====== Create VPN Server Manually ======

To increase security, you can instead create IPSec connections one by one, one for each client. This increases security:

  * By specifying the remote IPSec gateway's global IP address, you block other clients that try to get access.
  * By specifying a different pre-shared key for each client, you limit the damage caused by a leaked pre-shared key.
  * By specifying the remote network, you can, for instance, stop clients connected by wireless at the remote gateway from accessing your network.
  * By using certificates instead of pre-shared keys, you make unauthorized connections harder.
  * By default, manually created IPSec connections allow access only to the ET1/2/3 ports (not ET4 or AIR), and you can limit access further (down to a single port on a single server) using the advanced pages if desired.

:!: Manual connections are not suitable for clients with dynamic IP addresses.

To create a VPN server manually, add a [[web GUI:VPN peer|peer]] and a [[web GUI:VPN connection|connection]] for each client on the [[web_gui:vpn_page|IPSec Overview]] page.

For each connection specify:

  * No EasyClient, as it would interfere with the connection.
  * The global IP address of the client.
  * The pre-shared key or certificate to be used.

The local subnet used at the client:

  * If the client is an Internet Gate using EasyClient, leave the local subnet field empty.
  * If the client is a single PC running IPSec client software, leave the local subnet field empty.
  * If the client is an Internet Gate with EasyClient disabled, specify the IP address of the LAN behind that Internet Gate. :!: No two clients are allowed to have the same subnet!
  * If the client is an IPSec gateway of another brand, specify the IP address of the LAN behind that client. :!: No two clients are allowed to have the same subnet!
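
Before entering a batch of manual connections, the per-client rules above can be checked offline against your own peer list. The script below is an added example, not part of the Internet Gate software: the inventory format, field names and sample values are constructed for illustration. It goes slightly beyond the rule as stated by also flagging subnets that overlap, not only identical ones.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: documentation address ranges, placeholder keys.
SAMPLE_PEERS = [
    {"name": "branch-a", "remote_ip": "198.51.100.10",
     "psk": "placeholder-key-1", "subnet": "192.168.10.0/24"},
    {"name": "branch-b", "remote_ip": "198.51.100.20",
     "psk": "placeholder-key-2", "subnet": "192.168.10.128/25"},
    {"name": "laptop-1", "remote_ip": "203.0.113.5",
     "psk": "placeholder-key-1", "subnet": ""},
    {"name": "branch-c", "remote_ip": "",
     "psk": "placeholder-key-3", "subnet": "192.168.30.0/24"},
]


def audit_peers(peers):
    """Return a list of (problem, peer names) tuples for a manual peer list."""
    findings = []

    # A manual connection is pinned to one fixed remote address.
    for p in peers:
        try:
            ipaddress.ip_address(p["remote_ip"])
        except ValueError:
            findings.append(("no-fixed-remote-ip", (p["name"],)))

    # A pre-shared key reused by several clients widens the damage of a leak.
    by_key = {}
    for p in peers:
        if p.get("psk"):  # peers using certificates carry no key here
            by_key.setdefault(p["psk"], []).append(p["name"])
    for names in by_key.values():
        if len(names) > 1:
            findings.append(("shared-psk", tuple(names)))

    # Empty subnet = EasyClient or single PC; all others must not collide.
    nets = [(p["name"], ipaddress.ip_network(p["subnet"], strict=False))
            for p in peers if p["subnet"]]
    for (n1, a), (n2, b) in combinations(nets, 2):
        if a.version == b.version and a.overlaps(b):
            findings.append(("overlapping-subnet", (n1, n2)))
    return findings


if __name__ == "__main__":
    for problem, names in audit_peers(SAMPLE_PEERS):
        print(problem, ", ".join(names))
```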