Jump to:navigation, search
Wiki

IPSec - End to Site / Roadwarrior

From Securepoint Wiki
























































































De.png
En.png
Fr.png









Configuration of an End-to-Site-connection with IPSec for Roadwarrior

Last adaptation to the version: 12.6.2

New:
Last updated: 
    12.7.1
    • Where necessary, only certificates with a private key part are offered
notempty
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 VPN IPSec  Area Verbindungen


Introduction

A Roadwarrior connection connects individual hosts to the local network. This allows, for example, a field service employee to connect to the network of the headquarters.
This step-by-step guide shows how to configure an end-to-site connection. The selected connection type is native IPSec with IKEv1.
For native IPSec connections with IKEv1 the client needs a separate program.


Configuration of a native IPSec connection

New connections can be added in the menu VPN IPSec  Area Connections Button + Add IPSec Connection


Wizard

Connection Type
Step 1 - Connection Type
Caption Value Description Add IPSec connection UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN IPSec hinzufügen S1-en.pngWizard step 1
Selection of the connection type The following connections are available:
  • Roadwarrior
  • Site to Site
 For the configuration of an E2S / End-to-Site-connection Roadwarrior is to be selected.
General
Step 2 - General
Name: IPSec Roadwarrior Chose unique name UTM v12.6.2 VPN IPSec hinzufügen S2-en.png
Wizard step 2
Connection Type: IKEv1 - Native Possible connection types:
IKEv1 - XAuth
IKEv1 - Native
IKEv2 - Native
IKEv1 - L2TP

The connection type IKEv1 - L2TP can only be selected if L2TP is set to Autostart or explicitly enabled in the admin interface.
Enable L2TP under: Extras Advanced settings  Area Hidden functions Enable L2TP: Yes Activate hidden menu buttons: Ctrl + Alt + A

Please note which type is supported by the operating system
notempty
In setup step 2, two fundamentally different connection types are available for selection. Depending on whether a connection type of IKEv1, or IKEv2 is selected, the upcoming setup steps 3 and 4 differ:
Local – IKEv1
Step 3 - Local - IKEv1
Local Gateway ID:     The gateway ID is included in the authentication. This can be an IP address, a host name or an interface.
Automatically filled in when an X.509 certificate is selected. 		UTM v12.6.2 VPN IPSec hinzufügen S3 IKEv1-en.png
Wizard step 3 - IKEv1
Authentication method: Pre-Shared Key A pre-shared key is in use
Certificate An existing certificate is being used
RSA An existing private RSA key is in use
X.509 Certificate:
Only certificates with a private key part can be selected

