Personal tools

IPsec VPN

From UntangleWiki

Jump to: navigation, search

Image:IPsecVPN_128x128.png     IPsec VPN
Other Links:
IPsec VPN Description Page
IPsec VPN Screenshots
IPsec VPN Forums
IPsec VPN FAQs




Contents

About IPsec VPN

The IPsec VPN service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.


Settings

This section reviews the different settings and configuration options available for IPsec VPN.


IPsec Options

  • NAT Traversal: The IPsec protocol not only protects the data in a packet, it also protects the packet header which ensures the authenticity and security of all data transmitted across the tunnel. Network Address Translation (NAT) works by rewriting the source IP address to be that of the gateway, which breaks the IPsec security chain. The NAT Traversal checkbox can be used to enable a workaround that allows IPsec to encode additional information into each packet, keeping the security chain intact when the Untangle is behind a NAT device.


IPsec Tunnels

The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.


Tunnel Editor

When you create a new tunnel, or edit and existing tunnel, the tunnel editor screen will appear with the following configurable settings:


Name Description
Enable This checkbox allows you to set a tunnel to either enabled or disabled.
Description This field should contain a short name or description.
Connection Type This field allows you to set the connection type to any of the following:
  • Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.
  • Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish and IPsec connection to another host which specifically requires this mode.
  • Select Passthrough to disable IPsec processing on packets associated with the tunnel. We can't imagine a scenario where you would use this connection type. I mean seriously, if you don't allow IPsec to process the packets then you don't really have a tunnel, right? Still, the underlying protocol supports this mode, and so here we are.
  • Select Drop to cause the kernel to drop IPsec packets associated with the tunnel.
  • Select Reject to cause the kernel to reject IPsec packets associated with the tunnel.
Auto Mode This field controls how IPsec manages the corresponding tunnel when the IPsec process re-starts:
  • Select Start to have the tunnel automatically loaded, routes inserted, and connection initiated.
  • Select Add to have the tunnel load in standby mode, waiting to respond to an incoming connection request.
  • Select Ignore to have the IPsec process ignore the tunnel completely.
  • Select Route to load the tunnel and insert the routes only. This would only be used for special routing cases.
  • Select Manual to indicate the tunnel will be controlled manually. You probably don't want to select this option, since there isn't really a way to manually control IPsec tunnels on the Untangle appliance.
Interface This field allows you to select the network interface that should be associated with the IPsec tunnel on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.
External IP Use this field to configure the IP address that is associated with the IPsec VPN on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.
Remote IP This field should contain the public IP address of the host to which the IPsec VPN will be connected.
Local Network This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.
Local IP This field is used to configure the IP address of the Untangle server on the network configured in the Local Network field.
Remote Network This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.
Perfect Forward Secrecy This option causes the IPsec protocol to regenerate the encryption seed data every time the tunnel encryption keys are refreshed, increasing the overall security of the encrypted data.
Shared Secret This field should contain the shared secret or PSK (pre-shared key) that is used to authenticate the connection, and must be the same on both sides of the tunnel for the connection to be successful. Because the PSK is actually used as the encryption key for the session, using long strings of a random nature will provide the highest level of security.


Event Logs

Use the following terms and definitions to understand the Event Logs:


IPsec State

The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection, and another with details about the remote side of the connection.


IPsec Policy

The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.


IPsec Log

The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.


Related Topics

OpenVPN


IPsec VPN FAQs

What's the difference between tunnel and transport mode?

When using tunnel mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using transport mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use tunnel mode.


What devices can I connect to with Untangle's IPsec VPN?

We have currently verified that IPsec VPN can successfully connect to other Untangle boxes and pfSense. We have user-submitted settings for other devices below, but please be aware Untangle Support cannot debug tunnels between Untangle and a 3rd party device. We only support IPsec tunnels between two Untangle boxes.


If I install Untangle behind a NAT device, what do I need to forward to Untangle for IPsec VPN to connect?

