

VPN Connection Settings

After clicking “Add connection” the “VPN Connection Settings” page appears. These are the configurations describing the IPSec tunnel you want to establish between your LAN and the remote network.

Many of the fields are pre-configured to suit the most common IPSec applications. The remaining fields are empty and must be filled in before you apply the page:

Remote Network – here you must enter the address and mask of the subnet behind the remote IPSec gateway at the other end of the IPSec connection:

If the other end of the IPSec connection is not a gateway but a single PC running IPSec software then enter the PC's global IP address, and mask 255.255.255.255

If the other end of the IPSec connection is an Internet Gate with EasyClient enabled then enter its global IP address and mask 255.255.255.255

If the other end of the IPSec connection is a standard IPSec endpoint then enter the IP address and subnet of the LAN behind it.

You can narrow down the remote network if you do not want all PCs on the remote network to have access to your network. For instance, by entering remote network IP address 192.168.0.31 and mask 255.255.255.255, only the one PC at 192.168.0.31 behind the remote IPSec gateway can reach your LAN, and no other host.

Remote Gateway IP Address – here you must select the IP address of the corresponding VPN peer you already have created, as described above.

VPN connection settings fields

The above-mentioned fields are the ones you MUST specify. Other fields have pre-filled default values that you may alter to suit your specific needs:

Enable this connection

Uncheck the checkbox to temporarily disable a connection without deleting it.

Processing:

  • Apply IPSec – Packets matching the packet selectors are processed according to the security algorithms. This is the preferred choice in almost all cases.
  • Bypass – Packets matching the packet selectors are not processed by IPSec but are forwarded through the firewall in the clear.
  • Discard – Packets matching the packet selectors are dropped.

Order (priority) – When a packet arrives, the packet selector of the connection with the lowest order number (among all peers) is checked first, then the next lowest, and so on until a match is found.

The processing is applied only by the first matching connection. If no connection matches, the packet is sent to the firewall for normal processing (if VPN pass-through has been configured, the firewall will let it through).

Packet selectors

The protocol, source and destination addresses and ports of each received IP packet are matched against these selectors, and only if all of them match is the selected processing applied. Usually both the protocol and the port settings are left at Any to match all packets. To use several different packet filters, create several connections and configure one set of packet filters for each.

Protocol – The packet's protocol. Any matches all protocols and is the usual choice. To specify a particular protocol select it from the list, or select Other and enter the IP protocol number in the field to the right.

Local Network

By altering this setting you specify which addresses behind your Internet Gate the remote IPSec client can access. By default it allows full access to all PCs connected to the ET1/2/3 ports.

You can limit access to certain servers only by altering the subnet mask. You can even limit access to a single server on your LAN by entering its local IP address and setting the mask to 255.255.255.255. For instance, by entering IP Address 192.168.2.20, Mask 255.255.255.255 and selecting "web" in the Port dropdown, the remote IPSec client can only reach your intranet web server at 192.168.2.20 and nothing else on your LAN.

If you want to grant multiple accesses, for example to both ET1/2/3 and ET4, create two VPN Connection settings, both referring to the same remote peer (by setting the Remote Gateway IP Address field to the same IP address).

IP Address / Mask – The network behind this unit that should be reachable through the VPN. E.g. IP 192.168.0.1, Mask 255.255.255.0 makes the network connected to ET1 reachable. "0.0.0.0"/"0.0.0.0" includes all local networks, but be careful: such a setting can direct more traffic than intended into the VPN tunnel, since every local source address matches it.

Use own WAN IP address – No network behind this unit is accessible through the VPN, only this unit itself.

Port – The ports behind this unit that should be reachable through the VPN. Any matches all ports and is the usual choice. To specify a particular port select it from the list, or select Other and enter the port number in the field to the right.
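The following is an added example, not code from the Internet Gate firmware or from the original page: a small Python model of how the connection list described above is consulted for a packet. Connections are tried in ascending Order, the first enabled connection whose packet selector matches decides the Processing, and a packet that matches nothing is handed to the firewall. Address/mask pairs are used exactly as typed in the GUI, so the same code shows how a mask of 255.255.255.255 narrows a selector to one host and why a Local Network of 0.0.0.0/0.0.0.0 catches traffic you may not have intended to tunnel. The connection table, packet layout and names (`lookup`, `selector_matches`, the `Connection` and `Packet` records) are all constructed for this illustration.

```python
"""Model of the Internet Gate VPN connection lookup (added example, not
the product's code).  Connections are checked in ascending Order; the
first enabled one whose selector matches decides the processing."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # stands for "Any" in the Protocol / Port dropdowns


def in_subnet(addr: str, net: str, mask: str) -> bool:
    """True when addr lies inside net/mask (dotted mask, as in the GUI)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


@dataclass(frozen=True)
class Connection:
    name: str
    order: int                # lower number is checked first
    processing: str           # "apply", "bypass" or "discard"
    protocol: Optional[int]   # IP protocol number, ANY for all
    local_net: str
    local_mask: str
    local_port: Optional[int]
    remote_net: str
    remote_mask: str
    remote_port: Optional[int]
    enabled: bool = True      # the "Enable this connection" checkbox


@dataclass(frozen=True)
class Packet:
    """Outbound packet: src is on our LAN, dst is behind the remote gateway."""
    protocol: int
    src: str
    sport: int
    dst: str
    dport: int


def selector_matches(conn: Connection, pkt: Packet) -> bool:
    """Protocol, both addresses and both ports must all match."""
    if conn.protocol is not ANY and conn.protocol != pkt.protocol:
        return False
    if not in_subnet(pkt.src, conn.local_net, conn.local_mask):
        return False
    if not in_subnet(pkt.dst, conn.remote_net, conn.remote_mask):
        return False
    if conn.local_port is not ANY and conn.local_port != pkt.sport:
        return False
    if conn.remote_port is not ANY and conn.remote_port != pkt.dport:
        return False
    return True


def lookup(conns: List[Connection], pkt: Packet) -> Tuple[str, Optional[str]]:
    """(processing, connection name) of the first match, else ("firewall", None)."""
    for conn in sorted(conns, key=lambda c: c.order):
        if conn.enabled and selector_matches(conn, pkt):
            return conn.processing, conn.name
    return "firewall", None


# Constructed connection table; the remote LAN is 192.168.0.0/24 throughout.
CONNECTIONS = [
    # Disabled: skipped even though its Order is the lowest.
    Connection("stale-discard", 1, "discard", ANY, "0.0.0.0", "0.0.0.0", ANY,
               "192.168.0.0", "255.255.255.0", ANY, enabled=False),
    # Drop UDP towards the remote LAN before any "apply" rule sees it.
    Connection("no-udp", 5, "discard", 17, "0.0.0.0", "0.0.0.0", ANY,
               "192.168.0.0", "255.255.255.0", ANY),
    # Only the intranet web server: one host (mask /32), TCP, port 80.
    Connection("intranet-only", 10, "apply", 6, "192.168.2.20",
               "255.255.255.255", 80, "192.168.0.0", "255.255.255.0", ANY),
    # Local Network 0.0.0.0/0.0.0.0: every local source address matches.
    Connection("catch-all", 30, "apply", ANY, "0.0.0.0", "0.0.0.0", ANY,
               "192.168.0.0", "255.255.255.0", ANY),
]


def demo() -> dict:
    """Run constructed packets through the table and return the decisions."""
    return {
        "web": lookup(CONNECTIONS, Packet(6, "192.168.2.20", 80, "192.168.0.31", 51000)),
        "udp": lookup(CONNECTIONS, Packet(17, "192.168.2.20", 53, "192.168.0.31", 53)),
        # Not the web server, yet catch-all still tunnels it (the caveat above).
        "other": lookup(CONNECTIONS, Packet(6, "172.16.5.5", 4444, "192.168.0.31", 22)),
        # Destination outside the remote network: no selector matches.
        "inet": lookup(CONNECTIONS, Packet(6, "192.168.2.20", 80, "203.0.113.9", 443)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:5} -> {decision}")
```

Note how the `other` packet from 172.16.5.5 is still sent into the tunnel: once a 0.0.0.0/0.0.0.0 Local Network entry exists, narrowing another connection to 192.168.2.20/32 restricts nothing unless the broad entry is removed or given a higher (later) order with a discard rule in front of it.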

VPN client NAT mode (EasyClient)

Enabling this feature NATs all your traffic to a single global IP address before it is sent into the IPSec tunnel. Because the traffic is NATed, your local subnet is hidden and its address range becomes irrelevant to the remote side. If the NAT IP Address field is left empty, your Internet Gate's own WAN IP address is used (recommended). If for some reason you do not want to use that global address, you can enter another address to be used instead; make sure it is not on a subnet used at the remote IPSec gateway and is not a real address in use on the Internet.

Security algorithms / tunnel negotiation

At least one of the preferences listed must be exactly like the remote IPSec gateway's preferences. The default preferences are chosen to be compatible with most IPSec applications, but in some circumstances you might need to alter them to fit the remote IPSec peer's.

The PFS (Perfect Forward Secrecy) value is used for connections initiated by the Internet Gate. Incoming connection attempts from remote IPSec gateways are accepted regardless of their PFS configuration.

web_gui/vpn_connection.1290172691.txt.gz · Last modified: 2010/11/19 14:18 by mats
CC Attribution-Noncommercial-Share Alike 3.0 Unported