Create VPN Server Manually
To increase security one can instead create IPSec connections one by one for each client. This increases security:
- By specifying the remote IPSec gateway's global IP address you stop other clients trying to access.
- By specifying different pre-shared keys for each client you limit the damage caused by a pre-shared key on the loose.
- By specifying the remote network you can stop for instance clients connected using wireless at the remote gateway to access your network.
- By using certificates instead of pre-shared keys you make unauthorized connections harder.
- Manually created IPSec connections allow by default only access to ET1/2/3 ports (not ET4 nor AIR), and you can limit access further (down to even a single port on a single server) using the advanced pages if desired.
Manual connections are not suitable for clients with dynamic IP addresses.
To create a VPN server manually you need for each client add a peer and connection on the IPSec Overview page.
For each connection specify:
- No EasyClient, as it would interfere with the connection.
- The global IP address of the client.
- The pre-shared key or certificate to be used.
The local subnet used at the client:
- If the client is an Internet Gate using EasyClient then leave the local subnet field empty.
- If the client is a single PC with IPSec client software running on it then leave the local subnet field empty.
- If the client is an Internet Gate with EasyClient disabled then specify the IP address of the LAN behind that Internet Gate. No two clients are allowed to have the same subnet!
- If the client is an IPSec gateway of another brand then specify the IP address of the LAN behind that client. No two clients are allowed to have the same subnet!