You will need to forward ESP, AH, and UDP port 500 from the public IP to the Untangle server. You may also need to enable NAT traversal. It is recommended to give Untangle a public IP if you want to set up IPsec tunnels.


Can I use IPsec on a server that uses DHCP to get its external address?

It is recommended use IPsec VPN on Untangle servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.


Does IPsec tunnel traffic go through other Untangle applications?

No. Currently all traffic coming and entering an IPsec tunnel is bypassed. The other apps will not see this traffic.


How do I connect IPsec between Untangle and my IPsec Device?

IPsec should work with any compatible endpoint, but unfortunately Untangle doesn't have the resources to test against specific devices. Use the Untangle/pfSense settings below as a guide; the pfSense settings are pretty standard Phase 1/Phase 2 configurations which should have similar settings on any device. If those settings do not work against an Untangle tunnel then the devices might not be compatible.


How do I connect IPsec between Untangle and pfSense?

These settings have been verified by Untangle Support:

Untangle Settings:

  • Enable: (check if you want the tunnel up)
  • Description: (whatever you want)
  • Connection Type: Tunnel
  • Auto Mode: Start
  • Interface: (pick your interface)
  • External IP: (will be automatically set from the WAN you choose)
  • Remote IP: The WAN IP of the pfSense box
  • Local Network: The LAN of the Untangle box (eg 192.168.1.0/24)
  • Local IP: Untangle's LAN IP (eg 192.168.1.1)
  • Remote Network: The LAN of the pfSense box (eg 192.168.2.0/24)
  • PFS: Checked
  • Shared Secret: (must match the Pre-Shared Key secret on the pfSense box)


pfSense Settings:

Phase 1:

  • Disabled: (unchecked)
  • Interface: WAN
  • Remote Gateway: Untangle's WAN IP
  • Description: (whatever you want)
  • Authentication: Mutual PSK
  • Negotiation Mode: main
  • My identifier: My IP address
  • Peer identifier: Peer IP address
  • Pre-Shared Key: (must match the Shared Secret on the pfSense box)
  • Policy Generation: Default
  • Proposal: Default
  • Encryption algorithm: 3DES
  • Hash algorishm: SHA1
  • DH key group: 2
  • Lifetime: 28800
  • NAT Traversal: Enable
  • Dead Peer Detection: (checked)


Phase 2:

  • Disabled (unchecked)
  • Mode: Tunnel
  • Local Network: LAN Subnet
  • Remote Network: Network, Address: The LAN of the Untangle box (eg 192.168.1.0/24)
  • Description: (whatever you want)
  • Protocol: ESP
  • Encryption algorithm: check AES, 128 bits
  • Hash algorithm: check SHA1
  • PFS key group: 2
  • Lifetime: 28800


How can I connect IPsec from Untangle to M0n0wall?

These settings have not been verified by Untangle Support (thanks random person):

  • Local subnet : M0n0wall LAN subnet
  • Remote subnet: x.x.x.0 / xx (fill in your Remote Untangle's subnet address and netmask with .0 on the end)
  • Remote gateway: <Remote Untangle's External IP address>

Phase 1:

  • Negotiation mode : main
  • Encryption algorithm : 3DES
  • Hash algorithm : SHA1
  • DH key group : 2 = 1024 bit
  • Authentication method : Pre-shared key

Phase 2:

  • Protocol : ESP
  • Encryption algorithm : 3DES
  • Hash algorithm : SHA1
  • PFS key group : 2 = 1024 bit


How can I connect IPsec from Untangle to Cisco RV series?

These settings have not been verified by Untangle Support (thanks jcoffin):

  • Keying Mode : IKE with Preshared key
  • Phase1 DH Group : Group 2
  • Phase1 Encryption : 3DES
  • Phase1 Authentication : SHA1
  • Phase1 SA Life Time : 86400 seconds
  • Perfect Forward Secrecy : checked
  • Phase2 DH Group : Group 2
  • Phase2 Encryption : 3DES
  • Phase2 Authentication : SHA1
  • Phase2 SA Life Time 3600 seconds
  • Preshared Key : <same as on UT>
  • Advanced (all unchecked except)
    • AH Hash Algorithm  : SHA1


How can I connect IPsec from Untangle to Endian?

