Select VPN from the menu bar at the top of the screen.
Virtual private networks (VPNs) allow networks to connect directly to each other over potentially unsafe networks such as the internet. All network traffic through the VPN connection is transmitted securely, inside an encrypted tunnel, hidden from prying eyes. Such a configuration is called a Gateway-to-Gateway VPN. Similarly, a single computer somewhere on the internet can use a VPN tunnel to connect to a trusted LAN. The remote computer, sometimes called a Road Warrior, appears to be directly connected to the trusted LAN while the VPN tunnel is active.
Endian UTM Appliance can create VPNs based on the IPsec protocol supported by most operating systems and network equipment, as well as VPNs based on the OpenVPN service.
Unfortunately, the tools needed to set up IPsec vary greatly among different systems, may be complicated to use or may have interoperability issues. Therefore, Endian recommends OpenVPN in situations where there is no need to support an existing IPsec infrastructure. Endian UTM Appliance includes a user friendly OpenVPN client for Microsoft Windows, Linux and MacOS X.
Following is a list of links that appear in the submenu on the left side of the screen and that allow setting up VPNs of any of the types mentioned:
Each link will be explained individually in the following sections.
Select VPN from the menu bar at the top of the screen, then select OpenVPN server from the submenu on the left side of the screen.
In this panel you can enable the OpenVPN server and define in which zone it should run.
If you want to run the OpenVPN server in one of the existing zones check this box. .. note:
If the OpenVPN server is not bridged you must set the
firewall rules in the VPN firewall to make sure clients
can access any zone - unless you do not want them to.
Note
Traffic directed to this IP pool has to be filtered using the VPN firewall.
Click on Save to save the settings and start the OpenVPN service. The first time the service is started a new (self-signed) certificate for this OpenVPN server is generated. Click on the Download CA certificate link to download it. You will need it later when setting up the clients.
The following panel shows a list of currently connected clients, once OpenVPN is up and running. It is possible to kill and ban connections. The difference between killing and banning is that banned users are not able to reconnect after their connection has been killed.
This panel contains the list of OpenVPN accounts.
Cick on Add account to add an account. The following parameters can be specified for each account:
Account information
Client routing
Custom push configuration
Note
In all of these fields, addresses and networks must be given in CIDR notation (e.g. 192.168.0.0/24).
Click the Save button to save the account settings. You can at any moment disable/enable, edit or delete accounts by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
If you are planning to have two or more branch offices connected through a Gateway-to-Gateway VPN it is good advice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. This way, correct routes will be assigned in a fully automatic way and you do not have to deal with pushing custom routes.
Use this panel to change advanced settings. Among other things, certificate-based authentication (as opposed to password-based) can be set up in this section.
The first section has some generic settings regarding the server:
Note
All addresses and network addresses must be given in CIDR notation (such as 192.168.0.0/24).
The third section lets you specify the authentication method:
Endian UTM Appliance‘s default method is PSK (username/password). If you want to use this method, you do not have to change the settings here.
The Download CA certificate link lets you download the certificate for this OpenVPN server as it is needed by the clients (this is the public certificate, which is used to verify the authenticity of the server). Furthermore, the Export CA as PKCS#12 file link lets you download the certificate in PKCS#12 format (keep it private!), which can be imported into any OpenVPN server that you wish to use as a fall back server.
Finally, should this system be a fallback system, you can upload the PKCS#12 file that you exported from your primary server (leave “Challenge password” empty if the file came from an Endian UTM Appliance).
If you would rather use a X.509-certificate-based method here (either certificate only or certificate plus password), things get a bit more complicated. It is assumed (and required) that you use an independent certificate authority (CA) for this purpose. It is neither possible nor desired to host such a certificate authority on Endian UTM Appliance.
You need to generate and sign certificates for the server and for every client using your certificate authority. The certificates type must be explicitly specified and be one of “server” and “client” (“netscape certificate type” field).
The server certificate file in PKCS#12 format must be uploaded in this section (specify the “Challenge password” if you supplied one to the certificate authority before or during the creation of the certificate).
The client certificates need to have the common name fields equal to their OpenVPN user names.
Warning
If you use certificate-only authentication a client that has a valid certificate can connect even if there is no corresponding OpenVPN user account!
