Quick links:
Product Overview
Installation
Settings and Administration
ADSL
SIP Support
Telephone ports
Network
Firewall
Wireless
VPN
Misc
Licenses
Troubleshooting
Differences
This shows you the differences between two versions of the page.
|
web_gui:vpn_connection [2010/11/19 15:48] mats |
web_gui:vpn_connection [2010/11/24 09:49] (current) mats |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== VPN Connection Settings ====== | ====== VPN Connection Settings ====== | ||
| - | After clicking “Add connection" the “VPN Connection Settings" page appears. These are the configurations describing the IPSec tunnel you want to establish between your LAN and the remote network. | + | After clicking “Add connection" (in the [[web_gui:vpn_advanced|IPSec - Overview, Advanced]] page) the “VPN Connection Settings" page appears. These are the configurations describing the IPSec tunnel you want to establish between your LAN and the remote network. |
| Many of the fields are pre-configured to suit most common IPSec applications. Some other fields are empty and must be filled in by you before Apply-ing the page: | Many of the fields are pre-configured to suit most common IPSec applications. Some other fields are empty and must be filled in by you before Apply-ing the page: | ||
| Line 26: | Line 26: | ||
| **Processing**: | **Processing**: | ||
| - | * //Apply IPSec// Packets matching the packet selectors shall be processed according to the security algorithms. This choice is the preferred one in almost all cases. | + | * //Apply IPSec//: Packets matching the packet selectors shall be processed according to the security algorithms. This choice is the preferred one in almost all cases. |
| - | * //Bypass// Packets matching the packet selectors shall not by processed by IPSec, but forwarded through the firewall. | + | * //Bypass//: Packets matching the packet selectors shall not by processed by IPSec, but forwarded through the firewall. |
| - | * //Discard// Packets matching the packet selectors shall be ignored, deleted. | + | * //Discard//: Packets matching the packet selectors shall be ignored, deleted. |
| **Order (priority)** When packets arrive the packet selector of the connection with the lowest order number (among all peers) will be checked first, then the second lowest and so on until a match is found. | **Order (priority)** When packets arrive the packet selector of the connection with the lowest order number (among all peers) will be checked first, then the second lowest and so on until a match is found. | ||
| Line 40: | Line 40: | ||
| To enter several different packet filters create several connections and configure one set of packet filter for each. | To enter several different packet filters create several connections and configure one set of packet filter for each. | ||
| - | **Protocol** The packet's protocol. //Any// matches all protocols, and is the choice usually used. To specify a specific protocol select it from the list, or select //Other// and enter the protocol number into the field to the right. | + | **Protocol** The packet's protocol. //Any// matches all protocols, and is the choice usually used. To specify a specific protocol select it from the list, or select //Other// and enter the protocol number into the field to the right. [[wp>List_of_IP_protocol_numbers|Protocol number]] |
| ==== Local Network ==== | ==== Local Network ==== | ||
| Line 49: | Line 49: | ||
| For instance by entering **IP Address** 192.168.2.20, **Mask** 255.255.255.255 and select //web// on the **Port** dropdown, the remote IPSec client can only access your Intranet server at 192.168.2.20 – and nothing else on your LAN. | For instance by entering **IP Address** 192.168.2.20, **Mask** 255.255.255.255 and select //web// on the **Port** dropdown, the remote IPSec client can only access your Intranet server at 192.168.2.20 – and nothing else on your LAN. | ||
| - | If you want to create multiple accesses, for example access to both ET1/2/3 and ET4, then create two VPN Connection settings, both referring to the same remote peer (by setting the Remote Gateway IP Address field to the same IP address). | + | If you want to create multiple accesses, for example access to both ET1/2/3 and ET4, then create two VPN Connection settings, both referring to the same remote peer (by setting the **Remote Gateway IP Address** field to the same IP address). |
| **IP Address**, **Mask** fields: The network behind this unit that should be accessible using VPN. E.g. IP:192.168.0.1,Mask:255.255.255.0 allows the network connected to ET1 to be accessible. "0.0.0.0"/"0.0.0.0" includes all local networks, but be carefull if this setting will not direct more traffic than intended into the VPN tunnel. | **IP Address**, **Mask** fields: The network behind this unit that should be accessible using VPN. E.g. IP:192.168.0.1,Mask:255.255.255.0 allows the network connected to ET1 to be accessible. "0.0.0.0"/"0.0.0.0" includes all local networks, but be carefull if this setting will not direct more traffic than intended into the VPN tunnel. | ||
| Line 56: | Line 56: | ||
| **Port** The ports behind this unit that should be accessible using VPN. //Any// matches all ports, and is the choice usually used. | **Port** The ports behind this unit that should be accessible using VPN. //Any// matches all ports, and is the choice usually used. | ||
