

VPN Peer Settings

After clicking “Add peer” the “VPN peer settings” page appears. These are the configurations describing the remote IPSec gateway you want to connect to and how the IKE negotiation with it should be performed.

Many of the fields are pre-configured to suit most common IPSec applications. Some other fields are empty and must be filled in before you apply the page:

Remote Gateway IP Address – enter the global IP address at which the IPSec gateway you want to access can be reached. The address must be a static IP address.

Pre-shared key – here you must enter the pre-shared key to be used for authentication.

If you are using certificates for authentication, change the authentication method in all three preferences and select the certificates to use in the Identity fields.

To create an EasyServer peer entry, specify “0.0.0.0” as “Remote Gateway IP Address” and “Act as: Responder for roaming clients”. Enter the pre-shared key or certificates as described above.

Other VPN peer settings fields

The above-mentioned fields are the ones you MUST specify. Other fields are pre-configured to suit most common IPSec applications, but you might need to change them to suit your needs. A rule of thumb is that both ends of an IPSec connection must use the same configuration to be able to connect.

Identity – Local (this) gateway

These settings control how your Internet Gate identifies itself to the remote gateway. The values in these fields must match the identity preferences of the remote gateway.

The most common identification type for connections with pre-shared keys is IP Address.

The most common identification type for connections with certificates is ASN.1 Dist name.

Identity – Remote Gateway

These settings control how your Internet Gate verifies that it has connected to the correct remote gateway. The values in these fields must match the way the remote gateway identifies itself.

The most common identification type for connections with pre-shared keys is IP Address. The ID: Remote Gateway IP Address configuration makes your Internet Gate compare the remote gateway's IP address with the one you have specified in the Remote Gateway IP Address field at the top of the page.

The most common identification type for connections with certificates is ASN.1 Dist name.

You can turn off remote gateway identification verification by selecting ID: Any ID (no ID check). Then your Internet Gate will accept any remote gateway regardless of how it has identified itself.

Key exchange (IKE)

These settings control the IKE (Internet Key Exchange) negotiations between your Internet Gate and the remote IPSec gateway.

By default your Internet Gate acts as both IPSec initiator and responder, meaning it can initiate an IPSec connection when needed, but also answer an incoming connection request from the specified remote IPSec gateway. You can change it to responder only: your Internet Gate then behaves more like a “server”, only accepting access from the specified “client” and never trying to connect to it by itself. The Responder for roaming clients setting is for the EasyServer.

NAT Traversal specifies whether the IPSec NAT-T protocol may be used when your Internet Gate acts as an initiator. It is useful if you, or the remote IPSec gateway, are behind a NAT. As an IPSec responder the Internet Gate always accepts IPSec NAT-T packets.

At least one of the listed preferences must exactly match the remote IPSec gateway's preferences. The default preferences are chosen to be compatible with most IPSec applications, but in some circumstances you might need to alter them to fit the remote IPSec peer's.
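
The matching rules described on this page (one identical IKE preference, identities that agree on both ends, at least one initiator) can be checked before a connection is attempted. The following Python sketch is an added example, not part of the original page or of the Internet Gate software; its field names, algorithm names and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY_ID = ("any", None)  # models "ID: Any ID (no ID check)"

@dataclass(frozen=True)
class Peer:
    act_as: str         # "both", "responder" or "roaming" (hypothetical names)
    local_id: tuple     # (type, value) this gateway presents
    remote_id: tuple    # (type, value) it expects, or ANY_ID
    preferences: tuple  # IKE preferences: (auth, cipher, hash, dh_group)

def check_pair(a, b):
    """Return (errors, notes) for two gateway configurations meant to connect."""
    errors, notes = [], []
    # At least one IKE preference must be identical on both ends.
    if not set(a.preferences) & set(b.preferences):
        errors.append("no identical IKE preference")
    # Each side's expected remote identity must equal what the other presents.
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me.remote_id == ANY_ID:
            notes.append(f"{name} does not verify the remote identity")
        elif me.remote_id != other.local_id:
            errors.append(f"{name} expects {me.remote_id}, peer presents {other.local_id}")
    # One end has to start the negotiation.
    if a.act_as != "both" and b.act_as != "both":
        errors.append("both ends are responder-only")
    return errors, notes

# Constructed sample data (documentation address ranges, assumed algorithm names).
PSK_AES = ("psk", "aes128", "sha1", "modp1024")
PSK_3DES = ("psk", "3des", "md5", "modp1024")
CERT_AES = ("cert", "aes128", "sha1", "modp1024")

hq = Peer("both", ("ip", "192.0.2.1"), ("ip", "198.51.100.7"), (PSK_AES, PSK_3DES))
branch = Peer("responder", ("ip", "198.51.100.7"), ("ip", "192.0.2.1"), (PSK_3DES,))
misconfigured = Peer("responder", ("ip", "198.51.100.7"), ANY_ID, (CERT_AES,))

if __name__ == "__main__":
    for pair in ((hq, branch), (hq, misconfigured), (branch, misconfigured)):
        print(check_pair(*pair))
```

The notes list reports an end configured with no ID check separately from hard mismatches, since that setting does not prevent the connection.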

web_gui/vpn_peer.1290169948.txt.gz · Last modified: 2010/11/19 13:32 by mats
CC Attribution-Noncommercial-Share Alike 3.0 Unported