You can also upload a revocation list, in case you lost a client certificate and hence have revoked it on your CA.
Click on the link to download the Endian VPN client for Microsoft Windows, MacOS X and Linux from Endian Network.
Select VPN from the menu bar at the top of the screen, then select OpenVPN client (Gw2Gw) from the submenu on the left side of the screen.
In this section you can set up the client side of a Gateway-to-Gateway VPN connection. You have two possibilities to create OpenVPN client connections. You can either click on guilabel:Add tunnel configuration to enter information about the OpenVPN server you want to connect to (there can be more than one) or you, if you have an OpenVPN Access Server, you can import the client settings from there by clicking Import profile from OpenVPN Access Server.
Click on Advanced tunnel configuration to see more options:
Click the Save button to save the tunnel settings. You can at any moment disable/enable, edit or delete tunnels from the list by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
Once you have configured your connection you will find a new section when editing the connection at the bottom of the page. In this section called TLS authentication it is possible to add a TLS key file to be used for the connection.
If you want to import an OpenVPN client configuration from an OpenVPN Access Server you must provide the following information.
Note
Note that Endian UTM Appliance only supports XML-RPC configuration of the OpenVPN Access Server. Typically a URL will therefore look like: https://<SERVERNAME>/RPC2.
After clicking the Import profile button the new client configuration will be stored just like a manually created connection.
Select VPN from the menu bar at the top of the screen, then select IPsec from the submenu on the left side of the screen.
IPsec (IP Security) is a generic standardized VPN solution. As opposed to OpenVPN encryption and authentication are already done on the OSI layer 3 as an extension to the IP protocol. Therefore IPsec must be implemented in the IP stack which is part of the kernel. Since IPSec is a standardized protocol it is compatible to most vendors that implement IPsec. Compared to OpenVPN IPsec’s configuration and administration is usually quite difficult due to its complexity. Because of its design some situations are even impossible to handle, whereas they work well with OpenVPN, especially if you have to cope with NAT. However, Endian UTM Appliance implements an easy to use adminstration interface that supports different authentication methods. We strongly encourage you to use IPSec only if you need to because of interoperability purposes. Use OpenVPN wherever you can, especially if you have to work with NAT.
In the Global settings section you can set the main parameters for your IPsec configuration. The values you can set are:
In the Connection status and control section you can see a list of accounts and their connection status. The list shows Name, Type, Common name, Remark and Status of each connection. By clicking on the icons in the Actions column you can perform various actions as described in the icon legend below the list. You can add a connection by clicking on the Add button. A page will open and you can choose whether you want to add a Host-to-Net Virtual Private Network or a Net-to-Net Virtual Private Network. Submit your choice by clicking on the Add button. On the next page you can specify the details for this connection (you will also see this page when editing an existing connection). You can configure the network parameters in the first section of the page:
In the Authentication section you can configure how authentication is handled.
If you have chosen to edit the advanced settings of this connection, a new page will open after you hit the Save button. In this page you can set Advanced connection settings.
Warning
Unexperienced users should not change the settings here:
Finally save the settings by clicking on the Save button.
Back on the main IPsec page you can generate new certificates and upload existing CA certificates in the Certificate authorities section. To upload a new certificate you have to provide a name in the CA name field. Then click on browse and select the certificate file before clicking the Upload CA certificate button. To generate new root and host certificates just click on the Generate root/host certificates button. You will see a new page where you can enter the required information. If you already created certificates and want to create new certificates you must click on the Reset button. Please note that by doing this not only the certificates but also certificate based connections will be erased.
If you want to generate new root and host certificates some information has to be entered. The fields are described below:
The certificates are created after clicking on the Generate root/host certificates button.
If you already created certificate somewhere else earlier you can upload a PKCS12 file in the lower section of the page instead of generating new certificates.
You can upload the file by clicking on the Upload PKCS12 file button.
Creating a Net-To-Net VPN with IPsec using certificate authentication We have two firewalls A and B, where firewall A is our certification authority. Firewall A - RED IP: 123.123.123.123, GREEN IP: 192.168.15.1/24 Firewall B - RED IP: 124.124.124.124, GREEN IP: 192.168.16.1/24
The following steps have to be performed on firewall A:
The following steps have to be performed on firewall B:
Enter search terms or a module, class or function name.