
IPsec VPN

From UntangleWiki


Other Links:
IPsec VPN Description Page
IPsec VPN Screenshots
IPsec VPN Forums
IPsec VPN FAQs




About IPsec VPN

The IPsec VPN service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Settings

This section reviews the different settings and configuration options available for IPsec VPN.

Status

The Status tab shows the status of the different components of the IPsec application.

  • Enabled IPsec Tunnels
This section shows a list of all IPsec tunnels that have been created and enabled. For tunnels that are active, the status will display the connection details reported by the IPsec subsystem. For inactive tunnels, the configuration information will be displayed.
  • Active L2TP Sessions
This section shows a list of all active L2TP connections. In addition to the connection details, there is a Disconnect column that can be used to forcefully disconnect an active session. Please note that there is no confirmation when you click the Disconnect icon. The corresponding session will be immediately terminated.

IPsec Options

  • NAT Traversal
IPsec protects more than the packet payload: AH authenticates the IP header itself, and ESP (the protocol these tunnels use) carries no port numbers that a NAT device could translate. Network Address Translation rewrites the source IP address (and, for TCP and UDP, the port) to that of the gateway, which invalidates the AH integrity check and leaves ESP with nothing a NAT can map back to the inside host, so the tunnel cannot pass through a NAT unaided. The NAT Traversal checkbox enables the standard workaround (NAT-T): IKE detects the NAT during negotiation and the ESP packets are then encapsulated in UDP on port 4500, which the NAT can translate like any other UDP flow while the authenticated inner packet arrives intact. Enable it when the Untangle is behind a NAT device, and make sure UDP 4500 is forwarded to it in addition to UDP 500.

IPsec Tunnels

The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.

  • Tunnel Editor
When you create a new tunnel, or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:
Name Description
Enable This checkbox allows you to set a tunnel to either enabled or disabled.
Description This field should contain a short name or description.
Connection Type This field allows you to set the connection type to any of the following:
  • Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.
  • Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish an IPsec connection to another host which specifically requires this mode.
Auto Mode This field controls how IPsec manages the corresponding tunnel when the IPsec process re-starts:
  • Select Start to have the tunnel automatically loaded, routes inserted, and connection initiated.
  • Select Add to have the tunnel load in standby mode, waiting to respond to an incoming connection request.
Interface This field allows you to select the network interface on the Untangle server that the IPsec tunnel should be associated with. When you select a valid interface, the External IP field (see below) is automatically filled with that interface's address. If you want to use an address that is not currently assigned to an interface, set the Interface to Custom and enter the address manually in the External IP field.
External IP Use this field to configure the IP address on the Untangle server that the IPsec VPN uses as its own endpoint. Normally this field is read-only and is populated from the Interface selected above. If you select Custom as the interface, you can enter the address manually.
Remote Host This field should contain the public IP address or DNS name of the host to which the IPsec VPN will be connected.
Local Network This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.
Local IP This field is used to configure the IP address of the Untangle server on the network configured in the Local Network field.
Remote Network This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.
Perfect Forward Secrecy With this option enabled, every Phase 2 rekey performs a fresh Diffie-Hellman exchange instead of deriving the new IPsec keys from the Phase 1 keying material, so an attacker who later recovers one set of keys (or the shared secret) cannot decrypt previously captured tunnel traffic. Both ends must agree on whether PFS is used and on the DH group, or Phase 2 will fail to negotiate.
SA Lifetime This field sets the lifetime for the Phase 1 encryption keys. The default of 28800 seconds is reasonable and fairly standard in the industry. The two ends do not have to configure identical lifetimes; whichever side expires first initiates the rekey.
IKE Lifetime This field sets the lifetime for the Phase 2 encryption keys. The default of 3600 seconds is reasonable and fairly standard in the industry.
Shared Secret This field should contain the shared secret or PSK (pre-shared key) used to authenticate the two ends of the tunnel; it must be identical on both sides or Phase 1 will fail. The PSK is not itself the session encryption key (those are derived from the Diffie-Hellman exchange), but it is the only thing that proves the peer's identity, and an attacker who captures an aggressive-mode exchange, or who can pose as the peer in main mode, can test PSK guesses offline. Use a long random string rather than a word or phrase.
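The fields above map fairly directly onto an ipsec.conf `conn` section plus an ipsec.secrets entry. The script below is an added example, not Untangle's own code: it takes the tunnel editor fields (filled with constructed TEST-NET addresses), checks them for the mistakes that most often keep a tunnel down (overlapping Local and Remote Networks, a Local IP outside the Local Network, a weak shared secret), generates a random PSK, and renders the equivalent *swan configuration. The directive names (`leftsubnet`, `leftsourceip`, `ikelifetime`, `keylife`) follow Openswan/strongSwan ipsec.conf conventions; that mapping and the minimum PSK length are assumptions of the example.

```python
import ipaddress
import secrets
import string

# Tunnel editor fields, filled with constructed values (TEST-NET addresses).
TUNNEL = {
    "description": "hq-to-branch",
    "connection_type": "tunnel",      # Connection Type: tunnel or transport
    "auto_mode": "start",             # Auto Mode: start or add
    "external_ip": "203.0.113.10",    # External IP of this server
    "remote_host": "198.51.100.20",   # Remote Host (public IP of the peer)
    "local_network": "192.168.1.0/24",
    "local_ip": "192.168.1.1",
    "remote_network": "192.168.2.0/24",
    "pfs": True,
    "sa_lifetime": 28800,             # SA Lifetime field, page default
    "ike_lifetime": 3600,             # IKE Lifetime field, page default
}

MIN_PSK_LENGTH = 32   # assumption of this example, not an Untangle requirement


def generate_psk(length=48):
    """Random shared secret from the OS CSPRNG; letters and digits only so
    every vendor UI in the interop notes below accepts it unchanged."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(psk):
    """Return problems with a shared secret. The PSK only authenticates the
    peers, but a guessable one lets an attacker who can pose as the peer test
    candidates offline, so length and randomness are what matter."""
    problems = []
    if len(psk) < MIN_PSK_LENGTH:
        problems.append(f"PSK is shorter than {MIN_PSK_LENGTH} characters")
    if len(set(psk)) < 12:
        problems.append("PSK uses too few distinct characters to be random")
    if '"' in psk:
        problems.append("PSK contains a double quote, which breaks ipsec.secrets quoting")
    return problems


def validate_tunnel(t):
    """Return configuration problems; an empty list means the fields are consistent."""
    problems = []
    if t["connection_type"] not in ("tunnel", "transport"):
        problems.append("Connection Type must be tunnel or transport")
    if t["auto_mode"] not in ("start", "add"):
        problems.append("Auto Mode must be start or add")
    if t["sa_lifetime"] <= 0 or t["ike_lifetime"] <= 0:
        problems.append("lifetimes must be positive seconds")
    if t["connection_type"] == "tunnel":
        try:
            local = ipaddress.ip_network(t["local_network"])    # strict: host bits must be zero
            remote = ipaddress.ip_network(t["remote_network"])
        except ValueError as err:
            return problems + [f"bad network: {err}"]
        if local.overlaps(remote):
            problems.append("Local Network and Remote Network overlap; nothing can be routed")
        if ipaddress.ip_address(t["local_ip"]) not in local:
            problems.append("Local IP is not inside Local Network")
    return problems


def render_ipsec_conf(t):
    """ipsec.conf conn section for the tunnel (Openswan/strongSwan directive names)."""
    lines = [
        f"conn {t['description']}",
        f"    type={t['connection_type']}",
        f"    auto={t['auto_mode']}",
        "    authby=secret",                 # PSK authentication
        f"    left={t['external_ip']}",
        f"    right={t['remote_host']}",
    ]
    if t["connection_type"] == "tunnel":    # transport mode carries no subnets
        lines += [
            f"    leftsubnet={t['local_network']}",
            f"    leftsourceip={t['local_ip']}",
            f"    rightsubnet={t['remote_network']}",
        ]
    lines += [
        f"    pfs={'yes' if t['pfs'] else 'no'}",
        f"    ikelifetime={t['ike_lifetime']}s",
        f"    keylife={t['sa_lifetime']}s",
    ]
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(t, psk):
    """ipsec.secrets entry keyed on the two endpoint addresses; refuses a weak PSK."""
    problems = check_psk(psk)
    if problems:
        raise ValueError("refusing to write a weak or malformed PSK: " + "; ".join(problems))
    return f'{t["external_ip"]} {t["remote_host"]} : PSK "{psk}"\n'


if __name__ == "__main__":
    problems = validate_tunnel(TUNNEL)
    if problems:
        raise SystemExit("\n".join(problems))
    psk = generate_psk()
    print(render_ipsec_conf(TUNNEL))
    print(render_ipsec_secrets(TUNNEL, psk))
```

Run the script and paste the `conn` section into ipsec.conf and the secrets line into ipsec.secrets on the *swan side of a test setup; if Remote Host is a DNS name rather than an address, put the resolved IP (or `%any`) in the secrets index instead.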

L2TP Options

The L2TP Options tab allows you to enable and configure the L2TP server.

  • Enable L2TP Server
Use this checkbox to enable or disable the L2TP server.
  • Address Pool
This field configures the pool of IP addresses that will be assigned to L2TP clients while they are connected to the server. The default, 198.18.0.0/16, lies in the 198.18.0.0/15 block that RFC 2544 reserves for network benchmarking and testing. It is not one of the RFC 1918 private blocks, so it was chosen because it is far less likely to conflict with address ranges already in use on your network or on a remote client's own LAN; if it does conflict, change the pool here.
  • IPsec Secret
This is the shared secret that will be used between the client and server to establish the IPsec channel that will secure all L2TP communications.
  • Configure Local Directory
In addition to the IPsec Secret configured above, L2TP clients will also need to authenticate with a username and password. These credentials can be created and managed by clicking the Configure Local Directory button.
  • Server Listen Addresses
This list is used to configure one or more of your server IP addresses to listen for inbound L2TP connection requests from remote clients. Clicking the add button will display a pop-up list of all WAN interfaces available on your server. Addresses that have already been added to the list will appear grayed. If for some reason you need to add a non-WAN address, you can select Manual Address Input to create the listen address manually.

L2TP Events

The L2TP Events page displays details about L2TP client sessions. Entries are created when users connect, and will initially show only the information that is available while the connection is active, such as the username and IP address assigned. When the session terminates, the event will be updated with additional details, including the elapsed connect time and number of bytes sent and received. These values are presented from the perspective of the client, thus the RX Bytes column represents the number of bytes the client received, and TX Bytes shows the number of bytes the client transmitted.

Event Logs

Use the following terms and definitions to understand the Event Logs:


IPsec State

The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection, and another with details about the remote side of the connection.


IPsec Policy

The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.


IPsec Log

The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.


Related Topics

OpenVPN


IPsec VPN FAQs

What's the difference between tunnel and transport mode?

In tunnel mode the entire original IP packet, header included, becomes the payload of a new IP packet addressed between the two IPsec gateways, so hosts on either LAN can talk through the tunnel, and the gateway's policies decide which packets are allowed into it. In transport mode only the data above the IP header is protected; the original IP header stays in place, so it only secures traffic between the two IPsec endpoints themselves. Unless you have very specific needs, you'll most likely want to use tunnel mode.


What devices can I connect to with Untangle's IPsec VPN?

We have currently verified that IPsec VPN can successfully connect to other Untangle boxes and pfSense. We have user-submitted settings for other devices below, but please be aware Untangle Support cannot debug tunnels between Untangle and a 3rd party device. We only support IPsec tunnels between two Untangle boxes.


If I install Untangle behind a NAT device, what do I need to forward to Untangle for IPsec VPN to connect?

You will need to forward ESP (IP protocol 50), AH (IP protocol 51) and UDP port 500 (IKE) from the public IP to the Untangle server, plus UDP port 4500 if NAT traversal is enabled, since NAT-T moves the ESP traffic into UDP 4500. Not every NAT device can forward protocols other than TCP and UDP, which is one more reason it is recommended to give Untangle a public IP if you want to set up IPsec tunnels.


Can I use IPsec on a server that uses DHCP to get its external address?

It is generally recommended to use IPsec VPN only on Untangle servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.


Does IPsec traffic go through other Untangle applications?

Yes and No. Traffic from L2TP clients will pass through all the other apps just like any other LAN traffic. Traffic received from or transmitted to an IPsec tunnel is bypassed, and will not be processed by any other apps.


How do I connect IPsec between Untangle and my IPsec Device?

IPsec should work with any compatible endpoint, but unfortunately Untangle doesn't have the resources to test against specific devices. Use the Untangle/pfSense settings below as a guide; the pfSense settings are pretty standard Phase 1/Phase 2 configurations which should have similar settings on any device. If those settings do not work against an Untangle tunnel then the devices might not be compatible.


How do I connect IPsec between Untangle and pfSense?

These settings have been verified by Untangle Support. Note that 3DES and DH group 2 (1024-bit MODP) are legacy choices kept here for compatibility; if both ends offer AES and DH group 14 or higher, prefer those.

Untangle Settings:

  • Enable: (check if you want the tunnel up)
  • Description: (whatever you want)
  • Connection Type: Tunnel
  • Auto Mode: Start
  • Interface: (pick your interface)
  • External IP: (will be automatically set from the WAN you choose)
  • Remote IP: The WAN IP of the pfSense box
  • Local Network: The LAN of the Untangle box (eg 192.168.1.0/24)
  • Local IP: Untangle's LAN IP (eg 192.168.1.1)
  • Remote Network: The LAN of the pfSense box (eg 192.168.2.0/24)
  • PFS: Checked
  • Shared Secret: (must match the Pre-Shared Key secret on the pfSense box)


pfSense Settings:

Phase 1:

  • Disabled: (unchecked)
  • Interface: WAN
  • Remote Gateway: Untangle's WAN IP
  • Description: (whatever you want)
  • Authentication: Mutual PSK
  • Negotiation Mode: main
  • My identifier: My IP address
  • Peer identifier: Peer IP address
  • Pre-Shared Key: (must match the Shared Secret on the Untangle box)
  • Policy Generation: Default
  • Proposal: Default
  • Encryption algorithm: 3DES
  • Hash algorithm: SHA1
  • DH key group: 2
  • Lifetime: 28800
  • NAT Traversal: Enable
  • Dead Peer Detection: (checked)


Phase 2:

  • Disabled (unchecked)
  • Mode: Tunnel
  • Local Network: LAN Subnet
  • Remote Network: Network, Address: The LAN of the Untangle box (eg 192.168.1.0/24)
  • Description: (whatever you want)
  • Protocol: ESP
  • Encryption algorithm: check AES, 128 bits
  • Hash algorithm: check SHA1
  • PFS key group: 2
  • Lifetime: 28800
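Every interop recipe on this page comes down to the same thing: each side offers a set of Phase 1 and Phase 2 proposals (encryption, integrity, DH group, PFS on or off), and the tunnel only comes up if the initiator finds one the responder also accepts. The script below is an added example, not Untangle's or pfSense's code. It encodes the pfSense settings above and the Endian settings listed further down as proposal sets, negotiates both phases the way IKE does (first acceptable proposal in the initiator's order), flags legacy algorithms in whatever was chosen, and shows two failure modes: a hardened peer that offers no common proposal, and a PFS mismatch in Phase 2. The Endian Phase 2 PFS group is not listed on the page, so the example assumes the same groups as its Phase 1; the "hardened" peer and the weak-algorithm lists are constructed for the example.

```python
from itertools import product

# DH group numbers as the vendor UIs on this page show them, mapped to MODP sizes.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Algorithms to flag even when both ends agree on them (assumption of this
# example: 3DES, MD5 and sub-2048-bit DH are legacy, SHA1 is being phased out).
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}
LEGACY = {"sha1"}


def expand(phase):
    """Every (encryption, integrity, dh) combination an endpoint accepts for
    one phase. An empty dh list means PFS is off (Phase 2 only)."""
    dh = phase["dh"] or [None]
    return [(e, i, d) for e, i, d in product(phase["enc"], phase["integ"], dh)]


def negotiate(initiator, responder):
    """First proposal in the initiator's order that the responder also accepts,
    which is what IKE picks; None means the phase cannot complete."""
    accepted = set(expand(responder))
    for proposal in expand(initiator):
        if proposal in accepted:
            return proposal
    return None


def audit(proposal):
    """Algorithms in a chosen proposal that a practitioner should flag."""
    if proposal is None:
        return []
    return sorted(alg for alg in proposal if alg in WEAK | LEGACY)


def check_tunnel(initiator, responder):
    """Negotiate both phases and report the proposal, flagged algorithms and the
    effective rekey interval (lifetimes need not match; the shorter side rekeys first)."""
    report = {}
    for phase in ("phase1", "phase2"):
        a, b = initiator[phase], responder[phase]
        chosen = negotiate(a, b)
        reason = None
        if chosen is None:
            reason = "PFS mismatch" if bool(a["dh"]) != bool(b["dh"]) else "no common proposal"
        report[phase] = {
            "proposal": chosen,
            "reason": reason,
            "flagged": audit(chosen),
            "rekey_after": min(a["lifetime"], b["lifetime"]),
        }
    return report


# pfSense settings as listed on this page (Phase 1: 3DES/SHA1/group 2, 28800 s;
# Phase 2: AES-128/SHA1, PFS group 2, 28800 s).
PFSENSE = {
    "phase1": {"enc": ["3des"], "integ": ["sha1"], "dh": [DH_GROUPS[2]], "lifetime": 28800},
    "phase2": {"enc": ["aes128"], "integ": ["sha1"], "dh": [DH_GROUPS[2]], "lifetime": 28800},
}

# Endian settings from the FAQ further down: several algorithms offered per
# phase, IKE lifetime 1 h, ESP key life 8 h. The Phase 2 PFS group is not
# listed on the page, so this example assumes the same groups as Phase 1.
ENDIAN = {
    "phase1": {"enc": ["aes128", "3des"], "integ": ["sha1", "md5"],
               "dh": [DH_GROUPS[5], DH_GROUPS[2]], "lifetime": 3600},
    "phase2": {"enc": ["aes128", "3des"], "integ": ["sha1", "md5"],
               "dh": [DH_GROUPS[5], DH_GROUPS[2]], "lifetime": 28800},
}

# A constructed modern-only peer, to show how a hardened policy fails against
# the legacy proposals above.
HARDENED = {
    "phase1": {"enc": ["aes256"], "integ": ["sha256"], "dh": [DH_GROUPS[14]], "lifetime": 28800},
    "phase2": {"enc": ["aes256"], "integ": ["sha256"], "dh": [DH_GROUPS[14]], "lifetime": 3600},
}


if __name__ == "__main__":
    for name, peer in (("Endian", ENDIAN), ("hardened", HARDENED)):
        print(name, check_tunnel(PFSENSE, peer))
```

When a tunnel from one of the recipes below will not come up, transcribe both ends into this shape and run it before reading the IPsec Log: a `None` with "no common proposal" or "PFS mismatch" points at the phase to fix, and the `flagged` list tells you which of the agreed algorithms you should be planning to retire anyway.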


How can I connect IPsec from Untangle to M0n0wall?

These settings have not been verified by Untangle Support (thanks random person):

  • Local subnet : M0n0wall LAN subnet
  • Remote subnet: x.x.x.0 / xx (fill in your Remote Untangle's subnet address and netmask with .0 on the end)
  • Remote gateway: <Remote Untangle's External IP address>

Phase 1:

  • Negotiation mode : main
  • Encryption algorithm : 3DES
  • Hash algorithm : SHA1
  • DH key group : 2 = 1024 bit
  • Authentication method : Pre-shared key

Phase 2:

  • Protocol : ESP
  • Encryption algorithm : 3DES
  • Hash algorithm : SHA1
  • PFS key group : 2 = 1024 bit


How can I connect IPsec from Untangle to Cisco RV series?

These settings have not been verified by Untangle Support (thanks jcoffin):

  • Keying Mode : IKE with Preshared key
  • Phase1 DH Group : Group 2
  • Phase1 Encryption : 3DES
  • Phase1 Authentication : SHA1
  • Phase1 SA Life Time : 86400 seconds
  • Perfect Forward Secrecy : checked
  • Phase2 DH Group : Group 2
  • Phase2 Encryption : 3DES
  • Phase2 Authentication : SHA1
  • Phase2 SA Life Time 3600 seconds
  • Preshared Key : <same as on UT>
  • Advanced (all unchecked except)
    • AH Hash Algorithm : SHA1


How can I connect IPsec from Untangle to Endian?

These settings have not been verified by Untangle Support (thanks aboyce):

  • Remote host / IP : Public IP of the Untangle server
  • Local Subnet : Endian LAN subnet
  • Remote Subnet : x.x.x.0 / xx (fill in your Remote Untangle's subnet address and netmask with .0 on the end)
  • Local ID : Public IP of the Endian server
  • Remote ID : Public IP of the Untangle server
  • Dead Peer Detection : Restart
  • Pre-shared Key : <same as on UT>
  • Advanced settings:
  • IKE encryption AES (128 bit) and 3DES
  • IKE integrity : SHA and MD5
  • IKE Group DH group 5 (1536 bits) and DH group 2 (1024 bits)
  • IKE lifetime 1 hours
  • ESP encryption AES (128 bit) and 3DES
  • ESP integrity SHA1 and MD5
  • ESP key life 8 hours
  • IKE Aggressive Mode Allowed : Off
  • Perfect Forward Secrecy (PFS) : On
  • Negotiate Payload : Off


How can I connect IPsec from Untangle to a Cisco 870 series?

These settings have not been verified by Untangle Support (thanks djoey1982):

  • On the Untangle:
  • Connection Type: Tunnel
  • Auto Mode: Start
  • Interface: External
  • External IP: (The external IP address of this server)
  • Remote IP: (The public IP address of the remote IPsec gateway)
  • Local Network: (The private network attached to the local side of the tunnel)
  • Local IP: (The IP address of this server on the local private network)
  • Remote Network: (The private network attached to the remote side of the tunnel)
  • Perfect Forward Secrecy (PFS) : unchecked
  • Shared Secret : <same as Cisco>


How can I connect IPsec from Untangle to a Watchguard Firebox X10/X20?

These settings have not been verified by Untangle Support (thanks snecklifter!)

  • Credential Method: Shared Key
  • Main Mode, IP Address

Phase 1:

  • SHA1-HMAC
  • 3DES-CBC
  • Neg expires in 0kb, 8 hours
  • DH group 2
  • Enabled DPD (Note that this is important, IKE Keep alive is proprietary and does not work)

Phase 2:

  • SHA1-HMAC
  • AES 256
  • Untick TOS for IPSEC
  • Enable PFS
  • key expiry in 128000kb, 24 hours


How can I connect IPsec from Untangle to an eSoft InstaGate?

The default InstaGate and Untangle settings can be used to create a connection.

  • Network: Local Network to Remote Network
  • Key Management: Automatic (Shared Secret)

IKE Settings (Phase 1):

  • 24 hours, 0 KB
  • Strict PFS disabled
  • Aggressive Mode disabled
  • High Security

IPSec Settings (Phase 2):

  • 1 hours, 0 KB
  • PFS Group 2 (DH)
  • High Security

How can I connect IPsec from Untangle to a Sonicwall?

Sonicwall Configuration is listed below.

General:

  • Authentication Method: IKE using Preshared Secret
  • IPsec Primary Gateway Name or Address: WAN IP on Untangle
  • Enter Shared Secret

Network:

  • Local Networks: Choose local network from list, select predefined network.
  • Destination Networks: Choose the remote network (the Untangle LAN) from the list, or select a predefined network object for it.

Proposals:

IKE (Phase 1) Proposal

  • Exchange: Main Mode
  • DH Group: Group 2
  • Encryption: 3DES
  • Authentication: SHA1
  • Life Time: 28800

Ipsec (Phase 2) Proposal

  • Protocol: ESP
  • Encryption: AES-128
  • Authentication: SHA1
  • Enable Perfect Forward Secrecy: Enabled (checked)
  • DH Group: Group 2
  • Life Time: 28800

Advanced:

  • Enable Keep Alive: Enabled (checked)