UTM/VPN/IPSec-S2S

14.1.0 (08.2025)

14.0 12.6 12.5 12.4 12.2.5 12.2.3 12.2 11.7 11.6.12


		[[Datei: ]] 1



Name:	IPSec S2S	[[Datei: ]] 2
IKE Version:	IKE v1 ()IKE v2 Default
\|\| \|\|


Local Gateway ID:		[[Datei: ]] 3
\|\| Pre-Shared Key \|\|
\|\| Pre-Shared Key \|\|
Pre-Shared Key '


X.509 : '
\|\| »192.168.122.0/24 \|\|


Remote Gateway:	192.0.2.192	[[Datei: ]] 4
Remote Gateway ID:	192.0.2.192
\|\| class=mw11 \| »192.168.192.0/24 \|\|

IKEv1


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen


Phase 1
VPN Phase 1
			[[Datei: ]]	[[Datei: ]]	[[Datei: ]]	[[Datei: ]]
\|\| Default \|\|
\|\| Outgoing \|\|
	Incoming
	Route
	Route
Ignore
' *\|\| \|\|*
Dead Peer Detection:
DPD Timeout:	30
\|\| 10 \|\|
Compression:

notempty v14.1.0

IKE IKE
	Default UTM	Default NCP Client	[[Datei: ]] 1	[[Datei: ]] 2
	»aes128	AES 128 Bit
	»sha2_256	Hash: SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

IKE :
Strict:
Strict:
	3
	1
IKE Rekeytime:	2
IKE Rekeytime:	notempty ike_lifetime = 2 ike_rekeytime = 0 ike_lifetime = 0 ike_rekeytime = 2 ---- ike_lifetime = 2 ike_rekeytime = 1 ike_lifetime =2 ike_rekeytime = 1
Rekeying:

Phase 2
VPN Phase 2
	Default UTM	Default NCP Client	[[Datei: ]] / IKEv1 / Roadwarrior	[[Datei: ]] / IKEv2 / Roadwarrior	[[Datei: ]] / IKEv1 / S2S	[[Datei: ]] / IKEv2 / S2S
	»aes128	AES 128 Bit
	»sha2_256	SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
\|\| 8 \|\|
\|\| Main Mode () \|\| Aggressive Mode (IKEv1)
\|\| \|\|

DHCP:


		[[Datei: ]]
\|\| 192.168.250.0/24 \|\|
	192.168.22.35/24


	' `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24		[[Datei: ]]

	' `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`		[[Datei: ]]

Troubleshooting

IKEv2


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen


Phase 1
VPN Phase 1
			[[Datei: ]]	[[Datei: ]]	[[Datei: ]]	[[Datei: ]]
\|\| Default \|\|
\|\| Outgoing \|\|
	Incoming
	Route
	Route
Ignore
' *\|\| \|\|*
Dead Peer Detection:
DPD Timeout:	30
\|\| 10 \|\|
Compression:

notempty v14.1.0

IKE IKE
	Default UTM	Default NCP Client	[[Datei: ]] 1	[[Datei: ]] 2
	»aes128	AES 128 Bit
	»sha2_256	Hash: SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

IKE :
Strict:
Strict:
	3
	1
IKE Rekeytime:	2
IKE Rekeytime:	notempty ike_lifetime = 2 ike_rekeytime = 0 ike_lifetime = 0 ike_rekeytime = 2 ---- ike_lifetime = 2 ike_rekeytime = 1 ike_lifetime =2 ike_rekeytime = 1
Rekeying:

Phase 2
VPN Phase 2
	Default UTM	Default NCP Client	[[Datei: ]] / IKEv1 / Roadwarrior	[[Datei: ]] / IKEv2 / Roadwarrior	[[Datei: ]] / IKEv1 / S2S	[[Datei: ]] / IKEv2 / S2S
	»aes128	AES 128 Bit
	»sha2_256	SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
\|\| 8 \|\|
\|\| Main Mode () \|\| Aggressive Mode (IKEv1)
\|\| \|\|

DHCP:


		[[Datei: ]]
\|\| 192.168.250.0/24 \|\|
	192.168.22.35/24


	' `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24		[[Datei: ]]

	' `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`		[[Datei: ]]

Troubleshooting

			[[Datei: ]]


Name:	IPSec-S2S		[[Datei: ]]
\|\| \|\|
\|\| 192.168.192.0/24 \|\|
Zone:	vpn-ipsec
\|\| \|\|




'
\|\| internal-network \|\|	[[Datei: ]]
\|\| \|\|
\|\| benötigter Dienst \|\|
NAT:		Hidenat Exclude
\|\| external-interface \|\|

'
\|\| \|\|
\|\| internal-network \|\|
\|\| benötigter Dienst \|\|
NAT:

[[Datei: ]]

Troubleshooting

'

extc-Variable	Default
CONNECTION_RATE_LIMIT_TCP	0
CONNECTION_RATE_LIMIT_TCP_PORTS
CONNECTION_RATE_LIMIT_UDP	20 / 0
CONNECTION_RATE_LIMIT_UDP_PORTS		[ 1194 1195 ]


extc value get application securepoint_firewall spcli extc value get application securepoint_firewall \| grep RATE	application \|variable \|value --------------------+-------------------------------+----- securepoint_firewall \|… \|… \|CONNECTION_RATE_LIMIT_TCP \|0 \|CONNECTION_RATE_LIMIT_TCP_PORTS\| \|CONNECTION_RATE_LIMIT_UDP \|20 \|CONNECTION_RATE_LIMIT_UDP_PORTS\|
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule

IKEv1

Phase 1

IKE

Phase 2

Troubleshooting

IKEv2

Phase 1

IKE

Phase 2

Troubleshooting

Troubleshooting