Last update: 12.2023
- WireGuard added as VPN type
This article explains the different techniques for establishing a VPN (Virtual Private Network) connection that are available in the Securepoint UTM and gives an overview of when to use each of them.
Techniques
IPSec VPN
Protocols: IKE, ESP, NAT-Traversal
Ports: 500/UDP (IKE), 4500/UDP (NAT-Traversal)
IPSec is a very secure VPN standard made up of several protocols; it can be used both for site-to-site connections and for end-to-site connections, which we call Roadwarrior connections.
However, IPSec has some properties that can negatively affect the establishment and stability of a VPN connection. This is especially true for connections that pass through NAT into other IP address ranges, since NAT gives the IPSec packets a new source IP address and a new source port. This is where IPSec NAT traversal comes into play.
In practice, however, there are still stability problems with connections in which the routers that are to establish the VPN connection sit behind a NAT router and therefore have no direct access to the Internet line. Unfortunately, version 2 of the IKE protocol has not changed this.
To establish the most stable connection possible despite this, authenticating with RSA keys instead of a pre-shared key (PSK) has proven successful.
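To make the NAT problem concrete, here is an added example (not part of the Securepoint article and not Securepoint code) that works through the two mechanisms behind IPSec NAT traversal in Python: the NAT detection hash that IKEv2 peers exchange (RFC 7296 section 2.23; IKEv1 uses the hash algorithm negotiated in phase 1 instead, RFC 3947), and the 4500/UDP encapsulation of RFC 3948, in which IKE packets carry a four-byte zero marker and ESP packets, which as IP protocol 50 have no port numbers a NAT could translate, are wrapped in UDP. All SPIs, addresses and ports below are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample SPIs for the walkthrough (not taken from a real session).
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 section 2.2; an ESP SPI is never zero
IKE_HEADER_LEN = 28                   # fixed IKE header: 2 SPIs + 4 bytes + msg id + length


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notification data
    as defined in RFC 7296 section 2.23: SHA-1 over initiator SPI, responder SPI,
    IP address (4 or 16 bytes) and port (16 bit, network byte order)."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, claimed: bytes, seen_ip: str, seen_port: int) -> bool:
    """The receiver recomputes the hash from the address and port it actually
    observed on the wire; a mismatch means a NAT rewrote them in transit."""
    return claimed != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


def build_ike_header(spi_i: bytes, spi_r: bytes, version: int, exchange: int, length: int) -> bytes:
    """Fixed IKE header: SPIs, next payload, version byte, exchange type, flags,
    message id, total length. Next payload 33 (SA) and flags 0x08 (Initiator)
    are fixed here because only the version byte matters for the examples."""
    return spi_i + spi_r + bytes([33, version, exchange, 0x08]) + struct.pack("!II", 0, length)


def classify_udp_payload(dst_port: int, payload: bytes) -> str:
    """Tell IKE, UDP-encapsulated ESP and NAT keepalives apart the way a
    responder listening on 500/UDP and 4500/UDP has to (RFC 3948)."""
    if dst_port == 500:
        return "IKE" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if dst_port == 4500:
        if payload == b"\xff":                       # one-byte NAT keepalive
            return "NAT-keepalive"
        if payload.startswith(NON_ESP_MARKER):      # marker, then a normal IKE header
            return "IKE (NAT-T)" if len(payload) >= 4 + IKE_HEADER_LEN else "malformed"
        if len(payload) >= 8:                       # ESP: SPI (non-zero) + sequence number
            return "UDP-encapsulated ESP"
        return "malformed"
    return "not IKE/NAT-T"


def ike_version(payload: bytes, natt: bool = False) -> str:
    """Major.minor from the IKE version byte (offset 17), skipping the
    non-ESP marker for packets that arrived on 4500/UDP."""
    hdr = payload[4:] if natt else payload
    return f"{hdr[17] >> 4}.{hdr[17] & 0x0F}"


def walkthrough() -> dict:
    """Initiator behind a NAT: it hashes the private address it believes it has,
    while the responder sees the NAT's public address and a rewritten port."""
    claimed = nat_detection_hash(SPI_I, SPI_R, "192.168.1.10", 500)
    detected = nat_in_path(SPI_I, SPI_R, claimed, "203.0.113.5", 41000)
    hdr = build_ike_header(SPI_I, SPI_R, 0x20, 34, IKE_HEADER_LEN)  # IKEv2, IKE_SA_INIT
    # After detection both sides move to 4500/UDP and prefix IKE with the marker.
    return {
        "nat_detected": detected,
        "before": classify_udp_payload(500, hdr),
        "after": classify_udp_payload(4500, NON_ESP_MARKER + hdr),
        "version": ike_version(NON_ESP_MARKER + hdr, natt=True),
    }
```

Calling walkthrough() shows the initiator hashing its private address and the responder computing a different value from the public address it observed, which is exactly the case in which both sides switch to 4500/UDP. A firewall in front of the appliance therefore has to pass both 500/UDP and 4500/UDP, and a NAT that rewrites the source port on 4500 still works because it translates the UDP header, not the ESP SPI.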
SSL VPN
Protocols: SSL, TLS
Ports: 1194/UDP by default; almost any free port can be used, and TCP is also possible.
The Securepoint firewall appliances offer an SSL (Secure Socket Layer) encrypted VPN connection based on the open-source project OpenVPN. OpenVPN is characterized by high flexibility, a relatively simple configuration and strong encryption of the data, and therefore provides a very high level of security.
Furthermore, OpenVPN usually has no problems with NATed connections and can therefore also serve as a very stable alternative to IPSec for site-to-site VPN connections.
L2TP VPN
Protocols: L2TP
Ports: 1701/UDP
L2TP (Layer 2 Tunneling Protocol) combines the protocols PPTP (Point-to-Point Tunneling Protocol) and L2F (Layer 2 Forwarding). Since L2TP only provides user authentication and no encryption, it is used in conjunction with IPSec. L2TP is used mainly to connect individual computers to networks.
PPTP VPN
Site to Site VPN connections
The following table shows which VPN technology runs most stable in combination with which Internet connection according to our experience.
VPN type | NAT | ADSL/SDSL | VDSL | Cable connection | LTE | UMTS |
---|---|---|---|---|---|---|
WireGuard | without NAT | | | | | |
WireGuard | NAT on one side | | | | | |
WireGuard | NAT on both sides | | | | | |
SSL-VPN | without NAT | | | | | |
SSL-VPN | NAT on one side | | | | | |
SSL-VPN | NAT on both sides | | | | | |
IPSec IKEv2 | without NAT | | | | | |
IPSec IKEv2 | NAT on one side | | | | | |
IPSec IKEv2 | NAT on both sides | | | | | |
IPSec IKEv1 | without NAT | | | | | |
IPSec IKEv1 | NAT on one side | with RSA key | | | | with RSA key |
IPSec IKEv1 | NAT on both sides | | | | | |

The per-cell stability rating of the original table is not reproduced in this text version; only the textual notes ("with RSA key") survive.
Table explanation
Due to the properties of SSL VPN or OpenVPN, we have found that a stable VPN connection can almost always be set up with this technology.
RSA keys consist of a private and a public key and provide secure authentication. These key pairs can be generated on any Securepoint appliance and the public keys can be exchanged.
Unfortunately, we repeatedly find that connections via LTE (Long Term Evolution) are NATed by the Internet provider. The connection works best with a public IP address from the provider; otherwise, VPN connections via IPSec are usually not stable, if they can be established at all.
Setting up site-to-site connections
- SSL-VPN
- Configuring a DNS Relay over an IPSec or SSL VPN Site to Site VPN Connection
- Hints for HTTP connections via VPN connections
Roadwarrior or end-to-site VPN connections
Not all operating systems offer the possibility to use all VPN techniques.
The following table provides an overview.
Operating system | WireGuard | SSL-VPN | IPSec IKEv1 | IPSec IKEv2 | IPSec XAuth | L2TP / IPSec |
---|---|---|---|---|---|---|
Windows 10 | | | | | | |
Linux | | | | | | |
Apple OS X | | | | | | |
Apple iOS | | | | | | |
Android | | | | | | |

The support marks in the cells are not reproduced in this text version. The textual notes that survive from the table are: Windows 10: "as of Ver. 2"; Linux: OpenVPN; Apple OS X: Tunnelblick; Apple iOS: OpenVPN; Android: OpenVPN.
Table explanation
OpenVPN clients are currently available for almost all systems and are easy to set up, stable and secure.
With the Securepoint VPN client, the configuration is already included in the user-specific setup package, so the client only needs to be installed (installer) or started (portable version).
For the OpenVPN clients and for Tunnelblick, the finished configuration including the required certificates is downloaded and imported into the client. This is also easy to do. Only for Apple iOS do the certificates have to be copied into the configuration file, so that the OpenVPN client only needs to access a single file. You can find the corresponding instructions in the Wiki.
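As an added illustration of that iOS step (example code, not the Securepoint client export or any Securepoint tool), the following Python script rewrites an exported client configuration so that the certificate and key files are embedded as inline blocks and the client only needs one file. The sample configuration, hostname and PEM contents are constructed placeholders; the `<ca>`, `<cert>`, `<key>` and `<tls-auth>` inline blocks and the `key-direction` directive are standard OpenVPN configuration syntax.

```python
# Constructed sample client configuration of the kind exported for OpenVPN
# clients; the hostname and file names are placeholders, not from a real setup.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 3
"""

# Constructed stand-ins for the PEM files; a real export carries the actual
# certificates and keys here.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER-TA\n-----END OpenVPN Static key V1-----\n",
}

# Directives that name an external file and may be carried inline as <name>...</name>.
INLINEABLE = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def inline_ovpn(config_text: str, files: dict) -> str:
    """Replace every file-referencing directive with the matching inline block.
    `files` maps the file name used in the config to the file's PEM text."""
    out = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in INLINEABLE:
            out.append(line)  # ordinary directive, comment or blank line
            continue
        directive, filename = parts[0], parts[1]
        if filename not in files:
            raise FileNotFoundError(f"{directive} refers to {filename}, which was not supplied")
        # An inline tls-auth block cannot carry the direction argument; OpenVPN
        # expects it in a separate key-direction directive instead.
        if directive == "tls-auth" and len(parts) >= 3:
            out.append(f"key-direction {parts[2]}")
        out.append(f"<{directive}>")
        out.append(files[filename].strip())
        out.append(f"</{directive}>")
    return "\n".join(out) + "\n"


def external_file_references(config_text: str) -> list:
    """Names of inlineable directives that still point at an external file;
    an empty list means the configuration is self-contained."""
    refs = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINEABLE:
            refs.append(parts[0])
    return refs


if __name__ == "__main__":
    single_file = inline_ovpn(SAMPLE_CONFIG, SAMPLE_FILES)
    print(single_file)
    print("remaining external references:", external_file_references(single_file))
```

Save the result of inline_ovpn(SAMPLE_CONFIG, SAMPLE_FILES) as a single .ovpn file; external_file_references on the output should return an empty list before the file is handed to the client. Because the private key is now part of that one file, it should be transferred to the device the same way the separate key file would be, not by e-mail or a shared folder.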
On a Windows Phone 8, IPSec and L2TP VPN are only supported beginning with version 8.1.
For Linux and Unix, it depends heavily on the distribution which IPSec VPN client is included.
The note "with client" refers to our experience with the TheGreenBow or NCP client. Otherwise, except for SSL-VPN, we assume the built-in VPN clients that the operating systems ship with.
There are recurring problems with the stability of a VPN connection if a router/modem in front of the appliance also has an active firewall. Please disable any firewall functionality on these devices.
Since PPTP VPN is too insecure and L2TP/IPSec on Windows drops the connection after one hour each time, we do not recommend these two methods.
Windows XP and Windows Vista are no longer supported by Microsoft and are generally no longer provided with security updates. We therefore also see a risk for the network to which such a computer would connect via VPN.
Likewise, Windows 7 should only be used if Extended Security Updates (ESU) are obtained. If that is not the case, Windows 7 is also to be classified as insecure and poses a threat to networks.
Setting up the Roadwarrior connections
- OpenVPN
- IPSec