Creating an IPsec Tunnel

Note: The following instructions assume that the IPsec Tunnel implementation is made using a certificate-based authentication method. If the IPsec Tunnel implementation is using a pre-shared key (PSK) authentication method, continue to Step 4.

Prerequisites

• From the primary Smoothwall, create a new local certificate authority, see our help topic, Importing and creating certificate authorities and their certificates.
• From the primary Smoothwall, create certificates for the primary and remote Smoothwall Filter and Firewall hardware appliances, including third party devices, see our help topic, Importing and creating certificate authorities and their certificates.
• Set the default local certificate for the primary Smoothwall, see our help topic, Managing global VPN network settings.

Procedure

1. From the primary Smoothwall that points to the remote host, on the NETWORK menu, under the VPN submenu, click IPsec subnets and enter a meaningful Name for this VPN.
2. New VPNs are turned on by default.
3. Select the Local IP address that the tunnel connects to from the list and enter the Local network subnet that the remote host has access to, in this format: <IP_address>/<network_mask>.
4. Select the identity type that's presented to the remote system from the Local ID type list.

Note: Typically, you specify the ID types when connecting to non-Smoothwall VPN gateways. Refer to your vendor's documentation.

• If you selected "User specified", enter the Local ID value. This can be either the host and domain name, IP address, email address or certificate subject. Typically, you can leave this blank because the value is retrieved automatically during the connection process, according to the chosen Local ID type.
5. Enter the Remote IP or hostname. If the remote host uses a dynamic IP address, you can leave this blank for any.
6. Enter the Remote network subnet that the local host has access to, in this format: <IP_address>/<network_mask>.
7. Select the Remote ID type that the remote gateway is expected to present from the list.
   • If you selected "User specified", enter the Remote ID value. This can be either the host and domain name, IP address, or certificate subject.
8. Choose the authentication method from the Authenticate by list.
   • If you selected "Preshared key" to Authenticate by, in the Preshared key box, enter the pre-shared key (PSK).
   • Reenter the pre-shared key in the Preshared key again box. Don't copy and paste from the Preshared key box.
9. If you want to Use compression or for the local VPN system to Initiate the connection if the remote IP address is known, select these options. You can also enter a Comment.
• If you need to configure the compatibility with other VPN gateway systems, click Advanced ».

Tip: You can also tweak the VPN for performance gains in Smoothwall to Smoothwall VPN connections.

1. If you use non-standard X509 authentication for this VPN, choose the Local certificate from the list.
2. To turn on the Prefect forward secrecy key establishment protocol, select this option.
3. Choose the Authentication type method from the list.
4. Enter the Key Life (mins) that a set of keys can be used for, the number Key Tries of connection attempts before failing, the IKE lifetime (mins) that keys are exchanged.
5. To turn off rekeying, select the Do not rekey option and to turn on the IKEV2 protocol, select this option.
6. Enter the MTU size and the Local internal IP address of the network to use when the Smoothwall itself sends traffic in the tunnel.
7. Select the Cryptographic algorithm, Hash algorithm and Diffie-Hellman Group to use in the first and second phases when establishing the VPN connection.
10. Click Add.

Follow-up tasks

• To edit IPsec Tunnel settings:
  1. Under the Current tunnels section, for the IPsec Tunnel configuration that you want, select the Mark option.
  2. Click Edit. The selected IPsec Tunnel setting are made available for you to update.
• To remove an IPsec Tunnel configuration:
  • Under the Current tunnels section, for the IPsec Tunnel configuration that you want, select the Mark option.
  • Click Remove. The selected IPsec Tunnel configuration is deleted.