Add IPSec Remote Access Connection

This page describes how to create an IPSec Remote Access Connection.

  1. Go to Device Configuration > Configure > VPN > IPSec Connections and click Add under IPSec Connections. Select Connection Type as Remote Access.
  2. Enter the parameter values as below.
    Banner Settings
    Name

    Specify a unique name to identify the IPSec Connection.

    Description

    Provide a description for the IPSec VPN Connection.

    Connection Type
    Select Remote Access.
    Policy

    Select the policy to be used for the connection.

    A new policy can also be added by clicking the “Create New” link.

    Action on VPN Restart

    Select the action to be taken on the connection when the VPN service or the Device restarts.

    Available Options

    Respond Only – Keeps the connection ready to respond to any incoming request.

    Disable – Keeps the connection disabled until the user activates it.

    Figure: Banner Settings
    Authentication Details
    Authentication Type

    Select the Authentication Type. The remote peer is authenticated with the method chosen here.

    Available Options:

    Preshared Key

    Preshared Key authentication uses a single secret that both peers know in advance. Each side proves possession of the key during the IKE exchange; the keys that actually encrypt tunnel traffic are derived by the key exchange, not taken from the Preshared Key itself. On selecting this option, provide the following details:

    Preshared Key – Specify the Preshared Key to be used. The Device accepts a minimum of 5 characters; treat this as a floor, not a target, and use a long random string, since a short or dictionary-word key can be recovered by offline guessing from a recorded IKE exchange.

    Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

    This Preshared Key has to be communicated to the peer at the remote end over a separate, trusted channel. At the remote end, the client must specify the same key for authentication.

    If the keys do not match, the user will not be able to establish the connection.

    Digital Certificate

    Digital Certificate authentication is a mechanism whereby each peer presents an X.509 certificate issued by a Certificate Authority and proves possession of the matching private key. Each side must trust the Certificate Authority that issued the other side’s certificate, i.e. that CA’s certificate must be installed on both peers.

    Local Certificate – Select the local certificate (with its private key) that the Device presents to authenticate itself.

    Remote Certificate – Select the certificate that the remote peer is expected to present for authentication.

    Figure: Authentication Details
    Endpoint Details
    Local

    Select the Local WAN port from the list.

    IP Aliases created for WAN interfaces are listed along with the default WAN interfaces.

    Remote

    Specify the IP Address or domain name of the remote peer.

    Figure: Endpoints Details
    Network Detail
    IP Family

    The IP family is set automatically from the address of the selected Local WAN port.

    Local Subnet

    Select the Local LAN Address(es).

    Add and remove LAN addresses using the Add and Remove buttons.

    Local ID

    For Preshared Key and RSA Key authentication, select an ID type from the available options and specify its value. The remote peer must be configured with this exact ID as its remote identity, otherwise phase 1 negotiation fails.

    Available Options:

    DNS
    IP Address
    Email Address
    DER ASN1 DN (X.509)

    Note: With Digital Certificate authentication, the Local ID type and value are taken from the selected Local Certificate and displayed automatically.
    Allow NAT Traversal

    Enable NAT Traversal if a NAT device is located between the VPN endpoints, i.e. when the remote peer has a private, non-routable IP Address. With NAT Traversal enabled, IKE and ESP traffic is encapsulated in UDP port 4500 so that the NAT device can translate it; make sure UDP ports 500 and 4500 are allowed on the path.

    Only one connection can be established behind a given NAT device at a time.

    Remote LAN Network

    Select IP Hosts from the list of available IP Hosts. A new IP Host can also be added to the list by clicking the “Add New Item” link.

    Remote ID

    For Preshared Key and RSA Key authentication, select an ID type from the available options and specify its value. This must match the identity the remote client presents; a mismatch is rejected during phase 1.

    Available Options:

    DNS
    IP Address
    Email Address
    DER ASN1 DN (X.509)

    Note: With Digital Certificate authentication, the Remote ID type and value are taken from the selected Remote Certificate and displayed automatically.
    Figure: Network Detail
    User Authentication
    User Authentication Mode

    Select whether user authentication is required at connection time from the available options.

    Available Options:

    Disabled – Select Disable if user authentication is not required.

    Enable as Client – The Device authenticates itself to the remote server; specify the username and password.

    Enable as Server – The Device authenticates the connecting users; add all the users that are to be allowed to connect.

    Figure: User Authentication
    Quick Mode Selectors
    Protocol

    Select the protocols that are to be allowed in the negotiation.

    The tunnel will pass only traffic that uses the selected protocol(s).

    Available Options:

    All
    ICMP
    UDP
    TCP
    Local Port

    Specify the Local Port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel. The port applies only when TCP or UDP is selected as the protocol.

    Local port range: 1 – 65535

    To allow any local port, enter *.

    Remote Port

    Specify the Remote Port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.

    Remote port range: 1 – 65535

    To allow any remote port, enter *.

    Figure: Quick Mode Selectors
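    The Local ID / Remote ID types and the Quick Mode selector fields above map directly onto the ISAKMP Identification payload that IKEv1 peers exchange (RFC 2407, section 4.6.2). The Python below is an added example, not code from the original page or from the Device vendor: it builds the payload each field produces, so you can see that “*” becomes port 0, “All” becomes protocol 0, and that a Remote ID typed here has to be byte-for-byte what the client sends. The DER DN is produced by a small hand-written encoder that assumes a single-CN name; the addresses, host names and selectors are constructed sample values.

```python
import ipaddress
import struct

# ISAKMP identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1         # "IP Address" in the Local ID / Remote ID selector
ID_FQDN = 2              # "DNS"
ID_USER_FQDN = 3         # "Email Address"
ID_IPV4_ADDR_SUBNET = 4  # Local Subnet / Remote LAN Network in Quick Mode
ID_DER_ASN1_DN = 9       # "DER ASN1 DN (X.509)"

# IANA protocol numbers; 0 in the ID payload means "any protocol".
PROTO_ANY, PROTO_ICMP, PROTO_TCP, PROTO_UDP = 0, 1, 6, 17
PROTOCOL_NAMES = {"All": PROTO_ANY, "ICMP": PROTO_ICMP, "TCP": PROTO_TCP, "UDP": PROTO_UDP}


def der_cn(common_name: str) -> bytes:
    """Minimal DER-encoded X.501 Name holding one CN attribute (demo encoder,
    single-byte lengths only, so names are limited to 100 bytes)."""
    cn = common_name.encode("utf-8")
    if len(cn) > 100:
        raise ValueError("demo encoder supports short names only")
    atv = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(cn)]) + cn  # OID 2.5.4.3 (CN), UTF8String
    atv = b"\x30" + bytes([len(atv)]) + atv                         # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv                         # RelativeDistinguishedName (SET)
    return b"\x30" + bytes([len(rdn)]) + rdn                        # Name (SEQUENCE of RDN)


def id_payload(id_type: int, data: bytes, proto: int = PROTO_ANY, port: int = 0,
               next_payload: int = 0) -> bytes:
    """ISAKMP Identification payload: generic header, then ID type, protocol, port, data."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, proto, port) + data


def phase1_id(kind: str, value: str) -> bytes:
    """Phase 1 identity for the Local ID / Remote ID field types on the page."""
    if kind == "DNS":
        return id_payload(ID_FQDN, value.encode("ascii"))
    if kind == "IP Address":
        return id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(value).packed)
    if kind == "Email Address":
        return id_payload(ID_USER_FQDN, value.encode("ascii"))
    if kind == "DER ASN1 DN":
        return id_payload(ID_DER_ASN1_DN, der_cn(value))
    raise ValueError(f"unknown ID type {kind!r}")


def parse_port(text: str) -> int:
    """'*' (any port) is sent as 0; otherwise the port must be 1..65535."""
    if text.strip() == "*":
        return 0
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1-65535 or *")
    return port


def phase2_selector(network: str, protocol: str, port: str) -> bytes:
    """Quick Mode ID payload for one side of the tunnel: subnet plus protocol/port restriction."""
    net = ipaddress.IPv4Network(network, strict=False)
    proto = PROTOCOL_NAMES[protocol]
    p = parse_port(port)
    if p != 0 and proto not in (PROTO_TCP, PROTO_UDP):
        raise ValueError("a port restriction only applies to TCP or UDP")
    return id_payload(ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed, proto, p)


def ids_match(a: bytes, b: bytes) -> bool:
    """Peers compare type, protocol, port and identification data; the generic
    header (next payload, reserved, length) is not part of the identity."""
    return a[4:] == b[4:]


def decode(payload: bytes) -> dict:
    """Unpack an ID payload so a mismatch can be explained in a log line."""
    _, _, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    data = payload[8:length]
    if id_type == ID_IPV4_ADDR:
        ident = str(ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        ident = f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}"
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        ident = data.hex()
    return {"type": id_type, "proto": proto, "port": port, "id": ident}


if __name__ == "__main__":
    # Constructed sample: firewall restricts the selector to TCP/443, client proposes any port.
    fw = phase2_selector("192.168.1.0/24", "TCP", "443")
    client = phase2_selector("192.168.1.0/24", "TCP", "*")
    print(decode(fw), decode(client), "match:", ids_match(fw, client))
```

    The `decode` output is the kind of detail worth logging when a tunnel refuses to come up: a selector that differs only in the port field, or a Remote ID typed as an IP Address while the client sends a DNS name, shows up immediately as a different type/port in the unpacked payload.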
    Advanced Settings
    Disconnect when tunnel is idle

    Enable this option to let the Device delete an idle VPN session once it exceeds the specified idle session time interval.

    Default: Disabled

    Idle session time interval (only if “Disconnect when tunnel is idle” is enabled)

    Specify the time limit after which an idle VPN session is deleted by the Device.

    Acceptable Range: 120 to 999

    Figure: Advanced Settings
  3. Click Save to create the connection.