IPSec Site-to-Site

IPSec connections Site-to-Site

Last adaptation to the version: 14.0.0

New:

Description of the networks to be released in Step 3 corrected
Option Group subnet combinations in the setup wizard

Show previous changes (v12.7.1)

notempty

This article refers to a Resellerpreview

12.6 12.5 12.4 12.2.5 12.2.3 12.2 11.7 11.6.12

Introduction

A Site-to-Site connection links two networks together.
For example, the local network of a main office with the local network of a branch office / secondary office.

Public IP addresses, as well as dynamic DNS entries, can be used to connect the two remote gateways.

Preparation

If there is a router (e.g. Fritz!Box or Speedport) in front of the Securepoint appliance, it must be ensured that ESP and UDP 500/ 4500 are active there. See Example configuration with a Fritz!Box.

Configuration of an IPSec Site-to-Site connection

After logging in to the administration interface of the firewall (in the delivery state: https://192.168.175.1:11115), an IPSec connection can be added in the menu VPN IPSec} Button + Add IPSec connection.

Setup Wizard

Step 1 - Connection type
Caption	Value	Description	Add IPSec Connection UTMuser@firewall.name.fqdnVPNIPSec Setup step 1
Selection of the connection type:	The following connections are available. Roadwarrior Site to Site	For the configuration of a Site to Site connection, this one is selected.

Step 2 - General
Name:	IPSec S2S	Name for the connection	Setup step 2
IKE Version:	IKE v1 (deprecated)IKE v2 Default	Selection of the IKE version. notempty IKE v1 is considered deprecated and should no longer be used
Subnetzkombinationen gruppieren: notempty New in the setup wizard Nur bei IKE v2	On	Bei Verwendung von IKE v2 ist es mithilfe dieser Konfiguration möglich, mehrere Subnetze unter einer SA zusammenzufassen. ‍ Ohne diese Option wird für jede Subnetzkombination eine eigene SA ausgehandelt. Dies hat besonders bei vielen SAs deutliche Nachteile und führt durch das Design des IPSec-Protokolls zu Limitierungen und zu Einbußen in der Stabilität der Verbindungen. Diese Option kann auch nachträglich bei der Bearbeitung der Konfiguration der Phase 2 mit dem Eintrag Subnetzkombinationen gruppieren konfiguriert werden. Sollte die Gegenstelle ein Problem mit der Gruppierung der Subnetzkombinationen haben, sollte diese Option deaktiviert werden.

Step 3 - Local
Local Gateway ID:	Any interface	Any string. The gateway ID flows into the authentication. This can be an IP address, a host name or an interface. On the remote gateway, this value must be configured exactly the same way. If an email address should be used as Gateway ID, it is necessary to insert a double @@ in front of the ID (mail@... becomes @@mail@...). Otherwise the ID will be treated as FQDN Automatically filled in for certificate authentication method after certificate selection.	Setup step 3
Authentication method:	Pre-Shared Key	A pre-shared key is in use
Authentication method:	Certificate	A certificate is in use
Pre-Shared Key For authentication method pre-shared key.		An arbitrary PSK
		Creates a very strong key
		Copies the PSK to the clipboard
X.509 Certificate: ‍ Es sind nur Zertifikate mit privatem Schlüssel-Teil auswählbar For authentication method certificate.	Server certificate	Selection of a certificate This certificate must be created beforehand under Authentication Certificates .
Share networks:	»192.168.122.0/24	Lokale Netzwerke der UTM ‍ Angabe korrigiert , auf die Zugriff gewährt werden soll.

Step 4 - Remote Gateway
Remote Gateway:	192.0.2.192	Public IP address (or hostname that can be resolved via DNS) of the remote gateway.	Setup step 4
Remote Gateway ID:	192.0.2.192	ID configured as local ID on the remote gateway (any character string).
Share networks:	»192.168.192.0/24	The local network of the remote gateway to be accessed
Exit the setup wizard with Finish
For S2S connections, it should be checked whether several subnets can be combined via MULTI_TRAFFIC_SELECTOR. This significantly reduces the number of SAs and increases the stability of the connection. To do this, the option Group subnet combinations is activated in phase 2.

