IPsec VPN

From UntangleWiki
Jump to: navigation, search

IPsecVPN 128x128.png     IPsec VPN
Other Links:
IPsec VPN Description Page
IPsec VPN Demo
IPsec VPN Forums
IPsec VPN Reports
IPsec VPN FAQs



About IPsec VPN

The IPsec VPN service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Settings

This section reviews the different settings and configuration options available for IPsec VPN.

Status

The Status tab shows the status of the different components of the IPsec application.

  • Enabled IPsec Tunnels
This section shows a list of all IPsec tunnels that have been created and enabled. For tunnels that are active, the status will display the connection details reported by the IPsec subsystem. For inactive tunnels, the configuration information will be displayed.
  • Active VPN Sessions
This section shows a list of all active L2TP and Xauth connections. In addition to the connection details, there is a Disconnect column that can be used to forcefully disconnect an active session. Please note that there is no confirmation when you click the Disconnect icon. The corresponding session will be immediately terminated.


IPsec Options

  • Bypass all IPsec traffic
When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. This was the only behavior available in previous versions of Untangle, so this option is enabled by default to maintain equivalent functionality on upgrade. If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.
Also please note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services.


IPsec Tunnels

The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.

  • Tunnel Editor
When you create a new tunnel, or edit and existing tunnel, the tunnel editor screen will appear with the following configurable settings:
Name Description
Enable This checkbox allows you to set a tunnel to either enabled or disabled.
Description This field should contain a short name or description.
Connection Type This field allows you to set the connection type to any of the following:
  • Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.
  • Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish an IPsec connection to another host which specifically requires this mode.
Auto Mode This field controls how IPsec manages the corresponding tunnel when the IPsec process re-starts:
  • Select Start to have the tunnel automatically loaded, routes inserted, and connection initiated.
  • Select Add to have the tunnel load in standby mode, waiting to respond to an incoming connection request.
Interface This field allows you to select the network interface that should be associated with the IPsec tunnel on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.
External IP Use this field to configure the IP address that is associated with the IPsec VPN on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.
Remote Host This field should contain the public IP address or DNS name of the host to which the IPsec VPN will be connected.
WARNING - Using host names with IPsec tunnels can often cause problems, especially if you have also enabled the L2TP/Xauth VPN server. We strongly recommend the use of IP addresses in the Remote Host field.
Local Identifier This field is used to configure the local identifier used for authentication. When this field is blank the value in the *External IP* field will be used.
Remote Identifier This field is used to configure the remote identifier used for authentication. When this field is blank, the value in the Remote Host field will be used.
IMPORTANT - If the remote host is located behind any kind of NAT device, you may need to use the value %any in this field for a connection to be successfully established.
Local Network This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.
Remote Network This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.
Shared Secret This field should contain the shared secret or PSK (pre-shared key) that is used to authenticate the connection, and must be the same on both sides of the tunnel for the connection to be successful. Because the PSK is actually used as the encryption key for the session, using long strings of a random nature will provide the highest level of security.
DPD Interval The number of seconds between R_U_THERE messages. Enter 0 to disable this feature.
DPD Timeout The number of seconds for a dead peer tunnel to be restarted.
Authentication and SA/Key Exchange If you leave the Phase 1 and Phase 2 manual configuration checkboxes disabled, IPsec will attempt to automatically negotiate the encryption protocol with the remote peer when creating the tunnel. Given the number of different IPsec implementations and versions, as well as the overall complexity of the protocol, best results can often be achieved by enabling manual configuration of these two options, and selecting Encryption, Hash, DH Key Group, and Lifetime values that exactly match the settings configured on the peer device.


VPN Config

The VPN Config tab allows you to enable and configure the L2TP/Xauth server.

  • Enable L2TP/Xauth Server
Use this checkbox to enable or disable the L2TP/Xauth server.
  • L2TP Address Pool
This field configures the pool of IP addresses that will be assigned to L2TP clients while they are connected to the server. The default 198.18.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.
  • Xauth Address Pool
This field configures the pool of IP addresses that will be assigned to Xauth clients while they are connected to the server. The default 198.19.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.
  • Custom DNS Servers
Leave both of these fields blank to have L2TP and Xauth clients use the Untangle server for all DNS resolution. Alternatively, if you have other DNS servers you want clients to use, you can enter IP addresses in these fields.
  • IPsec Secret
This is the shared secret that will be used between the client and server to establish the IPsec channel that will secure all L2TP and Xauth communications.
  • User Authentication
In addition to the IPsec Secret configured above, VPN clients will also need to authenticate with a username and password. To use the Local Directory, select this option and click the Configure Local Directory button to manage use credentials. Alternatively, you can use an external RADIUS server for authentication by selecting the RADIUS option, and clicking the Configure RADIUS button to configure the RADIUS server options.
  • Server Listen Addresses
This list is used to configure one or more of your server IP addresses to listen for inbound VPN connection requests from remote clients. Clicking the add button will display a pop-up list of all WAN interfaces available on your server. Addresses that have already been added to the list will appear grayed. If for some reason you need to add a non-WAN address, you can select Manual Address Input to create the listen address manually.


