Overview of the different VPN connection techniques of the Securepoint UTM
Last adaptation: 08.2022
New:
  • Since OpenVPN now also supports ARM processors, the reference to missing ARM support has been removed.
  • NAT on both sides with IKEv2 is still possible but no longer recommended, because downstream routers in local networks frequently do not handle the packets correctly.
This article refers to a Resellerpreview, version 11.8.
This article explains the different techniques for establishing a VPN (Virtual Private Network) connection that are available in the Securepoint UTM and gives an overview of when to use each of them.



Techniques

IPSec VPN

Protocols: IKE, ESP, NAT-Traversal
Ports: 500/UDP (IKE), 4500/UDP (NAT-Traversal)


IPSec is a very secure VPN standard consisting of several protocols that can be used for both site-to-site and end-to-site (Roadwarrior) connections.

However, IPSec has some properties that can negatively affect the establishment and stability of a VPN connection. This applies in particular to connections that are routed into other IP address ranges via NAT, since the IPSec packets then receive a new IP address and a new source port. This is where IPSec NAT traversal comes into play.

In practice, however, there are still stability problems with connections in which the routers that are to establish the VPN connection sit behind a NAT router and therefore have no direct access to the Internet line. Unfortunately, version 2 of the IKE protocol has not changed this.

Nevertheless, to establish the most stable connection possible, using RSA keys instead of a pre-shared key (PSK) for authentication has proven successful.
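As an added illustration of the NAT-traversal mechanism described above (example code written for this article, not Securepoint software): once NAT-T has been negotiated, IKE and ESP both travel on UDP/4500, and a receiver or an analyst looking at a packet capture tells them apart by the RFC 3948 framing: a four-byte zero "non-ESP marker" in front of IKE messages, a single 0xFF byte as NAT keepalive, and otherwise a raw ESP header that starts with a non-zero SPI. The classifier below implements that rule and parses the IKE header to report the IKE major version (1 or 2) and the exchange type. All sample datagrams are constructed for the example; the helper and constant names are this example's own.

```python
"""Classify datagrams seen on UDP/4500 (IPsec NAT-Traversal).

Added example, not Securepoint code. The framing rules follow RFC 3948
(UDP encapsulation of ESP); the IKE header layout follows RFC 2408 (IKEv1)
and RFC 7296 (IKEv2). All sample datagrams are constructed for this example.
"""
import struct
from collections import Counter
from dataclasses import dataclass

NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefix that marks IKE (not ESP) on port 4500
NATT_KEEPALIVE = b"\xff"                 # one-byte keepalive that keeps the NAT mapping open
# Initiator SPI, Responder SPI, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!QQBBBBII")

IKE_EXCHANGE_NAMES = {
    # (major version, exchange type) -> name
    (1, 2): "Identity Protection (Main Mode)",
    (1, 4): "Aggressive",
    (1, 5): "Informational",
    (1, 32): "Quick Mode",
    (2, 34): "IKE_SA_INIT",
    (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA",
    (2, 37): "INFORMATIONAL",
}


@dataclass
class Classification:
    kind: str     # "ike", "esp", "keepalive" or "malformed"
    detail: str


def classify_udp4500(payload: bytes) -> Classification:
    """Classify one UDP/4500 datagram payload by its RFC 3948 framing."""
    if payload == NATT_KEEPALIVE:
        return Classification("keepalive", "NAT-T keepalive")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return Classification("malformed", "non-ESP marker followed by a truncated IKE header")
        ispi, _rspi, _next, version, exch, _flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        major = version >> 4                      # high nibble is the major version
        if length != len(ike):
            return Classification("malformed", f"IKE length field {length} != {len(ike)} bytes carried")
        name = IKE_EXCHANGE_NAMES.get((major, exch), f"exchange type {exch}")
        return Classification("ike", f"IKEv{major} {name}, initiator SPI {ispi:016x}, message ID {msg_id}")
    if len(payload) < 8:
        return Classification("malformed", f"{len(payload)} bytes, too short for an ESP header")
    spi, seq = struct.unpack_from("!II", payload)  # ESP: SPI (never zero) followed by sequence number
    return Classification("esp", f"UDP-encapsulated ESP, SPI {spi:08x}, sequence {seq}")


def summarize(datagrams) -> dict:
    """Count datagram kinds; a healthy NAT-T tunnel shows IKE, then mostly ESP plus periodic keepalives."""
    return dict(Counter(classify_udp4500(d).kind for d in datagrams))


def _ike(major: int, exch: int, ispi: int, flags: int = 0x08) -> bytes:
    """Build a constructed header-only IKE message with the non-ESP marker in front."""
    next_payload = 33 if major == 2 else 1        # SA payload in IKEv2 / IKEv1 numbering
    return NON_ESP_MARKER + IKE_HEADER.pack(ispi, 0, next_payload, major << 4, exch, flags, 0, IKE_HEADER.size)


# Constructed sample datagrams (not captured traffic)
SAMPLE_IKEV2_INIT = _ike(2, 34, 0x0123456789ABCDEF)
SAMPLE_IKEV1_MAIN = _ike(1, 2, 0xFEEDFACECAFEBEEF, flags=0)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x11" * 40   # SPI, seq, opaque encrypted bytes
SAMPLE_DATAGRAMS = [SAMPLE_IKEV2_INIT, SAMPLE_ESP, NATT_KEEPALIVE, SAMPLE_IKEV1_MAIN]

if __name__ == "__main__":
    for datagram in SAMPLE_DATAGRAMS:
        result = classify_udp4500(datagram)
        print(f"{result.kind:10s} {result.detail}")
    print(summarize(SAMPLE_DATAGRAMS))
```

Applied per flow to a real capture, the same logic separates the two failure modes that look identical from the user's side: a tunnel whose port-4500 flow never gets past IKE messages failed during negotiation, while one that shows IKE followed by ESP in only one direction points at the NAT or downstream router dropping the encapsulated data packets.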

SSL VPN

Protocols: SSL, TLS
Ports: 1194/UDP by default; almost any free port can be used, and TCP is also possible.


The Securepoint firewall appliances offer an SSL (Secure Socket Layer) encrypted VPN connection based on the open-source project OpenVPN. OpenVPN is characterized by high flexibility, a relatively simple configuration and good encryption of the data, and thus very high security.
Furthermore, OpenVPN usually has no problems with NATed connections and can therefore also be used as a very stable alternative to IPSec for site-to-site VPN connections.

L2TP VPN

Protocols: L2TP
Ports: 1701/UDP


L2TP (Layer 2 Tunneling Protocol) is a combination of the protocols PPTP (Point-to-Point Tunneling Protocol) and L2F (Layer 2 Forwarding). Since L2TP only supports user authentication but not encryption, it is used together with the IPSec protocol. L2TP is used specifically to connect individual computers to networks.

PPTP VPN

As a proven insecure protocol, PPTP VPN is no longer supported by the UTM.

PPTP VPN has been proven to be an insecure VPN protocol. It is strongly recommended not to use this protocol anymore. Instead, use SSL VPN, IPSec XAuth or IPSec with L2TP for Roadwarrior connections.

Protocols: PPTP, GRE
Ports: 1723/TCP

The Point-to-Point Tunneling Protocol (PPTP) is usually used for Roadwarrior connections.
The VPN connection is initialized via TCP port 1723 and the data flow is then controlled using the Generic Routing Encapsulation protocol (GRE).



Site to Site VPN connections

The following table shows which VPN technology, in our experience, runs most stably in combination with which type of Internet connection.

Columns (Internet connection): ADSL/SDSL, VDSL, Cable connection, LTE, UMTS
Rows (VPN type / NAT situation):
  SSL-VPN, without NAT
  SSL-VPN, NAT on one side
  SSL-VPN, NAT on both sides
  IPSec IKEv2, without NAT
  IPSec IKEv2, NAT on one side
  IPSec IKEv2, NAT on both sides
  IPSec IKEv1, without NAT
  IPSec IKEv1, NAT on one side (ADSL/SDSL and UMTS: with RSA key)
  IPSec IKEv1, NAT on both sides

The rating of each cell was shown as a colour symbol in the original table and is not contained in this text version.

legend:
Recommended
Possible
Not recommended


Table explanation
Due to the properties of SSL VPN or OpenVPN, we have found that a stable VPN connection can almost always be set up with this technology.

RSA keys consist of a private and a public key and provide secure authentication. These key pairs can be generated on any Securepoint appliance and the public keys can be exchanged.

Unfortunately, we repeatedly find that connections via LTE (Long Term Evolution) are NATed by the Internet provider. The connection runs best with a public IP address from the provider. Otherwise, VPN connections via IPSec are usually not stable, if they can be established at all.

Setting up site-to-site connections


Roadwarrior or end-to-site VPN connections

Not all operating systems offer the possibility to use all VPN techniques.

The following table provides an overview.

Columns (VPN technique): SSL-VPN, IPSec IKEv1, IPSec IKEv2, IPSec XAuth, L2TP / IPSec
Rows (operating system):
  Windows XP (note in the table: "Version only 1.0.1")
  Windows Vista
  Windows 7
  Windows RT
  Windows 8
  Windows 8.1
  Windows 10 (note in the table: "as of Ver.2")
  Windows Server 2003R2
  Windows Server 2008
  Windows Server 2008R2
  Windows Server 2012
  Windows Server 2012R2
  Windows Phone 7
  Windows Phone 8
  Windows Phone 8.1
  Linux (SSL-VPN client: OpenVPN)
  Apple OS X (SSL-VPN client: Tunnelblick)
  Apple iOS (SSL-VPN client: OpenVPN)
  Android (SSL-VPN client: OpenVPN)

The rating of each cell was shown as a colour symbol in the original table and is not contained in this text version.

legend:
Recommended
Not recommended
not possible

Table explanation
OpenVPN clients are currently available for almost all systems; OpenVPN is easy to set up, stable and secure.
With the Securepoint client, the configuration is already included via the user setup, so the client only has to be installed (Installer) or started (Portable).

For the OpenVPN clients or Tunnelblick, the finished configuration including the required certificates is downloaded and imported into the client. This is also easy to do. Only for Apple iOS do the certificates have to be copied into the configuration file, so that the OpenVPN client only has to access a single file. You can find the corresponding instructions in the Wiki.

On a Windows Phone 8, IPSec and L2TP VPN are only supported beginning with version 8.1.

For Linux and Unix, it depends heavily on the distribution which IPSec VPN client is included.

The note "with client" refers to our experience with the TheGreenBow or NCP client. Otherwise, except for SSL-VPN, we assume the built-in VPN clients that the operating systems ship with.

There are recurring problems with the stability of a VPN connection if a router/modem in front of the appliance also has an active firewall. Please disable any firewall functionality on these devices.

Since PPTP VPN is too insecure and L2TP/IPSec under Windows disconnects every hour, we do not recommend these two methods.


Windows XP and Windows Vista are no longer supported by Microsoft and as a rule no longer receive security updates. We therefore also see a risk for the network to which such a computer connects via VPN.

Likewise, Windows 7 should only be used if the extended security updates (ESU) are obtained.
If this is not the case, Windows 7 is also to be classified as insecure and poses a threat to networks.

Setting up the Roadwarrior connections