====== VPN Connection Settings ======

After clicking “Add connection” (in the [[web_gui:vpn_advanced|IPSec - Overview, Advanced]] page) the “VPN Connection Settings” page appears. These are the settings describing the IPSec tunnel you want to establish between your LAN and the remote network. Many of the fields are pre-configured to suit the most common IPSec applications. Some other fields are empty and must be filled in by you before applying the page:

**Remote Network** – here you must enter the address and mask of the subnet behind the remote IPSec gateway at the other end of the IPSec connection:
  * If the other end of the IPSec connection is not a gateway but a single PC running IPSec software, enter the PC's global IP address and mask 255.255.255.255.
  * If the other end of the IPSec connection is an Internet Gate with EasyClient enabled, enter its global IP address and mask 255.255.255.255.
  * If the other end of the IPSec connection is a standard IPSec endpoint, enter the IP address and subnet mask of the LAN behind it.

You can narrow down the remote network if you do not want all PCs at the remote network to have access to your network. For instance, by entering remote network IP address 192.168.0.31 and mask 255.255.255.255, only that one PC at IP address 192.168.0.31 behind the remote IPSec gateway can access your LAN – no one else.

**Remote Gateway IP Address** – here you must select the IP address of the corresponding VPN peer you have already created, as described above.

===== VPN connection settings fields =====

{{ :web_gui:vpn_connection.png?244|VPN Connection in rel 5.30}}

The above-mentioned fields are the ones you MUST specify. Other fields have pre-filled default values that you may alter to suit your specific needs:

==== Enable this connection ====

Uncheck the checkbox to temporarily disable a connection without deleting it.
**Processing**:
  * //Apply IPSec//: Packets matching the packet selectors shall be processed according to the security algorithms. This choice is the preferred one in almost all cases.
  * //Bypass//: Packets matching the packet selectors shall not be processed by IPSec, but forwarded through the firewall.
  * //Discard//: Packets matching the packet selectors shall be ignored (dropped).

**Order (priority)**

When packets arrive, the packet selector of the connection with the lowest order number (among all peers) is checked first, then the second lowest, and so on until a match is found. The processing is only applied to the first matching connection. If no connection matches, the packet is sent to the firewall for normal processing (if a VPN pass-through has been configured, the firewall will let it through).

==== Packet selectors ====

The received IP packet's protocol, source and destination addresses and ports are matched against these selectors, and if all of them match, the configured processing is applied. Usually both protocol and port settings are set to //Any// to match all packets. To enter several different packet filters, create several connections and configure one set of packet filters for each.

**Protocol**

The packet's protocol. //Any// matches all protocols and is the usual choice. To specify a particular protocol, select it from the list, or select //Other// and enter the protocol number into the field to the right. [[wp>List_of_IP_protocol_numbers|Protocol number]]

==== Local Network ====

By altering these settings you can specify which addresses behind your Internet Gate the remote IPSec client can access. By default it allows full access to all PCs connected to the ET1/2/3 ports. You can limit access to only certain servers by altering the subnet mask. You can even limit access to just one server on your LAN by entering its local IP address and setting the mask to 255.255.255.255.
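As an added illustration (not part of the Internet Gate documentation or firmware), the following Python model applies the Order and packet-selector rules above to sample packets, and also flags any connection whose remote network is the catch-all 0.0.0.0/0.0.0.0 that pulls unintended traffic into the tunnel. All connection names, addresses and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Connection:
    name: str
    order: int                        # lowest order number is checked first
    local_net: str                    # "ip/mask" behind this unit
    remote_net: str                   # "ip/mask" behind the remote peer
    protocol: str = "Any"             # "Any" or an IP protocol number
    local_port: str = "Any"
    remote_port: str = "Any"
    processing: str = "Apply IPSec"   # or "Bypass" / "Discard"

def in_net(ip, net):
    # ipaddress accepts dotted masks; strict=False tolerates host bits in the
    # address, and "0.0.0.0/0.0.0.0" becomes the match-everything /0 prefix.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(value, selector):
    return selector == "Any" or str(value) == selector

def select_processing(connections, src, dst, proto, sport, dport):
    """Outbound packet: src/sport are local, dst/dport are remote. Returns the
    (name, processing) of the first match in order, or the firewall fallback."""
    for c in sorted(connections, key=lambda c: c.order):
        if (in_net(src, c.local_net) and in_net(dst, c.remote_net)
                and matches(proto, c.protocol)
                and matches(sport, c.local_port)
                and matches(dport, c.remote_port)):
            return c.name, c.processing
    return "firewall", "Normal"

def catch_all_connections(connections):
    """Names of connections whose remote selector is 0.0.0.0/0.0.0.0, i.e. the
    setting that may direct more traffic than intended into the tunnel."""
    return [c.name for c in connections
            if ipaddress.ip_network(c.remote_net, strict=False).prefixlen == 0]

# Constructed sample configuration, not a real deployment: "web-only" exposes
# a single intranet web server to one remote PC; "catch-all" sends everything
# from the LAN into the tunnel, Internet-bound traffic included.
CONNECTIONS = [
    Connection("web-only", 1, "192.168.2.20/255.255.255.255",
               "192.168.0.31/255.255.255.255", protocol="6", local_port="80"),
    Connection("catch-all", 2, "192.168.2.0/255.255.255.0", "0.0.0.0/0.0.0.0"),
]
```

Running `select_processing` on a packet from 192.168.2.50 to a public address shows it matching the catch-all and being tunnelled, which is the effect the Remote network warning describes.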
For instance, by entering **IP Address** 192.168.2.20, **Mask** 255.255.255.255 and selecting //web// in the **Port** dropdown, the remote IPSec client can only access your intranet server at 192.168.2.20 – and nothing else on your LAN. If you want to create multiple accesses, for example access to both ET1/2/3 and ET4, then create two VPN Connection settings, both referring to the same remote peer (by setting the **Remote Gateway IP Address** field to the same IP address).

**IP Address**, **Mask** fields: The network behind this unit that should be accessible using VPN. E.g. IP: 192.168.0.1, Mask: 255.255.255.0 allows the network connected to ET1 to be accessible. "0.0.0.0"/"0.0.0.0" includes all local networks, but be careful: this setting may direct more traffic than intended into the VPN tunnel.

**Use own WAN IP address**

No network behind this unit is accessible using VPN, only this unit itself.

**Port**

The ports behind this unit that should be accessible using VPN. //Any// matches all ports and is the usual choice. To specify a particular port, select it from the list, or select //Other// and enter the port number into the field to the right. [[wp>Port_numbers|Port numbers]]

==== Remote network ====

**IP Address**, **Mask** fields: The network behind the remote peer that you want to access using VPN.\\
"0.0.0.0"/"0.0.0.0" includes any remote network. :!: Be careful, this setting may direct more traffic than intended into the VPN tunnel.

**Port**

The ports behind the remote peer that you want to access using VPN. //Any// matches all ports and is the usual choice. To specify a particular port, select it from the list, or select //Other// and enter the port number into the field to the right. [[wp>Port_numbers|Port numbers]]

==== VPN client NAT mode (EasyClient) ====

Enabling this feature NATs all your traffic to a global IP address before it is sent into the IPSec tunnel.
By NATing the traffic your local subnet becomes hidden, and thus its IP subnet address becomes unimportant. If the NAT IP Address field is empty, your Internet Gate's own IP address is used (recommended). If for some reason you do not want to use that global IP, you can enter any fake IP address to be used. Make sure the IP address is not on a subnet used at the remote IPSec gateway, nor any real IP address used on the Internet. See also [[vpn:easyclient|EasyClient]]. [[wp>NAT]]

**Enable**

Here you enable this special mode. In this mode, only the entered NAT IP address is visible on the other end of the IPSec tunnel. This may be preferred for clients, but not for servers. The advantage is that you don't need to bother with possible address collisions between different clients' subnets.

**NAT IP Address**

Enter here the NAT IP address which will be visible at the other end of the IPSec connection. If you leave this field empty (recommended), this device's own IP address on the WAN interface will be used as the NAT IP address. Only if your device does not have a real global IP address on its WAN interface (e.g. because it is behind another NAT device) may it be useful to explicitly specify another NAT IP address here. This avoids possible address collisions with other devices in the IPSec network. Choosing an address from a private IP address range (e.g. 10.0.0.0 - 10.255.255.255) is recommended.

==== Security algorithms / tunnel negotiation ====

IKE phase 2 tunnel negotiation settings; these select the way data packets are encrypted and authenticated.

**Protocol**

IPSec encapsulation protocol. Can be //AH// ([[wp>IPsec#Authentication_Header|Authentication Header]]) and/or //ESP// ([[wp>IPsec#Encapsulating_Security_Payload|Encapsulating Security Payload]]). Most applications use ESP, but other combinations may be applicable for security or performance reasons.
**Remote Gateway IP Address**

Select the global IP address of the remote peer this connection connects to. The dropdown lists the addresses of all remote peers already configured, or select //Other, specify// to enter one manually. (You then need to create a matching peer later.) This is the entry associating this connection with a peer.

**List of algorithm offers**\\
Three alternative Authentication / Encryption preferences can be specified. At least one of the preferences must exactly match the remote IPSec gateway's preferred combination of algorithms. The default preferences are chosen to be compatible with most IPSec applications, but in some circumstances you might need to alter them to fit the remote IPSec peer's.

**Authentication** (optional but recommended)

The way data packets are authenticated. Though //SHA1// is considered safer, //MD5// is more commonly used. [[wp>SHA1]] [[wp>MD5]]

**Encryption** (optional but recommended)

The way data packets are encrypted. The choices are listed in increasing security but decreasing performance order. [[wp>Data_Encryption_Standard|DES]] [[wp>TripleDES|3DES]] [[wp>Advanced_Encryption_Standard|AES]]\\
:!: If **Protocol**: //AH// is selected (above), no encryption is performed regardless of this setting.

**PFS** (Perfect Forward Secrecy)

A way to enhance security. If PFS is enabled, IKE will create new keys (Diffie-Hellman method) when the IPSec life time expires and a new Security Association is negotiated. [[wp>Perfect_forward_secrecy|PFS]]\\
The PFS setting (to use it or not) determines the connections initiated by the Internet Gate. Incoming connection attempts from remote IPSec gateways are accepted regardless of their PFS configuration.\\
:!: Other IPSec clients/servers may be less forgiving. Since the use of PFS (or not) is not a matter of negotiation, the choice may have to be the same at both endpoints.
A frequent source of failed IPSec connections is actually mismatching PFS settings.\\

**Life time**

A new IKE key exchange is performed after the specified time (in seconds) has passed.

====== ======
\\
[[vpn:start|VPN Overview]]