These settings have not been verified by Untangle Support (thanks aboyce):

  • Remote host / IP : Public IP of the Untangle server
  • Local Subnet : Endian LAN subnet
  • Remote Subnet : x.x.x.0 / xx (fill in your Remote Untangle's subnet address and netmask with .0 on the end)
  • Local ID : Public IP of the Endian server
  • Remote ID : Public IP of the Untangle server
  • Dead Peer Detection : Restart
  • Pre-shared Key : <same as on UT>
  • Advanced settings:
  • IKE encryption AES (128 bit) and 3DES
  • IKE integrity : SHA and MD5
  • IKE Group DH group 5 (1536 bits) and DH group 2 (1024 bits)
  • IKE lifetime 1 hours
  • ESP encryption AES (128 bit) and 3DES
  • ESP integrity SHA1 and MD5
  • ESP key life 8 hours
  • IKE Aggresive Mode Allowed : Off
  • Perfect Forward Secrecy (PFS) : On
  • Negotiate Payload : Off


How can I connect IPsec from Untangle to a Cisco 870 series?

These settings have not been verified by Untangle Support (thanks djoey1982):

  • On the Untangle:
  • Connection Type: Tunnel
  • Auto Mode: Start
  • Interface: External
  • External IP: (The external IP address of this server)
  • Remote IP: (The public IP address of the remote IPsec gateway)
  • Local Network: (The private network attached to the local side of the tunnel)
  • Local IP: (The IP address of this server on the local private network)
  • Remote Network: (The private network attached to the remote side of the tunnel)
  • Perfect Forward Secrecy (PFS) : unchecked
  • Shared Secret : <same as Cisco>


How can I connect IPsec from Untangle to a Watchguard Firebox X10/X20?

These settings have not been verified by Untangle Support (thanks snecklifter!)

  • Credential Method: Shared Key
  • Main Mode, IP Address

Phase 1:

  • SHA1-HMAC
  • 3DES-CBC
  • Neg expires in 0kb, 8 hours
  • DH group 2
  • Enabled DPD (Note that this is important, IKE Keep alive is proprietary and does not work)

Phase 2:

  • SHA1-HMAC
  • AES 256
  • Untick TOS for IPSEC
  • Enable PFS
  • key expiry in 128000kb, 24 hours


How can I connect IPsec from Untangle to an eSoft InstaGate?

The default InstaGate and Untangle settings can be used to create a connection.

  • Network: Local Network to Remote Network
  • Key Management: Automatic (Shared Secret)

IKE Settings (Phase 1):

  • 24 hours, 0 KB
  • Strict PFS disabled
  • Aggressive Mode disabled
  • High Security

IPSec Settings (Phase 2):

  • 1 hours, 0 KB
  • PFS Group 2 (DH)
  • High Security

How can I connect IPsec from Untangle to a Sonicwall?

Sonicwall Configuration is listed below.

General:

  • Authentication Method: IKE using Preshared Secret
  • IPsec Primary Gateway Name or Address: WAN IP on Untnagle
  • Enter Shared Secret

Network:

  • Local Networks: Choose local network from list, select predefined network.
  • Destination Networks: Choose local network from list, select predefined network.

Proposals:

IKE (Phase 1) Proposal

  • Exchange: Main Mode
  • DH Group: Group 2
  • Encryption: 3DES
  • Authentication: SHA1
  • Life Time: 28800

Ipsec (Phase 2) Proposal

  • Protocol: ESP
  • Encryption: AES-128
  • Authentication: SHA1
  • Enable Perfect Forward Secrecy: Enabled (checked)
  • DH Group: Group 2
  • Life Time: 28800

Advanced:

  • Enable Keep Alive: Enabled (checked)