Configuration of an End-to-Site-connection with IPSec for roadwarrior
Last adaptation to the version: 11.8
- Design adaptation
Previous versions: 11.6.12
A roadwarrior connection connects individual hosts to the local network. This allows, for example, a field service employee to connect to the network of the headquarters.
This step-by-step guide shows how to configure an end-to-site connection. The selected connection type is native IPSec with IKEv1.
For native IPSec connections with IKEv1 the client needs a separate program.
Configuration of a native IPSec connection
After logging into the administration interface of the firewall (factory default: https://192.168.175.1:11115), an IPSec connection can be added in the IPSec menu.
Step 1 Connection Type
|Connection type:||roadwarrior||The following connection types are available for selection; for the configuration of an E2S / end-to-site connection, roadwarrior is to be selected.|
Step 2 General
|Name:||IPSec Roadwarrior||Name for the connection|
|Authentication:||Pre-Shared Key or X.509 certificate||Please note which authentication type is supported by the client's operating system.|
|Pre-Shared Key:||12345||Any PSK. With the generate button a very strong key is created.|
|X.509 Certificate:||Selection of a certificate|
Step 3 Local
|Local Gateway ID:||eth0||The gateway ID is included in the authentication. This can be an IP address, a host name or an interface.|
|Share networks:||192.168.122.0/24||The local network to be connected via the VPN connection|
Step 4 Remote
|Remote Gateway ID:||192.0.2.192||If more than one IPSec connection is established, a unique ID should be entered here. The password of incoming connections is validated against the ID of the IPSec connection. If no IP address is specified as ID, further settings must be made for site-to-site connections.|
|IP Address(es):||192.168.222.35||Additional IP address for the roadwarrior with which the IPSec connection is established.|
For this example, the subnet just created is edited after the wizard has finished and the value 192.168.222.0/24 is entered for the remote network.
Exit the setup wizard with the corresponding button.
Set of rules
To grant access to the internal network, the connection must be allowed.
Creating a network object
A network object is created in the Network objects tab.
|Name:||ngrp-IPSec-Roadwarrior||Name for the IPSec network object|
|Type:||VPN network||type to be selected|
|Address:||192.168.222.0/24||Roadwarrior IP address or the roadwarrior pool entered in the installation wizard in step 4 (or subsequently adjusted in phase 2). In this example the network 192.168.222.0/24.|
|Zone:||vpn-ipsec||zone to be selected|
Port filter rules
The first rule allows the IPSec tunnel to be built at all.
|Source:||internet||Source from which access to the internal network is to be made.|
|Destination:||external-interface||Interface on which the connection is received.|
|Service:||ipsec||Predefined service group for IPSec: isakmp (udp/500), nat-traversal (udp/4500) and the esp protocol.|
A second rule allows the roadwarrior to access the desired network, host or network group.
|Source:||IPSec Roadwarrior||Roadwarrior host or network|
|Destination:||dmz1-network||Network to be accessed.|
|Service:||xyz||Desired service or service group|
Now a connection with a roadwarrior can be established.
A client may have to be used for this. Care must be taken to ensure that the parameters on both sides are identical in all phases of the connection.
When using an NCP client, for example, the parameters
- Diffie-Hellman Group (UTM) or IKE DH Group (NCP) and
- DH group (PFS) (UTM) or IKE DH group (NCP)
must be adjusted so that they match, either in the UTM or in the NCP client.
When using IKEv1, the
- Exchange mode
can be set to the secure Main Mode (IKEv1) in the NCP client.
|Caption||Default values UTM||Default values NCP client|
|Encryption:||AES 128 Bit||
|Authentication:||Hash: SHA2 256 Bit||
|Diffie-Hellman Group:||IKE DH Group: DH2 (modp1024)||
|Encryption:||AES 128 Bit||
|Authentication:||SHA2 256 Bit||
|Key lifetime:||8 hours||
|Restart on abort:||||
|Exchange mode:||Main Mode (not configurable)||Aggressive Mode (IKEv1)|
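As an added example that is not part of the Securepoint documentation (which describes the NCP client), here is the roadwarrior side of the same connection written as a strongSwan ipsec.conf entry, using the IDs, networks and phase 1 / phase 2 defaults from this guide. The UTM's public address, the UTM gateway ID as seen by the client, and the PFS group are placeholders or assumptions, since the page does not state them.

```conf
# /etc/ipsec.conf (strongSwan, legacy stroke interface), roadwarrior side.
# Added example; values taken from the guide above, placeholders marked.
conn utm-roadwarrior
    keyexchange=ikev1
    # Main Mode: the UTM exchange mode is Main Mode and not configurable.
    aggressive=no
    # PSK authentication, as chosen in step 2 of the wizard.
    authby=secret
    left=%defaultroute
    # Must equal the Remote Gateway ID entered in step 4 of the wizard;
    # the UTM validates the PSK of an incoming connection against this ID.
    leftid=192.0.2.192
    # Address the UTM assigns to this roadwarrior (step 4).
    leftsourceip=192.168.222.35
    # Public address of the UTM's external interface: placeholder.
    right=UTM_PUBLIC_IP
    # Local Gateway ID of the UTM (eth0 in the guide, i.e. the address
    # of that interface): placeholder.
    rightid=UTM_GATEWAY_ID
    # Shared network from step 3.
    rightsubnet=192.168.122.0/24
    # Phase 1 defaults from the table: AES 128, SHA2 256, DH group 2.
    # modp1024 is the documented default; a higher group is preferable
    # when both sides support it.
    ike=aes128-sha256-modp1024!
    # Phase 2 defaults: AES 128, SHA2 256. The PFS group must match the
    # UTM "DH group (PFS)" setting; modp1024 is an assumption here.
    esp=aes128-sha256-modp1024!
    # Key lifetime of 8 hours from the table (assumed to be the IKE SA).
    ikelifetime=8h
    auto=add

# /etc/ipsec.secrets: the PSK from step 2. "12345" is the guide's
# example value; use the key generated by the UTM in practice.
# 192.0.2.192 %any : PSK "12345"
```

The ike and esp lines are the ones to compare with the NCP table above when a tunnel fails in phase 1 or phase 2: both peers must offer the same cipher, hash and DH group.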