GRE Networks

The GRE Networks tab is where you create and manage connections to remote GRE servers. Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

GRE Address Pool

This field configures the pool of IP addresses that will be assigned to interfaces created and associated with tunnels added on the GRE Networks tab. The default 198.51.100.0/24 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network. If you use GRE to connect multiple Untangle servers together, you may need to configure a different, unused pool on each server.


The main tab display shows a summary of all GRE Networks that have been created.

  • Network Editor
When you create a new GRE Network, or edit and existing network, the network editor screen will appear with the following configurable settings:
Name Description
Enable This checkbox allows you to set a network to either enabled or disabled.
Description This field should contain a short name or description.
Interface This field allows you to select the network interface that should be associated with the GRE Network on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.
External IP Use this field to configure the IP address that is associated with the GRE Network on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.
Remote Host This field should contain the public IP address of the host to which the GRE tunnel will be connected.
Remote Networks This field is used to configure the list of remote network traffic that should be routed across this GRE tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.


IPsec State

The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection, and another with details about the remote side of the connection.


IPsec Policy

The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.


IPsec Log

The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.


L2TP Log

The L2TP Log tab allows you to see the low level status messages that are generated by the underlying L2TP protocol daemon. This information can be very helpful when attempting to diagnose connection problems or other L2TP issues.


Reports

The Reports tab provides a view of all reports and events for all connections handled by IPsec VPN.

Reports

This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry Description
IPsec VPN Summary A summary of IPsec VPN actions.
Hourly Tunnel Traffic The amount of IPsec tunnel traffic over time.
Top Tunnel Traffic The amount of traffic for each IPsec tunnel.
Top Active Users The top IPsec VPN users by number of sessions.
Top Download Users The top IPsec users grouped by amount of data downloaded.
Top Upload Users The top IPsec users grouped by amount of data uploaded.
Top Protocols The top IPsec VPN connections by protocol.
L2TP/Xauth Events Shows all user L2TP/Xauth events.
Tunnel Traffic Events Shows all IPsec tunnel traffic statistics events.


The tables queried to render these reports:



Related Topics

OpenVPN


IPsec VPN FAQs

What's the difference between tunnel and transport mode?

When using tunnel mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using transport mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use tunnel mode.


What devices can I connect to with Untangle's IPsec VPN?

We have currently verified that IPsec VPN can successfully connect to other Untangle boxes and pfSense. We have user-submitted settings for other devices below, but please be aware Untangle Support cannot debug tunnels between Untangle and a 3rd party device. We only support IPsec tunnels between two Untangle boxes.


If I install Untangle behind a NAT device, what do I need to forward to Untangle for IPsec VPN to connect?

You will need to forward ESP, AH, and UDP port 500 from the public IP to the Untangle server. You may also need to enable NAT traversal. It is recommended to give Untangle a public IP if you want to set up IPsec tunnels.


Can I use IPsec on a server that uses DHCP to get its external address?

It is generally recommended to use IPsec VPN only on Untangle servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.


Does IPsec traffic go through other Untangle applications?

Yes and Maybe. IPsec tunnel traffic and traffic from L2TP and Xauth clients will pass through all the other apps just like any other LAN traffic. However, if you want IPsec tunnel traffic to bypass scanning by other applications you can add a bypass rule.

Note: In versions prior to 11.2, the default was to bypass all IPsec tunnel traffic (but not L2TP or Xauth). You may still have a bypass rule in place to Bypass all IPsec traffic which will cause the traffic to not be scanned by other apps.

How do I connect IPsec between Untangle and my IPsec Device?

IPsec on Untangle should work with any compatible endpoint, but unfortunately Untangle doesn't have the resources to test against all known IPSec devices. Untangle recommends documenting the Phase1/Phase2 settings of the 3rd party IPSec device then matching those settings on Untangle, which can be entered under the Manual Configuration available in all tunnel configurations. Untangle support has successfully deployed IPSec connections to various models from the following 3rd party manufacturers:

  • Cisco
  • Endian
  • eSoft
  • Firebox
  • Fortinet
  • Juniper
  • M0n0wall
  • pfSense
  • Sonicwall
  • Watchguard
  • and many others....