Only for authentication method
  • Certificate and
  • EAP-TLS
 Server Certificate Selection of a certificate
Privater RSA-Schlüssel: IPSec Key Selecting an RSA key
Share networks:
Only for IKEv1 - Native		 »192.168.250.0/24 Enable networks for the IPSec connection
Local – IKEv2
Step 3 - Local - IKEv2
Local Gateway ID:     The gateway ID is included in the authentication. This can be an IP address, a host name or an interface.
Automatically filled in when an X.509 certificate is selected. 		UTM v12.6.2 VPN IPSec hinzufügen S3 IKEv2-en.png
Wizard step 3 - IKEv2
Authentication method Pre-Shared Key A pre-shared key is in use
Certificate An existing certificate is being used
RSA An existing private RSA key is in use
EAP-TLS Only with IKEv2 EAP-TLS is used. Required for MSCHAPv2.
X.509 Certificate:
Only for authentication method
  • Certificate and
  • EAP-TLS
 Server Certificate Selection of a certificate
Private RSA key: IPSec Key Selecting an RSA key
Share networks: 192.168.250.0/24 Enable networks for the IPSec connection
Remote terminal – IKEv1
Step 4 - Remote terminal - IKEv1
Public RSA key:
Only for authentication method RSA		 IPSec Key The required public RSA key of the remote terminal UTM v12.6.2 VPN IPSec hinzufügen S4 IKEv1-en.png
Wizard step 4 - IKEv1
Remote Gateway ID:
Only for IKEv1 - Native		 192.0.2.192
or
My_Roadwarrior		 If more than one IPSec connection is established, a unique ID should be entered here. The password of incoming connections is validated against the ID of the IPSec connection.
If no IP address is specified as ID, further settings must be made for site-to-site connections.
IP address / pool:
Only for IKEv1 - XAuth		 »192.168.22.35/24 IP address, or pool for establishing the IPSec connections
Open user dialog after completion:
Only with
  • IKEv1 - L2TP and
  • IKEv1 - XAuth
 Yes Opens the user dialog of the UTM after the wizard is done.
For the establishment of this connection the input of user data is necessary. The user needs the necessary rights.
IP Address(es):
Only for IKEv1 - Native		 192.168.222.35 Additional IP address for the Roadwarrior with which the IPSec connection is established.
  • For this example, after the wizard has finished, the ip-address just dedicated is edited and for the Remote network the value 192.168.222.0/24 is entered.
    • Remote terminal – IKEv2
    Step 4 - Remote terminal - IKEv2
    Public RSA key:
    Only for authentication method RSA    		 IPSec Key The required public RSA key of the remote terminal UTM v12.6.2 VPN IPSec hinzufügen S4 IKEv2-en.png
    Wizard step 4 - IKEv2
    IP address / pool: 192.168.22.35/24 IP address, or pool for establishing the IPSec connections
    Authentication method
    Only for authentication method
    • Certificate or
    • EAP-TLS
         		Certificate An existing certificate is being used
    EAP-MSCHAPV2 EAP-MSCHAPV2 is in use
    EAP-TLS EAP-TLS is used. Required for MSCHAPv2.
    X.509 Certificate:
    Only for authentication method
    • Certificate or
    • EAP-TLS
    		 IPSec Cert The certificate for the remote terminal.
    Two different certificates must be selected for the local and remote side.
    User groups:
    Only for EAP-MSCHAPv2    		 IPSec User groups Selection of the authorized user group. This must be created beforehand.


    Set of rules

    To grant access to the internal network, the connection must be allowed.

    Implied rules

    notempty
    It is possible but not recommended to do this with implied rules in Firewall Implied Rules section VPN and IPSec Traffic. However, these implied rules enable the ports used for IPSec connections on all interfaces.
    Implied rules UTMuser@firewall.name.fqdnFirewall UTM v12.6.2 Firewall Implizite Regeln VPN IPSec S2E-en.png Implied rules, VPN section
    UTM v12.6.2 Firewall Implizite Regeln IPSec traffic-en.png
    Implied rules, section IPSec Traffic
    Creating a network object
    In the Menu under Firewall Network objects  Button + Add object
    Caption Value Description Add network object UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v12.6.2 Firewall Netzwerkobjekte hinzufügen IPSec-en.pngNetwork objects
    Name: ngrp-IPSec-Roadwarrior Chose unique name
    Type: VPN network Type to be selected
    Address: 192.168.222.0/24 Roadwarrior IP address or the Roadwarrior pool entered in the Installation Wizard in step 4 (or subsequently adjusted in phase 2).
    In this example the network 192.168.222.0/24.
    Zone: vpn-ipsec Zone to be selected
    Groups:     Optional


    Packetfilter rules

    Add portfilter rule at Firewall Packetfilter  Button + Add Rule.
    The first rule allows the IPSec tunnel to be built at all.
    A second rule allows the Roadwarrior to access the desired network, host or network group.

    # Source Destination Service NAT Action Active
    Dragndrop.png 4 World.svg internet Interface.svg external-interface Service-group.svg ipsec Accept On
    Dragndrop.png 5 Vpn-network.svg IPSec Roadwarrior Network.svg dmz1-network Service-group.svg Accept On

    Now a connection with a Roadwarrior can be established.
    A client may have to be used for this. It must be ensured that the parameters on both sides are identical in all phases of the connection.
    Necessary changes, when using an NCP client:

    • UTM
      • Diffie-Hellman Group (Phase 1)
      • DH-Group (PFS) (Phase 2)
        or
    • NCP- or Greenbow-Client:
      • IKE-DH-Group

    Additionally when using IKEv1:

    • NCP- or Greenbow-Client:
      • Exchange mode: Main Mode (IKEv1)
      • Activate Config_mode


    Additional settings

    In addition to the settings that have already been set in the wizard, further parameters can be configured:


