Add IPSec Site to Site Connection

This page describes how to create an IPSec Site to Site Connection.

  1. Go to Device Configuration > Configure > VPN > IPSec and click Add under IPSec Connections. Select Connection Type as Site to Site.
  2. Enter the parameter values as described below.
    Banner Settings
    Name

    Specify a unique name to identify the IPSec Connection.

    Description

    Provide a description for the IPSec VPN Connection.

    Connection Type

    Select Site to Site.

    Bind With an Interface

    Enable to bind the IPSec VPN tunnel with an interface for configuring a Route-based VPN.

    In the Route-based VPN approach, routing decides which packets are sent through the VPN tunnel.

    On creation of an interface-based tunnel, a virtual tunnel interface is created and is displayed along with the other interfaces when configuring Static and Dynamic routes.

    Policy

    Select the policy to be used for the connection.

    A policy can also be added by clicking the “Create New” link.

    Action on VPN Restart

    Select the action to be taken on the connection when the VPN service or the Device restarts.

    Available Options:

    Respond Only – Keeps the connection ready to respond to any incoming request.

    Initiate – Activates the connection on system/service start so that the connection can be established whenever required.

    Disable – Keeps the connection disabled until the user activates it.

    Route-based IP Address Details (Only if Bind With an Interface is enabled)

    Local IP Address

    Specify the local IP Address for the tunnel interface.

    You must configure this address if you want to use the interface for dynamic routing.

    Remote IP Address

    Specify the remote IP Address for the tunnel interface.

    You must configure this address if you want to use the interface for dynamic routing.

    Figure: Banner Settings

    Authentication Details

    Authentication Type

    Select the Authentication Type. Authentication of the peer depends on the type of connection.

    Available Options:

    Preshared Key

    Preshared Key authentication is a mechanism whereby a single shared key is used for encryption and decryption. Both peers must possess the Preshared Key; the remote peer uses it for decryption. On selecting this option, the user must provide the following details:

    Preshared Key – Specify the Preshared Key to be used. The Preshared Key must be at least 5 characters long.

    Confirm Preshared Key – Enter the same Preshared Key again to confirm it.

    This Preshared Key has to be shared or communicated to the peer at the remote end, where the client must specify the same key for authentication. Refer to the VPN Client guide, Phase 1 Configuration.

    If the keys do not match, the connection cannot be established.

    Digital Certificate

    Digital Certificate authentication is a mechanism whereby sender and receiver both use a Digital Certificate issued by a Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.

    Local Certificate – Select the local certificate that should be used for authentication by the Device.

    Remote Certificate – Select the remote certificate that should be used for authentication by remote peer.

    RSA Key

    RSA Key authentication is a mechanism whereby two keys, the Local and the Remote RSA Key, are used for encryption and decryption.

    Local RSA Key – Known only to the owner and never transmitted over the network. Displays the automatically generated key, which cannot be modified.

    Remote RSA Key – Can be regenerated from the CLI Console. Refer to the Console guide for more details.

    Figure: Authentication Details

    Endpoint Details

    Local

    Select the Local WAN port from the list.

    IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.

    Remote

    Specify the IP Address or domain name of the remote peer.

    Click the Add icon next to the “Remote” option to add new endpoint pairs, or click the Remove icon to remove endpoint pairs.

    Figure: Endpoint Details

    Network Detail

    IP Family

    Select the IP family; IPSec VPN tunnels can be configured with mixed IP families.

    Available Options:

    IPv4
    IPv6

    By default, IPv4 is selected.

    Four types of IPSec VPN tunnels can be created:

    4 in 4 (IPv4 subnets with IPv4 gateway)

    6 in 6 (IPv6 subnets with IPv6 gateway)

    4 in 6 (IPv4 subnets with IPv6 gateway)

    6 in 4 (IPv6 subnets with IPv4 gateway)

    Local Subnet

    Select the Local LAN Address.

    Add and remove LAN Addresses using the Add and Remove buttons.

    NAT Local LAN

    Enable to NAT the LAN IP Address.

    NATed LAN (only if NAT Local LAN is enabled)

    Select an IP Host or Network Host from the available list. The Device assigns the configured IP address to differentiate between the LANs at both ends of the VPN tunnel.

    An IP Host can also be added by clicking the “Add IP Host” link.

    Local ID

    For Preshared Key and RSA Key authentication, select an ID type from the available options and specify its value.

    Available Options:

    DNS
    IP Address
    Email Address
    DER ASN1 DN(X.509)

    Note: In case of a Local Certificate, the ID and its value are displayed automatically as specified in the Certificate.

    Allow NAT Traversal

    Enable NAT traversal if a NAT device is located between your VPN endpoints, i.e. when the remote peer has a private/non-routable IP Address.

    Only one connection at a time can be established behind a single NAT box.

    Remote LAN Network

    Select the IP Addresses and netmask of the remote network that is allowed to connect to the Device server through the VPN tunnel. Multiple subnets can be specified. Select IP Hosts from the list of available IP Hosts. You can also add a new IP Host and include it in the list.

    Remote ID

    For Preshared Key and RSA Key authentication, select an ID type from the available options and specify its value.

    Available Options:

    DNS
    IP Address
    Email Address
    DER ASN1 DN(X.509)

    Note: In case of a Remote Certificate, the ID and its value are displayed automatically as specified in the Certificate.

    In a single connection, the same subnet cannot be configured for both the LAN and the Remote Network.

    Figure: Network Detail

    User Authentication

    User Authentication Mode

    Select from the available options whether User Authentication is required at the time of connection.

    Available Options:

    Disabled – Select Disable if user authentication is not required.

    Enable as Client – If enabled as a client, specify the username and password.

    Enable as Server – If enabled as a server, add all the users that are allowed to connect.

    Figure: User Authentication

    Quick Mode Selectors

    Protocol

    Select all the protocols that are to be allowed for negotiation.

    The tunnel passes only data that uses the specified protocol(s).

    Available Options:

    All
    ICMP
    UDP
    TCP

    Local Port

    Specify the Local Port number that the local VPN peer uses to transport TCP or UDP traffic.

    Local port range: 1 – 65535

    To specify any local port, enter *.

    Remote Port

    Specify the Remote Port number that the remote VPN peer uses to transport TCP or UDP traffic.

    Remote port range: 1 – 65535

    To specify any remote port, enter *.

    Figure: Quick Mode Selectors

    Advanced Settings

    Disconnect when tunnel is idle

    Enable this option to allow the Device to delete an idle VPN session once it exceeds the specified idle session time interval.

    Default - Disable

    Idle session time interval (Only if Disconnect when tunnel is idle is enabled)

    Specify the time limit after which an idle VPN session is deleted by the Device.

    Acceptable Range - 120 to 999

    Figure: Advanced Settings
  3. Click Save to create the connection.
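The following Python script is an added example, not part of this page or of the vendor's product. It encodes the constraints the procedure above states (Preshared Key of at least 5 characters and matching confirmation, port values of * or 1 – 65535, idle session interval of 120 to 999, no subnet configured on both the LAN and Remote Network side, and the 4 in 4 / 6 in 6 / 4 in 6 / 6 in 4 tunnel classification) so that a connection definition can be checked before it is entered in the UI. The dataclass, its field names and the sample addresses are hypothetical and constructed for the example.

```python
"""Pre-save validator for a site-to-site IPSec connection definition.

Added example (not vendor code).  All field names are hypothetical; the
sample values at the bottom are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

PSK_MIN_LEN = 5                 # "must be at least 5 characters long"
IDLE_RANGE = (120, 999)         # "Acceptable Range - 120 to 999"
PORT_RANGE = (1, 65535)         # "range: 1 - 65535", or "*" for any port
AUTH_TYPES = {"Preshared Key", "Digital Certificate", "RSA Key"}
ID_TYPES = {"DNS", "IP Address", "Email Address", "DER ASN1 DN(X.509)"}
PROTOCOLS = {"All", "ICMP", "UDP", "TCP"}
RESTART_ACTIONS = {"Respond Only", "Initiate", "Disable"}


@dataclass
class SiteToSiteConnection:
    """Hypothetical representation of the form fields on this page."""
    name: str
    auth_type: str
    remote_gateway: str                     # IP address or domain name of the peer
    local_subnets: List[str]
    remote_subnets: List[str]
    preshared_key: str = ""
    confirm_preshared_key: str = ""
    local_id_type: str = "IP Address"
    remote_id_type: str = "IP Address"
    protocols: Set[str] = field(default_factory=lambda: {"All"})
    local_port: str = "*"
    remote_port: str = "*"
    action_on_restart: str = "Respond Only"
    disconnect_when_idle: bool = False
    idle_interval: int = 0


def family(text: str) -> Optional[int]:
    """Return 4 or 6 for an IP address/network string, None for a hostname."""
    try:
        return ipaddress.ip_network(text, strict=False).version
    except ValueError:
        return None


def tunnel_type(conn: SiteToSiteConnection) -> str:
    """Classify as '4 in 4', '6 in 6', '4 in 6' or '6 in 4' (subnet family
    'in' gateway family).  'unknown' when the gateway is a domain name or the
    subnets mix families (assumption: the page lists only uniform subnets)."""
    subnet_families = {family(s) for s in conn.local_subnets + conn.remote_subnets}
    gw = family(conn.remote_gateway)
    if len(subnet_families) != 1 or gw is None or None in subnet_families:
        return "unknown"
    return f"{subnet_families.pop()} in {gw}"


def port_ok(value: str) -> bool:
    """'*' means any port; otherwise an integer in 1-65535."""
    if value == "*":
        return True
    return value.isdigit() and PORT_RANGE[0] <= int(value) <= PORT_RANGE[1]


def validate(conn: SiteToSiteConnection) -> List[str]:
    """Return the list of problems; an empty list means the definition is saveable."""
    errors: List[str] = []
    if not conn.name.strip():
        errors.append("Name must be set")
    if conn.auth_type not in AUTH_TYPES:
        errors.append(f"unknown authentication type {conn.auth_type!r}")
    if conn.auth_type == "Preshared Key":
        if len(conn.preshared_key) < PSK_MIN_LEN:
            errors.append(f"preshared key shorter than {PSK_MIN_LEN} characters")
        if conn.preshared_key != conn.confirm_preshared_key:
            errors.append("preshared key and confirmation differ")
    if conn.auth_type in ("Preshared Key", "RSA Key"):   # IDs are chosen manually here
        for side, id_type in (("local", conn.local_id_type), ("remote", conn.remote_id_type)):
            if id_type not in ID_TYPES:
                errors.append(f"{side} ID type {id_type!r} not supported")
    if not conn.protocols or not conn.protocols <= PROTOCOLS:
        errors.append("protocol selection must be a subset of All/ICMP/UDP/TCP")
    if not port_ok(conn.local_port):
        errors.append("local port must be * or 1-65535")
    if not port_ok(conn.remote_port):
        errors.append("remote port must be * or 1-65535")
    if conn.action_on_restart not in RESTART_ACTIONS:
        errors.append(f"unknown action on VPN restart {conn.action_on_restart!r}")
    try:   # "the same subnet cannot be configured for both the LAN and the Remote Network"
        local = {ipaddress.ip_network(s, strict=False) for s in conn.local_subnets}
        remote = {ipaddress.ip_network(s, strict=False) for s in conn.remote_subnets}
    except ValueError as exc:
        errors.append(f"invalid subnet: {exc}")
    else:
        for dup in sorted(local & remote, key=str):
            errors.append(f"subnet {dup} appears on both the local and remote side")
    if conn.disconnect_when_idle and not IDLE_RANGE[0] <= conn.idle_interval <= IDLE_RANGE[1]:
        errors.append(f"idle session interval must be within {IDLE_RANGE[0]}-{IDLE_RANGE[1]}")
    return errors


def example_connection() -> SiteToSiteConnection:
    """Constructed sample: documentation addresses, not a real deployment."""
    return SiteToSiteConnection(
        name="HQ-to-Branch", auth_type="Preshared Key", remote_gateway="203.0.113.10",
        local_subnets=["192.168.10.0/24"], remote_subnets=["192.168.20.0/24"],
        preshared_key="example-psk-value", confirm_preshared_key="example-psk-value",
        protocols={"TCP", "UDP"}, local_port="*", remote_port="443",
        disconnect_when_idle=True, idle_interval=300)


if __name__ == "__main__":
    conn = example_connection()
    print(tunnel_type(conn), validate(conn) or "ok")
```

Run it as a script to check the constructed sample; in practice, call validate() on the definition you are about to enter and fix every reported problem before clicking Save, since the UI rejects the same conditions one at a time.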