The IPsec page contains two tabs (IPsec and L2TP), which allow setting up and configuring the IPsec tunnels and enabling L2TP support, respectively.
To enable L2TP on the Endian UTM Edge Appliance, the switch next to the Enable L2TP label should be green. If it is grey, click on it to start the service.
The IPsec tab contains two boxes: the first one is IPsec settings, which concerns the certificate choice and various options, including some for debugging purposes. The second one is Connections, which shows all the connections and allows managing them.
IPsec, L2TP, and XAuth in a nutshell.
IPsec is a generic standardised VPN solution, in which the encryption and the authentication tasks are carried out on OSI layer 3 as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel's IP stack. Although IPsec is a standardised protocol and is compatible with most vendors that implement IPsec solutions, the actual implementation may differ considerably from vendor to vendor, sometimes causing interoperability issues.
Moreover, the configuration and administration of IPsec may become quite difficult due to its complexity and design, and some particular situations might even be impossible to handle, for example when it is necessary to cope with NAT.
Compared to IPsec, OpenVPN is easier to install, configure, and manage. However, mobile devices rely on IPsec, so the Endian UTM Edge Appliance implements an easy-to-use administration interface for IPsec, which supports different authentication methods and also two-factor authentication when used together with L2TP or XAuth.
Indeed, IPsec is used to authenticate clients (i.e., tunnels) but not users, so one tunnel can be used by only one client at a time.
L2TP and XAuth add user authentication to IPsec, therefore many clients can connect to the server using the same encrypted tunnel and each client is authenticated by either L2TP or XAuth.
An additional option is available when using XAuth and is called XAuth hybrid mode, which only authenticates the user.
In this box a few global IPsec options can be set, namely two for Dead peer detection and quite a few debugging options. Additionally, the configuration of the certificates used in IPsec tunnelled connections is also carried out here.
The IP range from which all roadwarrior connections receive their IP address.
The number of seconds between two successive pings, used to detect whether the connection is still active.
The maximum length in seconds of the exchange interval for the IKEv1 protocol.
Hint
IKEv2 does not need a timeout interval, as it is capable of detecting when the other endpoint does not reply and which actions to take.
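The two Dead peer detection values interact: the ping interval decides how often the appliance probes the peer, and the IKEv1 timeout decides how long silence is tolerated before the peer is declared dead. The following added example (not code from the page or from Endian) simulates that interaction on a constructed timeline so the effect of a given pair of values can be seen before saving them; the names `dpd_dead_at` and `check_dpd_settings` are this example's own. It models only the IKEv1 case, since the page notes that IKEv2 detects an unresponsive peer by itself.

```python
"""Dead peer detection (DPD) timing for an IKEv1 tunnel: added example, not appliance code."""
from typing import List, Optional


def dpd_dead_at(ping_interval: int, timeout: int,
                peer_silent_from: int, horizon: int) -> Optional[int]:
    """Return the second at which the peer is declared dead, or None if that
    does not happen before `horizon`.

    Simplified IKEv1 DPD model (an assumption of this example):
      - a DPD ping is sent every `ping_interval` seconds, starting at t = ping_interval;
      - the peer answers every ping sent before `peer_silent_from` (constructed
        outage start) and none afterwards; replies are taken to be instantaneous;
      - the peer is dead at the first ping time at which `timeout` seconds have
        passed since the last answered ping.
    """
    if ping_interval <= 0 or timeout <= 0:
        raise ValueError("ping_interval and timeout must be positive")
    last_ack = 0                  # the tunnel came up (peer known alive) at t = 0
    t = ping_interval
    while t <= horizon:
        if t < peer_silent_from:
            last_ack = t          # this ping was answered
        elif t - last_ack >= timeout:
            return t              # silence lasted the whole timeout: peer is dead
        t += ping_interval
    return None


def check_dpd_settings(ping_interval: int, timeout: int) -> List[str]:
    """Warnings worth seeing before saving the two DPD values (rules of thumb of this example)."""
    warnings = []
    if ping_interval <= 0 or timeout <= 0:
        warnings.append("both values must be positive")
        return warnings
    if timeout <= ping_interval:
        warnings.append("timeout is not longer than the ping interval: "
                        "a single lost ping declares the peer dead")
    if timeout % ping_interval:
        warnings.append("timeout is not a multiple of the ping interval: "
                        "the peer is actually declared dead at the next ping after the timeout")
    return warnings


if __name__ == "__main__":
    # Constructed scenario: ping every 30 s, 120 s timeout, peer stops answering at t = 100.
    print(dpd_dead_at(30, 120, peer_silent_from=100, horizon=600))   # 210
    print(check_dpd_settings(60, 30))
```

With a 30 s interval and a 120 s timeout the peer goes silent at t = 100, the last answered ping was at t = 90, and the appliance notices at t = 210, i.e. about two minutes after the outage started; shortening the interval only shortens the detection delay by up to one interval, the timeout is what dominates.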
Certificate configuration and management is carried out exactly as for the OpenVPN server, in whose section all the various management modalities are explained.
Debug options are rather advanced settings and usually not needed, as they will only increase the number of events and messages recorded in the log file.
This table shows all the IPsec connections already configured, with the following information:
Name. The name given to the connection.
Type. What kind of tunnel is used.
Common Name. The name of the certificate used to authenticate the connection.
Remark. A comment about the connection.
Status. Whether the connection is either Closed, Connecting or Established.
Actions. The possible operations that can be made on each tunnel:
- toggle whether the connection is active or not.
- modify the connection’s configuration
- restart the connection.
- download the certificate in PKCS12 format.
- display detailed information about the connection.
- remove the connection.
Hint
When a connection is reset from the Endian UTM Edge Appliance, the client must reconnect in order to establish the connection again.
Upon clicking on Add new Connection, a panel will appear, which contains all options needed to set up a new IPsec connection.
The name of the connection.
A comment for the connection.
Four different connection modalities can be chosen for the IPsec tunnel:
Host-to-Net. The client connecting to the IPsec server on the Endian UTM Edge Appliance is a single remote workstation, server, or resource.
Net-to-Net. The client is an entire subnet. In other words, the IPsec connection is established between remote subnets.
L2TP Host-to-Net. The client is a single device that also uses L2TP.
XAuth Host-to-Net. The client is a single device and authentication is carried out by XAuth.
The options available for each of them are basically the same, with only one additional option available for Net-to-Net connections.
The option selected from the drop-down menu determines how the client’s authentication is carried out. Available values are:
Password (PSK). The client shall supply the password specified in the Use a pre-shared key textfield situated on the right.
Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field. The client is authenticated by its IP address, its domain name, or other unique information of the IPsec tunnel.
Use an existing certificate. The certificate chosen from the drop-down menu on the right shall be used.
Generate a new certificate. Additional options will be shown to create a new certificate.
Upload a certificate. Select from the local workstation a certificate to use.
Upload a certificate request. Select from the local workstation a certificate request to obtain a new certificate.
XAUTH hybrid. Only available for XAuth Host-to-Net connections: only the user is authenticated, while the encryption tunnel itself is not.
A string that identifies the client within the local network.
The interface through which the host is connecting.
The local subnets that will be accessible from the client.
Note
Mobile devices running iOS cannot properly connect via XAuth to the Endian UTM Edge Appliance if this value is not set, therefore the special subnet 0.0.0.0/0 is automatically added when the Connection type is set to XAuth.
Hint
Only when using IKEv2 is it possible to add more than one subnet (one per line), since IKEv1 supports only one subnet.
The ID that identifies the remote host of the connection.
Only available for Net-to-Net connections, it specifies the remote subnet.
Hint
When using IKEv2 it is possible to add more than one subnet.
The IP or FQDN of the remote host.
Note
When a hostname is supplied in this option, it must match the local ID of the remote side.
The IP Address specified in the textfield will be assigned to the remote client.
Hint
This IP Address must fall within the pool defined in the IPsec settings below.
Note
This option is not available for L2TP Host-to-Net connections, since L2TP takes charge of assigning IP addresses to clients, nor for Net-to-Net connections.
The action to perform if a peer disconnects. The available choices in the drop-down menu are Clear, Hold, or Restart.
By clicking on the Advanced label, additional options become available to choose and configure the encryption algorithms. For every option, several algorithms can be selected.
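Several of the rules above only show up as greyed-out fields or as a rejected form, which makes them easy to miss when connections are prepared in bulk. The following added example (not code from the page or from Endian) collects the rules stated in this section into one checker: the XAuth catch-all subnet, the one-subnet limit of IKEv1, the remote subnet being a Net-to-Net-only option, the assigned IP being unavailable for L2TP Host-to-Net and Net-to-Net and having to fall within the roadwarrior pool, and XAUTH hybrid being limited to XAuth Host-to-Net. The `Connection` dataclass, its field names, the `ike_version` field and the short authentication labels are assumptions of this example, not the appliance's own data model.

```python
"""Checks for an IPsec connection definition: added example, not appliance code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Labels as they appear on the page; the short auth labels are this example's own.
CONNECTION_TYPES = ("Host-to-Net", "Net-to-Net", "L2TP Host-to-Net", "XAuth Host-to-Net")
AUTH_METHODS = ("PSK", "Peer ID", "Existing certificate", "New certificate",
                "Upload certificate", "Upload certificate request", "XAUTH hybrid")
DPD_ACTIONS = ("Clear", "Hold", "Restart")
XAUTH_CATCH_ALL = "0.0.0.0/0"          # added automatically for XAuth connections


@dataclass
class Connection:
    name: str
    conn_type: str
    auth: str
    ike_version: int = 1               # assumption: the connection records its IKE version
    local_subnets: List[str] = field(default_factory=list)
    remote_subnets: List[str] = field(default_factory=list)
    assigned_ip: Optional[str] = None
    dpd_action: str = "Restart"


def check_connection(conn: Connection, roadwarrior_pool: str) -> List[str]:
    """Return the problems found (empty list means the definition is consistent).

    Side effect: for an XAuth Host-to-Net connection with no local subnet set,
    0.0.0.0/0 is added, mirroring what the appliance does automatically.
    """
    problems: List[str] = []
    if not conn.name.strip():
        problems.append("name: a connection name is required")
    if conn.conn_type not in CONNECTION_TYPES:
        return problems + [f"type: unknown connection type {conn.conn_type!r}"]
    if conn.auth not in AUTH_METHODS:
        problems.append(f"auth: unknown authentication method {conn.auth!r}")
    if conn.auth == "XAUTH hybrid" and conn.conn_type != "XAuth Host-to-Net":
        problems.append("auth: XAUTH hybrid is only available for XAuth Host-to-Net")
    if conn.dpd_action not in DPD_ACTIONS:
        problems.append(f"dpd action: must be one of {DPD_ACTIONS}")

    # iOS clients need the catch-all subnet on XAuth connections (see the note above).
    if conn.conn_type == "XAuth Host-to-Net" and not conn.local_subnets:
        conn.local_subnets.append(XAUTH_CATCH_ALL)

    for label, subnets in (("local", conn.local_subnets), ("remote", conn.remote_subnets)):
        for subnet in subnets:
            try:
                ip_network(subnet, strict=False)
            except ValueError:
                problems.append(f"{label} subnet: {subnet!r} is not a valid CIDR subnet")
        if conn.ike_version == 1 and len(subnets) > 1:
            problems.append(f"{label} subnets: IKEv1 supports only one subnet, {len(subnets)} given")

    if conn.conn_type == "Net-to-Net":
        if not conn.remote_subnets:
            problems.append("remote subnet: required for Net-to-Net connections")
    elif conn.remote_subnets:
        problems.append("remote subnet: only available for Net-to-Net connections")

    if conn.assigned_ip is not None:
        if conn.conn_type in ("L2TP Host-to-Net", "Net-to-Net"):
            problems.append(f"assigned IP: not available for {conn.conn_type} connections")
        else:
            try:
                if ip_address(conn.assigned_ip) not in ip_network(roadwarrior_pool, strict=False):
                    problems.append(f"assigned IP: {conn.assigned_ip} is outside the "
                                    f"roadwarrior pool {roadwarrior_pool}")
            except ValueError:
                problems.append("assigned IP: address or pool is not valid")
    return problems


if __name__ == "__main__":
    POOL = "10.200.0.0/24"            # constructed roadwarrior pool from IPsec settings
    phone = Connection("phone", "XAuth Host-to-Net", "XAUTH hybrid")
    print(check_connection(phone, POOL), phone.local_subnets)   # [] ['0.0.0.0/0']
    laptop = Connection("laptop", "L2TP Host-to-Net", "PSK",
                        local_subnets=["192.168.1.0/24"], assigned_ip="10.200.0.10")
    print(check_connection(laptop, POOL))
```

Running the checker before saving turns the page's rules into a reproducible list of findings; in particular it catches an assigned IP outside the pool, which the connection form only reveals when the client fails to get the expected address.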
Note
Changing the algorithms is only necessary when a remote client uses a given algorithm and cannot change it.
The encryption methods that should be supported by IKE.
The algorithms that should be supported to verify the integrity of packets.
The IKE group type.
How many hours the IKE security association remains valid.
The encryption methods that should be supported by the ESP.
The algorithms that should be supported to verify the integrity of packets.
The ESP group type.
How many hours should an ESP key be valid.
Tick the checkbox to allow payload compression.
See also
IKE is defined in RFC 5996, which also supersedes the older RFC 2409 (IKEv1) and RFC 4306 (IKEv2).
ESP is described in RFC 4303 (ESP) and RFC 4305 (encryption algorithms for ESP).
See also
On the website help.endian.com, the following tutorials are available:
IPsec VPN - How to Create a Roadwarrior Connection (Shrewsoft)
SSL VPN - How to Create a Net-to-Net Connection
SSL VPN - How to Create a Net-to-Net Connection (over HTTP)
IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Endian)
SSL VPN - How to Create a Roadwarrior Connection
IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Cisco ASA)
L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661.
To enable L2TP on the Endian UTM Edge Appliance, the switch next to the Enable L2TP label should be green. If it is grey, click on it to start the service.
The following options are available to configure L2TP.
The zone to which the L2TP connections are directed. Only the activated zones can be chosen from the drop-down menu.
The IP range from which L2TP users will receive an IP address when connecting to the Endian UTM Edge Appliance.
Tick this checkbox to let L2TP produce more verbose logs.