IPSec - Peers/connections

This unit can simultaneously be connected to several peer security gateways (VPN servers or clients). Towards each peer several "connections" for different networks or types of traffic can be configured.
The peer configuration corresponds to settings for the IKE protocol (Internet Key Exchange) and the connections constitute the SPD (Security Policy Database).

This page shows essential summary information regarding each peer. For detailed configuration and more options click the corresponding button.

Add more VPN peers - press this button to create a new, empty VPN peer. Configure the peer and add connections to it before usage.


NOTE! Press "Save" after your settings!



VPN peer - the VPN endpoint (VPN "server"/"client"). Towards each peer several connections for different networks or types of traffic can be configured.
Name/comment - descriptive note used for easier future references.
Remote gateway IP address - global IP address of peer to connect to, or "0.0.0.0" to allow connection from any address.
Remove this peer - click button to delete the peer and all connections associated with it.
ID:s and key settings - click button to open page for more in-detail peer configuration.


Connections:
Enable - remove mark to temporarily disable a connection without deleting it.
Local network IP address - IP and mask describing the network behind this unit that should be accessible using VPN. E.g. IP 192.168.0.1, mask 255.255.255.0 allows the network connected to ET2 to be accessible. "0.0.0.0"/"0.0.0.0" means "any network".
Remote network IP address - IP and mask describing the network behind the peer at the other end of the VPN connection, i.e. the LAN you want to reach. "0.0.0.0"/"0.0.0.0" means "any network".
Comment - descriptive note used for easier future references.
Order - When packets arrive, the packet selector of the connection with the lowest order number (among all peers) is checked first, then the second lowest, and so on until a match is found.
The processing is applied only to the first matching connection.
If no connection matches, the packet is sent to the firewall for normal processing (if a VPN pass-through has been configured, the firewall will let it through).

To enter more rows than available click Save, and new empty rows will be added.



NOTE! Press "Save" after your settings!


VPN peer settings

Name/comment - descriptive note used for easier future references.

Local (this) gateway - The way this gateway identifies itself towards the remote peer.
Id type - This gateway can identify itself either by its IP address or by some field of its certificate. Domain name, E-mail (user DN) and ASN.1 Dist. name are different fields of a certificate. The selected ID type must correspond to what the peer expects to see. ASN.1 Distinguished name is the most common when using certificates, IP address otherwise.
Certificate - If certificates shall be used for identification, select the one to be used from the list of available self signed certificates. Only certificates generated on this gateway can be used.
Id if no certificate - If "none" was selected as certificate, enter the ID here instead. If "IP address" was selected as ID type enter a global IP address, or leave this field empty to automatically use your unit's own global IP address.


Remote gateway
IP Address - global IP address of peer to connect to, or "0.0.0.0" to allow connection from any address.
Identities - Up to 10 identities to be accepted from the remote gateway can be specified. At least one must be specified.
Id type - The way the remote gateway is expected to identify itself: its IP address or a field of its certificate.
Certificate - If certificates shall be used for identification, select the one to be used from the list of available imported certificates.
Id if no certificate - If "none" was selected as certificate, enter the ID here instead. If "IP address" was selected as ID type enter the global IP address of the remote gateway, or leave this field empty to accept all IP addresses.


Key exchange (IKE)
In IPSec, data is encrypted using the algorithms specified under connections. The keys for those algorithms are generated using random generators and transferred using the encryption specified here.
Up to three alternative ways of establishing the connection and encrypting the keys can be specified.
Act as:
Initiator = VPN client: this unit shall initiate VPN connection as soon as power is turned on, or manually.
Responder = VPN server: this unit shall listen and wait for remote peers to connect to it.
Initiator and responder = both: this unit tries to initiate a VPN connection to the remote peer, but also answers if that remote peer happens to initiate a connection first.

IKE phase 1 mode - During the initial security association establishment, one can select between Main mode (a little more secure, but requires two more message exchanges) and Aggressive mode (a little less secure but faster; the identities are not protected).

Authentication:
Mode - RSA or DSS signatures are used with certificates, pre-shared key otherwise. RSA is considered to be safer than DSS. "none" means the whole preference line is ignored (not used).
Algorithm - Algorithm used to hash the authentication information. Though SHA1 is considered safer, MD5 is more commonly used.
DH group - The Diffie-Hellman group to be used for this preference. The choices available are listed in increasing security but decreasing performance order in the dropdown list.

Encryption Algorithm - Algorithm used to encrypt the exchange of the randomly generated encryption keys to be used in the connections for data-traffic. The choices available are listed in increasing security but decreasing performance order in the dropdown list.

Life time - A new IKE key exchange is performed after the specified time has passed or the specified kilobytes of data has been transferred, whichever occurs first.

Pre-shared key - if "Pre-shared key" was selected as Authentication Mode: at least 16, preferably random, characters known to nobody but you and the remote gateway.
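The three preference lines above, the "none" rule for ignoring a line, and the "time or kilobytes, whichever occurs first" life time can be modelled in a few lines. The following is an added example and not the unit's own IKE implementation; the names IkePreference, negotiate and needs_rekey are hypothetical, and it assumes that the responder walks the initiator's lines in the initiator's order and accepts the first one it also lists, with the shorter of the two sides' life time values winning.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Added example: a simplified model of how the up-to-three IKE preference lines
# on this page are used. It is not the gateway's own IKE code. Modelling
# assumptions: the responder accepts the first initiator line it also lists,
# and the negotiated life time is the shorter of the two sides' values.


@dataclass(frozen=True)
class IkePreference:
    auth_mode: str      # "rsa", "dss", "psk" or "none" ("none" = line ignored)
    hash_alg: str       # "sha1" or "md5"
    dh_group: int       # Diffie-Hellman group number
    encryption: str     # algorithm protecting the key exchange itself
    life_seconds: int   # re-key after this many seconds ...
    life_kbytes: int    # ... or this many kilobytes, whichever comes first

    def algorithms(self):
        return (self.auth_mode, self.hash_alg, self.dh_group, self.encryption)


def active_lines(prefs: List[IkePreference]) -> List[IkePreference]:
    """Lines whose authentication mode is "none" are ignored, as the page states."""
    if len(prefs) > 3:
        raise ValueError("the page allows at most three preference lines")
    return [p for p in prefs if p.auth_mode != "none"]


def negotiate(initiator: List[IkePreference],
              responder: List[IkePreference]) -> Optional[IkePreference]:
    """Return the agreed preference, or None when no line is shared by both sides."""
    accepted = {p.algorithms(): p for p in active_lines(responder)}
    for offered in active_lines(initiator):
        match = accepted.get(offered.algorithms())
        if match is not None:
            return replace(offered,
                           life_seconds=min(offered.life_seconds, match.life_seconds),
                           life_kbytes=min(offered.life_kbytes, match.life_kbytes))
    return None


def needs_rekey(agreed: IkePreference, elapsed_seconds: int, transferred_kbytes: int) -> bool:
    """A new key exchange is due when either limit is reached, whichever occurs first."""
    return (elapsed_seconds >= agreed.life_seconds
            or transferred_kbytes >= agreed.life_kbytes)


# Constructed sample: the initiator prefers a pre-shared-key line the responder
# does not offer, leaves its second line unused ("none"), and falls back to
# RSA signatures with SHA1 and a stronger DH group.
INITIATOR = [
    IkePreference("psk", "md5", 2, "3des", 28800, 100000),
    IkePreference("none", "md5", 2, "3des", 28800, 100000),
    IkePreference("rsa", "sha1", 14, "aes128", 28800, 100000),
]
RESPONDER = [
    IkePreference("rsa", "sha1", 14, "aes128", 3600, 200000),
    IkePreference("psk", "sha1", 5, "aes128", 3600, 200000),
]


if __name__ == "__main__":
    agreed = negotiate(INITIATOR, RESPONDER)
    print("agreed:", agreed)
    print("rekey after 1000 s / 10 kB:", needs_rekey(agreed, 1000, 10))
    print("rekey after 3600 s / 10 kB:", needs_rekey(agreed, 3600, 10))
```

The sample shows why the order of the lines matters: the initiator's first line is never used because the responder has no matching pre-shared-key line, and a mismatch on the hash or DH group of an otherwise identical line is enough to make that line fail, which is the usual cause of a phase 1 that never completes.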



NOTE! Press "Save" after your settings!

Copy - Copy current settings into a temporary clipboard memory.
Paste - Retrieve settings previously copied into the temporary clipboard memory.


VPN connection settings

Name/comment - descriptive note used for easier future references.

Enable this connection - remove mark to temporarily disable a connection without deleting it.
Processing:
Apply IPSec - packets matching the packet selectors shall be processed according to the security algorithms. This is the preferred choice in almost all cases.
Bypass - packets matching the packet selectors shall not be processed by IPSec, but forwarded through the firewall.
Discard - packets matching the packet selectors shall be dropped (silently deleted).

Order - When packets arrive, the packet selector of the connection with the lowest order number (among all peers) is checked first, then the second lowest, and so on until a match is found.
The processing is applied only to the first matching connection.
If no connection matches, the packet is sent to the firewall for normal processing (if a VPN pass-through has been configured, the firewall will let it through).


Packet selectors
Received IP packet protocol, source and destination addresses and ports are matched against these selectors, and if all of them match, the selected processing is applied.
Usually both protocol and port settings are set to "Any" to match all packets.
To enter several different packet filters, create several connections on the peers/connections page and configure one set of packet selectors for each.
Protocol - The packet's protocol. "Any" matches all protocols and is the usual choice. To specify a particular protocol, select it from the list, or select "Other" and enter the protocol number into the field to the right.
Local network - IP and mask describing the network behind this unit that should be accessible using VPN. E.g. IP 192.168.0.1, mask 255.255.255.0 allows the network connected to ET2 to be accessible. "0.0.0.0"/"0.0.0.0" means "any network".
Remote network - IP and mask describing the network behind the peer at the other end of the VPN connection, i.e. the LAN you want to reach. "0.0.0.0"/"0.0.0.0" means "any network".
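Taken together, the Processing choice, the Order field and the packet selectors above form the unit's security policy database: the ordered table is walked from the lowest order number across all peers, the first row whose selectors all match decides Apply/Bypass/Discard, and a packet matching no row goes to the firewall. The following is an added example that models that lookup; it is not the gateway's firmware, the names Connection, parse_net and lookup are hypothetical, the table contents are constructed, and it assumes an outbound packet whose source is matched against the local network and whose destination is matched against the remote network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a simplified model of the unit's ordered connection table
# (packet selectors + processing + order). Not the gateway's own code;
# field names follow the labels used on the help page.


def parse_net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the page's "IP + mask" notation.

    "0.0.0.0"/"0.0.0.0" means "any network"; strict=False lets a host
    address such as 192.168.0.1 stand for its /24, as the page's example does.
    """
    return ipaddress.IPv4Network((ip, mask), strict=False)


@dataclass
class Connection:
    peer: str                 # which VPN peer the connection belongs to
    order: int                # lower numbers are checked first, across all peers
    enabled: bool             # rows with "Enable" unchecked are skipped
    processing: str           # "apply", "bypass" or "discard"
    protocol: Optional[int]   # IP protocol number, None means "Any"
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    comment: str = ""


def selector_matches(conn: Connection, proto: int, src: str, dst: str) -> bool:
    """All selector fields must match; a disabled connection never matches.

    Modelling assumption: the packet is leaving the local LAN, so its source
    is checked against the local network and its destination against the
    remote network.
    """
    if not conn.enabled:
        return False
    if conn.protocol is not None and conn.protocol != proto:
        return False
    return (ipaddress.IPv4Address(src) in conn.local_net
            and ipaddress.IPv4Address(dst) in conn.remote_net)


def lookup(table: List[Connection], proto: int, src: str, dst: str
           ) -> Tuple[str, Optional[Connection]]:
    """First-match lookup: lowest order number first, over every peer's rows.

    Returns the processing to apply and the matching row, or ("firewall", None)
    when no selector matches and the packet goes to normal firewall handling.
    """
    for conn in sorted(table, key=lambda c: c.order):
        if selector_matches(conn, proto, src, dst):
            return conn.processing, conn
    return "firewall", None


# Constructed sample table with two peers; the order numbers interleave on purpose.
SAMPLE_TABLE = [
    Connection("branch-a", 5, False, "discard", None,
               parse_net("192.168.0.1", "255.255.255.0"), parse_net("10.0.0.0", "255.255.255.0"),
               "disabled row, must be skipped"),
    Connection("branch-a", 10, True, "apply", None,
               parse_net("192.168.0.1", "255.255.255.0"), parse_net("10.0.0.0", "255.255.255.0"),
               "LAN on ET2 to the branch LAN"),
    Connection("hq", 20, True, "bypass", 17,
               parse_net("0.0.0.0", "0.0.0.0"), parse_net("172.16.0.0", "255.255.0.0"),
               "UDP to HQ is forwarded in the clear through the firewall"),
    Connection("hq", 30, True, "apply", None,
               parse_net("0.0.0.0", "0.0.0.0"), parse_net("172.16.0.0", "255.255.0.0"),
               "everything else to HQ is protected"),
]


if __name__ == "__main__":
    for proto, src, dst in [(6, "192.168.0.5", "10.0.0.7"),
                            (17, "192.168.0.5", "172.16.1.1"),
                            (6, "192.168.0.5", "172.16.1.1"),
                            (6, "192.168.0.5", "203.0.113.9")]:
        action, row = lookup(SAMPLE_TABLE, proto, src, dst)
        print(proto, src, "->", dst, ":", action, "" if row is None else f"(order {row.order})")
```

Two points worth checking against your own table with this kind of walk-through: a Bypass or Discard row with "any"/"any" selectors and a low order number shadows every Apply row after it, and a disabled row is skipped entirely rather than acting as a Discard, so traffic it used to protect falls through to later rows or to the firewall.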


Security algorithms
Up to three algorithm sets can be specified. If "none" is specified for all three algorithms, that preference line is ignored (not used).
Authentication - (optional but recommended) can use the AH (Authentication Header) and/or ESP (Encapsulating Security Payload) protocol.
Most applications use ESP authentication, but other combinations may be applicable for security or performance reasons. Though SHA1 is considered safer, MD5 is more commonly used.
Encryption - (optional but recommended) always uses the ESP protocol. The choices available are listed in increasing security but decreasing performance order in the dropdown list.
Life time - A new key exchange is performed after the specified time has passed or the specified kilobytes of data have been transferred, whichever occurs first.
PFS (Perfect Forward Secrecy) - A way to enhance security. If PFS is enabled, the IKE security will create new keys (Diffie-Hellman method) when the IPSec life time expires and a new Security Association is negotiated.
This setting must exactly match the one of the remote peer.



NOTE! Press "Save" after your settings!

Copy - Copy current settings into a temporary clipboard memory.
Paste - Retrieve settings previously copied into the temporary clipboard memory.