IPsec subnets Page

Use this page to create a secure, encrypted tunnel between subnets.

Navigation: NETWORK > VPN > IPsec subnets.

Create new tunnel
Name A meaningful name for this VPN.
Enabled Indicates whether the VPN is turned on or not.
Local IP The Local IP address that the tunnel connects to. Typically, this is one of your external IP addresses, though you can select a Basic interface to create an internal tunnel.
Local network The local subnet that the remote host has access to, in this format: <IP_address>/<network_mask>.
Local ID type

The identity type that's presented to the remote system. This identifies the primary system to the secondary system and the secondary system to the primary system by using the host and domain name ID value in the primary or secondary system’s default local certificate, respectively.

  • Default local Certificate Subject - Uses the subject of the default local certificate as the local certificate ID.
  • Local IP - Uses the local IP address of the host as the local certificate ID.
  • User specified Host & Domain Name - Uses a user specified host and domain name as the local certificate ID.
  • User specified IP address - Uses a user specified IP address name as the local certificate ID.
  • User specified Email address - Uses a user specified email address as the local certificate ID.
  • User specified Certificate Subject - Uses a user specified certificate subject as the local certificate ID.
Local ID value Either the host and domain name, IP address, email address or certificate subject, depending on what you selected from the Local ID type list.
Remote IP or hostname (blank for ANY) You can leave this blank if the remote host uses a dynamic IP address.
Remote network The remote network subnet that the local host has access to.
Remote ID type

The valid remote ID type values.

  • Remote IP (or ANY if blank Remote IP) - The remote ID is the remote IP address, or any other form of presented ID.
  • User specified Host & Domain Name - The user can specify a custom host and domain name that it should expect the remote gateway to present as ID.
  • User specified IP address - The user can specify a custom IP address that it should expect the remote gateway to present as ID.
  • User specified Email address - The user can specify a custom email address that it should expect the remote gateway to present as ID.
  • User specified Certificate Subject - The user can specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non- Smoothwall VPN gateways).
Remote ID value Either the host and domain name, IP address, or certificate subject depending on what you selected from the Remote ID type list.
Authenticate by

This instructs the Smoothwall to authenticate the secondary system by validating the certificate it presents as its identity credentials.

  • Preshared key - The preconfigured password that only the connecting VPN gateways know.
  • Certificate presented by peer - An industry strength and internationally recognized authentication method, using a system of digital certificates, as published by the ITU-T and ISO standardization bodies.
Preshared key The preconfigured password that only the connecting VPN gateways know.
Preshared key again The same preshared password.
Use compression Compresses the tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels might decrease performance. The same rule applies when transferring data that's already compressed, for example, streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, we don't recommend that you use compression. We recommend that you use compression for non-encrypted, uncompressed traffic. This setting must be the same on the tunnel specifications of both connecting gateways.
Initiate the connection Turns on the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment An optional comment for this VPN.
Advanced »

Expands the view to show the next options listed in this table so that you can configure the compatibility with other VPN gateway systems.

Tip: You can also tweak the VPN for performance gains in Smoothwall to Smoothwall VPN connections.

Local certificate The local certificate, if non-standard X509 authentication is used for this VPN.
Perfect forward secrecy Turns on the use of the prefect forward secrecy (PFS) key establishment protocol, ensuring that previous VPN communications can't be decoded should a key currently in use be compromised. We recommend that you use PFS for maximum security. VPN gateways must agree on the use of PFS.
Authentication type

The valid authentication method type values:

  • ESP - Encapsulating Security Payload (ESP) uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. We recommend that you use this setting for optimal performance.
  • AH - IP Authentication Header (AH) uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways because AH provides only authentication and not encryption, we don't recommend AH.

Note: This setting must be the same on both tunnel specifications of two connecting gateways.

