This article refers to a version that is no longer current!

The article for the latest version is here.

There is already a newer version of this article, but it refers to a reseller preview.

Phase 1

→ VPN → IPSec → Tab Connections → Button Phase 1

Tab General

Screenshot: UTM v12.2.3 IPSec v1 Phase1 Allgemein-en.png

Allow any remote addresses: On (default)
    Disable this option for site-to-site connections with DynDNS hosts if multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured.
Initiate Connection:
  • Outgoing: The tunnel is initiated by the UTM even if no packets are sent. Incoming requests are accepted.
  • Incoming: The UTM accepts incoming tunnel requests. No outgoing connection is created.
  • Route: The tunnel is initiated by the UTM only when packets are to be sent.
  • Ignore: Deactivates the tunnel.
Dead Peer Detection: On
    Checks at a set interval whether the tunnel still exists. If the tunnel was terminated unexpectedly, the SAs are dismantled (only then is it possible to re-establish a new tunnel).
  • When set to Off, the option Restart after abort in phase 2 is also automatically deactivated.
  • DPD Timeout: 30 seconds (only with IKEv1; new as of 12.2.3). Period before the state under Startup behavior is restored. Under IKEv2 this parameter is not available; the same values are used there as for regular packets.
  • DPD Interval: 10 seconds (new as of 12.2.3). Testing interval.
Compression: Off
    Compression is not supported by all remote stations.

Tab IKE

Settings that must be identical in the UTM and in the client:

Screenshot: UTM v12.2.3 IPSec IKEv1 Phase1 IKE-en.png

Setting                  Default value UTM    Default value NCP client
Encryption:              aes128               AES 128 Bit
Authentication:          sha2_256             Hash: SHA2 256 Bit
Diffie-Hellman Group:    modp2048             IKE DH group: DH2 (modp1024)

Note that the two DH group defaults differ, so one side has to be adjusted before the proposals match.

Tab IKE: more settings

Strict: Off
    Off: The configured parameters (authentication and encryption algorithms) are preferred for connections.
    On: No further proposals are accepted. A connection is only possible with the configured parameters.
IKE Life time: 1 hour
    Validity period of the Security Association in phase 1. (A Security Association is an agreement between two communicating entities in computer networks that describes how the two parties apply security services to communicate securely with each other. When using multiple services, multiple security associations must also be established. Source: Wikipedia 2022)
Rekeying: unlimited (recommended)
    Number of attempts to establish the connection (initially or after an abort). For E2S connections (Roadwarrior), the setting 3 times can avoid endless attempts to connect to devices that are not correctly logged out.

Phase 2

→ VPN → IPSec → Tab Connections → Button Phase 2

Tab General

Settings that must be identical in the UTM and in the client:

Screenshot: UTM v12.2 IPSec S2S Phase2-en.png

Setting              Default value UTM               Default value NCP client
Encryption:          aes128                          AES 128 Bit
Authentication:      sha2_256                        SHA2 256 Bit
DH group (PFS):      modp2048                        none
Key lifetime:        8 hours (validity period of the key in phase 2)
Exchange mode:       Main Mode (not configurable)    Aggressive Mode (IKEv1)
  • Must be changed to Main Mode in the NCP client! The UTM does not support Aggressive Mode for security reasons.

Tab General: more settings

Restart after abort: No
    If the connection was terminated unexpectedly, activating this option restores the state configured under Startup behavior in phase 1.
  • Dead Peer Detection is then automatically activated in phase 1.
Group subnet combinations: Yes (only with IKEv2)
  • If grouping is not supported by the remote station, only the first subnet is connected, even though the status display in the overview indicates otherwise.
  • If this option is deactivated and more than one network is configured on the local side or at the remote gateway, a separate SA is negotiated for each subnet combination. With multiple subnets this results in many subnet combinations and thus many SAs, which, due to the design of the IPsec protocol, leads to limitations and losses in the stability of the connections.
Subnets

Tab Subnets (only with IKEv2)

Scenario: All subnets have access to each other

  • The wizard automatically connects each local network to each remote network.
  • With an SSH login as root, the behavior can be observed particularly well. Example with two subnets on each side.

Group subnet combinations enabled:

    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
      local:  %any
      remote: 192.0.2.192
      local pre-shared key authentication:
        id: 192.168.175.218
      remote pre-shared key authentication:
        id: 192.0.2.192
      IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.218.0/24 192.168.219.0/24
        remote: 192.168.192.0/24 192.168.193.0/24

Group subnet combinations disabled:

    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
      local:  %any
      remote: 192.0.2.192
      local pre-shared key authentication:
        id: 192.168.175.218
      remote pre-shared key authentication:
        id: 192.0.2.192
      IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.218.0/24
        remote: 192.168.192.0/24
      IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.218.0/24
        remote: 192.168.193.0/24
      IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.219.0/24
        remote: 192.168.192.0/24
      IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.219.0/24
        remote: 192.168.193.0/24

Screenshot: UTM v12.2 IPSec S2S Phase2 4Subnetze-en.png (All subnets have access to each other)
Scenario: Not all subnets may access every network of the remote gateway

If in phase 2 a local network is not connected to all remote networks (or a remote network is not connected to all local ones), this is not taken into account while the option Group subnet combinations is active!

The Group subnet combinations option connects all local networks to all remote networks! Port filter rules make it possible to control access.

With an SSH login as root, the behavior can be observed particularly well. Example with two subnets on each side.

Group subnet combinations enabled:

    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
      local:  %any
      remote: 192.0.2.192
      local pre-shared key authentication:
        id: 192.168.175.218
      remote pre-shared key authentication:
        id: 192.0.2.192
      IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.218.0/24 192.168.219.0/24
        remote: 192.168.192.0/24 192.168.193.0/24

Group subnet combinations disabled:

    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
      local:  %any
      remote: 192.0.2.192
      local pre-shared key authentication:
        id: 192.168.175.218
      remote pre-shared key authentication:
        id: 192.0.2.192
      IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.218.0/24
        remote: 192.168.192.0/24
      IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.218.0/24
        remote: 192.168.193.0/24
      IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
        local:  192.168.219.0/24
        remote: 192.168.192.0/24

Screenshot: UTM v12.2 IPSec S2S Phase2 3Subnetze-en.png (The second local subnet is connected only to one remote subnet)
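The difference between the two outputs can be checked mechanically. The following Python script is an added example, not code from this wiki or from the UTM; it parses excerpts of the swanctl output above (embedded here as constructed strings) and reports which subnet pairs a grouped connection tunnels beyond those the administrator intended.

```python
# Added example (not from the wiki page): parse `swanctl --list-conns` output and
# check which local/remote subnet pairs the negotiated CHILD SAs actually cover.
import re
from itertools import product

# Constructed excerpt of the page's output with "Group subnet combinations" enabled
GROUPED = """\
IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
  local:  %any
  remote: 192.0.2.192
  IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
    local:  192.168.218.0/24 192.168.219.0/24
    remote: 192.168.192.0/24 192.168.193.0/24
"""
# Constructed excerpt with grouping disabled: only three of the four combinations
UNGROUPED = """\
IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
  IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
    local:  192.168.218.0/24
    remote: 192.168.192.0/24
  IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
    local:  192.168.218.0/24
    remote: 192.168.193.0/24
  IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
    local:  192.168.219.0/24
    remote: 192.168.192.0/24
"""

CHILD_RE = re.compile(r"^\s+(\S+): TUNNEL")  # start of a CHILD SA section

def parse_children(text):
    """Map each CHILD SA name to its (local_subnets, remote_subnets) selector lists."""
    children, current = {}, None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            current = m.group(1)
            children[current] = ([], [])
        elif current and line.strip().startswith(("local:", "remote:")):
            side, _, nets = line.strip().partition(":")
            children[current][0 if side == "local" else 1].extend(nets.split())
    return children

def reachable_pairs(children):
    """Every (local, remote) pair an SA covers: the product of its selector lists."""
    return {p for loc, rem in children.values() for p in product(loc, rem)}

def unintended_pairs(text, intended):
    """Pairs that are tunnelled although only the `intended` ones were wanted."""
    return reachable_pairs(parse_children(text)) - set(intended)
```

With the three intended pairs of the second scenario, the grouped output yields one extra pair (192.168.219.0/24 to 192.168.193.0/24), while the ungrouped output yields none, which is exactly the case the port filter rules must then cover.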

    Troubleshooting

Detailed troubleshooting instructions can be found in the Troubleshooting Guide.

If an email address is to be used as gateway ID, a double @@ must be inserted in front of the ID (mail@... becomes @@mail@...). Otherwise the ID is treated as an FQDN.