More settings

In addition to the settings that have already been defined in the wizard, further parameters can be configured:

IKEv1

notempty

IKE v1 is considered deprecated and should no longer be used

Show additional settings for IKEv1

Caption	Value	Description
Phase 1
VPN IPSec Area Connections Button Phase 1 General General
Caption	Value	Description	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal
Allow any remote addresses:	On Default	Disable this option for site-to-site connections with DynDNS hosts if multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured.
Startup behavior:	Outgoing	The tunnel is initiated by the UTM even if no packets are sent. Incoming requests are accepted.
	Incoming Default if Remote Host is any	The UTM accepts incoming tunnel requests. No outgoing connection is created.
	Route Default if Remote Host known	The tunnel is initiated by the UTM only when packets are to be sent.notempty Only set as default value if Any remote station is not selected as Remote Host / Gateway.
	Route Default if Remote Host known	The tunnel is initiated by the UTM only when packets are to be sent.notempty Only set as default value if Any remote station is not selected as Remote Host / Gateway.
Ignore	Deactivates the tunnel
Generate traffic: For Initiate Connection Route	On	Prevents unwanted disconnections when no data traffic is taking place
Dead Peer Detection:	On	Checks at a set interval whether the tunnel still exists. If the tunnel was terminated unexpectedly, the SAs are dismantled. (Only then it is also possible to reestablish a new tunnel). When deactivated, the option Restart after abort in phase 2 is also automatically deactivated.
DPD Timeout:	30 seconds	Period before the state under Startup behavior is restored. Under IKEv2 this parameter is not available. The same values are used here as for regular packets.
DPD Interval:	10 seconds	Testing interval
Compression:	Off	Compression is not supported by all remote stations
Enable MOBIKE:	Yes	Used to deactivate the MOBIKE option Deactivation prevents encrypted data from a remote station from being additionally encapsulated in 4500udp, which leads to problems in communication.

Section IKE Settings that must be identical in the UTM and in the client: IKE
Caption	Default UTM	Default NCP Client	Phase 1 IKEv1	Phase 1 IKEv2
Encryption:	»aes128	AES 128 Bit
Authentication:	»sha2_256	Hash: SHA2 256 Bit
Diffie-Hellman Group:	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

Section IKE More settings:
Strict:	Off	The configured parameters (authentication and encryption algorithms) are preferred for connections
Strict:	On	No further proposals are accepted. A connection is only possible with the configured parameters.
IKE Life time:	Out 3 hours	Validity period of the SAs in phase 1 Can be activated On in addition to IKE Rekeytime. If the Lifetime is set, the value must be greater than the Rekeytime.
IKE Life time:	1 hour	Validity period of the SAs in phase 1
IKE Rekeytime:	2 hours	The validity period in which the connection is established (initial or after termination)
IKE Rekeytime:	notempty Starting with version 12.5.0, for already existing' connections that have no rekeytime' set, the value of the lifetime is entered at this point and the value of the lifetime is set to 0. ‍ This significantly increases the stability of the connection and should not bring any disadvantages. If a value has already been set for the rekeytime (possible from v12.4) no change is made. Example: Current version: ike_lifetime = 2 ike_rekeytime = 0 After update: ike_lifetime = 0 ike_rekeytime = 2 ---- Current version: ike_lifetime = 2 ike_rekeytime = 1 After update: (without change) ike_lifetime =2 ike_rekeytime = 1
Rekeying:	unlimited (recommended)	Number of attempts to establish the connection (initial or after abort). ‍ For E2S connections (Roadwarrior), the setting 3 times can avoid endless attempts to connect to devices that are not correctly logged out.

