SSL-VPN Site-to-Site

notempty

Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty

Der Artikel für die neueste Version steht hier

notempty

Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht

}}

Configuration of SSL-VPN site-to-site connections

Last adaptation to the version: 12.7.1

New:

Where necessary, only certificates with a private key part are offered

Show previous changes (12.6.2)

Last updated:

Note, that the static SSL-VPN key must be identical on both sides
Note regarding the address range of the transfer network

notempty

This article refers to a Resellerpreview

12.4.1 11.8.7 11.7.3 11.7 11.6.12

Introduction

SSL-VPN can also be used to establish site-to-site connections. Since this requires the corresponding instance of the service to run explicitly in client or server mode, it is possible to create multiple instances of the SSL-VPN service.

Site-to-Site Server

S2S Server

This method is used when the remote terminal is the initiator of the connection. For this, the service must explicitly start in server mode.

Site-to-Site Client

S2S Client

This method is used when the UTM itself is the initiator of the connection. For this, the service must explicitly start in client mode.

Site-to-Site Server Configuration

notempty

For the S2S server setup, a CA, a server certificate and a client certificate are required.

SSL-VPN Connection

Set up the connection under VPN SSL-VPN Button + Add SSL-VPN connection menu.

Installation wizard

Step 1 S2S Server

Add SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN Installation step 1

In installation step 1 the connection type is selected, the following connections are available:

Roadwarrior Server
Site-to-Site Server
Site-to-Site Client

For the configuration of the Site-to-Site server this is selected.

Step 2 S2S Server

Installation step 2

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be enabled Yes.

Step 3 S2S Server

Local settings for the site-to-site server

Caption	Value	Description	Installation step 3
Name:	S2S-server	Unique name
Protocol:	UDP	Choose desired protocol
Port:	1194	Default port for the first SSL VPN connection. May not be used for any other purpose. For further connections, the next free port is selected.
Server certificate: ‍ Only certificates with a private key can be selected	cs-ttt-point	Selection of the certificate with which the server authenticates itself If a server certificate does not yet exist, it can be created (and if necessary also a CA) in the certificate management. Open with Create a CA in the CA section using the + Add CA button Create a server certificate in the Certificates section using the + Add certificate button. Please note: Server certificate: enable Create the client certificate with the + Add certificate button Both certificates must be created with the same CA! The Client certificate and the associated CA are also needed to configure the remote terminal (client). They must be exported with the button. For use with a UTM as client, the PEM-format is required. Further notes in the Wiki article on the use of certificates.
Share server networks:	» 192.168.175.0/24	Network located at this appliance (VPN server) that is to be accessible via SSL-VPN.

Step 4 S2S Server

In installation step 4, the transfer network for the site-to-site server is entered.

Caption	Value	Description	Installation step 4
Transfer network:	192.168.190.0/24	A network address must be specified that is not used in any network of the involved appliances. The last IP before the broadcast address cannot be used as a client's IP address because it is reserved by the virtual DHCP server.
Server tunnel address:	192.168.190.1/32	The server and client tunnel address is determined automatically.
IPv4 client tunnel address:	192.168.190.2/24

Step 5 S2S Server

Caption	Value	Description	Installation step 5
Name:	S2S-client	Is automatically generated from the name defined in step 3
Client certificate:	.ttt-point.de	Certificate of the client network
Share client networks:	»192.168.174.0/24	Networks of the remote terminal that are to be released. (Input by clicking in the click box and then using the keyboard).
notempty The selected certificate should not be used with any other client / network.

Section General General S2S Server

Already created SSL VPN connections can be edited under VPN SSL-VPN Button .