    IKEv1

    Step-by-step.png

























































    {{var | DH-Gruppe (PFS) | DH-Gruppe (PFS): | DH-Group (PFS):




























    De.png
    En.png
    Fr.png


    Phase 1
    VPN IPSec  Area Connections Button Phase 1
    General


    General
    Caption Value Description Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 1 Allgemein-en.pngPhase 1 Genereal
    Allow any remote addresses: On
    Default    		 Disable this option for site-to-site connections with DynDNS hosts if multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured.
    Startup behavior: Outgoing The tunnel is initiated by the UTM even if no packets are sent.
    Incoming requests are accepted.
    Incoming Default if Remote Host is any The UTM accepts incoming tunnel requests.
    No outgoing connection is created.
    Route Default if Remote Host known The tunnel is initiated by the UTM only when packets are to be sent.notempty
    Only set as default value if Any remote station is not selected as Remote Host / Gateway.
    Route Default if Remote Host known The tunnel is initiated by the UTM only when packets are to be sent.notempty
    Only set as default value if Any remote station is not selected as Remote Host / Gateway.
    Ignore Deactivates the tunnel
    Generate traffic:
    For Initiate Connection Route    		 On Prevents unwanted disconnections when no data traffic is taking place
    Dead Peer Detection: On Checks at a set interval whether the tunnel still exists.
    If the tunnel was terminated unexpectedly, the SAs are dismantled.
    (Only then it is also possible to reestablish a new tunnel).
  • When deactivated, the option Restart after abort in phase 2 is also automatically deactivated.
    • DPD Timeout: 30Link= seconds Period before the state under Startup behavior is restored.
  • Under IKEv2 this parameter is not available.
    The same values are used here as for regular packets.
    • DPD Interval: 10Link= seconds Testing interval
    Compression: Off Compression is not supported by all remote stations
    Enable MOBIKE: Yes Used to deactivate the MOBIKE option
    Deactivation prevents encrypted data from a remote station from being additionally encapsulated in 4500udp, which leads to problems in communication.
    Section IKE Settings that must be identical in the UTM and in the client:
    IKE
    Caption Default UTM Default NCP Client UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 1 IKE-en.png
    Phase 1 IKEv1     		UTM v12.6 IPSec IKEv2 Phase1 IKE-en.png
    Phase 1 IKEv2
    Encryption: »aes128 AES 128 Bit
    Authentication: »sha2_256 Hash: SHA2 256 Bit
    Diffie-Hellman Group: »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    Section IKE More settings:
    Caption Value Description
    Strict: Off The configured parameters (authentication and encryption algorithms) are preferred for connections
    On No further proposals are accepted. A connection is only possible with the configured parameters.
    IKE Life time: Out 3Link= hours Validity period of the Security Association: Agreement between two communicating entities in computer networks. It describes how the two parties apply security services to communicate securely with each other. When using multiple services, multiple security connections must also be established. (Source: Wikipedia 2022) in phase 1
    Can be activated On in addition to IKE Rekeytime. If the Lifetime is set, the value must be greater than the Rekeytime.
    IKE Life time: 1 hour Validity period of the Security Association: Agreement between two communicating entities in computer networks. It describes how the two parties apply security services to communicate securely with each other. When using multiple services, multiple security connections must also be established. (Source: Wikipedia 2022) in phase 1
    IKE Rekeytime: 2Link= hours The validity period in which the connection is established (initial or after termination)
    notempty
    Starting with version 12.5.0, for already existing' connections that have no rekeytime' set, the value of the lifetime is entered at this point and the value of the lifetime is set to 0.
    This significantly increases the stability of the connection and should not bring any disadvantages.
    If a value has already been set for the rekeytime (possible from v12.4) no change is made.

