IPsec¶

In this page you find:

IPsec
L2TP

The IPsec page contains two tabs (IPsec and L2TP), that allow to set up and configure the IPsec tunnels and to enable the L2TP support, respectively.

IPsec ¶

To enable L2TP on the Endian UTM Appliance, the switch next to the Enable L2TP label should be green . If it is grey , click on it to start the service.

New in version 3.0: Support for Xauth authentication

New in version 3.0: Support for IKEv2 protocol

The IPsec tab contains two boxes: The first one is IPsec settings, which concerns the certificate choice and various options, also for debugging purposes. The second one is Connections, which shows all the connections and allows to manage them.

IPsec, L2TP, and XAuth in a nutshell.

IPsec is a generic standardised VPN solution, in which the encryption and the authentication tasks are carried out on the OSI layer 3 as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel’s IP stack. Although IPsec is a standardised protocol and it is compatible to most vendors that implement IPsec solutions, the actual implementation may be very different from vendor to vendor, sometimes causing interoperability issues.

Moreover, the configuration and administration of IPsec may become quite difficult due to its complexity and design, while some particular situations might even be impossible to handle, for example when there is the necessity to cope with NAT.

Compared to IPsec, OpenVPN is easier to install, configure, and manage. However, mobile devices rely on IPsec, thus the Endian UTM Appliance implements an easy-to-use administration interface for IPsec, that supports different authentication methods and also two-factor authentication when used together with L2TP or XAuth.

Indeed, IPsec is used to authenticate clients (i.e., tunnels) but not users, so one tunnel can be used by only one client at a time.

L2TP and XAuth add user authentication to IPsec, therefore many clients can connect to the server using the same encrypted tunnel and each client is authenticated by either L2TP or XAuth.

An additional option is available when using XAuth and is called XAuth hybrid mode, which only authenticates the user.

IPsec settings ¶

In this box a few global IPsec options can be set, namely two for Dead peer detection, and quite a lot debugging options. Additionally, configuration of certificates used in IPsec tunnelled connections is also carried out here.

Roadwariors virtual IP pool: The IP interval from which all roadwarrior connections receive their IP address.
Ping delay (in seconds): The amount of seconds between two successive pings, used to detect whether the connection is still active.
Timeout interval (in seconds) - IKEv1 only: The maximum amount in seconds of the exchange interval for the IKEv1 protocol.

Hint

IKEv2 does not need a timeout interval, as it is capable of detecting when the other endpoint does not reply and which actions to take.

Certificate configuration: Certificate configuration and management is carried out exactly like in the case of OpenVPN server (in Menubar ‣ VPN ‣ OpernVPN server), in which all the various management modalities are explained.

Debug options ¶

Debug options are rather advanced settings and usually not needed, as they only will increase the number of events and messages recorded in the log file.

New in version 3.0: IPsec log file. Starting with version 3.0, thee messages produced by IPsec are logged in both file /var/log/messages and in the dedicated file /var/log/ipsec/ipsec.log.

The activation of all those options proves useful when issues are experienced during the establishment of a connection or to produce more precise and technical messages about the normal operations of a tunnel. This way, the log file will contain very detailed options.

Connections ¶

In this table are shown all the already configured IPsec connection, with the following information:

Name. The name given to the connection.
Type. What kind of tunnel is used.
Common Name. The name of the certificate used to authenticate the connection.
Remark. A comment about the connection.
Status. Whether the connection is either Closed, Connecting or Established.
Actions. The possible operations that can be made on each tunnel:
- - the connection is active or not.
- - modify the connection’s configuration
- - restart the connection.
- - download the certificate in PKCS12 format.
- - display detailed information about the connection.
- - remove the connection.

Hint

When a connection is reset from the Endian UTM Appliance, it is necessary for the client to reconnect in order to establich the connection.

Upon clicking on Add new Connection, a panel will appear, which contains all options needed to set up a new IPsec connection.