Phase 2
VPN IPSec Area Connections Button Phase 2 General Section General Settings that must be identical in the UTM and in the client:
Caption	Default UTM	Default NCP Client	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv1 / Roadwarrior	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv2 / Roadwarrior	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv1 / S2S	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv2 / S2S
Encryption:	»aes128	AES 128 Bit
Authentication:	»sha2_256	SHA2 256 Bit
Diffie-Hellman Group:	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Diffie-Hellman Group:	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
Key service life:	8 hours	Validity period of the key in phase 2
Exchange mode:	Main Mode (Not configurable)	Aggressive Mode (IKEv1) Must be changed to Main Mode in the NCP client! The UTM does not support Aggressive Mode for security reasons.
Restart on abort:	No	If the connection was terminated unexpectedly, activating will restore the state configured under Startup behavior in phase 1. The Dead Peer Detection is automatically activated in phase 1.
Group subnet combinations:	Yes If grouping is not supported by the remote station, only the first subnet is connected despite the status display in the overview to the contrary.	If more than one network is configured on the local side or at the remote gateway, a separate SA is negotiated for each subnet combination when it is deactivated. This results in numerous subnet combinations and thus many SAs, especially with multiple subnets, and leads to limitations and losses in the stability of the connections due to the design of the IPSec protocol.
DHCP:	Out	When enabled clients receive IP addresses from a local network. This requires further configurations, see wiki article on DHCP for IPSec.

Subnets Section Subnets
	Scenario: All subnets have access to each other The wizard automatically connects each local network to each remote network. Example with root-Login With an SSH login as root, the behavior can be understood particularly well. Example with two subnets each. Group subnet combinations Enabled On `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` Group subnet combinations Disabled Off `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24	All subnets have access to each other

	Scenario: Not all subnets may access every network of the remote gateway If in phase two a local network is not connected to all remote networks (or a remote network is not connected to all local ones), this will not be taken into account if the option Group subnet combinations is active! notempty The Group subnet combinations option will connect all local networks to all remote networks! notempty Port filter rules make it possible to control access. Example with root-Login With an SSH login as root, the behavior can be understood particularly well. Example with two subnets each. Group subnet combinations Enabled On `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` Group subnet combinations Disabled Off `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`	Datei:UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 reduzierte Subnetze-enpng The second local subnet is connected only to one remote subnet

Troubleshooting

Detailed Troubleshooting instructions can be found in the Troubleshooting Guide.
If an email address should be used as gateway ID, it is necessary to insert a double @@ in front of the ID (mail@... becomes @@mail@...). Otherwise the ID will be treated as FQDN.

IKEv2

Show additional settings for IKEv2

Caption	Value	Description
Phase 1
VPN IPSec Area Connections Button Phase 1 General General
Caption	Value	Description	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal	Edit Phase 1 UTMuser@firewall.name.fqdnVPNIPSec Phase 1 Genereal
Allow any remote addresses:	On Default	Disable this option for site-to-site connections with DynDNS hosts if multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured.
Startup behavior:	Outgoing	The tunnel is initiated by the UTM even if no packets are sent. Incoming requests are accepted.
	Incoming Default if Remote Host is any	The UTM accepts incoming tunnel requests. No outgoing connection is created.
	Route Default if Remote Host known	The tunnel is initiated by the UTM only when packets are to be sent.notempty Only set as default value if Any remote station is not selected as Remote Host / Gateway.
	Route Default if Remote Host known	The tunnel is initiated by the UTM only when packets are to be sent.notempty Only set as default value if Any remote station is not selected as Remote Host / Gateway.
Ignore	Deactivates the tunnel
Generate traffic: For Initiate Connection Route	On	Prevents unwanted disconnections when no data traffic is taking place
Dead Peer Detection:	On	Checks at a set interval whether the tunnel still exists. If the tunnel was terminated unexpectedly, the SAs are dismantled. (Only then it is also possible to reestablish a new tunnel). When deactivated, the option Restart after abort in phase 2 is also automatically deactivated.
DPD Timeout:	30 seconds	Period before the state under Startup behavior is restored. Under IKEv2 this parameter is not available. The same values are used here as for regular packets.
DPD Interval:	10 seconds	Testing interval
Compression:	Off	Compression is not supported by all remote stations
Enable MOBIKE:	Yes	Used to deactivate the MOBIKE option Deactivation prevents encrypted data from a remote station from being additionally encapsulated in 4500udp, which leads to problems in communication.

