The IPsec page contains two tabs, IPsec and L2TP, that allow to set up and configure the IPsec tunnels and to enable the L2TP support, respectively.
To enable IPsec on the Endian UTM Appliance, the switch next to the Enable IPsec label should be green. If it is grey, click on it to start the service.
The IPsec tab contains two boxes: The first one is IPsec settings, in which various common options for all tunnels can be configured, also for debugging purposes. The second one is Connections, which shows all the defined connections and allows to manage them.
IPsec, L2TP, and XAuth in a nutshell.
IPsec is a generic standardised VPN solution, in which the encryption and the authentication tasks are carried out on OSI layer 3 as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel’s IP stack. Although IPsec is a standardised protocol and is compatible with most vendors’ IPsec implementations, the actual implementation may differ considerably from vendor to vendor, sometimes causing interoperability issues.
Moreover, the configuration and administration of IPsec may become quite difficult due to its complexity and design, while some particular situations might even be impossible to handle, for example when there is the necessity to cope with NAT.
Compared to IPsec, OpenVPN is easier to install, configure, and manage. However, mobile devices rely on IPsec, thus the Endian UTM Appliance implements an easy-to-use administration interface for IPsec, which supports different authentication methods and also two-factor authentication when used together with L2TP or XAuth.
Indeed, IPsec is used to authenticate clients (i.e., tunnels) but not users, so one tunnel can be used by only one client at a time.
L2TP and XAuth add user authentication to IPsec, therefore many clients can connect to the server using the same encrypted tunnel and each client is authenticated by either L2TP or XAuth.
An additional option is available when using XAuth and is called XAuth hybrid mode, which only authenticates the user.
In this box a few global IPsec options can be set, namely the certificates used for the IPsec tunnels, the Dead Peer Detection, and quite a lot of debugging options.
The IP range from which all roadwarrior connections receive their IP address.
The number of seconds between two successive pings, used to detect whether the connection is still active.
The maximum length in seconds of the exchange interval for the IKEv1 protocol.
Hint
IKEv2 does not need a timeout interval, as it is capable of detecting when the other endpoint does not reply and which actions to take.
This drop-down menu is used to select the method of creation of a new certificate. The available options are:
Use selected certificate. Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.
Hint
The name of the certificate selected appears right above the hyperlink.
Use an existing certificate. A new drop-down menu on the right-hand side allows selecting a certificate that has already been created and stored on the Endian UTM Appliance.
Generate a new certificate. Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open where to specify all options necessary to create a new certificate. These are the same found in the new certificates generation editor, with two slight changes: Common name becomes System hostname and Organizational unit name becomes Department name.
Upload a certificate. By clicking on the Browse… button that appears underneath the drop-down menu it will be possible to select from the workstation and to upload an existing certificate. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.
Upload a certificate signing request. The Browse… button that appears underneath the drop-down menu can be clicked to select from the workstation and upload an existing certificate signing request. The validity of the certificate in days can be provided in the textfield on the right-hand side.
Note
Note that it is currently not possible to generate a Let’s Encrypt CA from here.
On the right of the Certificate configuration drop-down menu, the name of the currently used certificate is shown, above the icon and the View details link. The latter shows all information about the certificate when clicked.
Below the Certificate configuration drop-down menu, there is an icon with the name of the Certificate Authority and the Download certificate link to download the certificate needed for the client connections.
Debug options are rather advanced settings and usually not needed, as they only will increase the number of events and messages recorded in the log file.
Activating all those options proves useful when issues are experienced while establishing a connection, or to produce more precise and technical messages about the normal operation of a tunnel. The log file will then contain very detailed entries.
This table shows all the already configured IPsec connections, with the following information:
Name. The name given to the connection.
Type. What kind of tunnel is used.
Common Name. The name of the certificate used to authenticate the connection.
Remark. A comment about the connection.
Status. Whether the connection is either Closed, Connecting or Established.
Actions. The possible operations that can be made on each tunnel.
Note
The information icon does not appear if the connection is closed.
Hint
When a connection is reset from the Endian UTM Appliance, it is necessary for the client to reconnect in order to establish the connection.
Upon clicking on Add new Connection, a panel will appear, which contains all options needed to set up a new IPsec connection.
The name of the connection.
A comment for the connection.
Four different connection types can be chosen for the IPsec tunnel:
Host-to-Net. The client connecting to the IPsec server on the Endian UTM Appliance is a single remote workstation, server, or resource.
Net-to-Net. The client is an entire subnet. In other words, the IPsec connection is established between remote subnets.
L2TP Host-to-Net. The client is a single device that also uses L2TP.
XAuth Host-to-Net. The client is a single device and authentication is carried out by XAuth.
The options available for each of them are basically the same, with only one additional option available for Net-to-Net connections.
The option selected from the drop-down menu determines how the client’s authentication is carried out. Available values are:
Password (PSK). The client shall supply the password specified in the Use a pre-shared key textfield situated on the right.
Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field. The client is authenticated by its IP address, domain name, or by other unique information of the IPsec tunnel.
Use an existing certificate. The certificate chosen from the drop-down menu on the right shall be used.
Generate a new certificate. Additional options will be shown to create a new certificate.
Upload a certificate. Select from the local workstation a certificate to use.
Upload a certificate request. Select from the local workstation a certificate request to obtain a new certificate.
XAUTH hybrid. Only available for XAuth Host-to-Net connections: the user needs to authenticate, while the encryption tunnel does not.
A string that identifies the client within the local network.
The interface through which the host is connecting.
The local subnets that will be accessible from the client.
Note
Mobile devices running iOS cannot properly connect via XAuth to the Endian UTM Appliance if this value is not set; therefore the special subnet 0.0.0.0/0 is automatically added when the Connection type is set to XAuth.
Hint
Only when using IKEv2 is it possible to add more than one subnet, one per line, since IKEv1 supports only one subnet.
The ID that identifies the remote host of the connection.
The IP or FQDN of the remote host.
Note
When a hostname is supplied in this option, it must match the local ID of the remote side.
Only available for Net-to-Net connections; it specifies the remote subnet.
Hint
When using IKEv2 it is possible to add more than one subnet.
The IP address specified in the textfield will be assigned to the remote client.
Hint
This IP address must fall within the pool defined in the IPsec settings below.
Note
This option is available neither for Net-to-Net connections, nor for L2TP Host-to-Net connections; in the latter case it is L2TP that takes charge of IP address assignment to clients.
The action to perform if a peer disconnects. Available choices from the drop-down menu are to Clear, to Hold, or to Restart the peer.
By clicking on the Advanced label, additional options are available, to choose and configure different types of encryption algorithm. For every option, many types of algorithm can be chosen.
Warning
The values of the algorithms chosen here must match exactly those that are defined on the other peer, otherwise the connection might not be established correctly.
The encryption methods that should be supported by IKE.
Tick the checkbox to activate the so-called strict mode for IKE: In this mode only the selected algorithm will be accepted upon connection.
New in version 5.0.
The algorithms that should be supported to verify the integrity of packets.
The IKE group type.
For how many hours the IKE packets are valid.
Choose from the drop-down menu which IKE version the connection should use. Available values are IKEv1, IKEv2, and Both IKEv1 and IKEv2.
The encryption methods that should be supported by the ESP.
Tick the checkbox to activate the so-called strict mode for ESP: In this mode only the selected algorithm will be accepted upon connection.
New in version 5.0.
The algorithms that should be supported to verify the integrity of packets.
The ESP group type.
How many hours should an ESP key be valid.
Tick the checkbox to allow payload compression.
New in version 5.0.
This option determines how a virtual IP is assigned to the client, either push or pull. This option is relevant for IKEv1 only.
New in version 5.0.
Three choices are available for this option, which determine the tunnel’s behaviour upon connection:
Brings the connection up immediately. The connection starts immediately after the tunnel configuration is loaded into the IPsec configuration. This corresponds to the auto=start configuration value.
Starts the connection if traffic is detected. The connection is loaded, but the actual connection will be established as soon as some traffic is detected for the tunnel. This corresponds to the auto=route configuration value.
Loads the connection without starting it. The connection is only loaded but will not start. This corresponds to the auto=add configuration value.
Hint
If no IPsec traffic is detected even though the connection is established, use the auto=route option, i.e., the second one.
New in version 5.0.
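The constraints and mappings described in the connection editor above (client IP within the pool, a single subnet under IKEv1, the automatic 0.0.0.0/0 for XAuth, strict mode, the dead peer action and the auto= startup values), as an added Python example that is not Endian's own code: it validates a connection definition whose field names are assumed here, then renders a strongSwan-style conn block, whose syntax is likewise an assumption about the appliance's underlying IPsec stack.

```python
import ipaddress

# Constructed mappings from this page's drop-down choices to the ipsec.conf
# values it names (auto=start/route/add) or to strongSwan-style keys (assumed).
START_MODES = {"immediately": "start", "on-traffic": "route", "load-only": "add"}
IKE_VERSIONS = {"ikev1": "ikev1", "ikev2": "ikev2", "both": "ike"}
DPD_ACTIONS = ("clear", "hold", "restart")

def validate(conn, pool):
    """Apply the constraints stated on this page; return (errors, effective subnets)."""
    errors, subnets = [], list(conn.get("local_subnets", []))
    if conn["type"] == "xauth-host-to-net" and not subnets:
        subnets = ["0.0.0.0/0"]  # added automatically for XAuth, otherwise iOS fails
    if conn["ike_version"] == "ikev1" and len(subnets) > 1:
        errors.append("IKEv1 supports only one local subnet")
    vip = conn.get("client_ip")
    if vip and conn["type"] in ("net-to-net", "l2tp-host-to-net"):
        errors.append(f"a fixed client IP is not available for {conn['type']}")
    elif vip and ipaddress.ip_address(vip) not in ipaddress.ip_network(pool):
        errors.append(f"client IP {vip} is outside the IPsec pool {pool}")
    if conn["dpd_action"] not in DPD_ACTIONS:
        errors.append("dead peer action must be clear, hold or restart")
    if conn["start"] not in START_MODES or conn["ike_version"] not in IKE_VERSIONS:
        errors.append("unknown startup behaviour or IKE version")
    return errors, subnets

def render(conn, pool, dpd_delay=30, dpd_timeout=120):
    """Render a strongSwan-style conn block (assumed syntax, not Endian's own output)."""
    errors, subnets = validate(conn, pool)
    if errors:
        raise ValueError("; ".join(errors))
    bang = "!" if conn.get("strict") else ""  # strict mode: proposal list ends in "!"
    lines = [f"conn {conn['name']}",
             f"    keyexchange={IKE_VERSIONS[conn['ike_version']]}",
             f"    ike={conn['ike_proposal']}{bang}",
             f"    esp={conn['esp_proposal']}{bang}",
             f"    leftsubnet={','.join(subnets)}",
             f"    dpdaction={conn['dpd_action']}",
             f"    dpddelay={dpd_delay}s"]
    if conn["ike_version"] == "ikev1":  # IKEv2 needs no timeout (see the hint above)
        lines.append(f"    dpdtimeout={dpd_timeout}s")
    lines.append(f"    auto={START_MODES[conn['start']]}")
    return "\n".join(lines)

# Constructed sample: an IKEv2 road warrior with a fixed client IP from the pool.
SAMPLE = {"name": "rw-office", "type": "host-to-net", "ike_version": "ikev2",
          "local_subnets": ["10.10.0.0/24", "10.20.0.0/24"], "client_ip": "10.99.0.5",
          "ike_proposal": "aes256-sha256-modp2048", "esp_proposal": "aes256-sha256",
          "strict": True, "dpd_action": "restart", "start": "on-traffic"}
```

Calling render(SAMPLE, "10.99.0.0/24") yields the conn block; switching the sample to IKEv1 makes validate() reject the second subnet.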
See also
IKE is defined in RFC 5996, which also supersedes the older RFC 2409 (IKEv1) and RFC 4306 (IKEv2).
ESP is described in RFC 4303 (ESP) and RFC 4305 (encryption algorithms for ESP).
See also
On the portal help.endian.com, a number of tutorials about IPsec are available:
IPsec VPN - How to Create a Roadwarrior Connection (with Shrewsoft client).
SSL VPN - How to Create a Net-to-Net Connection.
SSL VPN - How to Create a Roadwarrior Connection.
SSL VPN - How to Create a Net-to-Net Connection (over HTTP).
IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Endian).
IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Cisco ASA).
Setup of a VPN with IPsec and an XAuth tunnel.
Connecting to an Endian UTM Appliance Via IPsec XAUTH Using Android.
Connecting to an Endian UTM Appliance Via IPsec XAUTH Using iOS.
To enable L2TP on the Endian UTM Appliance, the switch next to the Enable L2TP label should be green. If it is grey, click on it to start the service.
L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661. The following configuration options are available:
The zone to which the L2TP connections are directed. Only the activated zones can be chosen from the drop-down menu.
The IP range from which L2TP users will receive an IP address when connecting to the Endian UTM Appliance.
Tick this checkbox to let L2TP produce more verbose logs.
See also
On the website help.endian.com, several tutorials are available that help set up the Endian UTM Appliance as an IPsec server and smartphones as clients:
Setup of a VPN with IPsec and an L2TP tunnel
Connecting to an Endian UTM via L2TP (IPSec) using Android
Connecting to an Endian UTM via L2TP (IPSec) using iOS
Connecting to an Endian UTM via L2TP (IPSec) using Windows 7