Caption	Value	Description	Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN Section General
Name:	S2S-Server	Name of the SSL connection
Interface:	tun0	Used interface
Modus:	SERVER	Depending on connection type
Protocol:	UDP (Default) TCP	Select preferred protocol (UDP and TCP can each be limited to IPv4 or IPv6).
Port:	1194	Default port for the first SSL VPN connection. May not be used for any other purpose. For further connections, the next free port is selected.
Authentication:	NONE (Default) LOCAL RADIUS	Select the appropriate authentication method
Certificate:	cs-ttt-point	The certificate used can be changed here
Static SSL-VPN key type:	Off tls-authtls-crypt	Activation of tls-auth causes additional authentication of the control channel tls-crypt causes additional authentication and encryption of the control channel
Static SSL-VPN key: notempty New as of v12.6.1	SSL-VPN S2S	Key for securing the connection The key must be of type OVPN_STATIC_KEY notempty The remote terminal must use the same key! ‍ The key is created on one side and then must be copied to the other side
Static SSL-VPN key: notempty New as of v12.6.1	Open key management	Opens the key management interface to create a key
Data Connection Cipher:	Default	Default settings of OpenSSL are used. notempty The remote terminal must use the same cipher!
Data Connection Cipher:	BF-CBC DES-EDE-CBC DES-EDE3-CBC CAST5-CBC AES-128-CBC AES-192-CBC AES-256-CBC AES-128-GCM AES-192-GCM AES-256-GCM
Data Connection Hash:	Default	Default settings of OpenSSL are used. notempty The remote terminal must use the same hash!
Data Connection Hash:	SHA1 SHA224 SHA256 SHA384 SHA512 whirlpool
Allowed ciphers for auto-negotiation (NCP):		Individual ciphers can be selected from a list
IPv4 Transfer network:	192.168.190.0/24	Enter pool address
IPv6 Transfer network:	/64	Enter pool address
Share server networks globally:		Network IP for networks behind the UTM that are supposed to be accessible via the SSL VPN connection can be edited.
Search Domain:		It only makes sense to specify a search domain for a Roadwarrior connection! Expand Alternatives: 1. Always write out the domain in full 2. Enter the domain in the DHCP server so that it can be assigned 3. Use an Active Directory
Renegotiation:	never 1 hour (Default) 2 hours 4 Stunden 8 Stunden 12 Stunden	Period of time from which the connection is rebrokered

Advanced S2S Server

Caption	Value	Description	Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN Section Advanced
MTU:	1500	Maximum transmission unit of the largest packet (byte)
Max Clients:	1024	Maximum number of clients. If no value is set, the default value of 1024 applies.
Push DNS:	No	Allows DNS transmission Show menu The DNS and WINS can be transmitted automatically. This setting can be enabled in the menu VPN Global VPN Settings
Push WINS:	No	Allows WINS transmission Show menu The DNS and WINS can be transmitted automatically. This setting can be enabled in the menu VPN Global VPN Settings
Multihome:	On	Allows the use of multiple default routes
Allow configured certificates only:	On	Only allocated certificates can still be accepted
LZO:	Off	LZO compression After changing this option, the corresponding client counterparts must adjust their configuration!
Disabled:	No
Pass TOS:	Off	Allows forwarding of TOS packets
Ping interval:	10 seconds	Interval of ping requests
Ping timeout:	120 seconds	Timeout of ping requests
Outgoing buffer size:	65536 Bytes	Controls the size of the buffer for the socket The larger, the more can be stored between. However, this can also increase the latency.
Incoming buffer size:	65536 Bytes	as above
Replay window sequence size:	64	Number of packages within which even older sequence numbers are accepted.
Replay window waiting time:	15 seconds	Time window in which the sequence size is applied at maximum

Other client remote terminals S2S Server

SSL-VPN UTMuser@firewall.name.fqdnVPN SSL-VPN Log Restart Overview of SSL-VPN connections

Additional remote sites that are to be connected via this site-to-site server can be added via the button.
Display of remote sites by clicking on the folder icon .

SSL-VPN Server-Gegenstelle hinzufügen UTMuser@firewall.name.fqdnVPNSSL-VPN Other remote terminals of the S2S-SSL-.VPNs

Rulebook

Implied rules

S2S Server

Implied rules UTMuser@firewall.name.fqdnFirewall Implied rules

Under Firewall Implied Rules section VPN the protocol used for the connection can be enabled. Here On SSL-VPN UDP. This implicit rule frees the ports used for SSL-VPN connections on the WAN interface.

Network objects

S2S Server

A TUN interface was created when the connection was set up. It automatically receives the first IP from the transfer network configured in the connection and a zone "vpn-ssl-<servername>".
To be able to reach the client network of the remote terminal, a network object must be created under Firewall Network Objects Button + Add Object.
The TUN interface of the site-to-site client also receives an IP from this network. This serves as a gateway to the subnet of the site-to-site client. The subnet of the client must be created as a network object and is located in the zone on the associated TUN interface.