Section IKE Settings that must be identical in the UTM and in the client: IKE
Caption	Default UTM	Default NCP Client	Phase 1 IKEv1	Phase 1 IKEv2
Encryption:	»aes128	AES 128 Bit
Authentication:	»sha2_256	Hash: SHA2 256 Bit
Diffie-Hellman Group:	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

Section IKE More settings:
Strict:	Off	The configured parameters (authentication and encryption algorithms) are preferred for connections
Strict:	On	No further proposals are accepted. A connection is only possible with the configured parameters.
IKE Life time:	Out 3 hours	Validity period of the SAs in phase 1 Can be activated On in addition to IKE Rekeytime. If the Lifetime is set, the value must be greater than the Rekeytime.
IKE Life time:	1 hour	Validity period of the SAs in phase 1
IKE Rekeytime:	2 hours	The validity period in which the connection is established (initial or after termination)
IKE Rekeytime:	notempty Starting with version 12.5.0, for already existing' connections that have no rekeytime' set, the value of the lifetime is entered at this point and the value of the lifetime is set to 0. ‍ This significantly increases the stability of the connection and should not bring any disadvantages. If a value has already been set for the rekeytime (possible from v12.4) no change is made. Example: Current version: ike_lifetime = 2 ike_rekeytime = 0 After update: ike_lifetime = 0 ike_rekeytime = 2 ---- Current version: ike_lifetime = 2 ike_rekeytime = 1 After update: (without change) ike_lifetime =2 ike_rekeytime = 1
Rekeying:	unlimited (recommended)	Number of attempts to establish the connection (initial or after abort). ‍ For E2S connections (Roadwarrior), the setting 3 times can avoid endless attempts to connect to devices that are not correctly logged out.

Phase 2
VPN IPSec Area Connections Button Phase 2 General Section General Settings that must be identical in the UTM and in the client:
Caption	Default UTM	Default NCP Client	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv1 / Roadwarrior	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv2 / Roadwarrior	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv1 / S2S	Edit Phase 2 UTMuser@firewall.name.fqdnVPNIPSec Phase 2 / Section General with / IKEv2 / S2S
Encryption:	»aes128	AES 128 Bit
Authentication:	»sha2_256	SHA2 256 Bit
Diffie-Hellman Group:	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Diffie-Hellman Group:	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
Key service life:	8 hours	Validity period of the key in phase 2
Exchange mode:	Main Mode (Not configurable)	Aggressive Mode (IKEv1) Must be changed to Main Mode in the NCP client! The UTM does not support Aggressive Mode for security reasons.
Restart on abort:	No	If the connection was terminated unexpectedly, activating will restore the state configured under Startup behavior in phase 1. The Dead Peer Detection is automatically activated in phase 1.
Group subnet combinations:	Yes If grouping is not supported by the remote station, only the first subnet is connected despite the status display in the overview to the contrary.	If more than one network is configured on the local side or at the remote gateway, a separate SA is negotiated for each subnet combination when it is deactivated. This results in numerous subnet combinations and thus many SAs, especially with multiple subnets, and leads to limitations and losses in the stability of the connections due to the design of the IPSec protocol.
DHCP:	Out	When enabled clients receive IP addresses from a local network. This requires further configurations, see wiki article on DHCP for IPSec.

Subnets Section Subnets
	Scenario: All subnets have access to each other The wizard automatically connects each local network to each remote network. Example with root-Login With an SSH login as root, the behavior can be understood particularly well. Example with two subnets each. Group subnet combinations Enabled On `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` Group subnet combinations Disabled Off `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24	All subnets have access to each other

	Scenario: Not all subnets may access every network of the remote gateway If in phase two a local network is not connected to all remote networks (or a remote network is not connected to all local ones), this will not be taken into account if the option Group subnet combinations is active! notempty The Group subnet combinations option will connect all local networks to all remote networks! notempty Port filter rules make it possible to control access. Example with root-Login With an SSH login as root, the behavior can be understood particularly well. Example with two subnets each. Group subnet combinations Enabled On `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` Group subnet combinations Disabled Off `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`	Datei:UTM v12.6.2 VPN Ipsec RW IKEv1 Phase 2 reduzierte Subnetze-enpng The second local subnet is connected only to one remote subnet

Troubleshooting

Detailed Troubleshooting instructions can be found in the Troubleshooting Guide.
If an email address should be used as gateway ID, it is necessary to insert a double @@ in front of the ID (mail@... becomes @@mail@...). Otherwise the ID will be treated as FQDN.

