IPsec road warriors Page

Use this page to configure the IPsec road warrior connection.

Navigation: NETWORK > VPN > IPsec road warriors.

Create new tunnel
Name A meaningful name for this VPN.
Enabled Indicates whether the VPN is turned on or off. New VPNs are turned on by default.
Local IP The local IP address that the tunnel connects to. Typically, this is one of your external IP addresses, though you can select a Basic interface to create an internal tunnel.
Local network The local IP address and network mask, in this format: <IP_address>/<network_mask>. You can restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you want to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/32. Likewise, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.
Client IP The valid device IP address for this road warrior tunnel. The specified IP address must be available on the network specified for Local network.
Local ID type The identity type that's presented. Valid values are:
  Default local Certificate Subject: Uses the subject of the default local certificate as the local certificate ID. We recommend that you use this setting for road warrior connections.
  Local IP: Uses the local IP address of the host as the local certificate ID.
  User specified Host & Domain Name: Uses a user specified host and domain name as the local certificate ID.
  User specified IP address: Uses a user specified IP address as the local certificate ID.
  User specified Email address: Uses a user specified email address as the local certificate ID.
  User specified Certificate Subject: Uses a user specified certificate subject as the local certificate ID.
Local ID value If the Local ID type is user specified, enter the host and domain name, IP address, email address, or certificate subject. Typically, you can leave this blank because the value is automatically retrieved during the connection process, according to the chosen Local ID type.
Remote ID type We recommend that you use setting because it means that the road warrior can present any form of valid identity credentials.
Remote ID value The value of the remote ID used in the certificate that the road warrior is expected to use.
Authenticate by The authentication method. Valid values are:
  <Roadwarrior_certificate>: Use the road warrior's certificate created in step 1.
  Certificate presented by peer: Use a certificate created by a different Certificate Authority. We recommend that you authenticate by a named certificate for easier management.
  Preshared key: Use the global preshared key defined in step 3.
Preshared key The key that you need for authentication.
Preshared key again Reenter the preshared key. Do not copy and paste from the Preshared key box.
Use compression This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, might decrease performance. The same rule applies when transferring data that's already compressed, for example, streaming video. We don't recommend that you use compression for any tunnel with a high proportion of encrypted or already-compressed traffic. We recommend that you use compression for non-encrypted, uncompressed traffic.
Initiate the connection Makes the local VPN system initiate this tunnel connection if the remote IP address is known.
Comment An optional comment for this VPN.
Advanced » Expands the view to show the following settings.
Local certificate If non-standard X509 authentication is used for this VPN, choose the local certificate from the drop-down list.
Perfect forward secrecy We recommend that you use PFS for maximum security. VPN gateways must agree on the use of PFS.
Authentication type Valid values are:
  ESP: Encapsulating Security Payload (ESP) uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. We recommend that you use this for optimal performance.
  AH: IP Authentication Header (AH) uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, we don't recommend that you use AH.
Key Life (mins) The length of time, in minutes, that a set of keys can be used. After the Key life value has expired, new encryption keys are generated, reducing the threat of snooping attacks.
Key Tries (0 means never give up) The number of connection attempts before failing. The default value of 0 means that the host continuously retries rekeying the connection. However, a non-initiating VPN gateway should not use the default value, because it can't initiate the connection itself.
IKE lifetime (mins) The length of time, in minutes, after which the Internet Key Exchange (IKE) keys are exchanged again.
Do not rekey Turns off rekeying. This can be useful when working with NAT-ed end points.
IKEv2 Turns on the Internet Key Exchange version 2 (IKEv2) protocol. You need IKEv2 when selecting an elliptic curve Diffie-Hellman group for Phase 2.
MTU The Maximum Transmission Unit (MTU) size. The MTU value is the maximum packet size that can be sent through the tunnel, and it must be a whole number greater than or equal to 68. In most cases, you can leave this parameter blank. However, you might solve some connectivity or performance issues by changing the MTU value.

Phase 1 and Phase 2

Cryptographic algorithm The encryption algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:
  3DES: A triple-strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been superseded in recent years. It's the default encryption scheme on most VPN gateways, so we recommend that you use it for maximum compatibility.
  AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
  AES 256: Advanced Encryption Standard with a 256-bit key; see AES 128. We recommend that you use this for maximum security and performance.

Hash algorithm The hashing algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:
  MD5: A cryptographic hash function with a 128-bit digest. We recommend that you use this for faster performance and compatibility.
  SHA: Secure Hash Algorithm produces a 160-bit digest and is the US government's hashing standard. We recommend that you use this for maximum security.

Diffie-Hellman Group The Diffie-Hellman group (key exchange parameters) to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways.
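As an added check (example code, not part of this page or the product it documents), the following Python validates a road warrior tunnel definition against the rules stated above: the two Local network formats and the /32 single-host case, Client IP membership in the Local network, the MTU minimum of 68, IKEv2 for an elliptic curve Phase 2 group, and the page's maximum-security recommendations (ESP, PFS, AES 256, SHA). The dictionary field names and the sample values are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample tunnel (not from the page), keyed by the form's field names.
SAMPLE_TUNNEL = {
    "local_network": "192.168.2.0/255.255.255.0",  # dotted-mask form is accepted
    "client_ip": "192.168.2.10",
    "mtu": 1400,
    "auth_type": "ESP",
    "pfs": True,
    "encryption": "AES 256",
    "hash": "SHA",
    "ikev2": True,
}

MIN_MTU = 68  # the page requires a whole number >= 68 when MTU is set


def parse_local_network(value):
    """Parse the Local network field in either of the page's formats,
    <IP>/<prefix> or <IP>/<dotted netmask>; a /32 restricts the road
    warrior to a single host."""
    return ipaddress.ip_network(value, strict=False)


def check_tunnel(tunnel):
    """Return the list of problems found; an empty list means the tunnel
    passes the page's rules and its maximum-security recommendations."""
    problems = []
    net = parse_local_network(tunnel["local_network"])
    client = ipaddress.ip_address(tunnel["client_ip"])
    if client not in net:  # Client IP must be available on the Local network
        problems.append(f"client IP {client} is outside local network {net}")
    mtu = tunnel.get("mtu")
    if mtu is not None and (not isinstance(mtu, int) or mtu < MIN_MTU):
        problems.append(f"MTU must be a whole number >= {MIN_MTU}, got {mtu!r}")
    if tunnel.get("auth_type") == "AH":
        problems.append("AH authenticates but does not encrypt; use ESP")
    if not tunnel.get("pfs", False):
        problems.append("perfect forward secrecy is off")
    if tunnel.get("encryption") == "3DES":
        problems.append("3DES selected; AES 256 is recommended for security")
    if tunnel.get("hash") == "MD5":
        problems.append("MD5 selected; SHA is recommended for security")
    if tunnel.get("ecdh_phase2") and not tunnel.get("ikev2"):
        problems.append("elliptic curve DH group for Phase 2 requires IKEv2")
    return problems


if __name__ == "__main__":
    print(check_tunnel(SAMPLE_TUNNEL) or "tunnel settings look good")
```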