16.3.1. Procedure – Configuring IPSec connections

  1. Configuring IPSec connections

    Figure 16.4. Configuring IPSec connections

    Navigate to the VPN component of the PNS host that will be the endpoint of the VPN connection. Select the Connections tab.

  2. Click New and enter a name for the connection.

  3. Select the IPSec protocol option.

  4. Selecting the IPSec scenario

    Figure 16.5. Selecting the IPSec scenario

    On the General tab, set the VPN topology and the transport mode in the Scenario section.

    • To create a Peer-to-Peer connection, select the Peer to Peer and the Transport options.

    • To create a Peer-to-Network connection, select the Peer to Peer and the Tunnel options.

    • To create a Roadwarrior server, select the Roadwarrior server and the Transport options.

    • To create a Network-to-Network connection, select the Peer to Peer and the Tunnel options.

    Note

    When creating a Network-to-Network connection, the two endpoints of the VPN tunnel do NOT use the VPN to communicate with each other. To encrypt the communication of the endpoints, create a separate Peer-to-Peer connection.

  5. Configuring local networking parameters

    Figure 16.6. Configuring local networking parameters

    Configure the local networking parameters. These parameters affect the PNS endpoint of the VPN connection. Set the following parameters:

    • Local address: Select the IP address that PNS will use for the VPN connection.

    • Local ID: The ID of the PNS endpoint in the VPN connection. Leave this field blank unless you experience difficulties in establishing the connection with the remote VPN application. If you set the Local ID, you might also want to set the Use ID in ipsec.secrets option.

    • Local nexthop: The IP address of the default network gateway. Packets sent into the VPN tunnel are routed towards this gateway. This parameter defaults to the default gateway used by PNS.

    • Local subnet: The subnet or zone protected by PNS that is permitted to use the VPN tunnel, or that can be accessed using the VPN tunnel. This option is available only for Peer-to-Network and Network-to-Network connections.

  6. Configuring remote networking parameters

    Figure 16.7. Configuring remote networking parameters

    Configure the networking parameters of the remote endpoint. Set the following parameters:

    • Remote address: The IP address of the remote endpoint. Does not apply for roadwarrior VPNs.

    • Remote ID: The ID of the remote endpoint in the VPN connection. Leave this field blank unless you experience difficulties in establishing the connection with the remote VPN application. If you set the Remote ID, you might also want to set the Use ID in ipsec.secrets option.

    • Remote subnet: The subnet or zone behind the remote endpoint that is permitted to use the VPN tunnel, or that can be accessed using the VPN tunnel. This option is available only for Peer-to-Network and Network-to-Network connections.

      Note

      Network-to-Network connections connect the subnets specified in the Local subnet and Remote subnet parameters.

      Do not specify the subnet parameter for the peer side of Peer-to-Network connections: leave either the Local subnet or the Remote subnet parameter empty.

  7. When configuring Peer-to-Peer or Network-to-Network connections, select the Active side option so that PNS initiates the VPN connection to the remote endpoint. If possible, enable this option on the remote endpoint as well.

  8. Configuring authentication

    Figure 16.8. Configuring authentication

    Click on the Authentication tab and configure authentication.

    To use password-based authentication, select the Shared secret option and enter the password in the Secret field.

    Note

    Authentication using a shared secret is not a secure authentication method. Use it only if the remote endpoint does not support certificate-based authentication. Always use long and complex shared secrets: at least twelve characters containing a mix of alphanumeric and special characters. Remember to change the shared secret regularly.

    To use certificate-based authentication, select the X.509 option and set the following parameters:

    • Local certificate: Select a certificate available on the PNS host. PNS will show this certificate to the remote endpoint.

    • If the remote endpoint has a specific certificate, select the Verify certificate option and select the certificate from the Remote certificate field. PNS will use this certificate to verify the certificate of the remote endpoint.

    • If several remote endpoints can connect to the VPN tunnel, select the Verify trust option and, from the CA group field, select the trusted CA group that contains the certificate of the CA that issued the remote endpoints' certificates. PNS will use this trusted CA group to verify the certificates of the remote endpoints. (See Section 11.3.7, Trusted CAs for details.)

      PNS sends the common name of the accepted CAs to the remote endpoint, so the client knows what kind of certificate is required for the authentication. Select a specific CA certificate using the CA hint option if you want to accept only certificates signed by the selected CA.

    Note

    See Chapter 11, Key and certificate management in PNS for details on creating and importing certificates, CAs, and trusted CA groups required for certificate-based authentication.
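    The scenario, subnet, remote-address and shared-secret rules spread across steps 4 to 8 are easy to get wrong when several connections are defined by hand. The following is an added example, not PNS code and not a PNS API: a small Python checker that encodes those rules so a connection definition can be reviewed before it is entered in the GUI. The scenario keys, the IPSecConnection class and its field names are assumptions chosen to mirror the GUI labels; the sample connection and secret are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Topology/mode pair that each scenario requires (step 4). The scenario keys
# are hypothetical names chosen for this example; the values are the GUI labels.
SCENARIO_MODES = {
    "peer-to-peer":       ("Peer to Peer", "Transport"),
    "peer-to-network":    ("Peer to Peer", "Tunnel"),
    "roadwarrior-server": ("Roadwarrior server", "Transport"),
    "network-to-network": ("Peer to Peer", "Tunnel"),
}


@dataclass
class IPSecConnection:
    """Assumed data holder; the fields mirror the GUI labels of steps 4 to 8."""
    name: str
    scenario: str
    topology: str
    mode: str
    local_address: str
    remote_address: Optional[str] = None
    local_subnet: Optional[str] = None
    remote_subnet: Optional[str] = None
    active_side: bool = False
    auth: str = "x509"            # "x509" or "shared-secret"
    secret: Optional[str] = None  # only used with "shared-secret"


def check_shared_secret(secret: str) -> List[str]:
    """Findings against the policy in the step 8 note: at least twelve
    characters mixing letters, digits and special characters."""
    problems = []
    if len(secret) < 12:
        problems.append("secret shorter than 12 characters")
    if not any(c.isalpha() for c in secret):
        problems.append("secret contains no letters")
    if not any(c.isdigit() for c in secret):
        problems.append("secret contains no digits")
    if not any(not c.isalnum() and not c.isspace() for c in secret):
        problems.append("secret contains no special characters")
    return problems


def validate_connection(conn: IPSecConnection) -> List[str]:
    """Return a list of findings; an empty list means the definition is consistent."""
    expected = SCENARIO_MODES.get(conn.scenario)
    if expected is None:
        return [f"unknown scenario {conn.scenario!r}"]
    problems = []

    # Step 4: the scenario fixes the topology and the transport mode.
    if (conn.topology, conn.mode) != expected:
        problems.append(
            f"{conn.scenario} requires {expected}, got ({conn.topology!r}, {conn.mode!r})")

    # Steps 5 and 6: subnet fields exist only for the two network scenarios,
    # and Peer-to-Network leaves exactly one of them empty.
    has_local, has_remote = bool(conn.local_subnet), bool(conn.remote_subnet)
    if conn.scenario == "network-to-network" and not (has_local and has_remote):
        problems.append("Network-to-Network needs both Local subnet and Remote subnet")
    elif conn.scenario == "peer-to-network" and has_local == has_remote:
        problems.append("Peer-to-Network needs exactly one of Local subnet or Remote subnet")
    elif conn.scenario in ("peer-to-peer", "roadwarrior-server") and (has_local or has_remote):
        problems.append("subnet fields apply only to Peer-to-Network and Network-to-Network")

    # Step 6: Remote address is required except for roadwarrior servers.
    if conn.scenario == "roadwarrior-server":
        if conn.remote_address:
            problems.append("Remote address does not apply to roadwarrior VPNs")
    elif not conn.remote_address:
        problems.append("Remote address is missing")

    # Step 7: Peer-to-Peer and Network-to-Network connections should be initiated by PNS.
    if conn.scenario in ("peer-to-peer", "network-to-network") and not conn.active_side:
        problems.append("Active side is not enabled; PNS will not initiate the connection")

    # Step 8: a shared secret is accepted only if it meets the policy.
    if conn.auth == "shared-secret":
        problems.extend(check_shared_secret(conn.secret or ""))
    elif conn.auth != "x509":
        problems.append(f"unknown authentication method {conn.auth!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a Network-to-Network tunnel with a weak shared secret.
    sample = IPSecConnection(
        name="site-b", scenario="network-to-network",
        topology="Peer to Peer", mode="Tunnel",
        local_address="203.0.113.1", remote_address="198.51.100.7",
        local_subnet="10.0.0.0/24", remote_subnet="10.0.1.0/24",
        active_side=True, auth="shared-secret", secret="password1")
    for finding in validate_connection(sample):
        print("-", finding)
```

    Running the sample reports the three shortcomings of the constructed secret (too short, no special characters) and nothing else, since the subnet, mode and active-side settings match the Network-to-Network rules above. The checker deliberately treats a missing Active side on Peer-to-Peer and Network-to-Network connections as a finding, because without it PNS waits for the remote endpoint to initiate.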

  9. Configuring IPSec options

    Figure 16.9. Configuring IPSec options

    Click on the Options tab and set the Action parameter of Dead peer detection to restart. That way PNS attempts to restart the VPN connection if the remote endpoint becomes unavailable.

    Note

    Dead peer detection is effective only if enabled on both endpoints of the VPN connection.

  10. Set other options as needed. See Section 16.3.2, IPSec options for details.

    Note

    By default, PNS 3 F5 and later uses the IKEv2 key exchange protocol. However, earlier versions support only the IKEv1 protocol. Change the Options > Exchange protocol option to IKEv1 when the remote endpoint of the VPN connection is running PNS 3.4 LTS or earlier.