For an IPSec connection, there are recommended configurations for each network setup so that a tunnel can be established reliably. A distinction is made between whether the public IP address is located directly on the UTM or whether the connection is NATed by an upstream router. Whether there are multiple Internet lines also plays a role.
Single path with public IP addresses
The following explains what an IPSec VPN configuration looks like when there is only one Internet line on each side of the connection and the public IP addresses are assigned directly to the UTM. This is the case, for example, if an ADSL modem (not a router) is connected to the external interface.
Head office
Network defaults
For the connection of a modem to the UTM, a PPPoE interface and a default route via this interface are set up. In our case, it is the first PPPoE interface, which is then given the name wan0.
The default route is created under → Network → Network Configuration, tab Routing, button + Add Default Route, selecting the previously created PPPoE interface as the gateway.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
Interface or IP address of the UTM through which the tunnel is established (in this scenario the PPPoE interface wan0).
Local Gateway ID:
The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. The remote station must enter exactly this value as its Remote Host/Gateway ID.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
A pre-shared key, a certificate or an RSA key can be used.
Pre-Shared Key:
Enter the key here or let the UTM generate a very strong one. The same key must be entered on the remote station.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
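How DPD Interval and DPD Timeout interact is easier to see on a timeline than in the two field descriptions. The following is an added example in Python (not the UTM's own code and not taken from the Securepoint documentation): it simulates a remote station that stops answering at a chosen moment and reports when the UTM would declare it dead and what the configured Start behavior then does. The interval of 30 s, the timeout of 120 s and the peer behaviour are assumed values for the simulation, not UTM defaults.

```python
"""Simulate how DPD Interval and DPD Timeout interact.

Added example, not part of the Securepoint documentation and not the
UTM's implementation. It models the behaviour described for the two DPD
fields: a keep-alive request goes out every `interval` seconds, and once
`timeout` seconds have passed without any answer the remote station is
declared dead and the state chosen under Start behavior is restored.
The peer behaviour and all timings are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdResult:
    dead_at: Optional[float]          # clock time at which the peer was declared dead
    action: str                       # what the UTM does afterwards
    requests_sent: List[float] = field(default_factory=list)


def run_dpd(interval: float, timeout: float, start_behavior: str,
            peer_alive_until: float, horizon: float) -> DpdResult:
    """Advance a simulated clock from 0 to `horizon` seconds.

    The constructed peer answers every request sent at or before
    `peer_alive_until` (zero round-trip time assumed) and ignores all
    later ones, as if its line or its NAT mapping had gone away.
    """
    last_answer = 0.0              # the completed IKE exchange counts as proof of life at t=0
    sent: List[float] = []
    t = interval
    while t <= horizon:
        sent.append(t)
        if t <= peer_alive_until:
            last_answer = t
        elif t - last_answer >= timeout:
            # Outgoing re-initiates; Incoming clears the SA and waits for the peer.
            action = ("re-initiate" if start_behavior == "Outgoing"
                      else "clear SA and wait for peer")
            return DpdResult(dead_at=t, action=action, requests_sent=sent)
        t += interval
    return DpdResult(dead_at=None, action="tunnel still up", requests_sent=sent)


def detection_delay(interval: float, timeout: float, failed_at: float) -> float:
    """Seconds between the peer's failure and the dead verdict.

    Liveness is only re-evaluated when a request is sent, so the verdict
    can come up to one interval later than `timeout` after the last answer.
    """
    result = run_dpd(interval, timeout, "Outgoing", failed_at,
                     failed_at + timeout + 2 * interval)
    assert result.dead_at is not None
    return result.dead_at - failed_at


if __name__ == "__main__":
    r = run_dpd(interval=30, timeout=120, start_behavior="Outgoing",
                peer_alive_until=100, horizon=600)
    print(f"peer silent after t=100s, declared dead at t={r.dead_at}s -> {r.action}")
    print(f"detection delay: {detection_delay(30, 120, 100)}s")
```

With these values the peer goes silent at 100 s, the last answered request was at 90 s, and the verdict comes at 210 s, i.e. 120 s after the last answer but 110 s after the actual failure. A short interval therefore mainly buys faster detection; the timeout decides how long a transient outage (for example a PPPoE reconnect) may last before the tunnel is torn down and re-established.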
Branch
Network defaults
For the connection of a modem to the UTM, a PPPoE interface and a default route via this interface are set up. In our case, it is the first PPPoE interface, which is then given the name wan0.
The default route is created under → Network → Network Configuration, tab Routing, button + Add Default Route, selecting the previously created PPPoE interface as the gateway.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
Interface or IP address of the UTM through which the tunnel is established (in this scenario the PPPoE interface wan0).
Local Gateway ID:
The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. The remote station must enter exactly this value as its Remote Host/Gateway ID.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
A pre-shared key, a certificate or an RSA key can be used.
Pre-Shared Key:
Enter the key here or let the UTM generate a very strong one. The same key must be entered on the remote station.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Single path with one nated side
The following explains what an IPSec VPN configuration looks like when there is only one Internet line on each side of the connection, but only one side has the public IP address directly on the UTM. The other side sits behind a router that gives the UTM Internet access via a transfer network and performs NAT. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
Head office
Network defaults
For the connection of a modem to the UTM, a PPPoE interface and a default route via this interface are set up. In our case, it is the first PPPoE interface, which is then given the name wan0.
The default route is created under → Network → Network Configuration, tab Routing, button + Add Default Route, selecting the previously created PPPoE interface as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
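The three export formats carry the same DER-encoded public key, so the fingerprint that both administrators compare must come out identical whichever format was used for the transfer. The following is an added example in Python (not the UTM's own code and not from the Securepoint documentation) that normalises a PEM, HEX or Base64 export back to its DER bytes and computes a SHA-256 fingerprint over them; it serves the RSA key step in all of the NATed scenarios on this page. The sample key is a constructed SubjectPublicKeyInfo with a toy modulus that only produces a valid structure offline; a real export from the UTM would be pasted in its place.

```python
"""Compare an exported RSA public key with the copy imported on the other
side, independent of the export format (PEM, HEX or Base64).

Added example, not part of the Securepoint documentation. The sample key
below is a constructed toy SubjectPublicKeyInfo (tiny modulus, unusable
for real IPsec); a real export would be pasted in its place.
"""
import base64
import binascii
import hashlib
import re

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def toy_spki(modulus: int, exponent: int) -> bytes:
    """Build SubjectPublicKeyInfo DER for an RSA public key (toy sizes)."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    bit_string = _der(0x03, b"\x00" + rsa_pub)      # 0 unused bits
    return _der(0x30, _RSA_ALG_ID + bit_string)


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def normalize(exported: str) -> bytes:
    """Return the DER bytes behind a PEM, HEX or Base64 export."""
    text = exported.strip()
    if text.startswith("-----BEGIN"):
        body = re.sub(r"-----[A-Z ]+-----", "", text)
        return base64.b64decode("".join(body.split()))
    compact = "".join(text.split())
    # DER starts with 0x30, so its Base64 starts with "M" and is never all-hex.
    if re.fullmatch(r"[0-9a-fA-F]+", compact) and len(compact) % 2 == 0:
        return binascii.unhexlify(compact)
    return base64.b64decode(compact, validate=True)


def fingerprint(exported: str) -> str:
    """SHA-256 over the DER encoding, colon separated, format independent."""
    digest = hashlib.sha256(normalize(exported)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_key(exported: str, imported: str) -> bool:
    """True only if both copies encode the identical public key."""
    return normalize(exported) == normalize(imported)


# Constructed sample: toy modulus, not a real key.
SAMPLE_DER = toy_spki(modulus=0xC0FFEE1234567890ABCDEF, exponent=65537)
SAMPLE_PEM = to_pem(SAMPLE_DER)
SAMPLE_HEX = SAMPLE_DER.hex()
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    print("head office exported (PEM):", fingerprint(SAMPLE_PEM))
    print("branch imported (HEX):     ", fingerprint(SAMPLE_HEX))
    print("identical key:", same_key(SAMPLE_PEM, SAMPLE_HEX))
```

Read the fingerprint out over the telephone after the import on each side; if the two values differ, the key was altered or mixed up in transit and the connection must not be enabled until a fresh export has been exchanged.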
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
Interface or IP address of the UTM through which the tunnel is established (in this scenario the PPPoE interface wan0).
Local Gateway ID:
The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. The branch office must enter exactly this value as its Remote Host/Gateway ID.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station; since the branch office is behind a router, this is the public address of that router.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the branch office.
Start behavior:
Select Incoming: the head office waits for the branch office to initiate the connection. The branch office is the natural initiator here, because its public address belongs to its ADSL router and inbound IKE packets would otherwise have to be forwarded by that router.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Branch
Network defaults
In this scenario, the branch office is the remote end of the IPSec connection and is NATed by the ADSL router on the transfer network. The public IP address is therefore not located directly on the external interface of the UTM.
In the default route, the IP address of the ADSL router on the transfer network is entered as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
External interface of the UTM; in this scenario it carries an address from the transfer network, not the public IP address.
Local Gateway ID:
Because of the transfer network to the ADSL router, the public IP address is not on the interface, so an ID derived from the interface would be the private transfer network address. Use a host name or another fixed string as the ID instead, and enter exactly this value as Remote Host/Gateway ID on the head office.
Remote Host/Gateway:
The public IP address of the head office is entered here.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the head office (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the head office.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically. The NATed branch office must be the initiator, because the ADSL router only passes the answers to a negotiation that the UTM started itself.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Single-path nated on both sides
The following explains what an IPSec VPN configuration looks like when there is only one Internet line on each side of the connection and both sides are behind a router that gives the UTM Internet access via a transfer network and performs NAT. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
This configuration is not recommended by Securepoint because it is usually unstable, if it can be established at all. With NAT on both sides, neither UTM can receive the initial IKE negotiation unless the router in front of it forwards UDP port 500 and UDP port 4500 (NAT traversal) to it, and the tunnel then depends on the NAT mappings of two routers staying intact. An OpenVPN site-to-site connection is recommended for this scenario.
Head office
Network defaults
In this scenario, the head office establishes the IPSec connection via an Internet line that is NATed by the ADSL router on the transfer network. The public IP address is therefore not located directly on the external interface of the UTM.
In the default route, the IP address of the ADSL router on the transfer network is entered as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
External interface of the UTM; in this scenario it carries an address from the transfer network, not the public IP address.
Local Gateway ID:
Because of the transfer network to the ADSL router, the public IP address is not on the interface, so an ID derived from the interface would be the private transfer network address. Use a host name or another fixed string as the ID instead, and enter exactly this value as Remote Host/Gateway ID on the branch office.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station; since the branch office is behind a router, this is the public address of that router.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the branch office.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Branch
Network defaults
In this scenario, the branch office, as the IPSec VPN remote station, is also NATed by an ADSL router on the transfer network. The public IP address is therefore not located directly on the external interface of the UTM.
In the default route, the IP address of the ADSL router on the transfer network is entered as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
External interface of the UTM; in this scenario it carries an address from the transfer network, not the public IP address.
Local Gateway ID:
Because of the transfer network to the ADSL router, the public IP address is not on the interface, so an ID derived from the interface would be the private transfer network address. Use a host name or another fixed string as the ID instead, and enter exactly this value as Remote Host/Gateway ID on the head office.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station; since the head office is behind a router, this is the public address of that router.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the head office.
Start behavior:
Select Incoming: this side waits for the head office to initiate the connection. Because the public IP address is on the ADSL router, the router must forward UDP port 500 and UDP port 4500 (NAT traversal) to the external interface of the UTM, otherwise the head office cannot reach the branch office at all.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Multipath with public IP addresses
The following explains what an IPSec VPN configuration looks like if there are several Internet lines on one side and the public IP addresses are assigned directly to the UTM on both sides. This is the case, for example, if an ADSL modem (not a router) is connected to the external interface.
Head office
Network defaults
In this scenario, we assume that the head office has multiple connections to the Internet. Here, the IPSec VPN connection is to be established via an Internet access with a directly connected DSL modem. In our case, it is the first PPPoE interface, which is then given the name wan0. It is also important at this point that the VPN zones vpn-ipsec and firewall-vpn-ipsec are bound to the interface through which the VPN connection is to be created.
Since several Internet connections are used simultaneously in this example, there are also several default routes (multipath routing). The IPSec zones must therefore be bound to the interface the tunnel actually uses, otherwise the port filter rules do not match the VPN traffic. If different VPN connections are to be established via different Internet connections, additional VPN zones must be created.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
The PPPoE interface wan0 of the Internet line through which the tunnel is to run; with several Internet lines this choice decides which line carries the VPN.
Local Gateway ID:
The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. The remote station must enter exactly this value as its Remote Host/Gateway ID.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
A pre-shared key, a certificate or an RSA key can be used.
Pre-Shared Key:
Enter the key here or let the UTM generate a very strong one. The same key must be entered on the remote station.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Branch
Network defaults
Here, too, a modem is connected to the UTM, a PPPoE interface is set up and a default route via this interface is created. In this case as well it is the first PPPoE interface, which is then given the name wan0.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
Interface or IP address of the UTM through which the tunnel is established (in this scenario the PPPoE interface wan0).
Local Gateway ID:
The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. The remote station must enter exactly this value as its Remote Host/Gateway ID.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the head office on the Internet line selected there for the VPN.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
A pre-shared key, a certificate or an RSA key can be used.
Pre-Shared Key:
Enter the key here or let the UTM generate a very strong one. The same key must be entered on the remote station.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Multipath with one side nated
The following explains what an IPSec VPN configuration looks like if there are multiple Internet lines on one side and the public IP addresses are assigned directly to the UTM there. The other side sits behind a router that gives the UTM Internet access via a transfer network and performs NAT. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
Head office
Network defaults
In this scenario, we assume that the head office has multiple connections to the Internet. Here, the IPSec VPN connection is to be established via an Internet access with a directly connected DSL modem. In our case, it is the first PPPoE interface, which is then given the name wan0. It is also important at this point that the VPN zones vpn-ipsec and firewall-vpn-ipsec are bound to the interface through which the VPN connection is to be created.
Since several Internet connections are used simultaneously in this example, there are also several default routes (multipath routing). The IPSec zones must therefore be bound to the interface the tunnel actually uses, otherwise the port filter rules do not match the VPN traffic. If different VPN connections are to be established via different Internet connections, additional VPN zones must be created.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
The PPPoE interface wan0 of the Internet line through which the tunnel is to run; with several Internet lines this choice decides which line carries the VPN.
Local Gateway ID:
The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. In this scenario the head office has the public IP address directly on wan0, so the address or the interface can be used; the branch office must enter exactly this value as its Remote Host/Gateway ID.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station; since the branch office is behind a router, this is the public address of that router.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the branch office.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Branch
Network defaults
In this scenario, the branch office is connected to the Internet via an ADSL router. This means that there is a transfer network, in our example 192.168.2.0/24, on which the router performs NAT. The public IP address is therefore not located directly on the external interface of the UTM.
In the default route, the IP address of the ADSL router on the transfer network is entered as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
External interface of the UTM; in this scenario it carries an address from the transfer network 192.168.2.0/24, not the public IP address.
Local Gateway ID:
Because of the transfer network to the ADSL router, the public IP address is not on the interface, so an ID derived from the interface would be the private transfer network address. Use a host name or another fixed string as the ID instead, and enter exactly this value as Remote Host/Gateway ID on the head office.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the head office on the Internet line selected there for the VPN.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the head office.
Start behavior:
Select Incoming: this side waits for the head office to initiate the connection. Because the public IP address is on the ADSL router, the router must forward UDP port 500 and UDP port 4500 (NAT traversal) to the external interface of the UTM, otherwise the head office cannot reach the branch office at all.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Multipath nated on both sides
The following explains what an IPSec VPN configuration looks like when there are multiple Internet lines on one side and both sides of the connection are behind a router that gives the UTM Internet access via a transfer network and performs NAT. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM. This configuration is not recommended by Securepoint because it is usually unstable, if it can be established at all: with NAT on both sides, neither UTM can receive the initial IKE negotiation unless the router in front of it forwards UDP port 500 and UDP port 4500 (NAT traversal) to it, and the tunnel then depends on the NAT mappings of two routers staying intact. We recommend an OpenVPN site-to-site connection for this scenario.
Head office
Network defaults
In this scenario, we assume that the head office has multiple connections to the Internet. Here, the head office establishes the IPSec connection via an Internet line that is NATed by an ADSL router on the transfer network. The public IP address is therefore not located directly on the external interface of the UTM.
In the default route, the IP address of the ADSL router on the transfer network is entered as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
External interface of the UTM on the Internet line through which the tunnel is to run; in this scenario it carries an address from the transfer network, not the public IP address.
Local Gateway ID:
Because of the transfer network to the ADSL router, the public IP address is not on the interface, so an ID derived from the interface would be the private transfer network address. Use a host name or another fixed string as the ID instead, and enter exactly this value as Remote Host/Gateway ID on the branch office.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station; since the branch office is behind a router, this is the public address of that router.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the branch office.
Start behavior:
The start behavior Outgoing means that this side initiates the connection automatically.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.
Save
Saves the settings
Branch
Network defaults
In this scenario, the branch office is also connected to the Internet via an ADSL router. This means that there is a transfer network on which the router performs NAT. The public IP address is therefore not located directly on the external interface of the UTM.
In the default route, the IP address of the ADSL router on the transfer network is entered as the gateway.
RSA key
As soon as an IPSec VPN connection is NATed on at least one side, for example by a router, we recommend RSA keys instead of a pre-shared key. Peers behind a NAT router all appear under the router's address and cannot be told apart by address alone; with RSA keys, each additional VPN connection gets its own key pair, and the gateway ID is checked as a second authentication feature. An RSA key pair is created under → Authentication → Keys with the button + Add Key (see also RSA-Keys). Then only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office, and the public key of the branch office is exported in the same way and imported into the UTM of the head office. The private keys never leave the UTM on which they were generated. Before a public key is imported, compare its fingerprint with the exporting side over a second channel (telephone, signed e-mail), so that a key swapped in transit is noticed.
IPSec Phase 1
Under → VPN → IPSec, tab Connections, button + Add IPSec Connection an IPSec connection can be added. Detailed instructions can be found here. If Phase 1 is clicked afterwards, the dialog looks like this:
Name:
Connection name
IKE Version:
IKEv1 or IKEv2; both sides of the connection must use the same version.
Local Gateway:
External interface of the UTM; in this scenario it carries an address from the transfer network, not the public IP address.
Local Gateway ID:
Because of the transfer network to the ADSL router, the public IP address is not on the interface, so an ID derived from the interface would be the private transfer network address. Use a host name or another fixed string as the ID instead, and enter exactly this value as Remote Host/Gateway ID on the head office.
Remote Host/Gateway:
Public IP address (or hostname that can be resolved by DNS) of the remote station; since the head office is behind a router, this is the public address of that router on the Internet line selected there for the VPN.
Remote Host/Gateway ID:
The ID that is configured as Local Gateway ID on the remote station (any string); it must match exactly.
Allow any remote addresses:
When enabled, the UTM accepts this connection from any remote address, not only from the configured Remote Host/Gateway. Disable this option for site-to-site connections with DynDNS hosts when several IPsec connections with addresses that are not known in advance (DynDNS site-to-site, roadwarrior) are configured, so that the connections remain distinguishable.
Local authentication method:
Select RSA
Local RSA key:
Select the key pair created above.
RSA key of the remote station:
Select the imported public key of the head office.
Start behavior:
Select Incoming: this side waits for the head office to initiate the connection. Because the public IP address is on the ADSL router, the router must forward UDP port 500 and UDP port 4500 (NAT traversal) to the external interface of the UTM, otherwise the head office cannot reach the branch office at all.
Dead Peer Detection:
Checks the connection by sending keep-alive packets that the remote station must answer. If it does not answer, the connection is terminated and re-established. The remote station must also support Dead Peer Detection, otherwise it cannot be used.
DPD Timeout:
Time without an answer after which the remote station is considered dead and the state defined under Start behavior is restored (Outgoing: the connection is re-initiated; Incoming: the UTM clears the connection and waits for the remote station).
DPD Interval:
Interval at which the keep-alive packets are sent.
Compression:
Compression (IPComp) is not supported by all remote stations; leave it disabled unless the remote station supports it.