SSL-VPN Roadwarrior

Configuration of SSL-VPN Roadwarrior connections

Last adaptation to the version: 12.7.3

New:

New user authentication: Local OTP

notempty

This article refers to a Resellerpreview

12.6.2 12.5.1 12.4 12.2.2 12.2 11.8.7 11.7.1 11.7 11.6.12

Introduction

A roadwarrior connection links individual hosts to the local network. This allows, for example, a field worker to connect to the headquarters network.
SSL-VPN uses the TLS/SSL standard to encrypt the connection.

notempty

Multiple clients can be connected with a SSL-VPN Roadwarrior connection on the UTM.

There is a separate article for creating certificates on the UTM: Certificates

Preparations

A CA, a server certificate and a user certificate are required for setting up the roadwarrior.
These certificates can also be created during setup if necessary.

Internal hostname resolution in SSL-VPN

If servers in the SSL-VPN are to be accessible to Roadwarrior under their host name, the following settings are required:

Push DNS/WINS

In order for DNS/WINS to be transmitted, the configured VPN connection must be edited and enabled in the Advanced tab.

UTM v12.6 SSL-VPN Roadwarrior Globale VPN-Einstellungen-en.png

Enter the IP of the DNS server in the UTM network as the primary DNS server / WINS server.

UTM v12.6 SSL-VPN Roadwarrior DNS-WINS aktiviert-en.png

In order for DNS/WINS to be transmitted, the configured VPN connection must be edited and enabled in the Advanced tab.

Search Domain

If available, enter domain.

Predefine Search Domain

Block Outside DNS

For some Windows 10 clients, it may be necessary to set the "block-outside-dns" option in the configuration of the SSL-VPN client:
Right click on the desired connection in the Securepoint SSL-VPN Client, menu Settings Advanced button tab OS Entry DNS Block Outside DNS

Roadwarrior configuration

Setup Wizard

After the login on the firewall's administration interface (by default: https://192.168.175.1:11115), the setup wizard can be called up with VPN SSL-VPN Button Add SSL-VPN connection.

Step 1

UTM v12.6 SSL-VPN Roadwarrior Schritt1-en.png

Setup step 1

In installation step 1, the connection type is selected.
The following connections are available.

Roadwarrior Server
Site to Site Server
Site to Site Client

For the configuration of the Roadwarrior Server this one is selected.

Step 2

UTM v12.6 SSL-VPN Roadwarrior Schritt2-en.png

Setup step 2

If IPv6 is to be used in the source and destination network, this must be enabled here.

Step 3

Local settings for the Roadwarrior server can be made in step 3.

Caption	Value	Description
Name:	RW-Securepoint	Distinctive label, freely selectable
Protocol:	UDP	Desired protocol
Port:	1194	Default port for the first SSL-VPN connection. May not be used for any other purpose. For further connections, the next free port is selected.
Server certificate: Only certificates with a private key part can be selected	CS-RW-Securepoint-Server	Selection of the certificate with which the server authenticates itself. If there is no server certificate yet, this (and if necessary also a CA) can be created in the certificate management. Call with Creation of a CA in the tab CA with the button Add CA Create a server certificate in the Certificates tab using the Add Certificate. Please note: activate Server certificate: Enable Creation of the client certificate with the button Add certificate A separate user certificate should be created for each user . Both certificates (server CS and client CC) must be created with the same CA! The client certificate and the associated CA are also needed to configure the remote peer (client). They must be exported using the button. Further notes in the wiki article on the use of Certificates.
Share server networks	»192.168.175.0/24	Network IP for networks behind the UTM that should be reachable via the SSL-VPN connection (as specified in the wizard in step 3) can be edited.

UTM v12.6 SSL-VPN Roadwarrior Schritt3-en.png

Setup step 3

Step 4

UTM v12.6 SSL-VPN Roadwarrior Schritt4-en.png

Setup step 4

In installation step 4, the transfer network for the Roadwarrior is entered.
The transfer network can be freely selected, but must be otherwise unused on the UTM.

