Connection templates are useful for pre-defining values for connections that are commonly used. Except for the template name, all values are optional and populate the various fields of a VPN connection created using this template.
Various templates have been predefined, such as the template "LANCOM Advanced VPN Client" to simplify IPSec connections with this client. The template "(empty)" is used if the values of an existing connection should be deleted.
Under IPSec connection template you can open the window for a new template. Use the IPSec connection template window to view and configure the following information:
Input box | Description |
---|---|
Name | Give the template a descriptive name. |
Security profile | Select one of the predefined security profiles. |
On the Connection tab you can configure the presets for the following fields:
Input box | Description |
---|---|
Connection | By optionally selecting a network or Internet connection, its IP addresses will be used for the IPSec connection. |
Listening IP addresses | As an alternative to Connection, you can also enter user-specified IP addresses. If IP addresses are entered here, the Connection setting is ignored. If neither Connection nor Listening IP addresses are set, the IPSec service will automatically use one of the configured IP addresses of all connections. |
Remote gateways | This address or list of addresses is necessary for the Initiate connection option in order to determine the address of the remote site. |
Initiate connection | The firewall will connect to the address specified in the Remote gateway field. |
Force NAT-T | NAT-T is usually set automatically if the connection requires it. If that mechanism fails, this option forces the use of NAT-T on a connection. |
On the Tunnels tab you can configure the presets for the following fields:
Input box | Description |
---|---|
Local networks | Local networks to be connected to the remote site. |
Remote networks | Remote networks to connect to the local area networks. Important: All of the configured local networks are connected to all of the configured remote networks. For IKEv1 connections and IKEv2 connections with the option IKEv2 compatibility mode enabled, the maximum number of combinations is limited to 25. There is no limit for IKEv2 with the option IKEv2 compatibility mode disabled. |
Virtual IP pool | The remote site is assigned an IP address from the configured IP pool. |
IKEv2 compatibility mode | Instead of sending all configured local and remote networks through a single tunnel, a single tunnel is created for each connection between two networks (as with IKEv1). This option only applies to IKEv2 connections. |
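The "all local networks to all remote networks" rule and the 25-combination limit for IKEv1 and IKEv2 compatibility mode are easy to get wrong when a template carries many networks. The following is an added example, not code from the product or this documentation: a small Python check that expands the configured networks into the local/remote pairs the firewall would tunnel, counts the resulting tunnels, and rejects a configuration that exceeds the limit where it applies. The function names, the sample networks and the assumption that IKEv2 without compatibility mode carries all pairs through one tunnel are taken from the table above, not from any product API.

```python
import ipaddress
from itertools import product

# Limit stated in the documentation for IKEv1, and for IKEv2 with
# compatibility mode enabled. IKEv2 without compatibility mode has no limit.
MAX_COMBINATIONS = 25


def tunnel_pairs(local_networks, remote_networks, ikev2=True, compat_mode=False):
    """Expand local and remote networks into the (local, remote) pairs that are
    connected: every configured local network to every configured remote one.
    Raises ValueError when the 25-combination limit applies and is exceeded.
    """
    local = [ipaddress.ip_network(n, strict=True) for n in local_networks]
    remote = [ipaddress.ip_network(n, strict=True) for n in remote_networks]
    pairs = list(product(local, remote))

    # The limit applies to IKEv1 and to IKEv2 with compatibility mode enabled.
    limited = (not ikev2) or compat_mode
    if limited and len(pairs) > MAX_COMBINATIONS:
        mode = "IKEv1" if not ikev2 else "IKEv2 compatibility mode"
        raise ValueError(
            f"{len(pairs)} local/remote combinations exceed the limit of "
            f"{MAX_COMBINATIONS} for {mode}"
        )
    return pairs


def tunnel_count(local_networks, remote_networks, ikev2=True, compat_mode=False):
    """Number of tunnels the firewall builds for this configuration.

    IKEv1, and IKEv2 with compatibility mode, create one tunnel per pair;
    IKEv2 without compatibility mode sends all pairs through a single tunnel.
    """
    pairs = tunnel_pairs(local_networks, remote_networks, ikev2, compat_mode)
    if (not ikev2) or compat_mode:
        return len(pairs)
    return 1 if pairs else 0


if __name__ == "__main__":
    # Constructed sample: two local networks, one remote network.
    local = ["10.0.1.0/24", "10.0.2.0/24"]
    remote = ["192.168.10.0/24"]
    for l, r in tunnel_pairs(local, remote, ikev2=False):
        print(f"IKEv1 tunnel: {l} <-> {r}")
    print("IKEv2 tunnels (no compat mode):", tunnel_count(local, remote))
```

Run it before applying a template with many networks on both sides: a 5 x 6 configuration is fine for plain IKEv2 but fails the check for IKEv1 or IKEv2 compatibility mode, which mirrors the limit stated in the table.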
On the Authentication tab you can configure the presets for the following fields:
Input box | Description |
---|---|
Authentication type | Specify the authentication type. Possible values: |
PSK (preshared key) | For authentication type PSK (preshared key) only – specify the required password here. |
Local certificate | The certificate of the firewall for authentication. This must contain a private key. |
Local identifier | If this field is empty, PSK authentication automatically uses the outgoing IP address of the firewall and, for certificate authentication, the distinguished name (DN) of the selected local certificate. |
Extended authentication | Enables the optional use of additional user authentication. Once you have selected a security profile, you have the following options: Note: |
Remote certificate | Only with authentication type "Certificate": Certificate of the remote site. |
Certificate authority | Only with authentication type "Certificate Authority": A CA whose signed certificates can be used for authentication. |
Remote identifier | If this field is empty, PSK authentication automatically uses the IP address of the remote gateway (if set). For certificate authentication, it uses the distinguished name (DN) of the selected remote certificate. |
In the Routing tab you modify the following fields:
Input box | Description |
---|---|
Route-based IPsec | This option allows you to specify precisely which traffic is routed through a tunnel; it requires that routing be configured exclusively through manually set routing rules and routing tables (or their entries). This is particularly useful when the local or remote networks used on the connection overlap with other networks defined on the device in an undesired way. With this option enabled, the routing configuration dialogs (routing rules and tables) offer the IPsec connections that have route-based IPsec enabled for selection wherever source/destination interfaces are set. They are marked with a padlock icon so that they are easy to distinguish from other interfaces. |
MTU | Here you can set the MTU (Maximum Transmission Unit), i.e. the maximum size of an unfragmented data packet. By default, it is 1400. |
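The Routing tab note on overlapping networks is the situation in which route-based IPsec earns its keep: if a remote network of the tunnel overlaps a network already defined on the device, plain policy matching leaves the choice ambiguous, whereas a manual route that names the tunnel as the destination interface settles it. The following is an added example, not code from the product or this documentation. It detects such overlaps with Python's ipaddress module and then shows a constructed longest-prefix-match routing table in which an interface named "ipsec:<connection>" stands in for a route-based IPsec connection selected as the destination interface; the interface naming, the sample networks and the table format are assumptions made for the example.

```python
import ipaddress


def overlapping_networks(connection_networks, device_networks):
    """Return (connection network, device interface) pairs where a network used
    on the IPsec connection overlaps a network already defined on the device.
    Each hit is a candidate for route-based IPsec with an explicit route.
    """
    conn = [ipaddress.ip_network(n) for n in connection_networks]
    device = {name: ipaddress.ip_network(n) for name, n in device_networks.items()}
    hits = []
    for c in conn:
        for name, d in device.items():
            if c.overlaps(d):
                hits.append((str(c), name))
    return hits


def select_interface(destination, routing_table):
    """Longest-prefix match over a constructed routing table.

    routing_table is a list of (network, interface) entries. An interface
    named "ipsec:<connection>" models a route-based IPsec connection chosen
    as the destination interface in a manual routing table entry.
    Returns the interface name, or None if no route matches.
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for net_str, iface in routing_table:
        net = ipaddress.ip_network(net_str)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


if __name__ == "__main__":
    # Constructed sample: the tunnel's remote network 10.0.50.0/24 lies inside
    # the device's own LAN 10.0.0.0/16, so traffic to it is ambiguous without
    # an explicit route.
    device = {"lan0": "10.0.0.0/16", "dmz0": "172.16.5.0/24"}
    remote = ["10.0.50.0/24", "192.168.77.0/24"]
    print("overlaps:", overlapping_networks(remote, device))

    # Manual routing table: the more specific entry pins the overlapping
    # remote network to the route-based IPsec connection.
    table = [
        ("10.0.0.0/16", "lan0"),
        ("10.0.50.0/24", "ipsec:branch-office"),
        ("0.0.0.0/0", "wan0"),
    ]
    for host in ("10.0.50.7", "10.0.1.9", "8.8.8.8"):
        print(host, "->", select_interface(host, table))
```

The check reports the overlap between the tunnel's 10.0.50.0/24 and the device LAN 10.0.0.0/16; with the more specific route in place, a packet for 10.0.50.7 is sent to the tunnel interface while 10.0.1.9 still goes to the LAN and everything else to the default route.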
In the Traffic Shaping tab you modify the following fields:
Input box | Description |
---|---|
Traffic Group | Optionally select the name of a traffic group. This applies the rules defined for this group to traffic on this connection. See also Traffic shaping. Note: If it is a route-based IPsec tunnel, traffic within a tunnel can be prioritized using a custom shaping configuration. |
Outgoing DSCP | From the list, select an optional DSCP value for outbound data traffic. The list contains the designations from the relevant RFCs (e.g. "CS0") and the group (e.g. "Default"). Also, the value is numerically represented in various bases (binary, hexadecimal, and decimal). The list can be searched according to these representations, so that you can quickly find the desired value regardless of your preferred representation. |
Click on Create.
The IPSec connection template dialog closes. The new template is added to the list of available templates in the object bar.