- Updated to Redesign of the webinterface
Introduction
For an IPSec connection, there are recommended configurations for each network setup so that a tunnel can be established.
A distinction is made between whether the public IP is located on the UTM or whether the connection is "nated". Whether there are multiple Internet lines also plays a role here.
Single path with public IP addresses
The following explains what an IPSec VPN configuration looks like when there is only one Internet line on each side of the connection and public IP addresses are directly connected to the UTM. This is the case, for example, if an ADSL modem is connected to the external interface.
Head office
Network defaults
UTMuser@firewall.name.fqdnNetwork 
For the connection of a modem to the UTM, a PPPoE interface and a default route via this interface are set up.
In our case, it is the first PPPoE interface, which is then given the name wan0.
The default route can be created by clicking Area Routing Button , selecting the previously created PPPoE interface as the gateway.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. | |
| Remote Host/Gateway: | Public IP address (or hostname that can be resolved by DNS) of the remote station. | |
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | A pre-shared key, a certificate or an RSA key can be used. | |
| Pre-Shared Key: | Enter key here or have a very strong key created. | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Branch
Network defaults
UTMuser@firewall.name.fqdnNetwork 
For the connection of a modem to the UTM, a PPPoE interface and a default route via this interface are set up.
In our case, it is the first PPPoE interface, which is then given the name wan0.
The default route can be created by clicking Area Routing Button , selecting the previously created PPPoE interface as the gateway.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. | |
| Remote Host/Gateway: | Public IP address (or hostname that can be resolved by DNS) of the remote station. | |
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | A pre-shared key, a certificate or an RSA key can be used. | |
| Pre-Shared Key: | Enter key here or have a very strong key created. | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Single path with one nated side
The following explains what an IPSec VPN configuration looks like when there is only one Internet line on each side of the connection, but only one side has a public IP address directly connected to the UTM. The other is behind a router, which enables the UTM to access the Internet via a transfer network. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
Head office
Network defaults
UTMuser@firewall.name.fqdnNetwork
For the connection of a modem to the UTM, a PPPoE interface and a default route via this interface are set up.
In our case, it is the first PPPoE interface, which is then given the name wan0.
The default route can be created by clicking Area Routing Button , selecting the previously created PPPoE interface as the gateway.
RSA key
UTMuser@firewall.name.fqdnAuthentication 
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. | |
| Remote Host/Gateway: | Public IP address (or hostname that can be resolved by DNS) of the remote station. | |
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | Select incoming | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Branch
Network defaults
The Public IP address is therefore not located directly on the external interface of the UTM.
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | The public IP address of the head office is entered here. | |
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Single-path nated on both sides
The following explains what an IPSec VPN configuration looks like when there is only one Internet line on each side of the connection and both sides of the connection are behind a router that provides Internet access to the UTM via a transfer network. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
This configuration is not recommended by Securepoint because it is usually unstable, if it is established at all. A OpenVPN Site to Site connection is recommended for this scenario.
Head office
Network defaults
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | ||
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Branch
Network defaults
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | ||
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | Select incoming | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Multipath with public IP addresses
The following explains how an IPSec VPN configuration looks like if there are several Internet lines on one side and public IP addresses are directly connected to the UTM on both sides. This is the case, for example, if an ADSL modem is connected to the external interface.
Head office
Network defaults
UTMuser@firewall.name.fqdnNetwork 
In this scenario, we assume that the head office has multiple connections to the Internet.
Here, the IPSec VPN connection is to be established via an Internet access with a directly connected DSL modem. In our case, it is the first PPPoE interface, which is then given the name wan0.
It is also important at this point that the VPN zones vpn-ipsec and firewall-vpn-ipsec are on the interface through which the VPN connection is to be created.
Since several Internet connections are used simultaneously in this example, there are also several standard routes (multipath routing).
Otherwise, there will be problems with the packetfilter rules.
