IPsec Peers

Here, all parties that communicate with the firewall via IPsec are defined. The machines you define here are the firewalls and road warriors that set up the encrypted IPsec tunnel to the firewall. The networks that use the IPsec tunnels are defined on the IPsec Tunnels page.

VPN gateway peers that have dynamic IP addresses can't use Preshared secret as the Authentication method.

You can create a group consisting of several peers either by defining them directly in the group row (see the first row in the Offices group) or by defining them separately and adding them to the group (see the second row in the Offices group). Peers defined directly in the group will appear in the logs under the name of the group, which can be inconvenient. Subgroups defined separately will be logged under their own names.

In the example above, key negotiations with Atlantic City will appear as Atlantic City negotiations in the log, regardless of whether the negotiation matches the Atlantic City row or the Offices group. Negotiations with the unnamed subgroup will appear as Offices negotiations in the log.

Name

Enter a name for the IPSec peer. The name is only used internally in the firewall.

Subgroup

Here, you can select an already defined IPSec peer in order to form a group of several peers. Assign more than one row to a name by clicking the plus sign to the left of the name, or by creating a group with several rows.

If you select a subgroup here, the rest of the fields in the row should be left empty.

Status

Select whether this tunnel should be active or not. If Off is selected, no IPSec connection will be established with this IPSec peer. If you selected a peer under Subgroup, select "-" here.

Authentication

Type

You can select Preshared secret, X.509 certificate, Trusted CA, with DN, or Trusted CA as the Authentication type. All except Preshared secret are different ways of using X.509 certificates. Road warriors, and peers whose IP addresses are looked up dynamically, must not use Preshared secret. If you selected a Subgroup, you should select '-' here.

If X.509 certificates are used, the firewall must also have a certificate of its own. This is created on the Certificates page.

Preshared secret is like a password which the IPSec peer and the firewall use to recognize each other.

X.509 certificate is an ordered list of details about the computer, digitally signed to ensure the authenticity of the information.

If Trusted CA, with DN was selected, the client is expected to authenticate using an X.509 certificate signed by a CA that the firewall knows (the CA certificate should be uploaded on the Certificates page and listed on the X.509 Certificates page). You must also enter the client's Distinguished Name (DN) here.

If Trusted CA was selected, the client is expected to authenticate using an X.509 certificate signed by a CA that the firewall knows (the CA certificate should be uploaded on the Certificates page). All certificates for trusted VPN CAs should be listed on the X.509 Certificates page.

Info

Here, you enter the information the firewall should use to identify the IPSec peer. Press the Change/view button to insert the information. The look of the form appearing when you press the button depends on which Authentication type you selected.

If you selected Preshared secret, you will see a simple form where you enter the secret twice. As the secret is like a password or an encryption key, it is important that it is kept secret. If an eavesdropper obtains your secret, they can easily decrypt all your traffic encrypted with the help of this secret.

As the secret is saved unencrypted in the firewall configuration, you should be careful with where you store the configuration.

If you selected X.509 certificate, you will see a form where you upload the public certificate of the IPSec peer. If the peer is another Ingate Firewall, you get its public certificate by downloading it on the X.509 Certificates page for that firewall.

If you selected Trusted CA, with DN, you will see a form where you enter the Distinguished Name (DN) in LDAP format of the client certificate. You can use the wildcard "*" for one or more RDNs.

You must enter all RDNs of the client certificate which are supported by the firewall. The following RDNs are supported:

C             Country code
CN            Common Name
D             Description
DC            Domain Component
E             E-mail
GN            Given name
I             Initials
ID            X.500 Unique Identifier
L             Locality or town
N             Name
O             Organisation
OU            Organisational Unit
SN            Surname
SERIALNUMBER  Serial Number
ST            State or province
T             Personal title
UID           User ID
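The following is an added example, not Ingate code, showing how a DN pattern of the kind entered for Trusted CA, with DN can be checked against a client certificate subject: RDN types outside the supported list are ignored, every supported RDN of the certificate must be present in the pattern, and "*" accepts any value for that RDN. That the comparison is ordered and case-insensitive is an assumption of this example, not something the page states.

```python
import re

# RDN types the page lists as supported by the firewall. Any other RDN type
# found in a certificate subject is ignored (assumption of this example).
SUPPORTED_RDNS = {"C", "CN", "D", "DC", "E", "GN", "I", "ID", "L", "N",
                  "O", "OU", "SN", "SERIALNUMBER", "ST", "T", "UID"}


def parse_dn(dn):
    """Split an LDAP-format DN such as "C=SE, O=Example, CN=alice" into a
    list of (type, value) pairs. A comma escaped as "\\," stays in the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        pairs.append((typ.strip().upper(), val.strip().replace("\\,", ",")))
    return pairs


def dn_matches(pattern, cert_dn):
    """Return True if cert_dn is accepted by pattern.

    The pattern must list every supported RDN of the certificate, in the
    same order (order sensitivity is an assumption). A pattern value of "*"
    accepts any value; any other value must match case-insensitively."""
    want = [(t, v) for t, v in parse_dn(pattern) if t in SUPPORTED_RDNS]
    have = [(t, v) for t, v in parse_dn(cert_dn) if t in SUPPORTED_RDNS]
    if [t for t, _ in want] != [t for t, _ in have]:
        return False  # an RDN is missing from the pattern, extra, or reordered
    return all(pv == "*" or pv.lower() == cv.lower()
               for (_, pv), (_, cv) in zip(want, have))


# Constructed sample data: one pattern meant to accept every road warrior
# in the Sales unit, and two certificate subjects to test it against.
PATTERN = "C=SE, O=Example Ltd, OU=Sales, CN=*"
SALES_CERT = "C=SE, O=Example Ltd, OU=Sales, CN=Alice Road"
ADMIN_CERT = "C=SE, O=Example Ltd, OU=IT, CN=Bob Admin"

if __name__ == "__main__":
    print(dn_matches(PATTERN, SALES_CERT))  # True
    print(dn_matches(PATTERN, ADMIN_CERT))  # False
```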

If you selected Trusted CA, select one of the CAs whose certificates were imported on the Certificates page. You can also select "-", which means that the client certificate could be signed by any of the trusted CAs.

Local side

Select the firewall IP address which should manage the VPN traffic. This is the IP address to which the IPSec peer connects.

You must select an IP address from the logical network closest to the IPSec peer. Usually this means an IP address on the outside of the firewall, on the network with your Default gateway. If more than one Directly connected network is defined, you must select an IP address on the network facing the IPSec peer, i.e. the direction in which the IPSec packets will be sent.

Remote side

DNS name or IP address

Here, enter the host name or IP address of the IPSec peer. If the peer is a road warrior, having no fixed IP address, you enter "*" here.

If the peer IP address changes, but it keeps the same host name, you can enter the host name here, and select to do runtime DNS lookups of the name (see Dynamic).

Dynamic

Check the box here if the IP address of this peer should be looked up every time the firewall wants to use it. If the box is not checked, the firewall will only perform a DNS lookup for this address at configuration and when you click on Look up all IP addresses again.

This feature can only be used when the peers authenticate with X.509 certificates. You can't use this if you want to use a Preshared secret.

IP address

Here, the IP address of the computer entered under DNS name or IP address is shown. If the peer is a road warrior, only "*" is shown here. This field is only updated when you click on Save or Look up all IP addresses again.

RADIUS

Select for road warriors whether RADIUS authentication is required for a successful connection. If you want to use RADIUS, you must also configure a RADIUS server on the RADIUS page under Basic Configuration, and an authentication server on the Authentication Server page. If you selected a peer under Subgroup, select '-' here.

Blacklist

Blacklisting means that if an IPSec connection to a road warrior (marked with '*' in the IP address field) is broken, the firewall will block unencrypted traffic to this IP address for a certain time period; the IP address is blacklisted.

The encrypted IPSec connection is established between the road warrior and the firewall, but usually the computer you want to reach isn't the firewall itself, but another computer on a network behind the firewall. That computer is unaware of the IPSec tunnel and sends its data unencrypted to the road warrior, as in any open connection. If the IPSec tunnel is disconnected, the computer on the internal network will not detect this and will keep sending unencrypted data to the IP address of the road warrior. As the IPSec tunnel no longer exists, the data would be sent unencrypted over the insecure network. Blacklisting prevents this by blocking all packets to that address for a certain time period.

When blacklisting of a connection is possible, an asterisk ('*') will appear in the Blacklist field. The time interval for blacklisting is set on the IPSec Settings page.

Blacklisting can produce unwanted effects if a computer allows access from both IPSec clients and unencrypted clients, and the clients share the same IP address. The effect is that the unencrypted clients can't reach the computer during the blacklisting interval. The chance that this occurs is small, and it is no security threat.

ISAKMP key lifetime

Here, the lifetime for encryption keys is set. A common value for this parameter is 1 hour (3600 seconds) and the maximum value is 48 hours (172,800 seconds). The time interval must be the same on both computers creating the VPN tunnel.

The length of this time interval is a balance between security and fast data flow. The longer the same key is used, the more vulnerable the system is to cracking of that key. On the other hand, if the time interval is very short, a large share of the data traffic is spent negotiating new encryption keys.

Some implementations of IPSec name this parameter IKE key lifetime.

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Save

Saves the IPsec Peers configuration to the preliminary configuration.

Undo

Clears and resets all fields in new rows and resets changes in old rows.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.