    Example:
    Current version:
    ike_lifetime = 2
    ike_rekeytime = 0

    After update:
    ike_lifetime = 0
    ike_rekeytime = 2

    ----

    Current version:
    ike_lifetime = 2
    ike_rekeytime = 1

    After update: (without change)
    ike_lifetime =2
    ike_rekeytime = 1
    Rekeying: unlimited (recommended) Number of attempts to establish the connection (initial or after abort).
    For E2S connections (Roadwarrior), the setting 3 times can avoid endless attempts to connect to devices that are not correctly logged out.
    Phase 2
    VPN IPSec  Area Connections Button Phase 2
    General

    Section General Settings that must be identical in the UTM and in the client:

    Caption Default UTM Default NCP Client Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 Allgemein-en.pngPhase 2 / Section General with / IKEv1 / Roadwarrior Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN Ipsec RW IKEv2 Phase 2 Allgemein-en.pngPhase 2 / Section General with / IKEv2 / Roadwarrior Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6 IPSec S2S IKEv1 Phase2 Allgemein-en.pngPhase 2 / Section General with / IKEv1 / S2S Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6 IPSec S2S IKEv2 Phase2 Allgemein-en.pngPhase 2 / Section General with / IKEv2 / S2S
    Encryption: »aes128 AES 128 Bit
    Authentication: »sha2_256 SHA2 256 Bit
    Diffie-Hellman Group: »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Diffie-Hellman Group: »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    Key service life: 8 hours Validity period of the key in phase 2
    Exchange mode: Main Mode (Not configurable) Aggressive Mode (IKEv1)
  • Must be changed to Main Mode in the NCP client!
    The UTM does not support Aggressive Mode for security reasons.
    • Restart on abort: No If the connection was terminated unexpectedly, activating will restore the state configured under Startup behavior in phase 1.
     The Dead Peer Detection is automatically activated in phase 1.
    Group subnet combinations: Yes
  • If grouping is not supported by the remote station, only the first subnet is connected despite the status display in the overview to the contrary.
    		•  If more than one network is configured on the local side or at the remote gateway, a separate SA is negotiated for each subnet combination when it is deactivated.
    This results in numerous subnet combinations and thus many SAs, especially with multiple subnets, and leads to limitations and losses in the stability of the connections due to the design of the IPSec protocol.
    DHCP: Out When enabled clients receive IP addresses from a local network.
     This requires further configurations, see wiki article on DHCP for IPSec.
    Address-Pool:
    Address-Pool:
    Caption Value Description UTM v12.6.2 VPN Ipsec RW IKEv2 Phase 2 Adress-Pool.png
    Local network: 192.168.250.0/24 The local network to be accessed via the VPN connection (as configured in the wizard in step 3).
    Address-Pool:
    Not with IPSec DHCP    		 192.168.22.35/24 The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.
    Subnets

    Section Subnets
    Scenario: All subnets have access to each other

  • The wizard automatically connects each local network to each remote network.

    • With an SSH login as root, the behavior can be understood particularly well.
    Example with two subnets each.
    Group subnet combinations Enabled On

    root@firewall:~# swanctl --list-conns 

    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
 local:  %any
 remote: 192.0.2.192
 local pre-shared key authentication:
   id: 192.168.175.218
 remote pre-shared key authentication:
   id: 192.0.2.192
 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24 192.168.219.0/24
   remote: 192.168.192.0/24 192.168.193.0/24


    Group subnet combinations Disabled Off
    root@firewall:~# swanctl --list-conns 

     IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
   local:  %any
   remote: 192.0.2.192
   local pre-shared key authentication:
     id: 192.168.175.218
   remote pre-shared key authentication:
     id: 192.0.2.192
   IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.218.0/24
     remote: 192.168.192.0/24
   IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.218.0/24
     remote: 192.168.193.0/24
   IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.219.0/24
     remote: 192.168.192.0/24
   IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.219.0/24
     remote: 192.168.193.0/24

    		UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 Subnetze-en.png
    All subnets have access to each other
    Scenario: Not all subnets may access every network of the remote gateway

    If in phase two a local network is not connected to all remote networks (or a remote network is not connected to all local ones), this will not be taken into account if the option Group subnet combinations is active!

    notempty
    The Group subnet combinations option will connect all local networks to all remote networks!
    notempty
    Port filter rules make it possible to control access.

