The IPsec page contains two tabs (IPsec and L2TP), which allow setting up and configuring the IPsec tunnels and enabling L2TP support, respectively.
New in version 3.0: Support for Xauth authentication
New in version 3.0: Support for IKEv2 protocol
The IPsec tab contains two boxes: the first one is IPsec settings, which concerns the certificate choice and various options, some of them for debugging purposes. The second one is Connections, which shows all the connections and allows managing them.
IPsec, L2TP, and XAuth in a nutshell.
IPsec is a generic standardised VPN solution, in which the encryption and authentication tasks are carried out on OSI layer 3 as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel’s IP stack. Although IPsec is a standardised protocol and is compatible with the implementations of most vendors, the actual implementation may differ considerably from vendor to vendor, sometimes causing interoperability issues.
Moreover, the configuration and administration of IPsec may become quite difficult due to its complexity and design, and some particular situations might even be impossible to handle, for example when it is necessary to cope with NAT.
Compared to IPsec, OpenVPN is easier to install, configure, and manage. However, mobile devices rely on IPsec, thus the Endian UTM Appliance implements an easy-to-use administration interface for IPsec, that supports different authentication methods and also two-factor authentication when used together with L2TP or XAuth.
Indeed, IPsec is used to authenticate clients (i.e., tunnels) but not users, so one tunnel can be used by only one client at a time.
L2TP and XAuth add user authentication to IPsec, therefore many clients can connect to the server using the same encrypted tunnel and each client is authenticated by either L2TP or XAuth.
An additional option is available when using XAuth and is called XAuth hybrid mode, which only authenticates the user.
In this box a few global IPsec options can be set, namely two for Dead peer detection and quite a lot of debugging options. Additionally, the configuration of the certificates used in IPsec tunnelled connections is also carried out here.
The maximum exchange interval, in seconds, for the IKEv1 protocol.
IKEv2 does not need a timeout interval, as it is capable of detecting when the other endpoint does not reply and of deciding which actions to take.
Debug options are rather advanced settings and are usually not needed, as they will only increase the number of events and messages recorded in the log file.
New in version 3.0: IPsec log file. Starting with version 3.0, the messages produced by IPsec are logged both in the file /var/log/messages and in the dedicated file
Enabling all those options proves useful when issues are experienced while establishing a connection, or to produce more precise and technical messages about the normal operation of a tunnel. This way, the log file will contain very detailed messages.
This table shows all the already configured IPsec connections, with the following information:
When a connection is reset from the Endian UTM Appliance, the client must reconnect in order to establish the connection again.
Upon clicking on Add new Connection, a panel will appear, which contains all options needed to set up a new IPsec connection.
Four different connection modes can be chosen for the IPsec tunnel:
The options available for each of them are basically the same, with only one additional option available for Net-to-Net connections.
The option selected from the drop-down menu determines how the client’s authentication is carried out. Available values are:
The local subnets that will be accessible from the client.
Mobile devices running iOS cannot properly connect via XAuth to the Endian UTM Appliance if this value is not set, therefore the special subnet 0.0.0.0/0 is automatically added when the Connection type is set to XAuth.
Only when using IKEv2 is it possible to add more than one subnet, one per line, since IKEv1 supports only one subnet.
Only available for Net-to-Net connections, it specifies the remote subnet.
When using IKEv2 it is possible to add more than one subnet.
The IP or FQDN of the remote host.
When a hostname is supplied in this option, it must match the local ID of the remote side.
The IP Address specified in the textfield will be assigned to the remote client.
This IP Address must fall within the pool defined in the IPsec settings below.
This option is available neither for L2TP Host-to-Net connections, since it is L2TP that takes charge of assigning IP addresses to clients, nor for Net-to-Net connections.
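The constraints listed for these options (one subnet per side under IKEv1, remote subnet only for Net-to-Net, the 0.0.0.0/0 subnet for XAuth, and a remote IP that must fall within the configured pool) are easy to get wrong when a tunnel is defined by hand. The following validator, an added example and not Endian's own code, encodes those rules with Python's standard ipaddress module. The dictionary keys (connection_type, ike_version, local_subnets, remote_subnets, remote_ip, pool), the connection-type names and the treatment of the pool as a CIDR network are assumptions made for this illustration; the appliance's real configuration keys are not documented on this page.

```python
"""Check an IPsec connection definition against the constraints described above.

Added example; field names, connection-type names and the CIDR pool are assumptions,
not the Endian UTM Appliance's actual configuration format.
"""
import ipaddress

# The four connection modalities (names assumed for this example).
HOST_TO_NET_L2TP = "l2tp-host-to-net"
HOST_TO_NET_XAUTH = "xauth-host-to-net"
HOST_TO_NET_CERT = "host-to-net"
NET_TO_NET = "net-to-net"


def normalise_local_subnets(conn):
    """Return the local subnets, filling in 0.0.0.0/0 for XAuth when none is set.

    Assumption: the special subnet is added only when the field is empty, so
    an explicitly configured subnet is left untouched.
    """
    subnets = list(conn.get("local_subnets", []))
    if conn["connection_type"] == HOST_TO_NET_XAUTH and not subnets:
        subnets.append("0.0.0.0/0")
    return subnets


def validate_connection(conn):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    ike = conn.get("ike_version", 1)
    ctype = conn["connection_type"]
    local = normalise_local_subnets(conn)
    remote = list(conn.get("remote_subnets", []))

    # Every subnet must be a well-formed network (strict=True rejects host bits).
    for net in local + remote:
        try:
            ipaddress.ip_network(net, strict=True)
        except ValueError:
            problems.append(f"invalid subnet {net!r}")

    # IKEv1 carries a single traffic selector per side; IKEv2 allows several.
    if ike == 1:
        if len(local) > 1:
            problems.append("IKEv1 supports only one local subnet")
        if len(remote) > 1:
            problems.append("IKEv1 supports only one remote subnet")

    # The remote subnet option exists only for Net-to-Net tunnels.
    if ctype != NET_TO_NET and remote:
        problems.append("remote subnet is only available for Net-to-Net connections")

    # A fixed client address is not offered for L2TP (L2TP assigns it) or Net-to-Net,
    # and otherwise must lie inside the pool from the IPsec settings.
    remote_ip = conn.get("remote_ip")
    if remote_ip is not None:
        if ctype in (NET_TO_NET, HOST_TO_NET_L2TP):
            problems.append("remote IP assignment is not available for this connection type")
        else:
            pool = ipaddress.ip_network(conn["pool"], strict=False)
            if ipaddress.ip_address(remote_ip) not in pool:
                problems.append(f"remote IP {remote_ip} is outside the pool {pool}")
    return problems


if __name__ == "__main__":
    # Constructed sample definition: an IKEv1 Net-to-Net tunnel with two remote subnets.
    sample = {
        "connection_type": NET_TO_NET,
        "ike_version": 1,
        "local_subnets": ["192.168.0.0/24"],
        "remote_subnets": ["10.1.0.0/24", "10.2.0.0/24"],
    }
    for problem in validate_connection(sample):
        print("problem:", problem)
```

Running the module on the constructed sample reports that IKEv1 supports only one remote subnet; switching ike_version to 2 makes the same definition pass. The checks are deliberately independent of each other, so a definition with several mistakes reports all of them at once rather than stopping at the first.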
By clicking on the Advanced label, additional options become available to choose and configure the encryption algorithms. For every option, many algorithms can be chosen.
It is only necessary to change an algorithm when a remote client uses a given algorithm and cannot change it.
On the website help.endian.com, the following tutorials are available:
L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661.
To enable L2TP on the Endian UTM Appliance, the switch next to the Enable L2TP label should be green. If it is grey, click on it to start the service.
The following options are available to configure L2TP.
On the website help.endian.com, several tutorials are available which help in setting up the Endian UTM Appliance as an IPsec server and smartphones as clients: