFL firewall. Rather, it should be treated as what it actually is: a quick guide to setting up an encrypted connection between the above-mentioned products. It does not discuss the various ways one could go about achieving this, nor does it discuss the possible security implications of different configurations.
This document assumes that you already have the firewall up and running. If not, please consult the proper documentation for this.
Topics covered in this document
D-Link VPN configuration
See the picture below and follow these steps:
- Start your D-Link administration Web interface and pick the section Firewall.
- Select VPN and Add New.
- Type in a name for your VPN tunnel; in this example we use Roaming_users.
- Select the network you want your users to connect to. The default net is your internal net, in this example 192.168.1.0/24.
If you want to use Windows Networking and domain logon from your client, type in 0.0.0.0/0, which means "all networks", and also select Any as the remote network in your client (see the configuration of the client later in this guide). This forces all traffic, including NetBIOS, to go through the VPN tunnel from the client.
- As authentication method, select PSK - Pre-Shared Key. Type in your password twice and remember it for later use in the VPN client.
- Select Roaming Users as Tunnel type.
There is also an option to use Xauth as a second authentication method to increase the security of the VPN connection. To use this function you must enable RADIUS support, found in the Firewall\Users section.
- Press Apply and activate your changes.
Clavister VPN client
Installation of the VPN client
One of the few things to think about during the installation of the VPN client is to choose Administrator e-mail as the primary host identifier if you plan to use self-signed certificates later on as the authentication key for your VPN connection. This is normally the step right after generating the random seed. It is not critical if you choose something else by mistake; it can be changed later, per configured connection.
Key Management
Because we need to configure a PSK to use for authentication against the VPN gateway, this is normally the first step. It is done by running the Policy Editor, clicking Key Management and choosing Add under My Keys.
Security Policy
VPN Connections
Press Add. As can be seen from the screenshot to the right, this is a pretty straightforward configuration if everything is configured correctly on the VPN gateway.
Gateway IP address
Specify the IP address of the external interface of the D-Link VPN gateway.
Remote network
This is where the internal network behind the D-Link VPN gateway is defined. This should be identical to the Local Net specified in the VPN Tunnel configuration.
Authentication key
Choose the PSK created earlier with the Key Management tool in the VPN Client. Press OK twice and your configuration is done.
NATed connection
If your client has a NATed connection to the Internet, you must enable NAT traversal in the VPN client. To do this, select your VPN connection, pick Properties and then Advanced, and enable the setting Pass NAT devices using.
Enabling the VPN connection
To enable your VPN tunnel, right-click the VPN icon in the lower right corner, select Select VPN and pick your tunnel configuration.
Troubleshooting
If something goes wrong and the VPN tunnel is not properly established, there are a few things that should be checked:
- First of all, check that the IP address of the remote gateway is what it should be (your D-Link firewall). Also check that the remote net on the client is correct.
- If you are using NAT traversal, running Diagnostic on the VPN connection will sometimes fail, but you can still establish the tunnel by right-clicking the VPN icon and picking your tunnel under Select VPN.
- Verify that lifetimes/algorithms on gateway and client match. Note: if you have not changed any lifetimes or encryption algorithms, you can skip this part.
- Make sure that you don't have two Roaming Clients configurations in your firewall's VPN configuration section, one with PSK and another with certificates; that won't work.
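The gateway and client settings above must agree with each other, and the troubleshooting list is really a checklist of the ways they can disagree. The following script is an added example, not part of the original article and not a D-Link or Clavister tool: it models the fields from the D-Link tunnel form and the Clavister connection dialog as plain data and reports every mismatch the list describes (gateway IP, remote net versus Local Net including the 0.0.0.0/0 with Any case, PSK versus certificate, lifetimes and algorithms, NAT traversal for a NATed client, and two Roaming Users tunnels with different authentication methods). All IP addresses, algorithm names and lifetimes are constructed sample values; the dataclass field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class GatewayTunnel:
    # Mirrors the D-Link DFL "Add New" VPN tunnel form described above (field names are ours)
    name: str
    local_net: str              # "192.168.1.0/24" or "0.0.0.0/0" for "all networks"
    auth_method: str            # "PSK" or "Certificate"
    tunnel_type: str            # "Roaming Users" or another tunnel type
    ike_algorithms: tuple = ("3DES", "SHA1")   # constructed sample defaults
    ike_lifetime_s: int = 28800


@dataclass
class ClientConnection:
    # Mirrors the Clavister VPN Client connection dialog (field names are ours)
    gateway_ip: str
    remote_net: str             # "192.168.1.0/24" or "Any"
    auth_key: str               # "PSK" or "Certificate"
    nat_traversal: bool         # "Pass NAT devices using" enabled
    behind_nat: bool            # client is on a NATed Internet connection
    ike_algorithms: tuple = ("3DES", "SHA1")
    ike_lifetime_s: int = 28800


def check_vpn_setup(gateway_external_ip: str, tunnels: list, tunnel_name: str,
                    client: ClientConnection) -> list:
    """Return a list of human-readable mismatches; an empty list means the settings agree."""
    problems = []
    tunnel = next(t for t in tunnels if t.name == tunnel_name)

    # 1. Client must point at the firewall's external interface
    if client.gateway_ip != gateway_external_ip:
        problems.append(f"client gateway IP {client.gateway_ip} does not match "
                        f"firewall external IP {gateway_external_ip}")

    # 2. Client remote net must equal the tunnel's Local Net ("Any" only fits 0.0.0.0/0)
    local = ipaddress.ip_network(tunnel.local_net, strict=False)
    if client.remote_net.lower() == "any":
        if local.prefixlen != 0:
            problems.append("client remote net is Any but gateway Local Net is "
                            f"{tunnel.local_net}, not 0.0.0.0/0")
    elif ipaddress.ip_network(client.remote_net, strict=False) != local:
        problems.append(f"client remote net {client.remote_net} does not match "
                        f"gateway Local Net {tunnel.local_net}")

    # 3. Both sides must use the same authentication method
    if tunnel.auth_method != client.auth_key:
        problems.append(f"gateway uses {tunnel.auth_method} but client uses {client.auth_key}")

    # 4. Lifetimes and algorithms must match (only matters if defaults were changed)
    if tunnel.ike_algorithms != client.ike_algorithms:
        problems.append(f"algorithms differ: gateway {tunnel.ike_algorithms}, "
                        f"client {client.ike_algorithms}")
    if tunnel.ike_lifetime_s != client.ike_lifetime_s:
        problems.append(f"lifetimes differ: gateway {tunnel.ike_lifetime_s}s, "
                        f"client {client.ike_lifetime_s}s")

    # 5. A NATed client needs NAT traversal enabled
    if client.behind_nat and not client.nat_traversal:
        problems.append("client is behind NAT but NAT traversal is not enabled")

    # 6. Two Roaming Users tunnels with different auth methods will not work
    roaming_auths = {t.auth_method for t in tunnels if t.tunnel_type == "Roaming Users"}
    if len(roaming_auths) > 1:
        problems.append("more than one Roaming Users tunnel with different authentication "
                        f"methods: {sorted(roaming_auths)}")
    return problems


# Constructed sample data (203.0.113.0/24 is a documentation range, not a real gateway)
GATEWAY_IP = "203.0.113.10"
TUNNELS = [GatewayTunnel("Roaming_users", "192.168.1.0/24", "PSK", "Roaming Users")]
GOOD_CLIENT = ClientConnection(GATEWAY_IP, "192.168.1.0/24", "PSK",
                               nat_traversal=True, behind_nat=True)
BAD_CLIENT = ClientConnection("203.0.113.11", "192.168.2.0/24", "PSK",
                              nat_traversal=False, behind_nat=True)

if __name__ == "__main__":
    for label, client in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        found = check_vpn_setup(GATEWAY_IP, TUNNELS, "Roaming_users", client)
        print(label, "->", found or "no mismatches")
```

Run it as-is to see the good client pass and the bad client fail on the gateway IP, the remote net and the missing NAT traversal; change the sample values to the ones from your own tunnel form and client dialog before reading the output as a real check.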