Key Life (mins) The length of time, in minutes, that a set of keys can be used for. After the Key life value has expired, new encryption keys are generated, reducing the threat of snooping attacks. We recommend that you use the default value of 60 minutes.
Key Tries (0 means never give up) The number of connection attempts before failing. The default value of 0 means that the host can continuously rekey the connection. However, a non-initiating VPN gateway should not use the default value as the connection can't be initiated.
IKE lifetime (mins) The length of time, in minutes, the Internet Key Exchange (IKE) keys are exchanged again.
Do not rekey Turns off rekeying. This can be useful when working with NAT-ed end points.
IKEV2 Turns on the Internet Key Exchange version 2 (IKEV2) protocol. You need IKEV2 when selecting an elliptic curve group Diffie-Hellman Group for Phase 2.
MTU The Maximum Transmission Unit (MTU) size. The MTU value must be a whole number greater or equal to 68 and represents the maximum size of a packet communicated through the tunnel. In most cases, you can leave this parameter unset. However, some connectivity / performance issues might be resolved by changing the MTU.
Local internal IP The IP address of the network to use when the Smoothwall itself sends traffic in the tunnel.
Cryptographic algorithm

The encryption algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of two connecting gateways.

  • 3DES - Triple Data Encryption Algorithm, a triple strength version of the DES cryptographic standard using a 168-bit key. The 3DES is a very strong encryption algorithm though it's been exceeded in recent years. It's the default encryption scheme on most VPN gateways. Therefore, we recommend that you use this setting for maximum compatibility.
  • AES 128 - Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES.
  • AES 256 - Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. We recommend for maximum security and performance.
Hash algorithm

From the list, select the hashing algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of two connecting gateways.

  • MD5 - A cryptographic hash function using a 128-bit key. We recommend that you use this for faster performance and compatibility.
  • SHA - Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. We recommend that you use this for maximum security.
Diffie-Hellman Group

The Diffie-Hellman Group cryptographic protocol to use in the first phase when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways.

  • 2 (1024-bit modulus) - A modular exponentiation group (MODP) with a 1024-bit modulus.
  • 14 (2048-bit modulus) - A modular exponentiation group (MODP) with a 2048-bit modulus.
  • 15 (3072-bit modulus) - A modular exponentiation group (MODP) with a 3072-bit modulus.
  • 16 (4096-bit modulus) - A modular exponentiation group (MODP) with a 4096-bit modulus.
  • 17 (6144-bit modulus) - A modular exponentiation group (MODP) with a 6144-bit modulus.
  • 18 (8192-bit modulus) - A modular exponentiation group (MODP) with an 8192-bit modulus.
  • 19 (256-bit elliptic curve) - 256-bit elliptic curve group. IKEv2 option must be selected when selecting this Diffie-Hellman Group algorithm.
  • 20 (384-bit elliptic curve) - 384-bit elliptic curve group. IKEv2 option must be selected when selecting this Diffie-Hellman Group algorithm.
  • 21 (521-bit elliptic curve) - 521-bit elliptic curve group. IKEv2 option must be selected when selecting this Diffie-Hellman Group algorithm.
  • 24 (2048-bit modulus with 256-bit subgroup) - 2048-bit modulus with 256-bit prime.

Note: When upgrading your Smoothwall Filter and Firewall, changes applied to an existing IPsec Tunnel configuration needs the selection of explicit Diffie-Hellman Group settings.

Add Adds the IPsec tunnel to the Current tunnels section.
Current tunnels
Name Opens the details of the tunnel in a new tab.
Enabled Indicates whether the tunnel is active or not.
Initiator Indicates if the local VPN system initiates this tunnel connection if the remote IP address is known.
Local IP The Local IP address that the tunnel connects to.
Remote IP The remote IP address.
Remote network The remote network subnet address that the local host has access to.
Authenticate by The authentication method.
Comment Any comments that you added when you added the tunnel.
Mark Indicates whether the tunnel is selected or not.
Remove Removes the selected tunnel from the view.
Edit Populates the Create new tunnel section with the details of the marked tunnel so that you can edit the details.