Interoperability Profiles for D-Link DFL-200 / DFL-700 / DFL-1100

Last update: 2004-09-29

Overview
This document describes how to configure D-Link DFL-200 / DFL-700 / DFL-1100 firewalls to implement scenario 1, specified in Documentation Profiles for IPSec interoperability by the VPN Consortium.
Scenario 1: Gateway-to-gateway with preshared secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
10.5.6.0/24 172.23.9.0/24 | | --| |-| +-----------+ /-^-^-^-^--\ +-----------+ | |-----| Gateway A |=====| Internet |=====| Gateway B |-----| | AL+-----------+AW \--v-v-v-v-/ BW+-----------+BL | --| 10.5.6.1 14.15.16.17 22.23.24.25 172.23.9.1 |-| |
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A. The IKE Phase 1 parameters used in Scenario 1 are:
Main mode TripleDES SHA-1 MODP group 2 (1024 bits) pre-shared secret of "hr5xb84l6aa9r6" SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
TripleDES SHA-1 ESP tunnel mode MODP group 2 (1024 bits) Perfect forward secrecy for rekeying SA lifetime of 3600 seconds (one hour) with no kbytes rekeying Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
To set up Gateway A for this scenario, follow these steps:
Configuring D-Link DFL-200 / DFL-700 / DFL-1100
The default LAN address of the DFL is 192.168.1.1. Connect your PC to the LAN port and use a browser to set up the DFL. In this document Foo->Bar indicates that you first should select the Foo menu (top of the page) and then the submenu Bar (to the left).

1. First time startup

The first time you connect to the DFL you will see a setup wizard. If this not is the first time you connect to the DFL, skip this step and continue to 2 Setting up the environment. Wizard welcome page: Click Next. Wizard step 1: Enter a password (eg. admin) for the admin account, verify the password and click Next. Wizard step 2: Choose the correct time zone and click Next.
Wizard step 3: Select Static IP and click Next. Wizard step 3: Enter the following values: IP Address: 14.15.16.17 Subnet Mask: 255.255.255.0 Gateway: 14.15.16.1 Click Next. Wizard step 4: Select Disable DHCP Server and click Next. Wizard step 5: Click Next. Wizard complete: Click Restart and wait for the DFL to restart. Log in using the password you choose in the wizard step 1 (eg user: admin, password: admin).
2. Setting up the environment
Go to System->Interfaces. Edit LAN: IP Address: 10.5.6.1 Subnet Mask: 255.255.255.0 Click Apply Edit WAN: Select WAN type Static and click Apply Change. IP Address: 14.15.16.17 Subnet Mask: 255.255.255.0 Gateway IP: 14.15.16.1 Click Apply
Go to Firewall->VPN. Click Add new: Name: Local net:

VPNC 10.5.6.0/24

Select PSK Pre-shared key PSK: hr5xb84l6aa9r6 Retype PSK: hr5xb84l6aa9r6 Select LAN-to-LAN tunnel Remote Net: 172.23.9.0/24 Remote Gateway: 22.23.24.25 Click Apply In the list of VPN tunnels, click Edit on the tunnel you just created.

Click Advanced (near bottom of page). Change the following settings: Check the PFS: Enable Perfect Forward Secrecy option. Change the NAT Traversal setting to disabled. Change the first proposal in the IKE Proposal List to 3DES, SHA-1 and 28800 seconds.
Change the first proposal in the IPsec Proposal List to 3DES, SHA-1 and 3600 seconds.

Click Apply

Now everything is set up and we can activate the changes.
Click Activate (to the left on the bottom of the page).
Click Activate Changes to save your new setup and wait for the DFL to restart. If you dont login within the set time (default setting is one minute) the unit will revert to its previous configuration. After you successfully reconnected to the unit you will see the following text: The configuration was successfully finalized.

3. Status

View interface status
To view the status and IP addresses of the interfaces, go to Status->Interface and click on the interface name (LAN, WAN or DMZ).

View VPN status

To view the status of the VPN tunnel, go to Status->VPN. If you have more than one tunnel, you first have to click on the name of the tunnel to see its status.
View status of connections
To view the status of the current connections, go to Status->Connections. If you only want to see connections to/from a particular IP address or to/from a particular interface, enter an IP address in the source or destination field or/and select a source or destination interface from the dropdown boxes. Then click apply. You can, for example, select the VPN tunnel interface as the destination interface to only see connections from your network through the tunnel.