    With an SSH login as root, the behavior can be understood particularly well.
    Example with two subnets each.
    Group subnet combinations Enabled On root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s 

     local:  %any
 remote: 192.0.2.192
 local pre-shared key authentication:
   id: 192.168.175.218
 remote pre-shared key authentication:
   id: 192.0.2.192
 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24 192.168.219.0/24
   remote: 192.168.192.0/24 192.168.193.0/24


    Group subnet combinations Disabled Off
    root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s 

     local:  %any
 remote: 192.0.2.192
 local pre-shared key authentication:
   id: 192.168.175.218
 remote pre-shared key authentication:
   id: 192.0.2.192
 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24
   remote: 192.168.192.0/24
 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24
   remote: 192.168.193.0/24
 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.219.0/24
   remote: 192.168.192.0/24

    		Datei:UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 reduzierte Subnetze-enpng
    The second local subnet is connected only to one remote subnet
    Troubleshooting

    Detailed Troubleshooting instructions can be found in the Troubleshooting Guide.
    If an email address should be used as gateway ID, it is necessary to insert a double @@ in front of the ID (mail@... becomes @@mail@...). Otherwise the ID will be treated as FQDN.



    IKEv2

    Step-by-step.png

























































    {{var | DH-Gruppe (PFS) | DH-Gruppe (PFS): | DH-Group (PFS):




























    De.png
    En.png
    Fr.png


    Phase 1
    VPN IPSec  Area Connections Button Phase 1
    General


    General
    Caption Value Description Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN Ipsec RW IKEv2 Phase 1 Allgemein-en.pngPhase 1 Genereal
    Allow any remote addresses: On
    Default    		 Disable this option for site-to-site connections with DynDNS hosts if multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured.
    Startup behavior: Outgoing The tunnel is initiated by the UTM even if no packets are sent.
    Incoming requests are accepted.
    Incoming Default if Remote Host is any The UTM accepts incoming tunnel requests.
    No outgoing connection is created.
    Route Default if Remote Host known The tunnel is initiated by the UTM only when packets are to be sent.notempty
    Only set as default value if Any remote station is not selected as Remote Host / Gateway.
    Route Default if Remote Host known The tunnel is initiated by the UTM only when packets are to be sent.notempty
    Only set as default value if Any remote station is not selected as Remote Host / Gateway.
    Ignore Deactivates the tunnel
    Generate traffic:
    For Initiate Connection Route    		 On Prevents unwanted disconnections when no data traffic is taking place
    Dead Peer Detection: On Checks at a set interval whether the tunnel still exists.
    If the tunnel was terminated unexpectedly, the SAs are dismantled.
    (Only then it is also possible to reestablish a new tunnel).
  • When deactivated, the option Restart after abort in phase 2 is also automatically deactivated.
    • DPD Timeout: 30Link= seconds Period before the state under Startup behavior is restored.
  • Under IKEv2 this parameter is not available.
    The same values are used here as for regular packets.
    • DPD Interval: 10Link= seconds Testing interval
    Compression: Off Compression is not supported by all remote stations
    Enable MOBIKE: Yes Used to deactivate the MOBIKE option
    Deactivation prevents encrypted data from a remote station from being additionally encapsulated in 4500udp, which leads to problems in communication.
    Section IKE Settings that must be identical in the UTM and in the client:
    IKE
    Caption Default UTM Default NCP Client UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 1 IKE-en.png
    Phase 1 IKEv1     		UTM v12.6 IPSec IKEv2 Phase1 IKE-en.png
    Phase 1 IKEv2
    Encryption: »aes128 AES 128 Bit
    Authentication: »sha2_256 Hash: SHA2 256 Bit
    Diffie-Hellman Group: »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    Section IKE More settings:
    Caption Value Description
    Strict: Off The configured parameters (authentication and encryption algorithms) are preferred for connections
    On No further proposals are accepted. A connection is only possible with the configured parameters.
    IKE Life time: Out 3Link= hours Validity period of the Security Association: Agreement between two communicating entities in computer networks. It describes how the two parties apply security services to communicate securely with each other. When using multiple services, multiple security connections must also be established. (Source: Wikipedia 2022) in phase 1
    Can be activated On in addition to IKE Rekeytime. If the Lifetime is set, the value must be greater than the Rekeytime.
    IKE Life time: 1 hour Validity period of the Security Association: Agreement between two communicating entities in computer networks. It describes how the two parties apply security services to communicate securely with each other. When using multiple services, multiple security connections must also be established. (Source: Wikipedia 2022) in phase 1
    IKE Rekeytime: 2Link= hours The validity period in which the connection is established (initial or after termination)
    notempty
    Starting with version 12.5.0, for already existing' connections that have no rekeytime' set, the value of the lifetime is entered at this point and the value of the lifetime is set to 0.
    This significantly increases the stability of the connection and should not bring any disadvantages.
    If a value has already been set for the rekeytime (possible from v12.4) no change is made.

