Modules - VPN Server - IPsec


Overview

VPN Server - IPsec Information
  Description: Virtual Private Network tools for LAN-to-LAN connections.
  Package Name: cc-ipsec
  Configuration Page: Software > VPN > LAN-to-LAN


You can use the web-based administration tool to create a connection with other ClarkConnect servers (on licensed systems, dynamic IP support is included).

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuring Connections with Managed VPN

Managed VPN support not only simplifies configuration, but also improves the up-time of the connections. In order to create a connection between two systems, you need to configure both ClarkConnect systems.

Warning! If you are configuring a VPN connection between your local gateway and a remote gateway, configure the remote gateway first. Once the VPN is started on the remote system, it will only be accessible when the VPN connection is up. If you run into trouble configuring the tunnel, you can use a dial-up or other location to access the remote location.


From the web-based administration tool, click on Create in the Managed VPN Connections box. You need to:

  • Select the IP address of the remote gateway
  • Type in a pre-shared secret (password)

Create a Connection

On the first connection or when an IP address changes, it may take a few minutes for the connection to synchronize.

Warning! The two LAN networks at either end of the VPN connection must not overlap! If you need to change the LAN IP address/network on your ClarkConnect server, please use the Administration Console.


Configuring Un-managed VPN Connections (not recommended)

Select Headquarters and Satellite

Pick one server to be the "Headquarters" and the other to be the "Satellite". This is just a naming convention -- pick a convention and stick with it! The Openswan documentation uses "left" and "right". This can be confusing at times, so we also use an alternate set of names: "headquarters" and "satellite".

Gather Network Information

You must gather some network information for the IPsec server configuration, namely the IP address, next hop (gateway), and LAN network for both ends of the connection. Make sure these settings are correct -- you will save many hours of pain and frustration. The information for the local ClarkConnect system is shown when you start to configure an unmanaged VPN connection.


Warning! The two LAN networks at either end of the VPN connection must not overlap! If you need to change the LAN IP address/network on your ClarkConnect server, please use the Administration Console.


Select a Connection Name and Pre-Shared Secret

Once you have your network settings in hand, enter the information on both ends of the VPN connection. Enter a simple nickname for the connection along with a strong pre-shared secret. When configuring the other end of the VPN connection, do not be tempted to swap the Headquarters and Satellite information! The configuration screens on both ends of the connection will look exactly the same.

(Screenshot: ss_webconfig_ipsec.png)


Sanity Checking

Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood to verify the VPN (there is a Howto on getting your Windows Network up and running). Instead, make sure you can ping from:

  • gateway to gateway
  • gateway to remote PC
  • remote PC to gateway
  • remote PC to remote PC

If the connection fails, double check your network settings and restart your firewall. Look in the log files -- /var/log/messages and /var/log/secure -- for error messages.

Configuration for Road Warriors

The web-based administration tool does not support Road Warrior connections or interoperability with other IPsec servers. The software is capable of these configurations (including X.509 solutions), however, you must manually configure these connection types. Configuration can be a non-trivial task, so please read the OpenSwan site for more information.

For road warriors/telecommuters, we strongly suggest using the 128-bit encrypted PPTP server. This option is not only more cost effective, but also easy to configure. See PPTP Server for installation and configuration instructions.

Configuring Windows Network Neighborhood - WINS

Do you want to be able to browse Windows Network Neighborhood across your VPN connection? You must configure and use a WINS server. Fortunately, ClarkConnect has all the pieces of the puzzle in place. Please view the additional documentation here.

(Screenshot: ss_ipsec_nethood.png)

Interoperability

The IPsec protocol is an industry standard, but one with many loose ends. This means that other IPsec servers - though standards compliant - may not be able to connect to a ClarkConnect IPsec server. If you are familiar with the command line environment, you may be able to successfully connect a ClarkConnect system to a third party system. You can find more information in the Openswan Interoperability Documentation. Technical support is not provided for IPsec interoperability.

Troubleshooting

  • Make sure your firewall allows incoming connections for IPsec traffic
  • The IPsec protocol does not pass through NAT-based routers. If your external IP address is a private address such as 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based router.
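The bookkeeping behind the unmanaged-VPN sections above (gathered addresses and next hops, headquarters = Openswan "left" and satellite = "right", LANs that must not overlap) and the troubleshooting list's private-address sign of NAT, as an added POSIX shell example that is not part of ClarkConnect, Openswan or this page. The helper names are mine and every address is a constructed TEST-NET or private value, not a real host.

```shell
#!/bin/sh
# Added example (not part of ClarkConnect or Openswan): pre-flight checks
# for an unmanaged LAN-to-LAN tunnel. All addresses are constructed values.

# Dotted-quad IPv4 address -> integer (POSIX sh arithmetic, no bashisms).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# For a.b.c.d/n print "first_address last_address" as integers.
net_range() {
    ip=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    start=$(( $(ip2int "$ip") & mask ))
    echo "$start $(( start | (4294967295 & ~mask) ))"
}

# Exit 0 when the two prefixes share at least one address. This is the
# "LAN networks must not overlap" check from the warning boxes above.
nets_overlap() {
    set -- $(net_range "$1") $(net_range "$2")
    if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then return 0; else return 1; fi
}

# Exit 0 when an address is RFC 1918 private (10/8, 172.16/12, 192.168/16):
# a private "external" address means the gateway sits behind a NAT router.
is_private_ip() {
    for n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        nets_overlap "$1/32" "$n" && return 0
    done
    return 1
}

# Emit an Openswan net-to-net conn using this page's naming convention:
# headquarters = left, satellite = right. Arguments:
#   name hq_ip hq_nexthop hq_lan sat_ip sat_nexthop sat_lan
# Refuses to emit a conn whose two LANs overlap.
make_conn() {
    nets_overlap "$4" "$7" && { echo "error: LAN networks overlap" >&2; return 1; }
    printf 'conn %s\n    type=tunnel\n    authby=secret\n    auto=start\n' "$1"
    printf '    left=%s\n    leftnexthop=%s\n    leftsubnet=%s\n' "$2" "$3" "$4"
    printf '    right=%s\n    rightnexthop=%s\n    rightsubnet=%s\n' "$5" "$6" "$7"
}

# Constructed example: TEST-NET public addresses, distinct private LANs.
make_conn hq-to-branch 203.0.113.10 203.0.113.1 192.168.1.0/24 \
                       198.51.100.20 198.51.100.1 192.168.2.0/24
```

The same conn block goes into ipsec.conf on both gateways unchanged (do not swap left and right), and the matching pre-shared secret goes into /etc/ipsec.secrets on both as a line of the form: hq_ip sat_ip : PSK "secret".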

Retrieved from "http://www.clarkconnect.com/docs/Modules_-_VPN_Server_-_IPsec"

This page was last modified 15:07, 19 July 2007.