IPSec Server

In this scenario several “clients” connect to a central “server”, for example employees connecting from their homes to the company's local network.

For this scenario we recommend using the Internet Gate's EasyServer feature on the Internet Gate located at the “server” position, and the Internet Gate's EasyClient feature on the Internet Gates located at the “client” positions.

On the “server” Internet Gate change ET1/2/3 subnet to other than the default (you can change it to for example As the “client” and “server” ends of an IPSec connection are not allowed to share the same subnet, they cannot both be on the subnet.

Read more at EasyServer or create server manually.


The “server” Internet Gate (C) must have a static global IP address.

The clients connecting to it can have dynamic IP addresses.

Clients (F), (H), (J) must be on different subnets from (A) and (B). Thus if for example (A) and (B) are on subnet then neither (F), (H) nor (J) is allowed to be on the subnet.

You are strongly advised to change the ET1 subnet to something other than the default on a VPN server Internet Gate such as (C) above.

None of (A), (B), (F), (H) or (J) needs to run any IPSec client software, as the IPSec gateways (C), (E), (G) and (I) terminate each IPSec connection. PC (D) must run IPSec client software, as it is connected directly to the Internet without any IPSec gateway in between.

If clients (E), (G), (I) do not use the EasyClient feature then they must each be on a unique subnet. Thus (F) cannot be on the same subnet as (H) or (J).

If clients use the EasyClient feature they can be on the same subnet.

If (E) uses EasyClient then (F) can connect to (A), but (B) cannot connect to (F). If (E) does not use EasyClient then (B) can connect to (F).

Clients do not have to be Internet Gates. Client (D) is a PC with a global IP address, connected to the Internet and running Windows' own IPSec client or third-party IPSec software. Client (E) might be an IPSec gateway of any brand. If gateway (I) is not an Internet Gate then it must support IPSec NAT-T to work (as it is behind a NAT). Internet Gate supports IPSec NAT-T.
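The subnet rules above can be checked against an addressing plan before any gateway is configured. The following is an added example, not part of the original page or the product: the function name, the gateway names K and L, and all subnet values are constructed for illustration, and the handling of a pair where only one side uses EasyClient is an assumption, since the page does not cover that case.

```python
import ipaddress
from itertools import combinations

def check_vpn_subnets(server_lans, clients):
    """Return rule violations for a planned IPSec server/client layout.

    server_lans: CIDR strings for the LANs behind the server gateway (C).
    clients: name -> (cidr, uses_easyclient) for the LAN behind each client gateway.
    """
    problems = []
    server_nets = [ipaddress.ip_network(s) for s in server_lans]
    parsed = {n: (ipaddress.ip_network(c), easy) for n, (c, easy) in clients.items()}

    # Rule 1: the client and server ends may never share a subnet,
    # whether or not the client uses EasyClient.
    for name, (net, _) in parsed.items():
        for snet in server_nets:
            if net.overlaps(snet):
                problems.append(f"{name} {net} overlaps server LAN {snet}")

    # Rule 2: clients that do not use EasyClient must be on unique subnets.
    # Assumption: a pair is flagged only when neither side uses EasyClient;
    # the page does not say what happens in the mixed case.
    for (a, (na, ea)), (b, (nb, eb)) in combinations(parsed.items(), 2):
        if not ea and not eb and na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb} (neither uses EasyClient)")
    return problems

# Constructed sample plan; addresses are illustrative, not product defaults.
SERVER_LANS = ["192.168.10.0/24"]
PLAN = {
    "E": ("192.168.1.0/24", True),
    "G": ("192.168.1.0/24", True),    # same subnet as E: allowed, both use EasyClient
    "I": ("192.168.10.0/25", False),  # falls inside the server LAN: rule 1
    "K": ("192.168.20.0/24", False),  # hypothetical extra gateway
    "L": ("192.168.20.0/24", False),  # duplicates K without EasyClient: rule 2
}

if __name__ == "__main__":
    for problem in check_vpn_subnets(SERVER_LANS, PLAN):
        print("CONFLICT:", problem)
```

Overlap is tested rather than string equality, so a smaller client subnet carved out of the server's range is also reported.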

vpn/server.txt · Last modified: 2010/11/22 13:10 by mats