Rulebook

To grant access to the internal network, the connection must be allowed.

It is possible, but not recommended to do this with implied rules under Firewall Implied Rules section VPN to configure this. However, these Implied Rules release the ports used for IPSec connections on all interfaces.			Show screenshot Implied rules UTMuser@firewall.name.fqdnFirewall Implied rules
notempty As a general rule: Only what is needed and only for the one who needs it is released!
Create network object A network object must be created for the remote network. Firewall Network Objects Button Add Object If several subnets exist on the remote gateway, a network object must be created for each subnet. If the corresponding authorizations are to be assigned, these can be combined into network groups.
Name:	IPSec-S2S	Name for the IPSec S2S network object	Add network Object UTMuser@firewall.name.fqdnFirewallNetwork Objects
Type:	VPN network	Type to be selected
Address:	192.168.192.0/24	The IP address of the local network of the opposite side, as entered in the Installation Wizard in Step 4 - Remote Gateway in the line Share networks. So in this example the network 192.168.192.0/24.
Zone:	vpn-ipsec	Zone to be selected
Group:		Optional: One or more groups to which the network object belongs.

Packet filter rule


First rule
Source:	internal-network	Host or network (-pool), which should get access to the internal network	Packetfilter UTMuser@firewall.name.fqdnFirewall Regeln aktualisieren Packet filter rules
Destination:	IPSec network	Host, network or network group to which access is to be granted. Here, for example, a group of rdp servers.
Service:	benötigter Dienst	Service or service group that is needed
NAT:	Hidenat Exclude
Network Objects:	external-interface

Second rule
Source:	IPSec network	Host or network (-pool), which should get access to the internal network
Destination:	internal-network	Destination
Service:	benötigter Dienst	Service or service group that is needed
NAT:		No NAT

Configuration of the second gateway

notempty

It should be noted that the IKE version is identical on both sides.

Use of a Securepoint UTM

On the remote gateway, the settings must be made in a similar way

A new IPSec VPN connection is created using the IPSec wizard
A network object for the IPSec network is created
Port filter rules are created

Remote Gateway step 2

The same authentication method must be selected
The same authentication key (PSK, certificate, RSA key) must be available
The same IKE version must be used

Remote Gateway step 3

As Local Gateway ID the Remote Gateway ID from step 4 of the first UTM must now be used
Under Share Networks the (there remote) network from step 4 of the first UTM must also be used

Remote Gateway step 4

The public IP address (or a hostname that can be resolved via DNS) of the first UTM must be entered as Remote Gateway.
(This address was not required in the wizard of the first UTM).
The Local Gateway ID from step 3 of the first UTM must be used as Remote Gateway ID
Under Share networks the (there local) network from step 3 of the first UTM must also be used.

Create network object of the remote gateway

The network object of the remote gateway represents the network of the first UTM.
Correspondingly, the network address of the local network of the first UTM must be entered under Address.
In the example 192.168.218.0/24

Notes

Add Transparent rule UTMuser@firewall.name.fqdnApplicationsHTTP-Proxy Transparent rule

The transparent HTTP proxy

If a server behind the Site-to-Site connection is to be accessed from the internal network via HTTP, the transparent HTTP proxy may filter the packets.
This can lead to errors while accessing the target.
To prevent this from happening, a rule Exclude must be created in the Applications HTTP Proxy Area Transparent mode Button Add transparent rule menu with source internal-network to target name-vpn-network-object and protocol HTTP.

