UTM/VPN/IPSec-S2S

12.6.2

(v12.6.1)
(v12.6.1)
(v12.5)

12.5 12.4 12.2.5 12.2.3 12.2 11.7 11.6.12


		[[Datei: ]] 1



Name:	IPSec S2S	[[Datei: ]] 2
IKE Version:	IKE v1 ()IKE v2 Default


Local Gateway ID:		[[Datei: ]] 3
\|\| Pre-Shared Key \|\|
\|\| Pre-Shared Key \|\|
Pre-Shared Key '


X.509 : '
\|\| » ✕192.168.122.0/24 \|\|


Remote Gateway:	192.0.2.192	[[Datei: ]] 4
Remote Gateway ID:	192.0.2.192
\|\| » ✕192.168.192.0/24 \|\|

IKEv1


Phase 1
VPN Phase 1
			[[Datei: ]]	[[Datei: ]]	[[Datei: ]]	[[Datei: ]]
\|\| Default \|\|
\|\| Outgoing \|\|
	Incoming
	Route
	Route
Ignore
' *\|\| \|\|*
Dead Peer Detection:
DPD Timeout:	30
\|\| 10 \|\|
Compression:


IKE IKE
	Default UTM	Default NCP Client	[[Datei: ]] 1	[[Datei: ]] 2
	» ✕aes128	AES 128 Bit
	» ✕sha2_256	Hash: SHA2 256 Bit
	» ✕ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

IKE :
Strict:
Strict:
	3
	1
IKE Rekeytime:	2
IKE Rekeytime:	notempty ike_lifetime = 2 ike_rekeytime = 0 ike_lifetime = 0 ike_rekeytime = 2 ---- ike_lifetime = 2 ike_rekeytime = 1 ike_lifetime =2 ike_rekeytime = 1
Rekeying:

Phase 2
VPN Phase 2
	Default UTM	Default NCP Client	[[Datei: ]] / IKEv1 / Roadwarrior	[[Datei: ]] / IKEv2 / Roadwarrior	[[Datei: ]] / IKEv1 / S2S	[[Datei: ]] / IKEv2 / S2S
	» ✕aes128	AES 128 Bit
	» ✕sha2_256	SHA2 256 Bit
	» ✕ecp521	IKE DH-Gruppe: DH2 (modp1024)
	» ✕ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
\|\| 8 \|\|
\|\| Main Mode () \|\| Aggressive Mode (IKEv1)
\|\| \|\|

DHCP:


		[[Datei: ]]
\|\| 192.168.250.0/24 \|\|
	192.168.22.35/24


	' `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24		[[Datei: ]]

	' `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`		[[Datei: ]]

Troubleshooting

IKEv2


Phase 1
VPN Phase 1
			[[Datei: ]]	[[Datei: ]]	[[Datei: ]]	[[Datei: ]]
\|\| Default \|\|
\|\| Outgoing \|\|
	Incoming
	Route
	Route
Ignore
' *\|\| \|\|*
Dead Peer Detection:
DPD Timeout:	30
\|\| 10 \|\|
Compression:


IKE IKE
	Default UTM	Default NCP Client	[[Datei: ]] 1	[[Datei: ]] 2
	» ✕aes128	AES 128 Bit
	» ✕sha2_256	Hash: SHA2 256 Bit
	» ✕ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

IKE :
Strict:
Strict:
	3
	1
IKE Rekeytime:	2
IKE Rekeytime:	notempty ike_lifetime = 2 ike_rekeytime = 0 ike_lifetime = 0 ike_rekeytime = 2 ---- ike_lifetime = 2 ike_rekeytime = 1 ike_lifetime =2 ike_rekeytime = 1
Rekeying:

Phase 2
VPN Phase 2
	Default UTM	Default NCP Client	[[Datei: ]] / IKEv1 / Roadwarrior	[[Datei: ]] / IKEv2 / Roadwarrior	[[Datei: ]] / IKEv1 / S2S	[[Datei: ]] / IKEv2 / S2S
	» ✕aes128	AES 128 Bit
	» ✕sha2_256	SHA2 256 Bit
	» ✕ecp521	IKE DH-Gruppe: DH2 (modp1024)
	» ✕ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
\|\| 8 \|\|
\|\| Main Mode () \|\| Aggressive Mode (IKEv1)
\|\| \|\|

DHCP:


		[[Datei: ]]
\|\| 192.168.250.0/24 \|\|
	192.168.22.35/24


	' `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24		[[Datei: ]]

	' `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`		[[Datei: ]]

Troubleshooting

			[[Datei: ]]


Name:	IPSec-S2S		[[Datei: ]]
\|\| \|\|
\|\| 192.168.192.0/24 \|\|
Zone:	vpn-ipsec
\|\| \|\|




'
\|\| internal-network \|\|	[[Datei: ]]
\|\| \|\|
\|\| benötigter Dienst \|\|
NAT:		Hidenat Exclude
\|\| external-interface \|\|

'
\|\| \|\|
\|\| internal-network \|\|
\|\| benötigter Dienst \|\|
NAT:

[[Datei: ]]

Troubleshooting

'

extc-Variable	Default
CONNECTION_RATE_LIMIT_TCP	0
CONNECTION_RATE_LIMIT_TCP_PORTS
CONNECTION_RATE_LIMIT_UDP	20 / 0
CONNECTION_RATE_LIMIT_UDP_PORTS		[ 1194 1195 ]


extc value get application securepoint_firewall spcli extc value get application securepoint_firewall \| grep RATE	application \|variable \|value --------------------+-------------------------------+----- securepoint_firewall \|… \|… \|CONNECTION_RATE_LIMIT_TCP \|0 \|CONNECTION_RATE_LIMIT_TCP_PORTS\| \|CONNECTION_RATE_LIMIT_UDP \|20 \|CONNECTION_RATE_LIMIT_UDP_PORTS\|
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule

IKEv1

Phase 1

IKE

Phase 2

Troubleshooting

IKEv2

Phase 1

IKE

Phase 2

Troubleshooting

Troubleshooting