Caption	Value	Description	Add Network Object UTMuser@firewall.name.fqdnFirewallNetwork objects Network object for the tunnel network
Name:	sslvpn-S2S-Client-Network	Unique name
Type:	VPN-Netzwerk	If only a single host is to be shared in the client network, VPN host can also be selected here.
Address:	192.168.174.0/24	The network address that was shared as the client network in step 5 Note for multiple client networks If multiple client networks have been shared, a separate network object must be created for each of these networks. Subsequently, the network objects can then be combined into a group.
Zone:	vpn-ssl-S2S-Server	The zone on the S2S server through which the S2S client network is accessed.
Group:		Optional

Packetfilter rules

S2S Server

Packetfilter UTMuser@firewall.name.fqdnFirewall Regeln aktualisieren Packetfilter rules

Menu Firewall Packetfilter Button + Add Rule
Two rules allow access to or from the S2S client network:

	#	Source	Destination	Service	NAT	Action	Activ
Access from the client to the (internal) server network (remote station initiates the connection)	9	sslvpn-S2S-client-network	internal-network	default-internet		Accept	On
Access to the client network (local UTM initiates the connection)	10	internal-network	sslvpn-S2S-client-network	default-internet		Accept	On

Routen

S2S Server

The routes are set automatically.
However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
Menu Network Network configuration Area Routing Button + Add route.
A route should be set so that the network of the remote terminal can be found reliably.

Caption	Value	Description	Add Route UTMuser@firewall.name.fqdn Route for remote terminal
Gateway interface:	tun2	A TUN interface was created when the connection was set up and must be specified here.
Target network:	192.168.174.0/24	The network of the remote terminal (S2S Client)
Route nur bei aufgebauter Verbindung Ausgangslage Es kann gewünscht sein, die Routen für VPN-Verbindungen Nur für interne Prüfzwecke erst dann zu setzen, wenn die Verbindung wirklich steht. Dadurch wird verhindert das Pakete in das Internet geroutet und vom Conntrack gespeichert werden und so einen korrekten Aufbau der Verbindung verhindern. Dies kann von Vorteil sein wenn zum Beispiel VoIP durch den Tunnel gehen soll. Load Balancing über eine zweite Firewall wird deutlich vereinfacht, wenn nur die UTM eine Route bekommt, bei der der Tunnel auch tatsächlich aufgebaut wird. CLI-Befehl Verbindung per SSH oder über Menü Extras CLI : route set id <ID> flags BLACKHOLE_IF_OFFLINE Z.B.: route set id "2" flags BLACKHOLE_IF_OFFLINE Dieser Befehl verwirft Pakete zu diesem Ziel wenn die Route nicht vorhanden ist. Bei SSL-VPN oder bei Wireguard zum Beispiel wenn der Tunnel nicht steht. Zuvor kann mit route get die korrekte Verbindungs-ID ermittelt werden

Site-to-site client configuration

SSL-VPN Connection

Installation wizard

notempty

For the S2S server setup, a CA, a server certificate and a client certificate are required.

Step 1 S2S Client

Add SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN Installation step 1

In installation step 1 the connection type is selected, the following connections are available:

Roadwarrior Server
Site-to-Site Server
Site-to-Site Client

For the configuration of the Site-to-Site Client this is selected.

Step 2 S2S Client

Installation step 2

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be enabled Yes.

Step 3 S2S Client

Local settings for the Site-to-Site Client can be made in step 3. Here you can enter a name for the connection, select protocol, choose a server certificate - by clicking the button with the window you can import a CA and a certificate.

Caption	Value	Description	Installation step 3
Name:	S2S-client	Unique name
Protocol:	UDP	Choose desired protocol It is necessary to select the same protocol as for the site-to-site server.
Client certificate:	CC-S2S-Client-Network1	Selection of the certificate with which the client authenticates itself. The same certificate must be used here that was selected as the certificate of the remote terminal (client) for the site-to-site server in step 5. Open with Section CA Button Import CA Import CA from S2S server Section Certificates Button Import certificate Import the client certificate created on the S2S server .

Step 4 S2S Client

This installation step is omitted for the site-to-site client.

Step 5 S2S Client

Installation step 5

In step 5, the public remote gateway IP address or SPDyn address of the site-to-site server is entered as the remote site.
notempty

The port address must be set with a colon after the IP address.

If port 1194 is used, this specification can be omitted.

Section General General S2S Client

Already created SSL VPN connections can be edited under VPN SSL-VPN Button .