Troubleshooting

Detailed Troubleshooting instructions can be found in the Troubleshooting Guide.
If an email address should be used as gateway ID, it is necessary to insert a double @@ in front of the ID (mail@... becomes @@mail@...). Otherwise the ID will be treated as FQDN.

Connection Rate Limit

Throttling of access from certain source IPs to recurring ports

notempty

The function is still in the testing phase and will be further expanded.
The function can initially only be configured via the CLI

The function aims to protect against attacks.
SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
The following conditions apply:

Only incoming connections for which a default route exists are monitored
The connections from an IP address to a port of the UTM are counted within one minute
When activated, 5 connections / connection attempts per minute are permitted.
The connections are then limited:
- The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
- With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
- 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
Blocking an IP address only affects access to the port that has been used too often.

Other ports can still be accessed.

The function is activated by default for new installations on 20 UDP connections / minute on all ports
For Updates the function must be manually activated

extc-Variable	Default	Description
CONNECTION_RATE_LIMIT_TCP	0	Number of permitted TCP connections of an IP address per port 0 = Function deactivated, no blocking is performed
CONNECTION_RATE_LIMIT_TCP_PORTS		Ports to be monitored. Empty by default=all ports would be monitored (if activated). Individual ports are separated by spaces: [ 1194 1195 ]
CONNECTION_RATE_LIMIT_UDP	20 / 0 ‍ Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated.	Number of permitted UDP connections of an IP address per port
CONNECTION_RATE_LIMIT_UDP_PORTS		Ports to be monitored. Empty by default=all ports are monitored (only for new installations!). Individual ports are separated by spaces: [ 1194 1195 ]

Configuration with CLI commands

Show configuration with CLI commands

CLI command	Function
extc value get application securepoint_firewall Alternatively as root user: spcli extc value get application securepoint_firewall \| grep RATE	Lists all variables of the securepoint_firewall application. The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit. application \|variable \|value --------------------+-------------------------------+----- securepoint_firewall \|… \|… \|CONNECTION_RATE_LIMIT_TCP \|0 \|CONNECTION_RATE_LIMIT_TCP_PORTS\| \|CONNECTION_RATE_LIMIT_UDP \|20 \|CONNECTION_RATE_LIMIT_UDP_PORTS\|
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule	Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute A change is made directly by a rule update. The value must not be set to 0 first!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule	Deactivates the monitoring of TCP connections
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule	Restricts the monitoring of TCP connections to ports 443 and 11115 There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule	There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule	Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated. A change is made directly by a rule update. The value must not be set to 0 first!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule	Deactivates the monitoring of UDP connections
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule	Restricts the monitoring of UDP connections to ports 1194 and 1195. (Example for 2 created SSL-VPN tunnels). There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule	There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule notempty Finally, the CLI command system update rule must be entered so that the values in the rules are applied.	For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.

Address-Pool: Address-Pool:
Caption	Value	Description
Local network:	192.168.250.0/24	The local network to be accessed via the VPN connection (as configured in the wizard in step 3).
Address-Pool: Not with IPSec DHCP	192.168.22.35/24	The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.

Address-Pool: Address-Pool:
Caption	Value	Description
Local network:	192.168.250.0/24	The local network to be accessed via the VPN connection (as configured in the wizard in step 3).
Address-Pool: Not with IPSec DHCP	192.168.22.35/24	The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.

Introduction

Preparation

Configuration of an IPSec Site-to-Site connection

Setup Wizard

Step 1 - Connection type

Step 2 - General

Step 3 - Local

Step 4 - Remote Gateway

More settings

IKEv1

Phase 1

General

IKE

Phase 2

General

Address-Pool:

Subnets

Troubleshooting

IKEv2

Phase 1

General

IKE

Phase 2

General

Address-Pool:

Subnets

Troubleshooting

Rulebook

Create network object

Packet filter rule

Configuration of the second gateway

Use of a Securepoint UTM

Remote Gateway step 2

Remote Gateway step 3

Remote Gateway step 4

Create network object of the remote gateway

Notes

The transparent HTTP proxy

Troubleshooting

Connection Rate Limit

Configuration with CLI commands