notempty
- New function: Allow configured certificates only
- Layout adjustments and updated screenshots
Introduction
- SSL-VPN can also be used to establish site-to-site connections. Since this requires the corresponding instance of the service to run explicitly in client or server mode, it is possible to create multiple instances of the SSL-VPN service.
Site-to-Site Server
- This method is used when the remote terminal is the initiator of the connection. For this, the service must explicitly start in server mode.
Site-to-Site Client
- This method is used when the UTM itself is the initiator of the connection. For this, the service must explicitly start in client mode.
Site-to-Site Server Configuration
SSL-VPN Connection
Set up the connection under Button menu.
Installation wizard
Step 1
In installation step 1 the connection type is selected, the following connections are available:
- Roadwarrior Server
- Site-to-Site Server
- Site-to-Site Client
For the configuration of the Site-to-Site server this is selected.
Step 2
If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be enabled Yes.
Step 3
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | S2S-server | Unique name | |
| Protocol: | Desired protocol | ||
| Server certificate: | Selection of the certificate with which the server authenticates itself If a server certificate does not yet exist, it can be created (and if necessary also a CA) in the certificate management. Open with
Both certificates must be created with the same CA!
The Client certificate and the associated CA are also needed to configure the remote terminal (client). They must be exported with the button. For use with a UTM as client, the -format is required. | ||
| Share server networks: | » ✕ 192.168.175.0/24 | Network located at this appliance (VPN server) that is to be accessible via SSL-VPN. | |
Step 4
In installation step 4, the transfer network for the site-to-site server is entered.
| Caption | Value | Description |  |
|---|---|---|---|
| Transfer network: | 192.168.190.0/24 | A network address must be specified that is not used in any network of the involved appliances. | |
| Server tunnel address: | 192.168.190.1/32 | The server and client tunnel address is determined automatically. | |
| IPv4 client tunnel address: | 192.168.190.2/24 | ||
Step 5
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | S2S-client | Is automatically generated from the name defined in step 3 | |
| Client certificate: | Certificate of the client network | ||
| Share client networks: | » ✕192.168.174.0/24 | Networks of the remote terminal that are to be released. (Input by clicking in the click box and then using the keyboard). | |
| notempty The selected certificate should not be used with any other client / network.
| |||
Tab General
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | S2S-server | Name of the ssl connection | |
| Interface: | tun0 | Used interface | |
| Modus: | SERVER | Depending on connection type | |
| Protocol: | (Default) |
Select preferred protocol (UDP and TCP can each be limited to IPv4 or IPv6). | |
| Port: | 1194 |
Default port for the first SSL VPN connection. May not be used for any other purpose. For further connections, the next free port is selected. | |
| Authentication: | (Default) |
Select the appropriate authentication method | |
| Certificate: | The certificate used can be changed here | ||
| Data Connection Cipher: | Default settings of OpenSSL are used. notempty The remote terminal must use the same cipher!
| ||
| Data Connection Hash: | Default settings of OpenSSL are used. notempty The remote terminal must use the same hash!
| ||
| Allowed ciphers for auto-negotiation (NCP): | Individual ciphers can be selected from a list. | ||
| IPv4 Transfer network: | 192.168.190.0/24 | Enter pool address | |
| IPv6 Transfer network: | /64 | Enter pool address | |
| Share server networks globally: | Network IP for networks behind the UTM that are supposed to be accessible via the SSL VPN connection can be edited. | ||
| Search Domain: | notempty It only makes sense to specify a search domain for a Roadwarrior connection!