Caption	Value	Description	Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN Section General
Name:	S2S-client	Name of the SSL connection
Interface:	tun4	Used interface
Modus:	CLIENT
Protocol:	UDP (Default) TCP	Choose desired protocol
Certificate:	CC-S2S-Client-Network1	The certificate used can be changed here
Static SSL-VPN key type: notempty New as of v12.6.1	Off tls-authtls-crypt	Activation of tls-auth causes additional authentication of the control channel tls-crypt causes additional authentication and encryption of the control channel
Static SSL-VPN key: notempty New as of v12.6.1	SSL-VPN S2S	Key for securing the connection The key must be of type OVPN_STATIC_KEY
Data Connection Cipher:	Default	Default settings of OpenSSL are used. notempty The remote terminal must use the same cipher!
Data Connection Cipher:	BF-CBC DES-EDE-CBC DES-EDE3-CBC CAST5-CBC AES-128-CBC AES-192-CBC AES-256-CBC AES-128-GCM AES-192-GCM AES-256-GCM
Data Connection Hash:	Default	Default settings of OpenSSL are used. notempty The remote terminal must use the same hash!
Data Connection Hash:	SHA1 SHA224 SHA256 SHA384 SHA512 whirlpool
Allowed ciphers for auto-negotiation (NCP):		Individual ciphers can be selected from a list
Renegotiation:	never 1 hour (Default) 2 hours 4 hours 8 hours 12 hours	Period of time from which the connection is rebrokered

Advanced S2S Client

Caption	Value	Description	Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN Section Advanced
MTU:	1500	Maximum transmission unit of the largest packet (byte)
LZO:	Off	LZO compression After changing this option, the corresponding client counterparts must adjust their configuration!
Disabled:	No
Pass TOS:	Off	Allows forwarding of TOS packets
Ping interval:	10 seconds	Interval of ping requests
Ping timeout:	120 seconds	Timeout of ping requests
Outgoing buffer size:	65536 Bytes
Incoming buffer size:	65536 Bytes
Replay window sequence size:	64
Replay window waiting time:	15 seconds

S2S Client Rulebook

S2S Client Implied rules

Since the site-to-site client establishes the connection to the S2S server and outgoing connections from the firewall itself are always allowed by default, no implicit rules are necessary.

S2S Client Network objects

A new network object can be created under Firewall Network Object Button + Add Object.

Caption	Value	Description	Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork objects Network object for the tunnel network
Name:	sslvpn-S2S-Server-Network	Unique name
Type:	VPN network	If only a single host is to be shared in the server network, VPN host can also be selected here.
Address:	192.168.175.0/24	Note for multiple server networks If several server networks have been shared, a separate network object must be created for each of these networks. The network objects can then be combined into a group.
Zone:	vpn-ssl-S2S-client	the zone on the S2S client through which the S2S server network is accessed.
Group:		Optional

S2S Client Packetfilter rules

S2S Client

Packetfilter UTMuser@firewall.name.fqdnFirewall Regeln aktualisieren Packetfilter rules in the

Menu Firewall Packtfilter Button + Add rule.
Two rules allow access to or from the S2S server network or from the network:

#	Source	Destination	Service	NAT	Action	Activ
5	internal-network	sslvpn-S2S-server-network	default-internet		Accept	On
4	sslvpn-S2S-server-network	internal-network	default-internet		Accept	On

S2S Client Routen

S2S Client

The routes are set automatically.
However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
Menu Network Network configuration Area Routing Button + Add route.
A route should be set so that the network of the remote terminal can be found reliably.

Caption	Value	Description	Add Route UTMuser@firewall.name.fqdn Route for remote terminal
Gateway interface:	tun4	A TUN interface was created when the connection was set up and must be specified here.
Target network:	192.168.175.0/24	The network of the remote terminal (S2S Server)
Route nur bei aufgebauter Verbindung Ausgangslage Es kann gewünscht sein, die Routen für VPN-Verbindungen Nur für interne Prüfzwecke erst dann zu setzen, wenn die Verbindung wirklich steht. Dadurch wird verhindert das Pakete in das Internet geroutet und vom Conntrack gespeichert werden und so einen korrekten Aufbau der Verbindung verhindern. Dies kann von Vorteil sein wenn zum Beispiel VoIP durch den Tunnel gehen soll. Load Balancing über eine zweite Firewall wird deutlich vereinfacht, wenn nur die UTM eine Route bekommt, bei der der Tunnel auch tatsächlich aufgebaut wird. CLI-Befehl Verbindung per SSH oder über Menü Extras CLI : route set id <ID> flags BLACKHOLE_IF_OFFLINE Z.B.: route set id "2" flags BLACKHOLE_IF_OFFLINE Dieser Befehl verwirft Pakete zu diesem Ziel wenn die Route nicht vorhanden ist. Bei SSL-VPN oder bei Wireguard zum Beispiel wenn der Tunnel nicht steht. Zuvor kann mit route get die korrekte Verbindungs-ID ermittelt werden notempty New as of 12.6.2

Note

Multipath

S2S Client

For multipath on the client side, the VPN connection in the client must be bound to an interface.
To bind a client connection to an interface, the CLI command must be used openvpn get to locate the ID of the connection.
The command openvpn set id $ID_DES_TUNNELS local_addr $IP_DES_INTERFACES can then be used to set the outgoing IP.
In addition, a rule route via the corresponding tunX interface is required in the outgoing rule (internal-network → VPN network → $DIENST).

