

Configuration of an End-to-Site-connection with IPSec for roadwarrior


Last adaptation to the version: 11.8


  • Design adaptation
  • Translation

Previous versions: 11.6.12


A roadwarrior connection connects individual hosts to the local network. This allows, for example, a field service employee to connect to the network of the headquarters.
This step-by-step guide shows how to configure an end-to-site connection. The selected connection type is native IPSec with IKEv1.
For native IPSec connections with IKEv1 the client needs a separate program.

Configuration of a native IPSec connection

After logging into the administration interface of the firewall (factory default: an IPSec connection can be added in the menu → VPN → IPSec with the button Add IPSec Connection.


Caption Value Description
Step 1 Connection Type
Selection of the connection type The following connections are available:
  • Roadwarrior
  • Site to Site
For the configuration of an E2S / End-to-Site connection, Roadwarrior is to be selected.
Wizard step 1

Step 2 General

Name: IPSec Roadwarrior Name for the connection
Wizard step 2
Connection Type: IKEv1 - Native
Possible connection types:

IKEv1 - L2TP
IKEv1 - XAuth
IKEv1 - Native
IKEv2 - Native

Please note which type is supported by the operating system.

Authentication method: PSK Alternatively:
  • X.509 Certificate
  • RSA (not with IKEv2!)
Pre-Shared Key: 12345 Any PSK. With the button a very strong key is generated.
X.509 Certificate: Server Certificate Selection of a certificate

Step 3 Local

Local Gateway ID: eth0 The gateway ID is included in the authentication. This can be an IP address, a host name or an interface.
Wizard step 3
Share networks: The local network to be connected via the VPN connection

Step 4 Remote

Remote Gateway ID:
If more than one IPSec connection is established, a unique ID should be entered here. The password of incoming connections is validated against the ID of the IPSec connection. If no IP address is specified as ID, further settings must be made for site-to-site connections.
Wizard step 4
IP Address(es): Additional IP address for the roadwarrior with which the IPSec connection is established.
  • If many Roadwarriors should use the same tunnel, a network address can be configured later in Phase 2 / Subnets.
    For this example, after the wizard has finished, the subnet that was just created is edited and the value is entered for the remote network.
  • Exit the setup wizard with Finish

    Set of rules

    To grant access to the internal network, the connection must be allowed.

    Implied rules

    It is possible, but not recommended, to do this with implied rules in → Firewall → Implied Rules, sections VPN and IPSec Traffic. However, these implied rules enable the ports used for IPSec connections on all interfaces.
    Implied rules, VPN section

    Implied rules, section IPSec Traffic

    Creating a network object

    → Firewall → Portfilter, tab Network objects, button Add object

    Name: ngrp-IPSec-Roadwarrior Name for the IPSec network object
    Network object
    Type: VPN network type to be selected
    Address: roadwarrior IP address or the roadwarrior pool entered in the Installation Wizard in step 4 (or subsequently adjusted in phase 2).
    In this example the network
    Zone: vpn-ipsec zone to be selected
    Group:     Optional: Group

    Port filter rules

    Port filter rule
    The first rule allows the IPSec tunnel to be built at all.
    Source: internet. Source from which access to the internal network is to be made.
    Destination: external-interface. Interface on which the connection is received.
    Service: ipsec. Predefined service group for IPSec. Service / Protocol, Port: isakmp / udp 500, nat-traversal / udp 4500, protocol esp.

    A second rule allows the roadwarrior to access the desired network, host or network group.
    Source: IPSec Roadwarrior. Roadwarrior host or network.
    Destination: dmz1-network. Network to be accessed.
    Service: xyz. Desired service or service group.

    Now a connection with a roadwarrior can be established.
    A client may have to be used for this. Care must be taken to ensure that the parameters on both sides are identical in all phases of the connection.

    When using an NCP client, for example, the parameters

    • Diffie-Hellman Group (UTM) or IKE DH Group (NCP) and
    • DH group (PFS) (UTM) or IKE DH group (NCP)

    must be adjusted either in the UTM or in the NCP client.
    When using IKEv1, the

    • Exchange mode

    can be set to the secure Main Mode (IKEv1) in the NCP client.

    Default values IKEv1 / IKEv2

    Caption                  Default values UTM            Default values NCP client

    Phase 1
    Encryption:              aes128                        AES 128 Bit
    Authentication:          sha2_256                      Hash: SHA2 256 Bit
    Diffie-Hellman Group:    modp2048                      IKE DH Group: DH2 (modp1024)
    Strict:                  Off
    IKE Lifetime:            1 hour
    Rekeying:                default

    Phase 2
    Encryption:              aes128                        AES 128 Bit
    Authentication:          sha2_256                      SHA2 256 Bit
    DH group (PFS):          modp2048                      none
    Key lifetime:            8 hours                       8 hours
    Restart on abort:        Off
    Exchange mode            Main Mode (not configurable)  Aggressive Mode (IKEv1)
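
The requirement that the parameters be identical on both sides can be checked before the first connection attempt. The following is an added example, not part of the original guide or of either product: it normalises the differing vendor spellings from the defaults table above, lists the parameters that do not match, and flags the settings on one side that should be raised rather than copied to the other. The dictionary keys, the alias map and the choice of what counts as weak are assumptions of this example.

```python
import re

# Vendor spellings mapped to one canonical name. DH group numbers follow
# RFC 2409 / RFC 3526; "none" means no PFS group is configured.
ALIASES = {"dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048", "none": ""}

# Defaults from the table on this page; the key names are this example's own.
UTM = {"p1_encryption": "aes128", "p1_authentication": "sha2_256",
       "p1_dh_group": "modp2048", "p2_encryption": "aes128",
       "p2_authentication": "sha2_256", "p2_pfs_group": "modp2048",
       "p2_key_lifetime": "8 hours", "exchange_mode": "Main Mode"}
NCP = {"p1_encryption": "AES 128 Bit", "p1_authentication": "SHA2 256 Bit",
       "p1_dh_group": "DH2", "p2_encryption": "AES 128 Bit",
       "p2_authentication": "SHA2 256 Bit", "p2_pfs_group": "none",
       "p2_key_lifetime": "8 hours", "exchange_mode": "Aggressive Mode"}


def norm(value):
    """Lower-case, drop spaces/punctuation and a trailing 'bit', apply aliases."""
    v = re.sub(r"[^a-z0-9]", "", value.lower())
    if v.endswith("bit"):
        v = v[:-3]
    return ALIASES.get(v, v)


def mismatches(a, b):
    """Parameters whose normalised values differ between the two peers."""
    return sorted(k for k in a.keys() | b.keys()
                  if norm(a.get(k, "")) != norm(b.get(k, "")))


def weak_settings(proposal):
    """Flag Aggressive Mode, a 1024-bit DH group and missing PFS (example policy)."""
    found = []
    if norm(proposal.get("exchange_mode", "")) == "aggressivemode":
        found.append("exchange_mode")
    for key in ("p1_dh_group", "p2_pfs_group"):
        if norm(proposal.get(key, "")) in ("", "modp1024"):
            found.append(key)
    return found


if __name__ == "__main__":
    for key in mismatches(UTM, NCP):
        print(f"mismatch {key}: UTM={UTM[key]!r} NCP={NCP[key]!r}")
    print("weak on NCP side:", weak_settings(NCP))
```

With the defaults from the table, all three mismatches fall on settings where the NCP side is the weaker one, so the adjustment belongs in the NCP client.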