IPSec - End to Site / Roadwarrior

Configuration of an End-to-Site-connection with IPSec for roadwarrior

Changelog

Last adaptation to the version: 11.8

New:

• Design adaptation
• Translation

Previous versions: 11.6.12

Introduction

A roadwarrior connection connects individual hosts to the local network. This allows, for example, a field service employee to connect to the network of the headquarters.
This step-by-step guide shows how to configure an end-to-site connection. The selected connection type is native IPSec with IKEv1.
For native IPSec connections with IKEv1 the client needs a separate program.

Configuration of a native IPSec connection

After logging into the administration interface of the firewall (factory default: https://192.168.175.1:11115) an IPSec connection can be added in the menu → VPN →IPSec Button Add IPSec Connection.

Wizard

Caption	Value	Description
Step 1 Connection Type
Selection of the connection type	The following connections are available: Roadwarrior Site to Site	For the configuration of an E2S / End-to-Site-connection roadwarrior is to be selected.	Wizard step 1
Step 2 General
Name:	IPSec Roadwarrior	Name for the connection	Wizard step 2
Connection Type:	IKEv1 - Native	Possible connection types: IKEv1 - L2TP IKEv1 - XAuth IKEv1 - Native IKEv2 - Native Please note which type is supported by the operating system
Authentication method:	PSK	Alternatively: X.509 Certificate RSA (Not with IKEv2 !)
Pre-Shared Key:	12345	Any PSK. With the button a very strong key is generated.
X.509 Certificate:	Server Certificate	Selection of a certificate
Step 3 Local
Local Gateway ID:	eth0	The gateway ID is included in the authentication. This can be an IP address, a host name or an interface.	Wizard step 3
Share networks:	192.168.122.0/24	The local network to be connected via the VPN connection
Step 4 Remote
Remote Gateway ID:	192.0.2.192 or My_Roadwarrior	If more than one IPSec connection is established, a unique ID should be entered here. The password of incoming connections is validated against the ID of the IPSec connection. If no IP address is specified as ID, further settings must be made for site-to-site connections.	Wizard step 4
IP Address(es):	192.168.222.35	Additional IP address for the roadwarrior with which the IPSec connection is established. If many Roadwarriors should use the same tunnel, a network address can be configured later in Phase 2 / Subnets. For this example, after the wizard has finished, the ip-address just dedicated is edited and for the Remote network the value 192.168.22.0/24 is entered.
Exit the setup wizard with Finish
Set of rules To grant access to the internal network, the connection must be allowed.
Implied rules It is possible, but not recommended to do this with implied rules in → Firewall →Implied Rules section VPN and section IPSec Traffic. However, these implied rules enable the ports used for IPSec connections on all interfaces.			Implied rules, VPN section Implied rules, section IPSec Traffic
Creating a network object → Firewall →PortfilterTab Network objects Button Add object
Name:	ngrp-IPSec-Roadwarrior	Name for the IPSec network object	Network object
Type:	VPN network	type to be selected
Address:	192.168.222.0/24	roadwarrior IP address or the roadwarrior pool entered in the Installation Wizard in step 4 (or subsequently adjusted in phase 2). In this example the network 192.168.222.0/24.
Zone:	vpn-ipsec	zone to be selected
Group:		Optional: Group
Port filter rules		Port filter rule
The first rule allows the IPSec tunnel to be built at all.
Source	internet	Source from which access to the internal network is to be made.
Destination	external-interface	Interface on which the connection is received.
Service	ipsec	Predefined service group for IPSec Service / Protocol, Port isakmp / udp 500 nat-traversal / udp 4500 Protocol esp
A second rule allows the roadwarrior to access the desired network, host or network group.
Source	IPSec Roadwarrior	Roadwarrior host or network
Destination	dmz1-network	Network to be accessed.
Service	xyz	Desired service or service group

Now a connection with a roadwarrior can be established.
A client may have to be used for this. Care must be taken to ensure that the parameters on both sides are identical in all phases of the connection.

When using an NCP client, for example, the parameters

• Diffie-Hellman Group: (UTM) or IKE-DH Group (NCP) and
• DH group (PFS) (UTM) or IKE DH group (NCP)

either in the UTM or in the NCP client.
When using IKEv1, the

• Exchange mode

can be set to the secure Main Mode (IKEv1) in the NCP client.