This is a description of various scenarios for connecting a VPN client to a VPN gateway (such as a firewall with VPN support). For each scenario you will also find configuration details for an Ingate Firewall.
In this scenario, the VPN client has a public IP address, visible to the entire Internet.

The firewall VPN configuration has the following details:
IPsec Peers
Remote side should be set to "*".
IPsec Tunnels
Remote network: Address type should be set to "Remote side address".
Remote side: Network should be left empty.
In this scenario, the VPN client is located behind a NAT device, which means that its real IP address can't be seen on the Internet. This makes things trickier for IPsec, since the real IP address inside the packet does not match the NATed IP address which the firewall sees as the sender of the packet.

The firewall VPN configuration has the following details:
IPsec Peers
Remote side should be set to "*".
IPsec Tunnels
In the IPsec networks table, create a new row. Enter the real client IP address (not the NAT address) and netmask 32.
In the IPsec tunnels table, select Network under Remote network: Address type.
Under Remote network: Network, select the network you just created.
In this scenario, the VPN client is located behind a NAT device, which means that its real IP address can't be seen on the Internet. The client acquired its IP address via DHCP.
The settings below require that the client IP address belong to one of the standardized private IP address ranges (see appendix G, Lists of reserved ports, ICMP types and codes, and Internet protocols).

The firewall VPN configuration has the following details:
IPsec Peers
Remote side should be set to "*".
IPsec Tunnels
Remote network: Address type should be set to "Any private address".
Remote side: Network should be left empty.
If the DHCP IP address range is not within the standardized private networks, you need to do this instead:
IPsec Peers
Remote side should be set to "*".
IPsec Tunnels
In the IPsec networks table, create a new row. Enter the network number and netmask for the IP range from which the client obtains its DHCP IP address.
In the IPsec tunnels table, select "Network, allow subset" under Remote network: Address type.
Under Remote network: Network, select the network you just created.
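The choice between the two DHCP configurations above can be checked before touching the firewall. The following is an added example, not part of the Ingate documentation: it assumes that the "standardized private IP address ranges" are the RFC 1918 blocks, and the function name `tunnel_settings` and its dictionary keys are hypothetical.

```python
import ipaddress

# Assumption: the "standardized private IP address ranges" are the RFC 1918 blocks.
RFC1918 = [
    ipaddress.ip_network(block)
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def tunnel_settings(dhcp_pool: str) -> dict:
    """Map a client-side DHCP pool (CIDR) to the Remote network settings
    named on this page. Hypothetical helper; keys are illustrative."""
    # strict=True rejects input with host bits set, because the IPsec
    # networks table expects a network number, not a host address.
    pool = ipaddress.ip_network(dhcp_pool, strict=True)
    if pool.version != 4:
        raise ValueError("only IPv4 pools are handled in this example")

    # The whole pool must sit inside a single private block. A pool that
    # merely overlaps private space can hand out non-private addresses.
    if any(pool.subnet_of(block) for block in RFC1918):
        return {"address_type": "Any private address", "network": None}

    # Otherwise define the pool as a row in the IPsec networks table and
    # reference it from the tunnel.
    return {
        "address_type": "Network, allow subset",
        "network": (str(pool.network_address), pool.prefixlen),
    }


if __name__ == "__main__":
    # Constructed sample pools: private, carrier-grade NAT, and one that
    # contains 172.16.0.0/12 but extends beyond it.
    for sample in ("192.168.1.0/24", "100.64.0.0/10", "172.0.0.0/11"):
        print(sample, "->", tunnel_settings(sample))
```

Pools such as 100.64.0.0/10 are commonly handed out by carriers but are not RFC 1918 space, so under the stated assumption they fall into the "Network, allow subset" case.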
In this scenario, the firewall as well as the VPN client have acquired their IP addresses via DHCP/PPPoE.
This is a problem, since neither IP address is known in advance, which makes it difficult to define a connection point for either device.
One solution is to let the firewall report its IP address to DynDNS.org, where the client can look it up. This requires settings on the Dynamic DNS update page under Basic Configuration. It also requires that you acquire an account at DynDNS.org.

The firewall VPN configuration has the following details:
Dynamic DNS update
DynDNS.org status should be set to On.
Select which DynDNS.org service you use.
Enter your DynDNS.org Username and Password.
Select the IP address for updates. This should be the outside IP address of the firewall, the one obtained via DHCP/PPPoE.
Under DNS names to update at DynDNS.org, enter the host/domain name for the firewall. This is the name which the client should use to connect to the firewall.
IPsec Peers
Remote side should be set to "*".
IPsec Tunnels
Remote network: Address type should be set to "Any private address".
Remote side: Network should be left empty.