| - | To specify a specific port select it from the list, or select //Other// and enter the port number into the field to the right. | + | To specify a specific port select it from the list, or select //Other// and enter the port number into the field to the right. [[wp>Port_numbers|Port numbers]] |
| ==== Remote network ==== | ==== Remote network ==== | ||
| Line 62: | Line 62: | ||
| "0.0.0.0"/"0.0.0.0" includes any remote network. :!: Be careful, this setting may direct more traffic than intended into the VPN tunnel. | "0.0.0.0"/"0.0.0.0" includes any remote network. :!: Be careful, this setting may direct more traffic than intended into the VPN tunnel. | ||
| - | **Port** The ports behind the remote peer that you want to access using VPN. //Any// matches all ports, and is the choice usually used. To specify a specific port select it from the list, or select //Other// and enter the port number into the field to the right. | + | **Port** The ports behind the remote peer that you want to access using VPN. //Any// matches all ports, and is the choice usually used. To specify a specific port select it from the list, or select //Other// and enter the port number into the field to the right. [[wp>Port_numbers|Port numbers]] |
| ==== VPN client NAT mode (EasyClient) ==== | ==== VPN client NAT mode (EasyClient) ==== | ||
| Line 69: | Line 69: | ||
| If the NAT IP Address field is empty your Internet Gate's own IP address is used (recommended). | If the NAT IP Address field is empty your Internet Gate's own IP address is used (recommended). | ||
| If you for some reason do not want to use that global IP then you can enter any fake IP address to be used. | If you for some reason do not want to use that global IP then you can enter any fake IP address to be used. | ||
| - | Make sure the IP address is not on a subnet used at the remote IPSec gateway, nor any real IP address used on the Internet. [[wp>NAT]] | + | Make sure the IP address is not on a subnet used at the remote IPSec gateway, nor any real IP address used on the Internet. |
| + | See also [[vpn:easyclient|EasyClient]]. [[wp>NAT]] | ||
| **Enable** Here you enable this special mode. | **Enable** Here you enable this special mode. | ||
| Line 85: | Line 86: | ||
| IKE phase 2 tunnel negotiation settings, selects the way data packets are encrypted and authenticated. | IKE phase 2 tunnel negotiation settings, selects the way data packets are encrypted and authenticated. | ||
| - | **Protocol** IPSec encapsulation protocol. Can be //AH// (Authentication Header) and/or //ESP// (Encapsulating Security Payload) protocol. Most applications use ESP, but other combinations may be applicable for security or performance reasons. | + | **Protocol** IPSec encapsulation protocol. Can be //AH// ([[wp>IPsec#Authentication_Header|Authentication Header]]) and/or //ESP// ([[wp>IPsec#Encapsulating_Security_Payload|Encapsulating Security Payload]]) protocol. Most applications use ESP, but other combinations may be applicable for security or performance reasons. |
| **Remote Gateway IP Address** Select the global IP address of the remote peer this connection is connecting to. The dropdown lists the addresses of all remote peers already configured, or select //Other, specify// to enter one manually. (You need to create a matching peer later then.) This is the entry associating this connection with a peer. | **Remote Gateway IP Address** Select the global IP address of the remote peer this connection is connecting to. The dropdown lists the addresses of all remote peers already configured, or select //Other, specify// to enter one manually. (You need to create a matching peer later then.) This is the entry associating this connection with a peer. | ||
| Line 93: | Line 94: | ||
| At least one of the preferences must exactly match the remote IPSec gateway's preferred combinations of algorithms. The default preferences are chosen to be compatible with most IPSec applications, but in some circumstances you might need to alter them to fit the remote IPSec peer's. | At least one of the preferences must exactly match the remote IPSec gateway's preferred combinations of algorithms. The default preferences are chosen to be compatible with most IPSec applications, but in some circumstances you might need to alter them to fit the remote IPSec peer's. | ||
| - | **Authentication** (optional but recommended) The way data packets are authenticated. Though //SHA1// is considered safer, //MD5// is more commonly used. | + | **Authentication** (optional but recommended) The way data packets are authenticated. Though //SHA1// is considered safer, //MD5// is more commonly used. [[wp>SHA1]] [[wp>MD5]] |
| - | **Encryption** (optional but recommended) The way data packets are encrypted. The choices are listed in increasing security but decreasing performance order.\\ | + | **Encryption** (optional but recommended) The way data packets are encrypted. The choices are listed in increasing security but decreasing performance order. [[wp>Data_Encryption_Standard|DES]] [[wp>TripleDES|3DES]] [[wp>Advanced_Encryption_Standard|AES]]\\ |
| :!: If **Protocol**: //AH// is selected (above) no encryption is made regardless of this setting. | :!: If **Protocol**: //AH// is selected (above) no encryption is made regardless of this setting. | ||
| Line 109: | Line 110: | ||
| **Life time** A new IKE key exchange is performed after the specified time (in seconds) has passed. | **Life time** A new IKE key exchange is performed after the specified time (in seconds) has passed. | ||
| + | ====== ====== | ||
| + | \\ | ||
| + | [[vpn:start|VPN Overview]] | ||