The IP addresses are assigned to the clients in ascending order (starting with .2)

error in the description of the order corrected

If clients are to be assigned fixed IP addresses, these should begin with .254 in descending order

The network for the pool must be large enough to provide all clients with a tunnel IP and to exclude overlapping (fixed IP addresses from below and dynamic allocation from above)

Step 5

UTM v12.6 SSL-VPN Roadwarrior Schritt5-en.png

Setup step 5

User authentication is selected in the last step.
The setup wizard can then be completed.

None = Authentication only via the certificates
Local = Local users and AD groups
Radius = Radius Server
Local OTP = Local users and AD groups with mandatory OTP for this tunnel notempty
New as of v12.7.3

Completion

UTM v12.6 SSL-VPN Roadwarrior Schritt6-en.png

Setup completion

In the SSL-VPN overview all configured connections are displayed.
In order for the connection to become active, the SSL-VPN service must be restarted: Restart

This will interrupt all SSL-VPN tunnels!

Only one Roadwarrior server is needed to connect multiple VPN users!

In order for DNS/WINS to be transmitted, the configured VPN connection must be edited and enabled in the Advanced tab.

Edit connection

Allgemein Allgemein
Caption	Value	Description	Edit SSL-VPN connection UTMuser@firewall.name.fqdnVPNSSL-VPN
Name:	RW Securepoint	Name of the SSL connection
Interface:	tun1	Used interface
Modus:	Server	Depending on the connection type (as selected in step 1 of the wizard)
Protocol:	UDP (Default) TCP	Select preferred protocol (UDP and TCP can be limited to IPv4 or IPv6 respectively).
Port:	1194	Default port for the first SSL-VPN connection. May not be used for any other purpose. For further connections, the next free port is selected.
Authentication:	NONE LOCAL (Default) RADIUS	Select appropriate authentication method
Certificate:	CS-RW-Securepoint-Server	The used certificate can be changed here
Static SSL-VPN key type:	Off tls-authtls-crypt	Activation of tls-auth causes additional authentication of the control channel tls-crypt causes additional authentication and' Encryption of the control channel
Static SSL-VPN key: notempty New as of v12.6.1	SSL-VPN RW-Securepoint	Securing the connection with tls-auth. The key must have the type OVPN_STATIC_KEY.
Cipher for data connections:	AES-128-CBC	AES-128-CBC is used by default. All remote peers must use the same cipher!
Cipher for data connections:	Default BF-CBC DES-EDE-CBC DES-EDE3-CBC CAST5-CBC AES-192-CBC AES-256-CBC AES-128-GCM AES-192-GCM AES-256-GCM
Hash for data connection:	SHA256	Default settings of OpenSSL are used. All remote stations must use the same hash procedure!
Hash for data connection:	Default SHA1 SHA224 SHA384 SHA512 whirlpool
Allowed ciphers for automatic negotiation (NCP):		Individual ciphers can be selected from a list
IPv4 Pool:	192.168.192.0/24	Enter pool address
IPv6 Pool:	/64	Enter pool address
Share server networks:		Network IP for networks behind the UTM that should be reachable via the SSL-VPN connection (as specified in the wizard in step 3) can be edited.
Search Domain:		If available, enter domain.
Renegotiation:	Never 1 Hour (Default) 2 Hours 4 Hours 8 Hours 12 Hours	Time period from which the connection will be rebrokered.
The settings can be saved with .

Erweitert Erweitert
MTU:	1500	Maximum transmission unit of the largest packet (byte)	Edit SSL-VPN connection UTMuser@firewall.name.fqdnVPNSSL-VPN
Maximum Clients:	1024	Maximum number of clients If no value is specified, the default value of 1024 applies
Allow duplicate clients:	No	When activated, duplicate clients can connect simultaneously with the same credentials. Should not be enabled if the user has been assigned a fixed IP Configuration under Authentication User Area User Button VPN tab SSL-VPN section
Transmit DNS:	No	Allows DNS transmission
Transmit WINS:	No	Allows the WINS transmission
Multihome:	On	Allows the use of multiple default routes
LZO:	Off	LZO compression After changing this option, the corresponding client remote stations must adjust their configuration!
Disabled:	No
Pass TOS:	Off	Passes the original Type of Service header of the data packet to the tunnel packet
Ping Intervall:	10 Seconds	Interval of the ping requests
Ping waiting time:	120 Seconds
Outgoing buffer size:	65536 Bytes	Controls the size of the buffer for the socket The larger, the more can be stored between. But this can also increase the latency.
Incoming buffer size:	65536 Bytes	see above
Replay window sequence size:	64	Number of packets within which even older sequence numbers are accepted.
Replay window waiting time:	15 Seconds	Time frame in which the sequence size is applied maximally
The settings can be saved with .

