IPsec connection settings

Under VPN > IPsec > Connections you can add an IPsec connection or edit an existing connection.

In the Connection editing window you can modify the following parameters:

Input box Description
I/0 A slider button indicates whether the IPsec connection is enabled (I) or disabled (0). Click on the slider button to change the status of this connection. A new connection is enabled by default.
Name Enter a unique name for this connection. This must consist of 1 – 63 alphanumeric characters and underscores.
Template Optionally you can select one of the predefined templates. All settings are then taken from the template. Values that were not set in the template are reset. The template "(empty)" can be used to reset all values.
Security profile Select one of the predefined security profiles.

In the Connection tab you modify the following fields:

Table 1. Connection
Input box Description
Connection By optionally selecting a network or Internet connection, its IP addresses will be used for the IPsec connection.
Listening IP addresses As an alternative to Connection, you can also enter user-specified IP addresses. Click on the button on the right-hand side to add your entry to the list. If IP addresses are entered here, the Connection setting is ignored. If neither Connection nor Listening IP addresses are set, the IPsec service automatically uses one of the configured IP addresses of all connections.
Remote gateways This address or list of addresses is necessary for the Initiate connection option in order to determine the address of the remote site.
Initiate connection The firewall will connect to the address specified in the Remote gateway field.
Force NAT-T NAT-T is usually set automatically if the connection requires it. If that mechanism fails, this option forces the use of NAT-T on a connection.

In the Tunnels tab you modify the following fields:

Table 2. Tunnels
Input box Description
Local networks Local networks to be connected to the remote site. Click on the button on the right-hand side to add your entry to the list.
Remote networks Remote networks to connect to the local area networks. Click on the button on the right-hand side to add your entry to the list.
Important: All of the configured local networks are connected to all of the configured remote networks. For IKEv1 connections and IKEv2 connections with the option IKEv2 compatibility mode enabled, the maximum number of combinations is limited to 25. There is no limit for IKEv2 with the option IKEv2 compatibility mode disabled.
Virtual IP pool The remote site is assigned an IP address from the configured IP pool.
Virtual IP Assign a specific IP address to the remote site.
Important: The options Remote networks, Virtual IP pool and Virtual IP should not be used together.
IKEv2 compatibility mode Instead of sending all configured local and remote networks through a single tunnel, a single tunnel is created for each connection between two networks (as with IKEv1). This option only applies to IKEv2 connections.
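The Tunnels tab rules above (every local network is paired with every remote network, the 25-combination limit applies only when one tunnel is created per pair, and Remote networks, Virtual IP pool and Virtual IP are alternatives) can be checked before a configuration is activated. The following Python is an added example, not code from the LANCOM documentation or firmware; the function names, the numeric IKE version parameter and the sample networks are my own constructions.

```python
from itertools import product
from typing import List, Optional, Sequence, Tuple

# Limit stated for IKEv1 and for IKEv2 with compatibility mode enabled.
MAX_COMBINATIONS = 25


def tunnel_pairs(local_networks: Sequence[str],
                 remote_networks: Sequence[str]) -> List[Tuple[str, str]]:
    """All configured local networks are connected to all configured remote
    networks, so every (local, remote) pair becomes a traffic selector."""
    return list(product(local_networks, remote_networks))


def tunnel_count(ike_version: int, compat_mode: bool,
                 local_networks: Sequence[str],
                 remote_networks: Sequence[str]) -> int:
    """Number of tunnels negotiated for the connection.

    IKEv1, and IKEv2 with compatibility mode enabled, create one tunnel per
    local/remote pair. IKEv2 without compatibility mode carries all pairs
    through a single tunnel.
    """
    pairs = tunnel_pairs(local_networks, remote_networks)
    if ike_version == 1 or compat_mode:
        return len(pairs)
    return 1 if pairs else 0


def check_tunnel_config(ike_version: int, compat_mode: bool,
                        local_networks: Sequence[str],
                        remote_networks: Sequence[str],
                        virtual_ip_pool: Optional[str] = None,
                        virtual_ip: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the values are consistent."""
    problems: List[str] = []
    pairs = tunnel_pairs(local_networks, remote_networks)
    per_pair_tunnels = ike_version == 1 or compat_mode
    if per_pair_tunnels and len(pairs) > MAX_COMBINATIONS:
        problems.append(
            f"{len(local_networks)} local x {len(remote_networks)} remote = "
            f"{len(pairs)} combinations exceed the limit of {MAX_COMBINATIONS}; "
            f"reduce the networks or use IKEv2 without compatibility mode")
    # Remote networks, Virtual IP pool and Virtual IP describe the remote side
    # in three different ways and should not be used together.
    remote_side = [name for name, value in (("Remote networks", remote_networks),
                                            ("Virtual IP pool", virtual_ip_pool),
                                            ("Virtual IP", virtual_ip)) if value]
    if len(remote_side) > 1:
        problems.append("use only one of " + ", ".join(remote_side))
    return problems


if __name__ == "__main__":
    # Constructed sample: a hub with six local networks and five remote networks.
    local = [f"10.{i}.0.0/24" for i in range(6)]
    remote = [f"192.168.{i}.0/24" for i in range(5)]
    for version, compat in ((1, False), (2, True), (2, False)):
        print(f"IKEv{version} compat={compat}: "
              f"{tunnel_count(version, compat, local, remote)} tunnel(s), "
              f"problems={check_tunnel_config(version, compat, local, remote)}")
```

Running the sample shows 30 combinations: IKEv1 and IKEv2 with compatibility mode report the limit violation, while plain IKEv2 negotiates a single tunnel and passes.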

In the Authentication tab you modify the following fields:

Table 3. Authentication
Input box Description
Authentication type Specify the authentication type. Possible values:
  • Certificate – authentication is based on a local and a remote certificate.
  • Certificate Authority – authentication is performed through a local and a remote certificate signed by the selected CA.
  • PSK (preshared key) – authentication is based on the entry of a password.
  • LTA – in LANCOM Trusted Access mode, a client certificate is always expected and the groups of the connecting user are read from this client certificate in order to activate the matching rules.
PSK (preshared key) For authentication type PSK (preshared key) only – specify the required password here.
Local certificate The certificate of the firewall for authentication. This must contain a private key.
Local identifier If this field is empty, PSK authentication automatically uses the outgoing IP address of the firewall, and certificate authentication automatically uses the distinguished name (DN) of the selected local certificate.
  • For PSK authentication, the following values are allowed: IP addresses, fully qualified domain names (FQDN), e-mail addresses (FQUN), and free text between quotation marks (").
  • For certificate authentication, the following values are allowed: The distinguished name (DN) of the selected certificate, wildcard DN – all DN items must be present (in the correct order), but may be specified as a wildcard (e.g. CN=*) – any subject alternative names (SAN) of the selected certificate.
Extended authentication Enables the optional use of additional user authentication. Once you have selected a security profile, you have the following options:
  • No Extended Authentication – Do not perform extended authentication.
  • XAUTH (IKEv1) – Either the local user database or a RADIUS server is used (depending on whether RADIUS is enabled in the IPsec settings or not).
  • EAP First Round – This uses an external RADIUS server, which must be enabled in the IPsec settings. The RADIUS server is configured in the IPsec settings. The settings in the Local section are used to authenticate the firewall at the remote site. The remote site authenticates via EAP only.
  • EAP Second Round – This uses an external RADIUS server, which must be enabled in the IPsec settings. The RADIUS server is configured in the IPsec settings. The settings in the Local section are used to authenticate the firewall at the remote site. The remote site uses PSK or a certificate to authenticate at the firewall and then performs an EAP authentication.
  • EAP-TLS – Corresponds to the EAP First Round variant with the difference that a TLS certificate is used for EAP authentication.
Note:
  • With IKEv1, the options No extended authentication and XAUTH (IKEv1) are available irrespective of the authentication type.
  • For IKEv2 with certificate or PSK authentication, all of the options are available except for XAUTH (IKEv1).
  • For IKEv2 with CA authentication, the available options are No Extended Authentication and EAP Second Round.
Remote certificate Only with authentication type "Certificate": Certificate of the remote site.
Certificate authority Only with authentication type "Certificate Authority": A CA whose signed certificates can be used for authentication.
Remote identifier If this field is empty, PSK authentication automatically uses the IP address of the remote gateway (if set), and certificate authentication uses the distinguished name (DN) of the selected remote certificate.
  • For PSK authentication, the following values are allowed: IP addresses, fully qualified domain names (FQDN), e-mail addresses (FQUN), and free text between quotation marks (").
  • For certificate authentication, the following values are allowed: The distinguished name (DN) of the selected certificate, wildcard DN – all DN items must be present (in the correct order), but may be specified as a wildcard (e.g. CN=*) – any subject alternative names (SAN) of the selected certificate.
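The identifier rules in the Authentication tab (for PSK: IP address, FQDN, FQUN or quoted free text; for certificates: the subject DN, a wildcard DN in which every item is present in order but may be "*", or any SAN of the certificate) are the values a peer is matched against during IKE, so a typo here is a connection that never comes up. The Python below is an added example, not LANCOM code: the regular expressions are my approximation of the FQDN and FQUN forms, the DN parser is simplified (comma-separated RDNs without escaped commas), and values are compared exactly because the page does not state whether the device compares case-insensitively.

```python
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

# Approximations of the identifier forms listed on the page (assumption: the
# device's own syntax checks may be stricter or looser than these patterns).
_FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_FQUN_RE = re.compile(r"^[^@\s\"]+@([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_psk_identifier(value: str) -> Optional[str]:
    """Return 'ip', 'fqdn', 'fqun' or 'keyid' (quoted free text), or None if
    the value is none of the forms allowed for PSK authentication."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return "keyid"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _FQUN_RE.match(value):
        return "fqun"
    if _FQDN_RE.match(value):
        return "fqdn"
    return None


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'C=DE, O=Example, CN=gw' into ordered (attribute, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def dn_matches(pattern: str, subject: str) -> bool:
    """Match a DN or wildcard DN against a certificate subject: every item of
    the subject must appear in the pattern, in the same order, and a pattern
    value of '*' matches any value for that item."""
    pat, sub = parse_dn(pattern), parse_dn(subject)
    if len(pat) != len(sub):
        return False
    return all(pa == sa and (pv == "*" or pv == sv)
               for (pa, pv), (sa, sv) in zip(pat, sub))


def certificate_identifier_accepted(identifier: str, subject_dn: str,
                                    sans: Sequence[str]) -> bool:
    """Accept an identifier that is a SAN of the certificate or that matches
    its subject DN (with or without wildcards)."""
    if identifier in sans:
        return True
    try:
        return dn_matches(identifier, subject_dn)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; the certificate data is invented for the demo.
    for ident in ("203.0.113.10", "vpn.example.com", "vpn@example.com",
                  '"branch office 1"', "branch office 1"):
        print(f"{ident!r:25} -> {classify_psk_identifier(ident)}")
    subject = "C=DE, O=Example, CN=gw.example.com"
    sans = ["gw.example.com", "vpn@example.com"]
    for ident in ("C=DE, O=Example, CN=*", "CN=*", "gw.example.com"):
        print(f"{ident!r:25} -> {certificate_identifier_accepted(ident, subject, sans)}")
```

The second loop shows the wildcard rule in action: "C=DE, O=Example, CN=*" matches the subject, but a bare "CN=*" does not because the C and O items are missing.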

In the Routing tab you modify the following fields:

Table 4. Routing
Input box Description
Route-based IPsec With this option, which traffic is routed through the tunnel is determined exclusively by manually configured routing rules and routing tables (or their entries). This is particularly useful when the local or remote networks used on the connection overlap in an undesired way with other networks defined on the device. With this option enabled, the routing configuration dialogs (routing rules and tables) offer IPsec connections that have route-based IPsec enabled as selectable source/destination interfaces. They are marked with a padlock icon so that they are easy to distinguish from other interfaces.
MTU Here you can set the MTU (Maximum Transmission Unit), i.e. the maximum size of an unfragmented data packet. By default, it is 1400.

In the Traffic Shaping tab you modify the following fields:

Input box Description
Traffic Group Optionally select the name of a traffic group. This applies the rules defined for this group to traffic on this connection. See also Traffic shaping.
Note: If it is a route-based IPsec tunnel, traffic within a tunnel can be prioritized using a custom shaping configuration.
Outgoing DSCP From the list, select an optional DSCP value for outbound data traffic. The list contains the designations from the relevant RFCs (e.g. "CS0") and the group (e.g. "Default"). Also, the value is numerically represented in various bases (binary, hexadecimal, and decimal). The list can be searched according to these representations, so that you can quickly find the desired value regardless of your preferred representation.

The buttons available at the bottom right of the edit box depend on whether you are adding a new VPN IPsec connection or editing an existing connection. For a new network connection, click Create to add the connection to the list of available IPsec network connections, or Cancel to cancel the creation of a new network connection.

If you have made changes, you can use the buttons at the bottom right of the edit window to save them (Save) or discard them (Reset). Otherwise you can close the window (Close).

Click Activate in the toolbar at the top of the desktop to apply your configuration changes.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de
