
IPsec

The IPsec page contains two tabs, IPsec and L2TP, which allow setting up and configuring the IPsec tunnels and enabling L2TP support, respectively.

IPsec

To enable IPsec on the Endian 4i Edge Appliance, the switch next to the Enable IPsec label should be green. If it is grey, click on it to start the service.

The IPsec tab contains two boxes: The first one is IPsec settings, in which various options common to all tunnels can be configured, including debugging options. The second one is Connections, which shows all the defined connections and allows managing them.

IPsec, L2TP, and XAuth in a nutshell

IPsec is a generic standardised VPN solution, in which the encryption and the authentication tasks are carried out on OSI layer 3 as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel’s IP stack. Although IPsec is a standardised protocol and is compatible with the implementations of most vendors, the actual implementation may differ considerably from vendor to vendor, sometimes causing interoperability issues.

Moreover, the configuration and administration of IPsec may become quite difficult due to its complexity and design, while some particular situations might even be impossible to handle, for example when there is the necessity to cope with NAT.

Compared to IPsec, OpenVPN is easier to install, configure, and manage. However, mobile devices rely on IPsec, thus the Endian 4i Edge Appliance implements an easy-to-use administration interface for IPsec that supports different authentication methods and also two-factor authentication when used together with L2TP or XAuth.

Indeed, IPsec is used to authenticate clients (i.e., tunnels) but not users, so one tunnel can be used by only one client at a time.

L2TP and XAuth add user authentication to IPsec, therefore many clients can connect to the server using the same encrypted tunnel and each client is authenticated by either L2TP or XAuth.

An additional option is available when using XAuth and is called XAuth hybrid mode, which only authenticates the user.

IPsec settings

In this box a few global IPsec options can be set, namely the certificates used for the IPsec tunnels, the Dead Peer Detection, and a number of debugging options.

Roadwarriors virtual IP pool

The IP address range from which all roadwarrior connections receive their IP address.

Ping delay (in seconds)

The number of seconds between two successive pings, used to detect whether the connection is still active.

Timeout interval (in seconds) - IKEv1 only

The maximum time, in seconds, allowed for an IKEv1 exchange before the peer is considered unreachable.

Hint

IKEv2 does not need a timeout interval, as it is capable of detecting when the other endpoint does not reply and which actions to take.

Certificate configuration

This drop-down menu is used to select the method of creation of a new certificate. The available options are:

  • Use selected certificate. Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.

    Hint

    The name of the certificate selected appears right above the hyperlink.

  • Use an existing certificate. A new drop-down menu on the right-hand side allows selecting a certificate that has already been created and stored on the Endian 4i Edge Appliance.

  • Generate a new certificate. Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open in which to specify all options necessary to create a new certificate. These are the same found in the new certificates generation editor, with two slight changes: Common name becomes System hostname and Organizational unit name becomes Department name.

  • Upload a certificate. By clicking on the Browse… button that appears underneath the drop-down menu it is possible to select an existing certificate from the workstation and upload it. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.

  • Upload a certificate signing request. The Browse… button that appears underneath the drop-down menu can be clicked to select an existing certificate signing request from the workstation and upload it. The validity of the certificate in days can be provided in the textfield on the right-hand side.

Note

Note that it is currently not possible to generate a Let’s Encrypt CA from here.

On the right of the Certificate configuration drop-down menu, the name of the currently used certificate is shown, above the info icon and the View details link. The latter will show all information about the certificate when clicked.

Below the Certificate configuration drop-down menu, there is the download icon, with the name of the Certificate Authority and the Download certificate link to download the certificate needed for the client connections.

Debug options

Debug options are rather advanced settings and usually not needed, as they will only increase the number of events and messages recorded in the log file.

Activating these options is useful when issues are experienced during the establishment of a connection, or to produce more precise and technical messages about the normal operation of a tunnel. This way, the log file will contain very detailed messages.

Connections

This table shows all the already configured IPsec connections, with the following information:

  • Name. The name given to the connection.

  • Type. What kind of tunnel is used.

  • Common Name. The name of the certificate used to authenticate the connection.

  • Remark. A comment about the connection.

  • Status. Whether the connection is either Closed, Connecting or Established.

  • Actions. The possible operations that can be made on each tunnel.

Note

The information icon does not appear if the connection is closed.

Hint

When a connection is reset from the Endian 4i Edge Appliance, it is necessary for the client to reconnect in order to establish the connection.

Upon clicking on Add new Connection, a panel will appear, which contains all options needed to set up a new IPsec connection.

Name

The name of the connection.

Remark

A comment for the connection.

Connection type

Four different connection modalities can be chosen for the IPsec tunnel:

  • Host-to-Net. The client connecting to the IPsec server on the Endian 4i Edge Appliance is a single remote workstation, server, or resource.

  • Net-to-Net. The client is an entire subnet. In other words, the IPsec connection is established between remote subnets.

  • L2TP Host-to-Net. The client is a single device, using also L2TP.

  • XAuth Host-to-Net. The client is a single device and authentication is carried out by XAuth.

The options available for each of them are basically the same, with only one more option available for Net-to-Net connections.

Authentication Type

The option selected from the drop-down menu determines how the client’s authentication is carried out. Available values are:

  • Password (PSK). The client shall supply the password specified in the Use a pre-shared key textfield situated on the right.

  • Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field. The client is authenticated by its IP address, domain name, or by other unique information of the IPsec tunnel.

  • Use an existing certificate. The certificate chosen from the drop-down menu on the right shall be used.

  • Generate a new certificate. Additional options will be shown to create a new certificate.

  • Upload a certificate. Select from the local workstation a certificate to use.

  • Upload a certificate request. Select from the local workstation a certificate request to obtain a new certificate.

  • XAUTH hybrid. Only available for XAuth Host-to-Net connections: Only the user is authenticated, while the client device itself is not.

Local ID

A string that identifies the client within the local network.

Interface

The interface through which the host is connecting.

Local subnets

The local subnets that will be accessible from the client.

Note

Mobile devices running iOS can not properly connect via XAuth to the Endian 4i Edge Appliance if this value is not set, therefore the special subnet 0.0.0.0/0 is automatically added when the Connection type is set to XAuth.

Hint

Only when using IKEv2 is it possible to add more than one subnet (one per line), since IKEv1 supports only one subnet.

Remote ID

The ID that identifies the remote host of the connection.

Remote host/IP

The IP or FQDN of the remote host.

Note

When a hostname is supplied in this option, it must match the local ID of the remote side.

Remote subnet

Only available for Net-to-Net connections, it specifies the remote subnet.

Hint

When using IKEv2 it is possible to add more than one subnet.

Roadwarrior virtual IP

The IP address specified in the textfield will be assigned to the remote client.

Hint

This IP address must fall within the pool defined in the IPsec settings below.

Note

This option is available neither for Net-to-Net connections, nor for L2TP Host-to-Net connections; in the latter case it is L2TP that takes charge of IP address assignment to clients.

Dead peer detection action

The action to perform if a peer disconnects. Available choices from the drop-down menu are to Clear, to Hold, or to Restart the peer.

By clicking on the Advanced label, additional options become available to choose and configure the encryption, integrity, and group algorithms used by the tunnel. For every option, more than one algorithm can be selected.

Warning

The values of the algorithms chosen here must match exactly those that are defined on the other peer, otherwise the connection might not be established correctly.

IKE encryption

The encryption methods that should be supported by IKE.

Accept only chosen encryption algorithms

Tick the checkbox to activate the so-called strict mode for IKE: In this mode only the selected algorithms will be accepted upon connection.

New in version 5.0.

IKE integrity

The algorithms that should be supported to verify the integrity of packets.

IKE group type

The IKE group type.

IKE lifetime

The number of hours for which the IKE security association and its keys remain valid.

IKE version

Choose from the drop-down menu which version the connection should use. Available values are IKEv1, IKEv2, and Both IKEv1 and IKEv2.

ESP encryption

The encryption methods that should be supported by the ESP.

Accept only chosen encryption algorithms

Tick the checkbox to activate the so-called strict mode for ESP: In this mode only the selected algorithms will be accepted upon connection.

New in version 5.0.

ESP integrity

The algorithms that should be supported to verify the integrity of packets.

ESP group type

The ESP group type.

ESP lifetime

How many hours should an ESP key be valid.

Negotiate payload compression

Tick the checkbox to allow payload compression.

New in version 5.0.

Mode config

This option determines how a virtual IP is assigned to the client, either push or pull. This option is relevant for IKEv1 only.

New in version 5.0.

Connection startup

Three choices are available for this option, which determine the tunnel’s behaviour upon connection:

  • Brings the connection up immediately. The connection starts immediately after the tunnel configuration is loaded into the IPsec configuration. This corresponds to the auto=start configuration value.

  • Starts the connection if traffic is detected. The connection is loaded, but the actual connection will be established as soon as some traffic destined for the tunnel is detected. This corresponds to the auto=route configuration value.

  • Loads the connection without starting it. The connection is only loaded but it will not start. This corresponds to the auto=add configuration value.

Hint

If no IPsec traffic is detected even though the connection is established, use the auto=route option, i.e., the second option.

New in version 5.0.
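As an added example (not the configuration generated by the Endian appliance itself), the tunnel options described above, from Dead Peer Detection through the Advanced algorithm settings to Connection startup, are written out below in the form of a strongSwan-style ipsec.conf for a Net-to-Net tunnel. The keyword mapping assumes a strongSwan-compatible IKE daemon; the addresses, IDs and subnets are made-up placeholders.

```conf
# Added example: strongSwan-style ipsec.conf for a Net-to-Net tunnel.
# Addresses, identities and subnets are placeholders, not real values.
config setup
    # Debug options box: raise daemon log levels only while troubleshooting,
    # since every level above 1 greatly inflates the log file
    charondebug="ike 1, cfg 1"

conn net-to-net-branch
    # Connection type: Net-to-Net
    left=%defaultroute                # Interface: the appliance's uplink
    leftid=@hq.example.net            # Local ID (placeholder)
    leftsubnet=10.0.1.0/24            # Local subnets (one per line in the UI;
                                      # only one subnet is possible with IKEv1)
    right=203.0.113.10                # Remote host/IP (placeholder address)
    rightid=@branch.example.net       # Remote ID (placeholder)
    rightsubnet=10.0.2.0/24           # Remote subnet
    # Authentication Type: Password (PSK); the key itself is kept in ipsec.secrets
    authby=secret
    # IKE version
    keyexchange=ikev2
    # IKE encryption / IKE integrity / IKE group type; the trailing "!" is the
    # equivalent of "Accept only chosen encryption algorithms" (strict mode).
    # The peer must offer exactly these proposals or the tunnel will not come up.
    ike=aes256-sha256-modp2048!
    # ESP encryption / ESP integrity / ESP group type, also in strict mode
    esp=aes256-sha256-modp2048!
    # IKE lifetime and ESP lifetime (the UI expresses both in hours)
    ikelifetime=3h
    lifetime=1h
    # Dead Peer Detection: Ping delay, Timeout interval (honoured for IKEv1 only)
    # and Dead peer detection action (clear, hold or restart)
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    # Negotiate payload compression
    compress=no
    # Connection startup: "Starts the connection if traffic is detected"
    auto=route
```

The matching ipsec.secrets line for this example would be `@hq.example.net @branch.example.net : PSK "placeholder-change-me"`, with the placeholder replaced by the pre-shared key entered in the Use a pre-shared key textfield.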

See also

IKE is defined in RFC 5996, which also supersedes the older RFC 2409 (IKEv1) and RFC 4306 (IKEv2).

ESP is described in RFC 4303 (ESP) and RFC 4305 (encryption algorithms for ESP).

See also

On the portal help.endian.com, a number of tutorials about IPsec are available:

  1. IPsec VPN - How to Create a Roadwarrior Connection (with Shrewsoft client).

  2. SSL VPN - How to Create a Net-to-Net Connection.

  3. SSL VPN - How to Create a Roadwarrior Connection.

  4. SSL VPN - How to Create a Net-to-Net Connection (over HTTP).

  5. IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Endian).

  6. IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Cisco ASA).

  7. Setup of a VPN with IPsec and an XAuth tunnel.

  8. Connecting to an Endian UTM Appliance Via IPsec XAUTH Using Android.

  9. Connecting to an Endian UTM Appliance Via IPsec XAUTH Using iOS.

L2TP

To enable L2TP on the Endian 4i Edge Appliance, the switch next to the Enable L2TP label should be green. If it is grey, click on it to start the service.

L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661. The following configuration options are available:

Zone

The zone to which the L2TP connections are directed. Only the activated zones can be chosen from the drop-down menu.

L2TP IP pool start address, L2TP IP pool end address

The IP range from which L2TP users will receive an IP address when connecting to the Endian 4i Edge Appliance.

Enable debug

Tick this checkbox to let L2TP produce more verbose logs.

See also

On the website help.endian.com, several tutorials are available that help with setting up the Endian 4i Edge Appliance as IPsec server and smartphones as clients:

  1. Setup of a VPN with IPsec and an L2TP tunnel

  2. Connecting to an Endian UTM via L2TP (IPSec) using Android

  3. Connecting to an Endian UTM via L2TP (IPSec) using iOS

  4. Connecting to an Endian UTM via L2TP (IPSec) using Windows 7