    Example:
    Current version:
    ike_lifetime = 2
    ike_rekeytime = 0

    After update:
    ike_lifetime = 0
    ike_rekeytime = 2

    ----

    Current version:
    ike_lifetime = 2
    ike_rekeytime = 1

    After update: (without change)
    ike_lifetime =2
    ike_rekeytime = 1
    Rekeying: unlimited (recommended) Number of attempts to establish the connection (initial or after abort).
    For E2S connections (Roadwarrior), the setting 3 times can avoid endless attempts to connect to devices that are not correctly logged out.
    Phase 2
    VPN IPSec  Area Connections Button Phase 2
    General

    Section General Settings that must be identical in the UTM and in the client:

    Caption Default UTM Default NCP Client Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 Allgemein-en.pngPhase 2 / Section General with / IKEv1 / Roadwarrior Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6.2 VPN Ipsec RW IKEv2 Phase 2 Allgemein-en.pngPhase 2 / Section General with / IKEv2 / Roadwarrior Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6 IPSec S2S IKEv1 Phase2 Allgemein-en.pngPhase 2 / Section General with / IKEv1 / S2S Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec UTM v12.6 IPSec S2S IKEv2 Phase2 Allgemein-en.pngPhase 2 / Section General with / IKEv2 / S2S
    Encryption: »aes128 AES 128 Bit
    Authentication: »sha2_256 SHA2 256 Bit
    Diffie-Hellman Group: »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Diffie-Hellman Group: »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    Key service life: 8 hours Validity period of the key in phase 2
    Exchange mode: Main Mode (Not configurable) Aggressive Mode (IKEv1)
  • Must be changed to Main Mode in the NCP client!
    The UTM does not support Aggressive Mode for security reasons.
    • Restart on abort: No If the connection was terminated unexpectedly, activating will restore the state configured under Startup behavior in phase 1.
     The Dead Peer Detection is automatically activated in phase 1.
    Group subnet combinations: Yes
  • If grouping is not supported by the remote station, only the first subnet is connected despite the status display in the overview to the contrary.
    		•  If more than one network is configured on the local side or at the remote gateway, a separate SA is negotiated for each subnet combination when it is deactivated.
    This results in numerous subnet combinations and thus many SAs, especially with multiple subnets, and leads to limitations and losses in the stability of the connections due to the design of the IPSec protocol.
    DHCP: Out When enabled clients receive IP addresses from a local network.
     This requires further configurations, see wiki article on DHCP for IPSec.
    Address-Pool:
    Address-Pool:
    Caption Value Description UTM v12.6.2 VPN Ipsec RW IKEv2 Phase 2 Adress-Pool.png
    Local network: 192.168.250.0/24 The local network to be accessed via the VPN connection (as configured in the wizard in step 3).
    Address-Pool:
    Not with IPSec DHCP    		 192.168.22.35/24 The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.
    Subnets

    Section Subnets
    Scenario: All subnets have access to each other

  • The wizard automatically connects each local network to each remote network.

    • With an SSH login as root, the behavior can be understood particularly well.
    Example with two subnets each.
    Group subnet combinations Enabled On

    root@firewall:~# swanctl --list-conns 

    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
 local:  %any
 remote: 192.0.2.192
 local pre-shared key authentication:
   id: 192.168.175.218
 remote pre-shared key authentication:
   id: 192.0.2.192
 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24 192.168.219.0/24
   remote: 192.168.192.0/24 192.168.193.0/24


    Group subnet combinations Disabled Off
    root@firewall:~# swanctl --list-conns 

     IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
   local:  %any
   remote: 192.0.2.192
   local pre-shared key authentication:
     id: 192.168.175.218
   remote pre-shared key authentication:
     id: 192.0.2.192
   IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.218.0/24
     remote: 192.168.192.0/24
   IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.218.0/24
     remote: 192.168.193.0/24
   IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.219.0/24
     remote: 192.168.192.0/24
   IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
     local:  192.168.219.0/24
     remote: 192.168.193.0/24

    		UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 Subnetze-en.png
    All subnets have access to each other
    Scenario: Not all subnets may access every network of the remote gateway

    If in phase two a local network is not connected to all remote networks (or a remote network is not connected to all local ones), this will not be taken into account if the option Group subnet combinations is active!

    notempty
    The Group subnet combinations option will connect all local networks to all remote networks!
    notempty
    Port filter rules make it possible to control access.

