
Create a site-to-site SSL VPN

You want to establish secure, site-to-site VPN tunnels using an SSL connection. This VPN allows a branch office to connect to the head office. Users in the branch office will be able to connect to the head office LAN.

Objectives

When you complete this unit, you'll know how to do the following:

  • Define LANs.
  • Add a site-to-site SSL VPN server connection.
  • Download the client configuration file.
  • Add a site-to-site SSL VPN client connection.
  • Troubleshoot SSL VPN settings.

Prerequisites

Before getting started, select a firewall to be the server. It's good practice to select the more powerful unit if there's a difference in models. If you have a firewall with a dynamic IP address and another with a static IP address, use the one with the static IP address.

Define LANs

You create hosts for the head office and branch office networks.

Do the following on the head office firewall:

  1. Go to Hosts and services > IP host and click Add.
  2. Create a host for the head office LAN.

    Create an IP host.

  3. Click Save.

  4. Click Add.
  5. Create a host for the branch LAN.

    Create an IP host.

  6. Click Save.

Add an SSL VPN site-to-site server connection

You create a connection and download the file that will be used to configure the client system.

Do the following on the head office firewall:

  1. Go to Site-to-site VPN > SSL VPN.
  2. In the Server section, click Add.
  3. Specify a name for the tunnel and the networks to be accessed through the tunnel.

    Configure a site-to-site SSL VPN connection.

  4. Click Save. The connection is created and it appears in the server list.

  5. Click Download and save the file that will be used to configure the client system.

    Download the configuration file.

    You can supply a password to encrypt the file, if required. The file format is .apc.

Add an SSL VPN site-to-site client connection

You use the file that was created on the server to create and configure the client connection.

Do the following on the client firewall:

  1. Go to Site-to-site VPN > SSL VPN.
  2. In the Client section, click Add.
  3. Specify the settings.

    Name              Setting
    Connection name   HQ_to_branch_client
  4. Click Choose file and select the file that you downloaded from the SSL VPN server.

    Upload the SSL VPN configuration file.

  5. Click Save.

    The new connection appears in the client list. The tunnel is operational when the status indicator shows green.

    Active connection.

Troubleshooting VPN settings

SSL VPN settings are generally left at their default values. Here are some of the most common changes that you may need to make:

  • Protocol: This is almost never changed from TCP. The VPN will still work over UDP, provided both sides use the same protocol.
  • Override hostname: If your system has a hostname that is not publicly routable, add your public IP address here.
  • Cryptographic settings: You can alter the cryptographic settings. Changing them won’t affect the tunnel’s operation as long as both sides of the tunnel use matching settings.
  • Compress SSL VPN traffic: If you would like to compress packets through the tunnel to conserve bandwidth, enable this option.
  • Enable debug mode: If you are having difficulties with the connection, you can enable debug mode to output extra information into the log file.
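
As an added example (not part of the original documentation or of the firewall's own tooling), the following script performs the pre-flight checks behind the "Define LANs" and troubleshooting sections: it confirms the two LAN hosts are valid and do not overlap, that the settings which must match on both ends (protocol, cryptographic settings, compression) actually match, and that an override hostname given as an IP address is publicly routable. The LAN ranges, cipher name and dictionary keys are constructed sample values, not settings read from a firewall.

```python
import ipaddress

# Constructed sample values: the two LAN hosts created on the head office
# firewall and the tunnel settings as entered on each side.
HEAD_OFFICE_LAN = "10.1.0.0/24"
BRANCH_LAN = "10.2.0.0/24"
SERVER_SIDE = {"protocol": "TCP", "cipher": "AES-256-GCM",
               "compression": False, "override_hostname": "vpn.example.com"}
CLIENT_SIDE = {"protocol": "TCP", "cipher": "AES-256-GCM", "compression": False}


def lan_problems(head_office_lan, branch_lan):
    """Return problems with the two LAN definitions.

    The tunnel can only route between the sites if both networks are valid
    (a proper network address, not a host address) and do not overlap.
    """
    try:
        ho = ipaddress.ip_network(head_office_lan, strict=True)
        br = ipaddress.ip_network(branch_lan, strict=True)
    except ValueError as exc:
        return [f"invalid network: {exc}"]
    if ho.overlaps(br):
        return [f"{ho} and {br} overlap; the tunnel cannot route between them"]
    return []


def setting_problems(server, client):
    """Report settings that differ between the two ends, and an override
    hostname that is an IP address but not publicly routable."""
    problems = []
    for key in ("protocol", "cipher", "compression"):
        if server.get(key) != client.get(key):
            problems.append(f"{key} mismatch: server={server.get(key)!r} "
                            f"client={client.get(key)!r}")
    hostname = server.get("override_hostname")
    if hostname:
        try:
            addr = ipaddress.ip_address(hostname)
        except ValueError:
            addr = None  # a DNS name: routability cannot be judged offline
        if addr is not None and not addr.is_global:
            problems.append(f"override hostname {addr} is not a public address")
    return problems


if __name__ == "__main__":
    found = lan_problems(HEAD_OFFICE_LAN, BRANCH_LAN)
    found += setting_problems(SERVER_SIDE, CLIENT_SIDE)
    for problem in found or ["no problems found"]:
        print(problem)
```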
