====== IPSec Server ======

^ :!: Your Internet Gate does not have a VPN license. ^
| You need to purchase a VPN [[:license]] to be able to activate the VPN termination in your unit.\\ Only VPN pass-through is available otherwise. |

In this scenario several "clients" connect to a central "server", for example employees connecting from their homes to the company's local network.

For this scenario you are recommended to use the Internet Gate's [[VPN:EasyServer]] feature on the Internet Gate located at the "server" position, and the Internet Gate's [[VPN:EasyClient]] feature on the Internet Gates located at the "client" positions.

On the "server" Internet Gate, change the ET1/2/3 subnet to something other than the default 192.168.0.1 (for example, 192.168.5.1). The "client" and "server" ends of an IPSec connection are not allowed to share the same subnet, so they cannot both be on the 192.168.0.1 subnet.

Read more at [[VPN:EasyServer]] or [[vpn:configure_server_manually|create server manually]].

===== Example =====

{{:vpn:vpn_ipsec_ix78server.gif|}}

The "server" Internet Gate (C) must have a static global IP address. The clients connecting to it can have dynamic IP addresses.

Clients (F), (H), (J) must be on different subnets from (A) and (B). Thus if, for example, (A) and (B) are on subnet 192.168.5.0/255.255.255.0, then none of (F), (H) or (J) is allowed to be on the 192.168.5.0/255.255.255.0 subnet. You are strongly advised to change the ET1 subnet to something other than the default 192.168.0.1/255.255.255.0 on a VPN server Internet Gate such as (C) above.

None of (A), (B), (F), (H) or (J) needs to run any IPSec client software, as the IPSec gateways (C), (E), (G) and (I) terminate each IPSec connection. PC (D) must run IPSec client software, as it is connected directly to the Internet without any IPSec gateway in between.

If clients (E), (G), (I) do not use the EasyClient feature then they must each be on different unique subnets.
Thus (F) cannot be on the same subnet as (H) or (J). If clients use the EasyClient feature they can be on the same subnet.

If (E) uses EasyClient then (F) can connect to (A), but (B) cannot connect to (F). If (E) does not use EasyClient then (B) can connect to (F).

Clients do not have to be Internet Gates. Client (D) is a PC with a global IP address connected to the Internet, running Windows' own IPSec client or third-party IPSec software. Client (E) might be an IPSec gateway of any brand. If gateway (I) is not an Internet Gate then it must support IPSec NAT-T to work (as it is behind a NAT). Internet Gate supports IPSec NAT-T.

====== ======

\\ [[vpn:start|VPN Overview]]
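
The subnet and NAT-T rules from the example above can be checked on paper before any gateway is configured. The following Python sketch is an added example, not part of the original Internet Gate documentation. The function name, the dictionary keys and the sample addresses are assumptions made for illustration, and treating two clients as conflicting only when neither uses EasyClient is this example's reading of the rules.

```python
import ipaddress
from itertools import combinations

# Factory-default ET1 subnet named on this page.
DEFAULT_LAN = ipaddress.ip_network("192.168.0.0/255.255.255.0")

def check_plan(server_lan, clients):
    """Return findings for a planned IPSec server/client layout.

    server_lan: LAN behind the server gateway (C), e.g. "192.168.5.1/255.255.255.0".
    clients: dicts with hypothetical keys name, lan, easyclient, behind_nat, nat_t.
    """
    findings = []
    srv = ipaddress.ip_network(server_lan, strict=False)
    if srv.overlaps(DEFAULT_LAN):
        findings.append(f"server LAN {srv} overlaps the default {DEFAULT_LAN}")
    nets = {}
    for c in clients:
        net = nets[c["name"]] = ipaddress.ip_network(c["lan"], strict=False)
        # Client and server ends may never share a subnet, EasyClient or not.
        if net.overlaps(srv):
            findings.append(f"{c['name']}: LAN {net} overlaps server LAN {srv}")
        # A gateway behind NAT only works if it supports IPSec NAT-T.
        if c["behind_nat"] and not c["nat_t"]:
            findings.append(f"{c['name']}: behind NAT without NAT-T support")
    # Clients without EasyClient must each have a unique subnet
    # (assumption: a pair conflicts only when neither side uses EasyClient).
    plain = [c["name"] for c in clients if not c["easyclient"]]
    for a, b in combinations(plain, 2):
        if nets[a].overlaps(nets[b]):
            findings.append(
                f"{a} and {b}: non-EasyClient LANs overlap ({nets[a]}, {nets[b]})")
    return findings

# Constructed sample plan; letters follow the figure, addresses are made up.
SAMPLE_CLIENTS = [
    {"name": "E", "lan": "192.168.0.1/255.255.255.0", "easyclient": True,
     "behind_nat": False, "nat_t": True},
    {"name": "G", "lan": "192.168.0.1/255.255.255.0", "easyclient": True,
     "behind_nat": False, "nat_t": True},
    {"name": "I", "lan": "192.168.5.1/255.255.255.0", "easyclient": False,
     "behind_nat": True, "nat_t": False},
]

if __name__ == "__main__":
    for line in check_plan("192.168.5.1/255.255.255.0", SAMPLE_CLIENTS):
        print(line)
```
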