Policy

Implied rules

The protocol used for the connection can be activated under Firewall Implied rules Area VPN.

In the example On SSL-VPN UDP ➊

This implied rule releases the ports that are used for SSL-VPN connections on all interfaces. Packet filter rules instead of implied rules can regulate this individually for individual interfaces.
If the user is to download the client from the user interface, this must also be enabled here:
On User Interface Portal ➋

UTM v12.6 SSL-VPN Roadwarrior Implizite Regeln-en.png

If necessary, the user interface must be placed on a different port, if port 443 has been forwarded to an internal server.

Network objects

A tun interface was created when the connection was set up. It automatically receives the first IP address from the transfer network configured in the connection and a zone "vpn-ssl-<servername>".

The Roadwarrior clients will receive an IP address from this network and will be located in this zone.
To grant the roadwarriors access to your own network, a network object must be created.

Caption	Value	Description	Add network object UTMuser@firewall.name.fqdnFirewallNetwork objects Network object for the tunnel network
Name:	SSL-VPN-RW-Network	Distinctive label, freely selectable
Type:	VPN network	Select suitable type
Adress:	192.168.192.0/24	The network IP that was specified as the tunnel pool in step 4.
Zone:	vpn-ssl-RW-Securepoint	The zone over which the tunnel network is addressed.
Groups:		Optional assignment to network groups
The settings can be saved with .

Packetfilter rule

Menu Firewall Port Filter Area Port Filter Button Add Rule A rule allows RW clients to access the local network:			Add rule UTMuser@firewall.name.fqdnFirewallPacketfilter
General
Source	SSL-VPN-RW-Network	Inbound rule
Destination	internal-network	The destination must be internal-network
Service	ms-rdp	Only services that are actually needed should be released!
Action	ACCEPT

Creating users and groups

Group

Permissions

UTM v12.6 SSL-VPN Roadwarrior Gruppe hinzufuegen Berechtigung-en.png

Under Area Group Button + Add Group.

The following authorisations must be given:

On Userinterface
On SSL-VPN

SSL-VPN
Client downloadable in the user interface:	Yes	Per default over the port 443, so e.g. under https://192.168.75.1 accessible	SSL-VPN settings for the group
SSL-VPN connection:	RW-Securepoint	Select just created connection
Client-Certificate:	Client-Certificate	Selection of the client certificate described in Step 3 of the setup wizard. Server and client certificate must be created with the same CA!
Remote Gateway:	192.0.2.192	The remote gateway is the address of the external interface. This address must be accessible external.
Redirect Gateway:	Off	When activated, requests from roadwarrior clients to the Internet or networks outside the VPN are also redirected via the local gateway. As a result, these connections also benefit from the protection of the UTM.
Available in the port filter:	Ja	Enables Identity-Based Firewall (IBF) for SSL-VPN

User

If no group assignment was made in the previous step (create a group) in the Directory Service tab, each user must also be created on the UTM.

Area User Button Add User or Edit User .

General
Groups:	RW-SSL-VPN	The user must be assigned the previously created group.
SSL-VPN			Add user UTMuser@firewall.name.fqdnAuthenticationUser SSL-VPN settings for the users
Use settings from the group:	On	If settings have already been made for the group, these can be adopted here instead of individual values.
Installer Portable Client Configuration	If the information has been saved, the corresponding files can already be downloaded by the administrator at this point.
Further information on users can be found in the article on User Management.