The transparent HTTP proxy

When accessing a server behind the site-to-site connection from the internal network via HTTP, the transparent HTTP proxy may filter the packets. This can lead to errors in the accesses to the target.
To prevent this from happening a rule must be added in the Applications HTTP Proxy Area Transparent Mode Button + Add transparent rule menu:

Add Transparent Rule UTMuser@firewall.name.fqdnApplicationHTTP-Proxy
Protocol:	HTTP
Type:	Exclude
Source:	internal-network
Destination:	name-vpn-netzwerk-objekt

If SSL interception is used, this should be done additionally for the protocol.

Connection Rate Limit

Throttling of access from certain source IPs to recurring ports

notempty

The function is still in the testing phase and will be further expanded.
The function can initially only be configured via the CLI

The function aims to protect against attacks.
SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
The following conditions apply:

Only incoming connections for which a default route exists are monitored
The connections from an IP address to a port of the UTM are counted within one minute
When activated, 5 connections / connection attempts per minute are permitted.
The connections are then limited:
- The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
- With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
- 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
Blocking an IP address only affects access to the port that has been used too often.

Other ports can still be accessed.

The function is activated by default for new installations on 20 UDP connections / minute on all ports
For Updates the function must be manually activated

extc-Variable	Default	Description
CONNECTION_RATE_LIMIT_TCP	0	Number of permitted TCP connections of an IP address per port 0 = Function deactivated, no blocking is performed
CONNECTION_RATE_LIMIT_TCP_PORTS		Ports to be monitored. Empty by default=all ports would be monitored (if activated). Individual ports are separated by spaces: [ 1194 1195 ]
CONNECTION_RATE_LIMIT_UDP	20 / 0 ‍ Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated.	Number of permitted UDP connections of an IP address per port
CONNECTION_RATE_LIMIT_UDP_PORTS		Ports to be monitored. Empty by default=all ports are monitored (only for new installations!). Individual ports are separated by spaces: [ 1194 1195 ]

Configuration with CLI commands

Show configuration with CLI commands

CLI command	Function
extc value get application securepoint_firewall Alternatively as root user: spcli extc value get application securepoint_firewall \| grep RATE	Lists all variables of the securepoint_firewall application. The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit. application \|variable \|value --------------------+-------------------------------+----- securepoint_firewall \|… \|… \|CONNECTION_RATE_LIMIT_TCP \|0 \|CONNECTION_RATE_LIMIT_TCP_PORTS\| \|CONNECTION_RATE_LIMIT_UDP \|20 \|CONNECTION_RATE_LIMIT_UDP_PORTS\|
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule	Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute A change is made directly by a rule update. The value must not be set to 0 first!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule	Deactivates the monitoring of TCP connections
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule	Restricts the monitoring of TCP connections to ports 443 and 11115 There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule	There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule	Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated. A change is made directly by a rule update. The value must not be set to 0 first!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule	Deactivates the monitoring of UDP connections
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule	Restricts the monitoring of UDP connections to ports 1194 and 1195. (Example for 2 created SSL-VPN tunnels). There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule	There must be spaces before and after the square brackets [ ]!
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule notempty Finally, the CLI command system update rule must be entered so that the values in the rules are applied.	For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.

Introduction

Site-to-Site Server

Site-to-Site Client

Site-to-Site Server Configuration

SSL-VPN Connection

Installation wizard

Step 1

Step 2

Step 3

Step 4

Step 5

Section General General S2S Server

Section Advanced

Other client remote terminals

Rulebook

Implied rules

Network objects

Packetfilter rules

Routen

Site-to-site client configuration

SSL-VPN Connection

Installation wizard

Step 1

Step 2

Step 3

Step 4

Step 5

Section General General S2S Client

Section Advanced

S2S Client Rulebook

S2S Client Implied rules

S2S Client Network objects

S2S Client Packetfilter rules

S2S Client Routen

Note

Multipath

The transparent HTTP proxy

Connection Rate Limit

Configuration with CLI commands