VPN Configuration Guide

D-Link DFL-200

Revision 1.0.0

equinux AG and equinux USA, Inc. 2007 equinux USA, Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of equinux AG or equinux USA, Inc. Your rights to the software are governed by the accompanying software license agreement. The equinux logo is a trademark of equinux AG and equinux USA, Inc., registered in the U.S. and other countries. Every effort has been made to ensure that the information in this manual is accurate. equinux is not responsible for printing or clerical errors. Created using Apple Pages. www.equinux.com Apple, the Apple logo, iBook, Mac, Mac OS, MacBook, PowerBook are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Finder and Mail are trademarks of Apple Computer, Inc. AppleCare is a service mark of Apple Computer, Inc., registered in the U.S. and other countries. FileMaker is a trademark of FileMaker, Inc. equinux shall have absolutely no liability for any direct or indirect, special or other consequential damages in connection with the use of the quick setup guide or any change to the router generally, including without limitation, any lost profits, business, or data, even if equinux has been advised of the possibility of such damages.
Introduction... 5 Prerequisites...6 Scenario... 7 Task 1 Configure your D-Link DFL-200. 9
Step 1 - Add a New VPN Tunnel... 10 Step 2 - Configure your VPN Tunnel...11 Step 3 - Activate the VPN Tunnel... 13 Step 4 - Add a New VPN User...14 Step 5 - Activate the User... 16
Acquire more Licenses.. 33
Task 2 Configure VPN Tracker.. 17
Step 1 - Create a new Connection... 17 Step 3 - Network Settings... 19 Step 4 - Authentication Settings... 20 Step 5 - Identifiers Settings... 21
Task 3 - Check the VPN connection. 22
Its time to go out!...22 Test your connection.... 22
Troubleshooting.. 25 Whats next?.. 26
Introduction.... 26 Known Limitations.... 26 Accessing Files.... 27 Accessing a FileMaker Database... 29

Introduction

This document describes how VPN Tracker can be used to establish a connection between a Macintosh running Mac OS X and a D-Link DFL-200 router. The D-Link gateway is configured as a router connecting a company LAN to the Internet. This paper is only a supplement to, not a replacement for, the instructions that have been included with your D-Link DFL-200. Please be sure to read those instructions and understand them before starting.
EQUINUX SHALL HAVE ABSOLUTELY NO LIABILITY FOR ANY DIRECT OR INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE USE OF THE HOW-TO OR ANY CHANGE TO THE ROUTER GENERALLY, INCLUDING WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS, OR DATA, EVEN IF EQUINUX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Prerequisites

First you have to make sure to use a recent D-Link DFL-200 firmware version. The latest release for your D-Link firewall can be obtained from http://www.d-link.com/ For this document, firmware version 1.34.00 has been used. Please note: VPN Tracker has been only been tested with the D-Link DFL-200 and the above firmware version. You will need one VPN Tracker Personal Edition license for each Mac connecting to the DFL-200. We recommend one VPN Tracker Professional Edition for the administrators Mac in order to export configuration files to the clients. VPN Tracker is compatible with Mac OS X version 10.2.5+, 10.3 and 10.4.1+

Scenario

In our example, we need to connect an employee's Mac Book in San Francisco to an office in New York. The following diagram illustrates this scenario:
The MacBook is directly connected to the Internet and has a public IP address, assigned by an ISP. The office's VPN gateway is also connected to the Internet and can be accessed via an static IP address. The VPN gateway also has a second interface which is connected to the internal office network. In our example, the office network has the IP range 192.168.13.0/24. A VPN tunnel will be established between the public interfaces in San Francisco and New York. Once the VPN tunnel is up, San Francisco can access the office network behind the VPN gateway.
Please note that the connection from a MacBook at home to an office network is just one possible scenario. The instructions also apply to connections from a desktop computer or notebook in your office to a VPN gateway at home or at another office. Please adapt the term "office network", which is used throughout this manual, to your scenario.
Task 1 Configure your D-Link DFL-200
This section describes the configuration of your D-Link DFL-200 router.
TIP When setting up a VPN, youll have to handle a couple of parameters. Those parameters are marked with red dots with little numbers in it. Throughout the setup we will point back to those parameters.
Step 1 - Add a New VPN Tunnel
Connect to your DFL-200 and open the Firewall settings. Select the VPN settings Click Add new to create a new VPN tunnel
Step 2 - Configure your VPN Tunnel
Go to the Firewall tab of the firewalls setup interface and select VPN. Name: Enter a unique name for your VPN tunnel Local Net: Enter the IP address of your office network PSK - Pre-Shared Key: Enter your desired password (pre-share key) (e.g. secretkey) Scroll down for further options (instructions continue on next page)

"

Tunnel type: Select Roaming Users and check the IKE XAuth checkbox. Click Apply
Step 3 - Activate the VPN Tunnel
Select Activate from the left menu Click Activate Changes to restart your device and store your settings
Step 4 - Add a New VPN User
Select Users from the left menu Click Add new, to add a new user to the local authentication database
Enter a unique user name Apply your settings

and password

! "
Step 5 - Activate the User
Select Activate Click Activate Changes to restart your device and store your settings
Task 2 Configure VPN Tracker
This section describes the configuration of VPN Tracker for your D-Link router.
Step 1 - Create a new Connection
Click on New in the VPN Tracker main window.