| ||
| Renegotiation: | (Default) |
Period of time from which the connection is rebrokered | |
| Saves the settings | |||
Tab Advanced
| Caption | Value | Description |  |
|---|---|---|---|
| MTU: | 1500 |
Maximum transmission unit of the largest packet (byte) | |
| Max Clients: | 1024 | Maximum number of clients. If no value is set, the default value of 1024 applies. | |
| Push DNS: | No | Allows DNS transmission | |
| Push WINS: | No | Allows WINS transmission | |
| Multihome: | On | Allows the use of multiple default routes | |
| Allow configured certificates only: |
On | Only allocated certificates can still be accepted | |
| LZO: | Off | LZO compression After changing this option, the corresponding client counterparts must adjust their configuration! | |
| Disabled: | No | ||
| Pass TOS: | Off | Allows forwarding of TOS packets | |
| Ping interval: | 10 seconds |
Interval of ping requests | |
| Ping timeout: | 120 seconds |
Timeout of ping requests | |
| Outgoing buffer size: | 65536 Bytes |
Steuert die Größe des Puffers für den Socket | |
| Incoming buffer size: | 65536 Bytes |
s.o. | |
| Replay window sequence size: | 64 |
Anzahl der Pakete innerhalb derer noch ältere Sequenznummern akzeptiert werden. | |
| Replay window waiting time: | 15 seconds |
Zeitfenster in dem die Sequenzgröße maximal angewendet wird | |
| Saves the settings | |||
Other client remote terminals
Additional remote sites that are to be connected via this site-to-site server can be added via the button.
Display of remote sites by clicking on the folder icon
Rulebook
Implied rules
Under section VPN the protocol used for the connection can be enabled. Here On SSL-VPN UDP. This implicit rule frees the ports used for SSL-VPN connections on the WAN interface.
Network objects
A TUN interface was created when the connection was set up. It automatically receives the first IP from the transfer network configured in the connection and a zone "vpn-ssl-<servername>".
To be able to reach the client network of the remote terminal, a network object must be created for this purpose.
The TUN interface of the site-to-site client also receives an IP from this network. This serves as a gateway to the subnet of the site-to-site client. The subnet of the client must be created as a network object and is located in the zone on the associated TUN interface.
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | sslvpn-S2S-Client-Network | Unique name | |
| Type: | If only a single host is to be shared in the client network, can also be selected here. | ||
| Address: | 192.168.174.0/24 | The network address that was shared as the client network in step 5
If multiple client networks have been shared, a separate network object must be created for each of these networks. Subsequently, the network objects can then be combined into a group.
| |
| Zone: | The zone on the S2S server through which the S2S client network is accessed. | ||
| Group: | Optional | ||
| Saves the settings | |||
Portfilter rules
Menu tab Portfilter Button
Two rules allow access to or from the S2S client network:
| # | Source | Destination | Service | NAT | Action | Activ | |||
 |
4 |  sslvpn-S2S-client-network |
 internal-network |
 default-internet |
Accept | On | |||
|
5 | internal-network |
sslvpn-S2S-client-network |
default-internet |
Accept | On |
Routen
The routes are set automatically.
However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
Menu Tab Routing Button
A route should be set so that the network of the remote terminal can be found reliably.
| Caption | Value | Description |  |
|---|---|---|---|
| Gateway interface: | A TUN interface was created when the connection was set up and must be specified here. | ||
| Target network: | 192.168.174.0/24 | The network of the remote terminal (S2S Client) | |
Site-to-site client configuration
SSL-VPN Connection
Installation wizard
Step 1
In installation step 1 the connection type is selected, the following connections are available:
- Roadwarrior Server
- Site-to-Site Server
- Site-to-Site Client
For the configuration of the Site-to-Site Client this is selected.
Step 2
If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be enabled Yes.
Step 3
Local settings for the Site-to-Site Client can be made in step 3. Here you can enter a name for the connection, select protocol, choose a server certificate - by clicking the button with the window you can import a CA and a certificate.
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | S2S-client | Unique name | |
| Protocol: | Desired protocol | ||
| Client certificate: | Selection of the certificate with which the client authenticates itself. The same certificate must be used here that was selected as the certificate of the remote terminal (client) for the site-to-site server in step 5. Open with
| ||
Step 4
This installation step is omitted for the site-to-site client.
Step 5
notempty
If port 1194 is used, this specification can be omitted.