Name

The name of the connection.

Remark

A comment for the connection.

Connection type

There are four different connection modalities can be chosen for the IPsec tunnel:

Host-to-Net. The client is connecting to the IPsec server on the Endian UTM Appliance is a single remote workstation, server, or resource.
Net-to-Net. The client is an entire subnet. In other words, the IPsec connection is established between remote subnets.
L2TP Host-to-Net. The client is a single device, using also L2TP.
XAuth Host-to-Net. The client is a single device and authentication is carried out by XAuth.

The options available for each of them are basically same, with only one more option available for Net-to-Net connections.

Authentication Type

The option selected from the drop-down menu determines how the client’s authentication is carried out. Available values are:

Password (PSK). The client shall supply the password specified in the Use a pre-shared key textfield situated on the right.
Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field. The client is authenticated by its IP Address, domain name, or by other unique information of the IPsec tunnel.
Use an existing certificate. The certificate chosen from the drop-down menu on the right shall be used.
Generate a new certificate. Additional options will be shown to create a new certificate.
Upload a certificate. Select from the local workstation a certificate to use.
Upload a certificate request. Select from the local workstation a certificate request to obtain a new certificate.
XAUTH hybrid. Only available for XAuth Host-to-Net connections: The user will authenticate, while the encryption tunnel must not.

Local ID

A string that identifies the client within the local network.

Interface

The interface through which the host is connecting.

Local subnets

The local subnets that will be accessible from the client.

Note

Mobile devices running iOS can not properly connect via XAuth to the Endian UTM Appliance if this value is not set, therefore the special subnet 0.0.0.0/0’ is automatically added when the `Connection type is set to XAuth.

Hint

Only when using IKEv2 it is possible to add more than one subnet, one per line, since IKEv1 only supports one subnet.

Remote ID

The ID that identifies the remote host of the connection.

Remote subnet

Only available for Net-to-Net connections, it specifies the remote subnet.

Hint

When using IKEv2 it is possible to add more than one subnet.

Remote host/IP

The IP or FQDN of the remote host.

Note

When a hostname is supplied in this option, it must match the local ID of the remote side.

Roadwarrior virtual IP

The IP Address specified in the textfield will be assigned to the remote client.

Hint

This IP Address must fall within the pool defined in the IPsec settings below.

Note

This option is available neither for L2TP Host-to-Net connections, as it is L2TP that takes charge of IP address assignment to clients, nor for Net-to-Net connections.

Dead peer detection action

The action to perform if a peer disconnects. Available choices from the drop-down menu are to Clear, to Hold, or to Restart the peer.

By clicking on the Advanced label, additional options are available, to choose and configure different types of encryption algorithm. For every option, many types of algorithm can be chosen.

Note

It is necessary to change algorithm only in case some remote client uses a given algorithm and can not change it.

IKE encryption: The encryption methods that should be supported by IKE.
IKE integrity: The algorithms that should be supported to verify the integrity of packets.
IKE group type: The IKE group type.
IKE lifetime: How many hours are the IKE packets valid.
ESP encryption: The encryption methods that should be supported by the ESP.
ESP integrity: The algorithms that should be supported to verify the integrity of packets.
ESP group type: The ESP group type.
ESP lifetime: How many hours should an ESP key be valid.
Negotiate payload compression: Tick the checkbox to allow payload compression.

L2TP ¶

L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661.

To enable L2TP on the Endian UTM Appliance, the switch next to the Enable L2TP label should be green. If it is grey, click on it to start the service.

The following options are available to configure L2TP.

Zone: The zone to which the L2TP connections are directed. Only the activated zones can be chosen from the drop-down menu.
L2TP IP pool start address, L2TP IP pool end address: The IP range from which L2TP users will receive an IP address when connecting to the Endian UTM Appliance.
Enable debug: Tick this checkbox to let L2TP produce more verbose logs.

IPsec¶