IPsec VPN FAQs: Difference between revisions

From Edge Threat Management Wiki - Arista
(14 intermediate revisions by 3 users not shown)
=== What's the difference between tunnel and transport mode? ===
When using '''tunnel''' mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using '''transport''' mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use '''tunnel''' mode.
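To make the "completely encased" versus "one IP header" distinction concrete, here is an added Python example (written for this FAQ, not code from the wiki or from NG Firewall) that builds both encapsulations with the ESP NULL cipher (RFC 2410) so the ESP trailer stays readable, then classifies a packet by the trailer's Next Header field. All addresses, SPIs and the packet contents are constructed samples; with a real cipher the inner header of a tunnel-mode packet is encrypted, so only the two gateway addresses are visible on the wire, whereas transport mode always exposes the real endpoint addresses.

```python
import struct

ESP = 50   # IP protocol number carried in the outer header for ESP
IPIP = 4   # ESP Next Header value meaning "an IPv4 packet follows" (tunnel mode)
TCP = 6

def ip_str(b):
    return ".".join(map(str, b))

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; the checksum is left at zero in this constructed sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_null(spi, seq, payload, next_header):
    # ESP with the NULL cipher (RFC 2410): SPI, sequence, payload, padding, pad length, Next Header.
    pad_len = (-(len(payload) + 2)) % 4   # RFC 4303: payload + padding + trailer 4-byte aligned
    return (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))

def tunnel_mode(gw_src, gw_dst, inner_packet, spi=0x1001, seq=1):
    # Tunnel mode: the whole original packet, header included, becomes the ESP payload and a
    # new outer header addressed between the two gateways is prepended (two IP headers).
    esp = esp_null(spi, seq, inner_packet, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def transport_mode(inner_packet, spi=0x2001, seq=1):
    # Transport mode: the original header is kept (protocol rewritten to ESP) and only the
    # transport-layer payload is wrapped, so the real endpoints stay visible on the wire.
    hdr, payload = inner_packet[:20], inner_packet[20:]
    esp = esp_null(spi, seq, payload, hdr[9])
    return ipv4_header(ip_str(hdr[12:16]), ip_str(hdr[16:20]), ESP, len(esp)) + esp

def classify(packet):
    # Read the ESP trailer to learn what was encapsulated. With a real cipher the trailer is
    # only readable after decryption; ESP-NULL leaves it in the clear for this demonstration.
    outer = packet[:20]
    if outer[9] != ESP:
        raise ValueError("not an ESP packet")
    esp = packet[20:]
    pad_len, next_header = esp[-2], esp[-1]
    body = esp[8:len(esp) - 2 - pad_len]
    wire = (ip_str(outer[12:16]), ip_str(outer[16:20]))
    if next_header == IPIP:   # an inner IP header follows: two headers, tunnel mode
        return {"mode": "tunnel", "wire": wire, "inner": (ip_str(body[12:16]), ip_str(body[16:20]))}
    return {"mode": "transport", "wire": wire, "inner": None}

# Constructed sample: a TCP segment (20 zero bytes stand in for the TCP header) from 10.0.0.5 to 192.168.1.7.
SAMPLE = ipv4_header("10.0.0.5", "192.168.1.7", TCP, 20) + b"\x00" * 20
```

Calling `classify(tunnel_mode("203.0.113.1", "198.51.100.2", SAMPLE))` reports the gateway pair on the wire and the LAN hosts inside, while `classify(transport_mode(SAMPLE))` reports the LAN hosts themselves as the wire addresses.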
=== What devices can I connect to with Untangle's IPsec VPN? ===
We have currently verified that IPsec VPN can successfully connect to other Untangle boxes and pfSense. We have user-submitted settings for other devices below, but please be aware Untangle Support cannot debug tunnels between Untangle and a 3rd party device. We only support IPsec tunnels between two Untangle boxes.




=== How do I configure MacOS IKEv2 VPN ===


See [https://support.untangle.com/hc/en-us/articles/360024715334 Configuring An IKEv2 IPsec Connection From macOS To NG Firewall].

Steps:
# Install the root certificate from the Untangle. This is available on your Untangle at <code>/admin/index.do#config/administration/certificates</code>. For more detail on installing the root CA, see [https://support.untangle.com/hc/en-us/articles/212220648-Manually-installing-root-certificate-on-Mac-OSX Installing root CA on MacOSX].
# Once the root CA is installed, configure the VPN in the Network settings of the Mac.
## '''Server Address''' is either the IP or the DNS-resolvable name of the Untangle.
## '''Remote ID''' is the hostname given in the certificate installed.
## '''Local ID''' can be anything since it is ignored.
## '''Authentication Settings''' should use the Username method with the login and password from the Local Directory of the Untangle or from RADIUS.


=== If I install NG Firewall behind a NAT device, what do I need to forward to NG Firewall for IPsec VPN to connect? ===
You will need to forward ESP, AH, and UDP port 500 from the public IP to the NG Firewall server. You may also need to enable NAT traversal. It is recommended to give NG Firewall a public IP if you want to set up IPsec tunnels.


=== Can I use IPsec on a server that uses DHCP to get its external address? ===


It is generally recommended to use IPsec VPN only on NG Firewall servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.


 
=== Does IPsec traffic go through other NG Firewall applications? ===


'''Yes and Maybe'''.  IPsec tunnel traffic and traffic from L2TP and Xauth clients will pass through all the other apps just like any other LAN traffic. However, if you want IPsec tunnel traffic to bypass scanning by other applications you can add a [[Bypass Rules|bypass rule]].  


Note: In versions prior to 16.2, the default was to bypass all IPsec tunnel traffic (but not L2TP or Xauth). You may still have a bypass rule in place to ''Bypass all IPsec traffic'' which will cause the traffic to not be scanned by other apps.
 
=== How do I connect IPsec between Untangle and my IPsec Device? ===
 
IPsec on Untangle should work with any compatible endpoint, but unfortunately Untangle doesn't have the resources to test against all known IPsec devices. Untangle recommends documenting the Phase 1/Phase 2 settings of the third-party IPsec device and then matching those settings on Untangle, which can be entered under the Manual Configuration available in all tunnel configurations. Untangle support has successfully deployed IPsec connections to various models from the following third-party manufacturers:
 
*Cisco
*Endian
*eSoft
*Firebox
*Fortinet
*Juniper
*M0n0wall
*pfSense
*Sonicwall
*Watchguard
*and many others....

Latest revision as of 21:53, 14 September 2023