IPsec VPN FAQs
- 1 What's the difference between tunnel and transport mode?
- 2 What devices can I connect to with Untangle's IPsec VPN?
- 3 How do I configure MacOS IKEv2 VPN
- 4 If I install Untangle behind a NAT device, what do I need to forward to Untangle for IPsec VPN to connect?
- 5 Can I use IPsec on a server that uses DHCP to get its external address?
- 6 Does IPsec traffic go through other Untangle applications?
- 7 How do I connect IPsec between Untangle and my IPsec Device?
What's the difference between tunnel and transport mode?
When using tunnel mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using transport mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use tunnel mode.
What devices can I connect to with Untangle's IPsec VPN?
We have currently verified that IPsec VPN can successfully connect to other Untangle boxes and pfSense. We have user-submitted settings for other devices below, but please be aware Untangle Support cannot debug tunnels between Untangle and a 3rd party device. We only support IPsec tunnels between two Untangle boxes.
How do I configure MacOS IKEv2 VPN
- Install the root certificate from the Untangle. This is available on your Untangle at
/admin/index.do#config/administration/certificates. More detail on installing the root CA at link: Installing root CA on MacOSX
- Once the root CA is installed, configure the VPN in network setting of the Mac.
- Server Address is either the IP or the DNS resolvable naem of the Untangle.
- Remote ID is the hostname given in the certificate installed.
- Local ID can be anything since it is ignored.
- Authentication Settings should use the Username method with the login and password from local directory of the Untangle or RADIUS.
If I install Untangle behind a NAT device, what do I need to forward to Untangle for IPsec VPN to connect?
You will need to forward ESP, AH, and UDP port 500 from the public IP to the Untangle server. You may also need to enable NAT traversal. It is recommended to give Untangle a public IP if you want to set up IPsec tunnels.
Can I use IPsec on a server that uses DHCP to get its external address?
It is generally recommended to use IPsec VPN only on Untangle servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.
Does IPsec traffic go through other Untangle applications?
Yes and Maybe. IPsec tunnel traffic and traffic from L2TP and Xauth clients will pass through all the other apps just like any other LAN traffic. However, if you want IPsec tunnel traffic to bypass scanning by other applications you can add a bypass rule.
Note: In versions prior to 11.2, the default was to bypass all IPsec tunnel traffic (but not L2TP or Xauth). You may still have a bypass rule in place to Bypass all IPsec traffic which will cause the traffic to not be scanned by other apps.
How do I connect IPsec between Untangle and my IPsec Device?
IPsec on Untangle should work with any compatible endpoint, but unfortunately Untangle doesn't have the resources to test against all known IPSec devices. Untangle recommends documenting the Phase1/Phase2 settings of the 3rd party IPSec device then matching those settings on Untangle, which can be entered under the Manual Configuration available in all tunnel configurations. Untangle support has successfully deployed IPSec connections to various models from the following 3rd party manufacturers:
- and many others....