The SSL-VPN Client

Downloading the SSL-VPN client in the user interface

Userinterface SSL-VPN

For users who want to connect to the UTM via SSL-VPN, the appliance provides a preconfigured SSL-VPN client:

Access the download via the menu item SSL-VPN .
This client contains the configuration files and all required certificates.
Login to the user interface of the UTM by default via port 443, e.g. under https://192.168.75.1
The user interface is accessed via the internal interface of the Securepoint appliance.

Access from external users is only possible if the Implied SSL rule is enabled under Area VPN Option On User Interface Portal, which allows access from the Internet to the external interface via HTTPS.

The client is offered as:

SSL-VPN Client Installer

The installation must be performed with administrator rights.

- Required processor architecture: x86 / x64

SSL-VPN Portable Client
- The portable version can be copied to a USB stick, for example, and can thus be run on other computers.

This requires administration rights, as a virtual TAP device must be installed and routes set.

- Required processor architecture: x86 / x64

Configuration and certificate
- For use in other SSL-VPN clients

In addition to the SSL-VPN client, the compressed folders contain

- a configuration file
- the CA and client certificates
- and a driver for the virtual TAP network interface.
- To install the virtual TAP interface, the user needs administrator rights on the machine being used.

notempty

For security reasons, the latest version should always be used

Installation: Hints for the installation can be found on our wiki page for the VPN client.

Establish SSL-VPN connection as client

Active SSL-VPN connection

Double-click on the lock icon in the taskbar to open the SSL-VPN client.
Start the connection by clicking

Multiple VPN servers as targets for one connection

In the settings of a connection under Advanced/Remote additional VPN servers with IP or hostname can be stored as destination.

Right mouse click on the connection
Context menu Settings

Button Advanced

IP: utm1.anyideas.de
Port: 1194

Enter host name or IP and port used
Apply details with Add
Close window with OK.

Confirm UAC user accounts message.

Use multiple VPN profiles

Multiple VPN profiles can be imported and used at the same time.

Left click on the gear icon in the client window
Context menu Import

By clicking ... in the
source file:
section, a file in .ovpn format can be selected.
In the
Import as:
section, either the filename or any custom identifier can be selected, which will then be displayed in the client window for that connection.
Finish with the Import button.

SSL-VPN Client Einstellungen Allgemein.png

If several VPN profiles are to be used simultaneously, additional TAP drivers must be added:
- Left click on the cogwheel symbol
- Menu {spc

By clicking ... in the
source file:
section, a file in .ovpn format can be selected.
In the
Import as:
section, either the filename or any custom identifier can be selected, which will then be displayed in the client window for that connection.
Finish with the Import button.

Notes

Encryption

By default, an AES128-CBC method is used. The encryption method can be customized in the server or/and client profile.

notempty

Adjustment of the default cipher as of v12.2.2

notempty

As of v12.2.2, the setting of the Cipher for data connection no longer includes Blowfish-CBC.
If the client uses this cipher and is not able to handle NCP, with which the cipher is negotiated automatically, no connection is established. The cipher must be adjusted.
It is strongly recommended to stop using the BF-CBC cipher because it is considered not secure.
If the BF-CBC cipher is to be used anyway, it can be selected explicitly.
Adjustment on the UTM with the button of the respective connection in the General tab in the Cipher for data connection field.

UTM v12.6 SSL-VPN Roadwarrior SSL-VPN bearbeiten Default-en.png

Cipher and hash with default settings
notempty

Not compatible with Blowfish

UTM v12.6 SSL-VPN Roadwarrior SSL-VPN bearbeiten Blowfish-en.png

Cipher with Blowfish compatible settings notempty

Not recommended

UTM v12.6 SSL-VPN Roadwarrior SSL-VPN bearbeiten AES128-en.png

notempty

Recommended setting
Must also be configured on the remote station

notempty

The parameters must be identical on the server and client side. Otherwise data transfer is not possible.

Hash method

By default, a SHA256 hash method is used. The hash method can be customized in the server or/and client profile.

notempty

The parameters must be identical on the server and client side. Otherwise data transfer is not possible.