    With an SSH login as root, the behavior can be understood particularly well.
    Example with two subnets each.
    Group subnet combinations Enabled On root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s 

     local:  %any
 remote: 192.0.2.192
 local pre-shared key authentication:
   id: 192.168.175.218
 remote pre-shared key authentication:
   id: 192.0.2.192
 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24 192.168.219.0/24
   remote: 192.168.192.0/24 192.168.193.0/24


    Group subnet combinations Disabled Off
    root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s 

     local:  %any
 remote: 192.0.2.192
 local pre-shared key authentication:
   id: 192.168.175.218
 remote pre-shared key authentication:
   id: 192.0.2.192
 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24
   remote: 192.168.192.0/24
 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.218.0/24
   remote: 192.168.193.0/24
 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
   local:  192.168.219.0/24
   remote: 192.168.192.0/24

    		Datei:UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 reduzierte Subnetze-enpng
    The second local subnet is connected only to one remote subnet
    Troubleshooting

    Detailed Troubleshooting instructions can be found in the Troubleshooting Guide.
    If an email address should be used as gateway ID, it is necessary to insert a double @@ in front of the ID (mail@... becomes @@mail@...). Otherwise the ID will be treated as FQDN.


















































    Connection Rate Limit

    Throttling of access from certain source IPs to recurring ports

    notempty

    The function is still in the testing phase and will be further expanded.
    The function can initially only be configured via the CLI

    The function aims to protect against attacks.
    SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

    Connection Rate Limit.png
    Connection Rate Limit Access.png

    From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
    The following conditions apply:

    • Only incoming connections for which a default route exists are monitored
    • The connections from an IP address to a port of the UTM are counted within one minute
    • When activated, 5 connections / connection attempts per minute are permitted.
      The connections are then limited:
      • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
      • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
      • 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
    • Blocking an IP address only affects access to the port that has been used too often.


    Other ports can still be accessed.

    • The function is activated by default for new installations on 20 UDP connections / minute on all ports
    • For Updates the function must be manually activated
    extc-Variable Default Description
    CONNECTION_RATE_LIMIT_TCP 0 Number of permitted TCP connections of an IP address per port
    0 = Function deactivated, no blocking is performed
    CONNECTION_RATE_LIMIT_TCP_PORTS Ports to be monitored. Empty by default=all ports would be monitored (if activated).
    Individual ports are separated by spaces: [ 1194 1195 ]
    CONNECTION_RATE_LIMIT_UDP 20 / 0
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
    		Number of permitted UDP connections of an IP address per port
    CONNECTION_RATE_LIMIT_UDP_PORTS Ports to be monitored. Empty by default=all ports are monitored (only for new installations!).
    Individual ports are separated by spaces: [ 1194 1195 ]

    Configuration with CLI commands

    CLI command Function
    extc value get application securepoint_firewall
    Alternatively as root user:
    spcli extc value get application securepoint_firewall | grep RATE     		Lists all variables of the securepoint_firewall application.
    The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

    application |variable |value --------------------+-------------------------------+----- securepoint_firewall |… |… |CONNECTION_RATE_LIMIT_TCP |0 |CONNECTION_RATE_LIMIT_TCP_PORTS| |CONNECTION_RATE_LIMIT_UDP |20 |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule    		 Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute
  • A change is made directly by a rule update.
    The value must not be set to 0 first!
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule    		 Deactivates the monitoring of TCP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule     		Restricts the monitoring of TCP connections to ports 443 and 11115
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule    		 There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule    		 Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
  • A change is made directly by a rule update.
    The value must not be set to 0 first!
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule    		 Deactivates the monitoring of UDP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule     		Restricts the monitoring of UDP connections to ports 1194 and 1195.
    (Example for 2 created SSL-VPN tunnels).
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule    		 There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    notempty

    Finally, the CLI command system update rule must be entered so that the values in the rules are applied.

    		For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/VPN/IPSec-S2E&oldid=94892"