16.4.2. Procedure – Configuring SSL connections

  1. Navigate to the VPN component of the Zorp host that will be the endpoint of the VPN connection. Select the Connections tab.

    Figure 16.13. Configuring SSL (OpenVPN) connections

  2. Click New and enter a name for the connection.

  3. Select the SSL protocol option.

  4. Set the VPN topology in the Scenario section.

    Figure 16.14. Selecting the SSL (OpenVPN) scenario

    To create a Roadwarrior server, select the Roadwarrior server option.

    Select the Peer-to-Peer option for all other topologies.

    Note

    In a Network-to-Network connection the tunnel carries traffic between the networks behind the two endpoints, not traffic between the endpoint hosts themselves. To encrypt the communication of the two endpoints with each other, create a separate Peer-to-Peer connection.

  5. Configure the local networking parameters. These parameters affect the Zorp endpoint of the VPN connection.

    Figure 16.15. Configuring local networking parameters

    Set the following parameters in the Listen options section:

    • Local address: the IP address on which Zorp accepts the VPN connection. To accept incoming VPN connections on every interface, enter 0.0.0.0.

    • Port: the port on which Zorp listens for incoming VPN connections. Use the default port (1194) unless something prevents it.

      Note

      These parameters have no effect when Zorp is the client side of the VPN tunnel and does not accept incoming VPN connections.

    Set the following parameters in the Tunnel settings section:

    • Interface: the name of the virtual (tun) interface used for the VPN connection. ZMS automatically assigns the next available interface.

    • Local: the IP address of Zorp as seen from inside the VPN tunnel. The tun interface binds to this address, so Zorp rules can refer to it.

    • Remote: the IP address of the remote endpoint as seen from inside the VPN tunnel.

    • Protocol: by default, VPN connections use UDP to communicate with the peers. To use TCP instead, select Protocol > TCP.

    The Local and Remote addresses must be non-routable virtual IP addresses (for example, from the 192.168.0.0/16 range) that are not in use on either side of the tunnel, otherwise routing through the tunnel becomes ambiguous. These addresses are visible only on the tun interface and are needed only for building the VPN tunnel.

    Warning

    The Local and Remote addresses must be specified even in roadwarrior scenarios. Use the first two addresses of the dynamic IP range assigned to the remote clients.

  6. Configure the networking parameters of the remote endpoint.

    Figure 16.16. Configuring remote networking parameters

    For Peer-to-Peer scenarios, set the following parameters:

    • Remote address: the IP address of the remote endpoint.

    • Remote port: the port on which the remote VPN server listens; Zorp connects to this port. Use the default port (1194) unless something prevents it.

    • Pull configuration: download the configuration from the remote endpoint. This works only if push options are specified on the remote endpoint.

    • No local bind: select this option if the Zorp host being configured runs in client mode only and does not accept incoming VPN connections.

    When Zorp acts as a roadwarrior server, set the IP address range using the Dynamic address from and Dynamic address to fields. Clients connecting to Zorp will receive their IP addresses from this range.

    Note

    The configured address range cannot contain more than 65535 IP addresses.

    Every Windows client needs a /30 netmask (4 IP addresses), so a range serves roughly a quarter as many Windows clients as it has addresses. Increase the range accordingly when there are many Windows clients.

  7. When configuring Peer-to-Peer or Network-to-Network connections, select the Active side option so that Zorp initiates the VPN connection to the remote endpoint. If possible, enable this option on the remote endpoint as well.

  8. Click on the Authentication tab and configure authentication.

    Figure 16.17. Configuring authentication

    Set the following parameters:

    • Certificate: select a certificate available on the Zorp host. Zorp presents this certificate to the remote endpoint.

    • CA: select the trusted CA (Certificate Authority) group that includes the certificate of the root CA that issued the certificate of the remote endpoint. Zorp uses this CA group to verify the certificate of the remote endpoint.

    Warning

    If several remote endpoints authenticate with the same certificate, only one of them can be connected to Zorp at a time.

    Note

    See Chapter 11, Key and certificate management in Zorp for details on creating and importing certificates, CAs, and trusted CA groups required for certificate-based authentication.

  9. Configure routing for the VPN tunnel. Click the Routing tab and add a routing entry for every network at the remote end of the VPN tunnel (that is, located behind the remote endpoint). Zorp sends every packet targeting these networks through the VPN tunnel. To add a network, click New and enter the IP address and the netmask of the network.

    Figure 16.18. Configuring tunnel routing

  10. Configure push options on the Push options tab.

    Figure 16.19. Configuring push options

    Tip

    Push options are most often used to set the configuration of roadwarrior clients; for example, to assign a fixed IP address to a specific client.

    Figure 16.20. Configuring client routing

    Click Route to add routing entries for the remote endpoint. These routing entries determine which networks protected by Zorp are accessible from the remote endpoint.

    See Section 16.4.3.2, Push options for details.

  11. Set other options as needed. See Section 16.4.3, SSL options for details.
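    The following script is an added example, not part of Zorp or ZMS. It models the settings entered in steps 5, 6, 9 and 10 as a small data structure, checks the constraints this section states (distinct private Local/Remote tunnel addresses that do not overlap a routed network, Local/Remote as the first two addresses of the roadwarrior range, the 65535-address limit, the /30-per-Windows-client rule), and prints the OpenVPN directives those GUI fields correspond to. The directive mapping and the certificate file names are assumptions about what ZMS generates; the sample tunnel values are constructed.

```python
"""Consistency checks for the SSL (OpenVPN) tunnel settings of this section, plus the
OpenVPN directives the GUI fields correspond to.

Added example; not Zorp or ZMS code. Field names follow the GUI labels of steps 5, 6,
9 and 10. The directive mapping is an assumption about what ZMS generates and may
differ in detail. The sample values below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
ANY_ADDRESS = IPv4("0.0.0.0")         # "accept on every interface" in Listen options
MAX_POOL = 65535                      # limit given in the Note of step 6
WINDOWS_ADDRS_PER_CLIENT = 4          # one /30 per Windows client (step 6)


@dataclass
class SslTunnel:
    local_address: IPv4                          # Listen options > Local address
    port: int                                    # Listen options > Port
    tcp: bool                                    # Protocol > TCP
    interface: str                               # Tunnel settings > Interface
    local: IPv4                                  # Tunnel settings > Local
    remote: IPv4                                 # Tunnel settings > Remote
    routes: List[ipaddress.IPv4Network]          # Routing tab: networks behind the peer
    pushed_routes: List[ipaddress.IPv4Network]   # Push options > Route: networks behind Zorp
    dynamic_from: Optional[IPv4] = None          # roadwarrior range, Dynamic address from
    dynamic_to: Optional[IPv4] = None            # Dynamic address to


def pool_size(t: SslTunnel) -> int:
    """Number of addresses in the roadwarrior range; 0 when no range is set."""
    if t.dynamic_from is None or t.dynamic_to is None:
        return 0
    return int(t.dynamic_to) - int(t.dynamic_from) + 1


def check_tunnel(t: SslTunnel) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    if t.local == t.remote:
        problems.append("Local and Remote tunnel addresses must differ")
    for name, addr in (("Local", t.local), ("Remote", t.remote)):
        if not addr.is_private:
            problems.append(f"{name} tunnel address {addr} is not from a private range")
        # The virtual addresses live only on the tun interface; if one also falls inside
        # a network that is routed through the tunnel, routing becomes ambiguous.
        for net in t.routes + t.pushed_routes:
            if addr in net:
                problems.append(f"{name} tunnel address {addr} overlaps routed network {net}")
    if (t.dynamic_from is None) != (t.dynamic_to is None):
        problems.append("Both Dynamic address from and Dynamic address to must be set")
    elif t.dynamic_from is not None:
        size = pool_size(t)
        if size < 1:
            problems.append("Dynamic address range is empty or reversed")
        elif size > MAX_POOL:
            problems.append(f"Dynamic address range holds {size} addresses, limit is {MAX_POOL}")
        # Warning in step 5: Local and Remote are the first two addresses of the range.
        if t.local != t.dynamic_from or t.remote != t.dynamic_from + 1:
            problems.append("Local/Remote must be the first two addresses of the dynamic range")
    return problems


def windows_client_capacity(t: SslTunnel) -> int:
    """Clients the range can serve if every client is a Windows host needing a /30,
    after the two addresses reserved for Local and Remote. Ignores /30 alignment,
    so treat the result as an estimate."""
    return max(0, (pool_size(t) - 2) // WINDOWS_ADDRS_PER_CLIENT)


def openvpn_server_directives(t: SslTunnel, cert="zorp.crt", key="zorp.key",
                              ca="trusted-ca-group.pem") -> List[str]:
    """Server-side OpenVPN directives for these settings (assumed mapping). The file
    names stand in for the Certificate and CA group selected in step 8."""
    d = [f"dev {t.interface}", "tls-server", f"cert {cert}", f"key {key}", f"ca {ca}"]
    if t.local_address != ANY_ADDRESS:    # omitting 'local' listens on all interfaces
        d.append(f"local {t.local_address}")
    d += [f"port {t.port}", "proto tcp-server" if t.tcp else "proto udp",
          f"ifconfig {t.local} {t.remote}"]
    if t.dynamic_from is not None and pool_size(t) > 2:
        # Assumption: clients draw from the range after the two endpoint addresses.
        d.append(f"ifconfig-pool {t.dynamic_from + 2} {t.dynamic_to}")
    for net in t.routes:                 # Routing tab: send these networks into the tunnel
        d.append(f"route {net.network_address} {net.netmask}")
    for net in t.pushed_routes:          # Push options > Route: reachable behind Zorp
        d.append(f'push "route {net.network_address} {net.netmask}"')
    return d


def openvpn_client_directives(t: SslTunnel, remote_address: str, remote_port: int = 1194,
                              pull: bool = False, no_local_bind: bool = False) -> List[str]:
    """Peer-to-Peer client side of step 6, mirroring the tunnel addresses: the
    client's Local is the server's Remote and vice versa."""
    d = [f"dev {t.interface}", "tls-client", f"remote {remote_address} {remote_port}",
         "proto tcp-client" if t.tcp else "proto udp", f"ifconfig {t.remote} {t.local}"]
    if pull:
        d.append("pull")                 # Pull configuration
    if no_local_bind:
        d.append("nobind")               # No local bind
    return d


# Constructed samples: a roadwarrior server on all interfaces, and a misconfigured peer.
ROADWARRIOR = SslTunnel(
    local_address=ANY_ADDRESS, port=1194, tcp=False, interface="tun0",
    local=IPv4("10.8.0.1"), remote=IPv4("10.8.0.2"),
    routes=[], pushed_routes=[ipaddress.ip_network("192.168.10.0/24")],
    dynamic_from=IPv4("10.8.0.1"), dynamic_to=IPv4("10.8.0.254"))
BAD_PEER = SslTunnel(
    local_address=ANY_ADDRESS, port=1194, tcp=True, interface="tun1",
    local=IPv4("8.8.8.8"), remote=IPv4("10.8.0.2"),
    routes=[ipaddress.ip_network("10.8.0.0/24")], pushed_routes=[])

if __name__ == "__main__":
    for sample in (ROADWARRIOR, BAD_PEER):
        print("\n".join(check_tunnel(sample) or ["settings consistent"]))
    print("\n".join(openvpn_server_directives(ROADWARRIOR)))
```

    Run it as-is to see the checks and the generated server directives for the roadwarrior sample; `BAD_PEER` shows the two mistakes the Warning in step 5 is meant to prevent (a public tunnel address, and a tunnel address inside a network that is itself routed through the tunnel).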