QoS

For the VPN connection, the TOS fields for automatic QoS can be set in the packets. This setting can be enabled in the VPN connection settings under "Advanced".

Note on upstream routers/modems

There are always problems with the stability of the connection if a router/modem in front of the appliance also has an active firewall. Please do not use any firewall functionality on these devices.

notempty

It must be ensured that the required ports are forwarded.

IPv6 for incoming connections

In the settings of the roadwarrior server , the protocol UDP6 or TCP6 for IPv6 can be activated under General / Protocol.

Troubleshooting

For advice on troubleshooting SSL-VPN, see the Troubleshooting Guide SSL-VPN (pdf document).

Connection Rate Limit

Throttling of access from certain source IPs to recurring ports

notempty

The function is still in the testing phase and will be further expanded.
The function can initially only be configured via the CLI

The function aims to protect against attacks.
SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
The following conditions apply:

Only incoming connections for which a default route exists are monitored
The connections from an IP address to a port of the UTM are counted within one minute
When activated, 5 connections / connection attempts per minute are permitted.
The connections are then limited:
- The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
- With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
- 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
Blocking an IP address only affects access to the port that has been used too often.

Other ports can still be accessed.

The function is activated by default for new installations on 20 UDP connections / minute on all ports
For Updates the function must be manually activated

extc-Variable	Default	Description
CONNECTION_RATE_LIMIT_TCP	0	Number of permitted TCP connections of an IP address per port 0 = Function deactivated, no blocking is performed
CONNECTION_RATE_LIMIT_TCP_PORTS		Ports to be monitored. Empty by default=all ports would be monitored (if activated). Individual ports are separated by spaces: [ 1194 1195 ]
CONNECTION_RATE_LIMIT_UDP	20 / 0 Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated.	Number of permitted UDP connections of an IP address per port
CONNECTION_RATE_LIMIT_UDP_PORTS		Ports to be monitored. Empty by default=all ports are monitored (only for new installations!). Individual ports are separated by spaces: [ 1194 1195 ]

Configuration with CLI commands

CLI command	Function
extc value get application securepoint_firewall Alternatively as root user: spcli extc value get application securepoint_firewall \| grep RATE	Lists all variables of the securepoint_firewall application. The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit. application \|variable \|value --------------------+-------------------------------+----- securepoint_firewall \|… \|… \|CONNECTION_RATE_LIMIT_TCP \|0 \|CONNECTION_RATE_LIMIT_TCP_PORTS\| \|CONNECTION_RATE_LIMIT_UDP \|20 \|CONNECTION_RATE_LIMIT_UDP_PORTS\|
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule	Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute Eine Änderung wird durch ein Regelupdate direkt durchgeführt. Der Wert muss nicht zuerst auf 0 gesetzt werden!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule	Deactivates the monitoring of TCP connections
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule	Restricts the monitoring of TCP connections to ports 443 and 11115 There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule	There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule	Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated. Eine Änderung wird durch ein Regelupdate direkt durchgeführt. Der Wert muss nicht zuerst auf 0 gesetzt werden!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule	Deactivates the monitoring of UDP connections
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule	Restricts the monitoring of UDP connections to ports 1194 and 1195. (Example for 2 created SSL-VPN tunnels). There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule	There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule notempty Finally, the CLI command system update rule must be entered so that the values in the rules are applied.	For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.

Introduction

Preparations

Internal hostname resolution in SSL-VPN

Push DNS/WINS

Search Domain

Block Outside DNS

Roadwarrior configuration

Setup Wizard

Step 1

Step 2

Step 3

Step 4

Step 5

Completion

Edit connection

Allgemein

Erweitert

Policy

Implied rules

Network objects

Packetfilter rule

Creating users and groups

Group

User

The SSL-VPN Client

Downloading the SSL-VPN client in the user interface

Establish SSL-VPN connection as client

Multiple VPN servers as targets for one connection

Use multiple VPN profiles

Notes

Encryption

Hash method

QoS

Note on upstream routers/modems

IPv6 for incoming connections

Troubleshooting

Connection Rate Limit

Configuration with CLI commands