With an IPsec connection between the firewall and a road warrior, the user can use servers and other resources from home or a hotel without exposing the traffic openly on the Internet.
Connections with a road warrior require X.509 certificates.
This is how to set up an IPsec VPN connection to the firewall.
If you have many road warriors connecting to the firewall and you don't want to upload every client X.509 certificate separately, you can choose to trust certificates signed by a certain CA. For this, the firewall requires the CA certificate instead. You upload the CA certificate on the Certificates page.
Enter a name for the CA certificate. The name is only used internally in the firewall.

To authenticate itself, the firewall needs an X.509 certificate. This is created on the same page.
Make a new row in the Private Certificates table, press Create new, and fill in the form. The password fields are only relevant if you want to be able to revoke the certificate.
You can select to let the firewall sign its own certificate (this is the simple way) or create a certificate request and make a CA sign it for you. If you use an outside CA, the signed certificate must be uploaded to the firewall.

Go to the X.509 Certificates page under Virtual Private Networks and select which certificate the firewall should use for VPN connections. Also add all CA servers which have signed certificates for the VPN clients.

Go to the IPsec Peers page under Virtual Private Networks to define the IP addresses between which the VPN connection should be established. You also define how the VPN peers should authenticate themselves to each other.
Select On under Status. Under Authentication:Type, select the authentication method. Road warriors must use X.509 certificates, and you can select to upload the client's certificate or trust the CA which signed the client certificate. To use X.509 certificates, you must have access to a CA server (or purchase signing services) which will sign certificate requests. If you have your own CA server, you can upload its certificate to the firewall and then trust all certificates signed by that CA (select Trusted CA).
Under Info, upload the client certificate or enter the CA/DN, depending on the authentication type selected above. N.B.: The X.509 certificate you upload here is the client certificate, not the firewall's own one.
Under Local side, select a public IP address of the firewall, and enter a "*" under Remote side. This means that the peer is a road warrior.
Enter a lifetime for the ISAKMP (IKE) keys. The lifetime must be the same on both VPN peers.
The X.509 certificate authenticates the connecting computer. You can also make the firewall require authentication from the connecting user, using a RADIUS server. For this, you have to run a RADIUS server separately, as the firewall does not contain one. It also requires a public IP address on the firewall with an unused port. To use RADIUS authentication, select On under RADIUS.

Next, go to the IPsec Tunnels page and enter the networks which will use the VPN tunnel.
In the IPsec networks table, define the local office network that will be used through the VPN tunnel.
If RADIUS is used, you must also enter the public IP of the authentication server here, either as a part of the office network or as a separate network.
Under Peer, select the newly created VPN tunnel.
Under Local network, select Network as the Address type and the local network (connected to the firewall) that you defined below under Network.
Under Remote network, you have the following options:
The road warrior has a public IP address on the Internet. Select Remote side address under Address type. This means "the same IP address as on the IPsec Peers page".
The road warrior is located behind a NATing device, and you know which IP network it belongs to. Enter that network in the IPsec Networks table. In the IPsec Tunnels table, select Network, allow subset under Address type and select the network you just created under Network.
Usually, you won't know the private IP address of the road warrior in advance, or it will change a lot. You might not even know if the client is NATed or not.
Select Remote/private address as the Address type. This will allow all private IP addresses as well as the public address presented by the client at the negotiation.
When Network or Network, allow subset was selected, there must be a line for every pair of networks that should be able to communicate through the VPN connection.
The IPsec key lifetime is optional, but if you enter a lifetime, it must be the same on both VPN peers.

If RADIUS is used to authenticate the user, the firewall must have an SSL certificate for its authentication server.
Go to the Authentication Server page and select a public IP address and port of the firewall. You might have to go to the Interface pages to define an extra IP address (alias) for the outside of the firewall.
You must also select which certificate the authentication server of the firewall should use to identify itself to the connecting client.

If RADIUS authentication is used, the firewall must know which RADIUS server to contact. Go to the RADIUS page under Basic Configuration and enter the RADIUS server to use.

Go to the Networks and Computers page under Network and make sure that there are groups for all networks that will use the VPN tunnel. These are used for building rules for the VPN traffic. You don't need a network for the authentication server.
The network on the other side of the VPN tunnel (see VPN network in the example) must have "-" selected under Interface.

Go to the Rules page and create rules to let traffic through the VPN tunnel. If there are no rules, no traffic will be let through, even if the tunnel is established.
Select the VPN tunnel under From VPN if the Client network is the road warrior network. Select the VPN tunnel under To VPN if the Server network is the road warrior network.

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

The road warrior itself must also be configured. The exact steps depend, of course, on which client software you use. See http://www.ingate.com/interaction.php for configuration instructions for several VPN clients.
If RADIUS is used, the user must first browse to the IP address of the authentication server and log on before the VPN tunnel can be used.
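The certificate side of the procedure above (a CA whose certificate is uploaded on the Certificates page, a certificate request signed by that CA, and the Trusted CA check on the IPsec Peers page) can be rehearsed offline with the openssl command-line tool. This is an added example, not part of the Ingate documentation or product; the CA and client names are constructed, and the verify step only emulates what trusting a CA means: every certificate chaining to that CA is accepted, a certificate from any other CA is rejected.

```shell
#!/bin/sh
# Added example: private CA, client certificate issued from a CSR, and a
# chain check that mirrors the firewall's "Trusted CA" authentication type.
# Requires the openssl binary. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. This is the certificate you would upload on the
# Certificates page to trust every client it has signed.
make_ca() {  # $1 = file basename, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Client key + certificate request, then signed by the CA. This is the same
# "create a request, let a CA sign it" flow the manual describes for the
# firewall's own certificate when an outside CA is used.
issue_client() {  # $1 = CA basename, $2 = client basename
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 90 -sha256 \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Emulates the Trusted CA check: returns 0 only if the client certificate
# chains to the given CA. Nothing else about the client is examined, which
# is exactly why the CA key decides who may connect.
verify_client() {  # $1 = CA basename, $2 = client basename
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca office-ca "Office VPN CA"     # the CA the firewall trusts
make_ca other-ca  "Unrelated CA"      # a CA the firewall was never told about
issue_client office-ca alice          # legitimate road warrior
issue_client other-ca  mallory        # valid certificate, wrong issuer

if verify_client office-ca alice; then echo "alice: accepted"; fi
if ! verify_client office-ca mallory; then echo "mallory: rejected"; fi
```

Run it on any machine with openssl installed; the generated files are removed when the script exits.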