Step 2 - Connection Settings
Select the vendor (D-Link) Select your VPN router model (DFL-200) Make sure to enable Initiate connection from this end
The pre-defined VPN Tracker connection for the D-Link DFL-200 VPN router is based on the default settings for your D-Link DFL-200 VPN router. If you or the administrator changed any of the settings while configuring the device, you might have to adjust the connection type in VPN Tracker by double-clicking the model.
Step 3 - Network Settings
VPN Server Address: public IP address of your VPN Gateway (e.g. 169.154.19.12) Remote Network/Mask: network address and netmask of your office network
Step 4 - Authentication Settings
Pre-shared key: Enter the pre-shared key you used earlier when configuring the D-Link DFL-200
Make sure to check Enable Extended Authentication (XAUTH)
Step 5 - Identifiers Settings
Please use the local / remote endpoint IP addresses as identifiers
Task 3 - Check the VPN connection
This section explains how to start and test your VPN connection.

Its time to go out!

You will not be able to test and use your VPN connection from within your office network. In order to test your connection, you'll need to connect from a different location. Thats why its now time to go out. Take your MacBook Pro and have a coffee at your favorite Internet cafe or go visit a friend.

Test your connection

To test if everything is setup correctly please follow the steps below: Get access to the Internet Make sure the Internet connection is working; open your Internet browser and try to connect to http://www.equinux.com Start VPN Tracker if its not already running
Select the connection you configured for your DLink device Hit the Start VPN button
Provide the username earlier Click OK

defined

If the light turns red after a few seconds, then please read the Troubleshooting section on the next page If the light turns green, that means youve successfully established a connection
Congratulations! You did it!

Troubleshooting

I dont get a green light in the VPN Tracker main window
Make sure that your computer is not connected directly to the office network you want to connect to. Make sure, that the Identifier and the Pre-shared key you've entered in the router configuration match the settings you entered in VPN Tracker. Verify that the public IP address you entered in VPN Tracker matches the public IP address of your router. Download our sample configuration and connect to our test device at http://www.vpntracker.com/connectiontest/ If the test connection cannot be established: Make sure, that the internet connection is working and verify that your local router is not blocking any connection attempts. If the test connection is established successfully: Your internet connection is working and does not block VPN connections. Please check the log file of your D-Link DFL-200 for error messages. If youre still having issues with your connection, please create some screenshots of your settings on both ends, gather the log files and send them over to our support team via http://www.equinux.com/us/products/vpntracker/contactus.html.

Whats next?

This section explains how to use your VPN connection.
As the VPN connection has now been established, you should be able to access most of the resources in your office network.

Known Limitations

There are some limitations of a VPN connection compared to a direct connection to a office network. Bonjour: As Bonjour Chat is not supported over a VPN tunnel, youll need to use iChat server in order to chat remotely. Browsing the network: You cant browse the remote network as youre normally used to. You need to connect to each machine manually, as described on the next page.

Accessing Files

To access files in your office network, just follow the steps below: Go to the Finder application In the menu bar, click on Go->Connect To Server.
Enter the IP address of the machine you want to connect to. In our example network this would be the IP address 192.168.13.21 Click on the Connect button Enter your Username and Password to access the files
When connecting to a Windows fileserver, youll need to prefix the IP address with smb:// e.g. smb://192.168.13.21 ,.
Accessing a FileMaker Database
To access a database available in your office network, just follow the steps below: Start the FileMaker application In the menu bar, click on File->Open Remote.

Click on the Add. button

Enter the IP address of the FileMaker server machine Enter a hostname for this machine (optional) Click on the Save button
Select a database from the list of Available Files and click Open You are now able to access your FileMaker databases as usual

Acquire more Licenses

If two or more people need to access your office network via VPN, then you need to acquire more VPN Tracker licenses.
To get more licenses, please contact your reseller and inquire about VPN Tracker Personal Edition. Or point your browser to http://store.equinux.com and buy additional VPN Tracker Personal Edition Licenses online.