Add IPSec Host to Host Connection

This page describes how to create an IPSec Host to Host connection.

  1. Go to Device Configuration > Configure > VPN > IPSec and click Add under IPSec Connections. Select Connection Type as Host to Host.
  2. Enter the parameter values as described below.
    Banner Settings

    Name
    Specify a unique name to identify the IPSec connection.

    Description
    Provide a description for the IPSec VPN connection.

    Connection Type
    Select Host to Host.

    Policy
    Select the policy to be used for the connection. A policy can also be added by clicking the “Create New” link.

    Action on VPN Restart
    Select the action to be taken on the connection when the VPN service or the Device restarts.

    Available Options:

    Respond Only – Keeps the connection ready to respond to any incoming request.

    Initiate – Activates the connection on system/service start so that the connection can be established whenever required.

    Disable – Keeps the connection disabled until the user activates it.

    Figure: Banner Settings
    Authentication Details

    Authentication Type
    Select the Authentication Type. Authentication of the user depends on the type of connection.

    Available Options:

    Preshared Key
    Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers must possess the Preshared Key; the remote peer uses it for decryption. On selecting this option, the user must provide the following details:

    Preshared Key – Specify the Preshared Key to be used. The Preshared Key must be at least 5 characters long.

    Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

    This Preshared Key must be shared or communicated to the peer at the remote end, where the client must specify the same key for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

    If the keys do not match, the user will not be able to establish the connection.

    Digital Certificate
    Digital Certificate authentication is a mechanism whereby both sender and receiver use a Digital Certificate issued by a Certificate Authority. Each side must have the other’s Certificate Authority.

    Local Certificate – Select the local certificate that the Device should use for authentication.

    Remote Certificate – Select the remote certificate that the remote peer should use for authentication.

    RSA Key
    RSA Key authentication is a mechanism whereby two keys – Local and Remote RSA – are used for encryption and decryption.

    Local RSA Key – Known only to the owner and never transmitted over the network. Displays the automatically generated key, which cannot be modified.

    Remote RSA Key – Can be regenerated from the CLI console. Refer to the Console guide for more details.

    Figure: Authentication Details
    Endpoint Details

    Local
    Select the Local WAN port from the list. IP Aliases created for WAN interfaces are listed along with the default WAN interfaces.

    Remote
    Specify the IP address or domain name of the remote peer.

    Click the Add icon next to “Remote” to add new endpoint pairs, or click the Remove icon to remove endpoint pairs.

    Figure: Endpoint Details
    Network Detail

    IP Family
    The IP family is enabled automatically according to the IP address selected for the Local WAN port.

    Local ID
    For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.

    Available Options: DNS, IP Address, Email Address, DER ASN1 DN (X.509)

    Note: In case of Local Certificate, the ID and its value are displayed automatically as specified in the Certificate.

    Allow NAT Traversal
    Enable NAT traversal if a NAT device is located between your VPN endpoints, i.e. when the remote peer has a private/non-routable IP address. Only one connection at a time can be established behind one NAT box.

    Default – Enabled

    Remote LAN Network
    Select the IP addresses and netmask of the remote network that is allowed to connect to the Device server through the VPN tunnel. Multiple subnets can be specified. Select IP Hosts from the list of IP Hosts available on the Web Admin Console. You can also add a new IP Host.

    Remote ID
    For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.

    Available Options: DNS, IP Address, Email Address, DER ASN1 DN (X.509)

    Note: In case of Local Certificate, the ID and its value are displayed automatically as specified in the Certificate.

    Figure: Network Detail
    User Authentication

    User Authentication Mode
    Select from the available options whether user authentication is required at the time of connection.

    Available Options:

    Disabled – Select this if user authentication is not required.

    Enable as Client – If enabled as client, specify the username and password.

    Enable as Server – If enabled as server, add all the users that are to be allowed to connect.

    Figure: User Authentication
    Quick Mode Selectors

    Protocol
    Select all the protocols that are to be allowed for negotiation. The tunnel will pass only data that uses the specified protocols.

    Available Options: All, ICMP, UDP, TCP

    Local Port
    Specify the local port number that the local VPN peer uses to transport TCP or UDP traffic.

    Local port range: 1 – 65535. To specify any local port, enter *.

    Remote Port
    Specify the remote port number that the remote VPN peer uses to transport TCP or UDP traffic.

    Remote port range: 1 – 65535. To specify any remote port, enter *.

    Figure: Quick Mode Selectors
    Advanced Settings

    Disconnect when tunnel is idle
    Select this option to allow SFOS to delete an idle VPN session once it exceeds the specified idle session time interval.

    Default – Disabled

    Idle session time interval (only if “Disconnect when tunnel is idle” is enabled)
    Specify the time limit after which SFOS deletes an idle VPN session.

    Acceptable range – 120 to 999

    Figure: Advanced Settings
  3. Click Save to create the new connection.
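As an added example (not SFOS code and not from this page), the following Python checks a set of host-to-host form values against the field constraints listed in steps 1 to 3 above before they are entered; the dictionary field names, the sample values in SAMPLE and the loose endpoint pattern are assumptions.

```python
import re

# Option sets and limits exactly as the form on this page describes them.
ACTIONS = {"Respond Only", "Initiate", "Disable"}
AUTH_TYPES = {"Preshared Key", "Digital Certificate", "RSA Key"}
PROTOCOLS = {"All", "ICMP", "UDP", "TCP"}
PSK_MIN_LEN, PORT_MAX, IDLE_RANGE = 5, 65535, (120, 999)
ENDPOINT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")  # loose IP/domain check (assumption)

# Constructed sample form values for a Preshared Key connection (not from the page).
SAMPLE = {"name": "hq-to-branch", "action_on_restart": "Initiate",
          "auth_type": "Preshared Key", "psk": "Wq7!x9Lm", "psk_confirm": "Wq7!x9Lm",
          "remote_endpoint": "203.0.113.10", "protocols": ["TCP", "UDP"],
          "local_port": "*", "remote_port": 443,
          "disconnect_when_idle": True, "idle_timeout": 300}

def port_ok(value):
    """'*' means any port; otherwise the page's range 1 to 65535 applies."""
    return value == "*" or (str(value).isdigit() and 1 <= int(value) <= PORT_MAX)

def validate(conn):
    """Return a list of problems; an empty list means every field passes."""
    errors = []
    if not conn.get("name"):
        errors.append("name: a unique name is required")
    if conn.get("action_on_restart") not in ACTIONS:
        errors.append("action_on_restart: Respond Only, Initiate or Disable")
    auth = conn.get("auth_type")
    if auth not in AUTH_TYPES:
        errors.append("auth_type: Preshared Key, Digital Certificate or RSA Key")
    elif auth == "Preshared Key":
        psk = conn.get("psk", "")
        if len(psk) < PSK_MIN_LEN:
            errors.append(f"psk: minimum {PSK_MIN_LEN} characters")
        if psk != conn.get("psk_confirm"):
            errors.append("psk_confirm: does not match psk")
    elif auth == "Digital Certificate" and not (conn.get("local_cert") and conn.get("remote_cert")):
        errors.append("certificate: local and remote certificate required")
    if not ENDPOINT_RE.match(str(conn.get("remote_endpoint", ""))):
        errors.append("remote_endpoint: IP address or domain name required")
    protocols = set(conn.get("protocols", ["All"]))
    if not protocols or not protocols <= PROTOCOLS:
        errors.append("protocols: choose from All, ICMP, UDP, TCP")
    for key in ("local_port", "remote_port"):  # ports apply to TCP/UDP traffic only
        if not port_ok(conn.get(key, "*")):
            errors.append(f"{key}: 1 to 65535, or * for any port")
    if conn.get("disconnect_when_idle") and not (
            isinstance(conn.get("idle_timeout"), int) and IDLE_RANGE[0] <= conn["idle_timeout"] <= IDLE_RANGE[1]):
        errors.append("idle_timeout: 120 to 999 when disconnect_when_idle is enabled")
    return errors
```

Running `validate(SAMPLE)` returns an empty list; feeding it a copy with a 3-character key, a port of 70000 or an idle timeout of 30 returns one message per violated constraint.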