Tab General
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | S2S-client | Name of the ssl connection | |
| Interface: | tun0 | Used interface | |
| Modus: | Client | ||
| Protocol: | (Default) |
Desired protocol | |
| Certificate: | Das verwendete Zertifikat kann hier geändert werden | ||
| Data Connection Cipher: | Default settings of OpenSSL are used. notempty The remote terminal must use the same cipher!
| ||
| Data Connection Hash: | Default settings of OpenSSL are used. notempty The remote terminal must use the same hash!
| ||
| Allowed ciphers for auto-negotiation (NCP): | Individual ciphers can be selected from a list. | ||
| Renegotiation: | (Default) |
Period of time from which the connection is rebrokered | |
| Saves the settings | |||
Tab Advanced
| Caption | Value | Description |  |
|---|---|---|---|
| MTU: | 1500 |
Maximum transmission unit of the largest packet (byte) | |
| LZO: | Off | LZO compression After changing this option, the corresponding client counterparts must adjust their configuration! | |
| Disabled: | No | ||
| Pass TOS: | Off | Allows forwarding of TOS packets | |
| Ping interval: | 10 seconds |
Interval of ping requests | |
| Ping timeout: | 120 seconds |
Timeout of ping requests | |
| Outgoing buffer size: | 65536 Bytes |
||
| Incoming buffer size: | 65536 Bytes |
||
| Replay window sequence size: | 64 |
||
| Replay window waiting time: | 15 seconds |
||
| Saves the settings | |||
S2S Client Rulebook
S2S Client Implied rules
Since the site-to-site client establishes the connection to the S2S server and outgoing connections from the firewall itself are always allowed by default, no implicit rules are necessary.
S2S Client Network objects
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | sslvpn-S2S-Server-Network | Unique name | |
| Type: | If only a single host is to be shared in the server network, can also be selected here. | ||
| Address: | 192.168.175.0/24 |
If several server networks have been shared, a separate network object must be created for each of these networks. The network objects can then be combined into a group.
| |
| Zone: | the zone on the S2S client through which the S2S server network is accessed. | ||
| Group: | Optional | ||
S2S Client Portfilter rules
Menu Tab Add rule Button .
Two rules allow access to or from the S2S server network or from the network:
| # | Source | Destination | Service | NAT | Action | Activ | |||
|
5 | internal-network |
sslvpn-S2S-server-network |
default-internet |
Accept | On | |||
|
4 | sslvpn-S2S-server-network |
internal-network |
default-internet |
Accept | On |
S2S Client Routen
The routes are set automatically.
However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
Menu Tab Routing Button
A route should be set so that the network of the remote terminal can be found reliably.
| Caption | Value | Description |  |
|---|---|---|---|
| Gateway interface: | A TUN interface was created when the connection was set up and must be specified here. | ||
| Target network: | 192.168.175.0/24 | The network of the remote terminal (S2S Server) | |
Note
Encryption
By default, an AES128-CBC method is used. The encryption method can be customized in the server or/and client profile.
Hash method
By default, a SHA256 hash method is used. The hash method can be customized in the server or/and client profile.
QoS
For the VPN connection, the TOS fields for automatic QoS can be set in the package.
This setting can be changed in the VPN connection settings in the Advanced tab under Pass TOS: On must be enabled.
Multipath
For multipath on the client side, the VPN connection in the client must be bound to an interface.
To bind a client connection to an interface, the CLI command must be used openvpn get to locate the ID of the connection.
The command openvpn set id $ID_DES_TUNNELS local_addr $IP_DES_INTERFACES can then be used to set the outgoing IP.
In addition, a rule route via the corresponding tunX interface is required in the outgoing rule (internal-network → VPN network → $DIENST).
Search Domain
Transmit DNS/WINS
The DNS and WINS can be transmitted automatically. This setting can be enabled in the VPN connection settings under the Advanced tab:
- Transmit DNS: On
- Transmit WINS: On
The IP addresses from DNS and WINS are set in the menu Tab Domain Name System.
IPv6 for inbound connections
In the settings of the site-to-site server, the protocol UDP6 or TCP6 for IPv6 can be activated under General -> Protocol.
The transparent HTTP proxy
When accessing a server behind the site-to-site connection from the internal network via HTTP, the transparent HTTP proxy may filter the packets. This can lead to errors in the accesses to the target.
To prevent this from happening a rule must be added in the Tab Transparent Mode Button menu:
| Caption | Value |
|---|---|
| Protocol: | |
| Type: | |
| Source: | |
| Destination: |
If SSL interception is used, this should be done additionally for the protocol.