If different VPN connections are to be established via different Internet connections, additional VPN zones must be created.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. | |
| Remote Host/Gateway: | Public IP address (or hostname that can be resolved by DNS) of the remote station. | |
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | A pre-shared key, a certificate or an RSA key can be used. | |
| Pre-Shared Key: | Enter key here or have a very strong key created. | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Branch
Network defaults
Also in this case it is the first PPPoE interface, which then gets the name wan0.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | The gateway ID is included in the authentication. This can be an IP address, a host name or an interface. | |
| Remote Host/Gateway: | Public IP address (or hostname that can be resolved by DNS) of the remote station. | |
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | A pre-shared key, a certificate or an RSA key can be used. | |
| Pre-Shared Key: | Enter key here or have a very strong key created. | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Multipath with one side nated
The following explains how an IPSec VPN configuration looks like if there are multiple Internet lines on one side and public IP addresses are directly connected to the UTM there. The other side is behind a router, which provides the UTM with Internet access via a transfer network. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
Head office
Network defaults
UTMuser@firewall.name.fqdnNetwork
In this scenario, we assume that the head office has multiple connections to the Internet.
Here, the IPSec VPN connection is to be established via an Internet access with a directly connected DSL modem. In our case, it is the first PPPoE interface, which is then given the name wan0.
It is also important at this point that the VPN zones vpn-ipsec and firewall-vpn-ipsec are on the interface through which the VPN connection is to be created.
Since several Internet connections are used simultaneously in this example, there are also several standard routes (multipath routing).
Otherwise, there will be problems with the packetfilter rules.
If different VPN connections are to be established via different Internet connections, additional VPN zones must be created.
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | ||
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Branch
Network defaults
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | ||
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | Select incoming | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Multipath nated on both sides
The following explains what an IPSec VPN configuration looks like when there are multiple Internet lines on one side and both sides of the connection are behind a router that provides Internet access to the UTM via a transfer network. This is the case, for example, if the ADSL router of an Internet provider is connected to the external interface of the UTM.
This configuration is not recommended by Securepoint because it is usually unstable, if it is established at all. We recommend a OpenVPN Site to Site connection for this scenario.
Head office
Network defaults
Here, the head office is to establish the IPSec connection via an Internet line, which must be additionally "nated" by an ADSL router via the transfer network. The public IP address is therefore not located directly on the external interface of the UTM.
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | ||
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | The startup behavior Outgoing defines that this page will initiate the connection automatically. | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |
Branch
Network defaults
RSA key
UTMuser@firewall.name.fqdnAuthentication
As soon as an IPSec VPN connection is "nated" on at least one side, for example by a router, we recommend using RSA keys instead of a pre-shared key.
This makes it possible to use a separate key and also the gateway ID again as a second authentication feature for each additional VPN connection.
Creating an RSA key pair is done under Button (see also RSA-Keys).
Then, only the public key of the head office has to be exported in PEM, HEX or Base64 format and imported into the UTM of the branch office. The public key of the branch is also exported and imported into the UTM of the head office.
IPSec Phase 1
With a click on Area Connections Button an IPSec connection can be added. Detailed instructions can be found here.
If is clicked afterwards, the dialog looks like this:
| Name: | Connection name | UTMuser@firewall.name.fqdnVPNIPSec 
|
| IKE Version: | IKE version | |
| Local Gateway: | Specify local gateway | |
| Local Gateway ID: | Because of the transfer network to the ADSL router, the public IP address is not on the interface. | |
| Remote Host/Gateway: | ||
| Remote Host/Gateway ID: | ID configured as local ID on the remote station (any string). | |
| Allow any remote addresses: | Disable this option for site to site connections with DynDNS hosts when multiple IPsec connections with a priori unknown addresses (DynDNS S2S, Roadwarrior) are configured. | |
| Local authentication method: | Select RSA | |
| Local RSA key: | Select previously created key | |
| RSA key of the remote station: | Select RSA key | |
| Start behavior: | Select incoming | |
| Dead Peer Detection: | This checks the connection by sending so-called keep alive packets, to which the remote station must respond. If it does not, the connection is terminated and re-established. It is important that the remote station must also have Dead Peer Detection implemented, otherwise it cannot be used. | |
| DPD Timeout: | Period before the state under Startup behavior is restored. | |
| DPD Interval: | Inspection interval | |
| Compression: | Compression is not supported by all remote stations. | |