
IPSec VPN

You can use the web-based administration tool to create a connection with other ClearOS systems.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

You can find this feature in the menu system at the following location:

Network | VPN | IPsec VPN

Dynamic VPN and ClearSDN

The ClearSDN Dynamic VPN enhances the IPsec VPN experience with: i) support for dynamic IPs, ii) automatic re-connections, and iii) easier and less error-prone configuration.

Configuring Connections with Dynamic VPN

Dynamic VPN support not only simplifies configuration, but also improves the up-time of the connections. In order to create a connection between two systems, you need to configure both ClearOS systems.

If you are configuring a VPN connection between your local gateway and a remote gateway, then configure the remote gateway first. Once the VPN is started on the remote system it will only be accessible when the VPN connection is up.

From the webconfig tool, click on Create in the Dynamic VPN Connections box. You need to:

  • Select the target system name from the list
  • Type in a pre-shared secret (password)

On the first connection or when an IP address changes, it may take a minute for the connection to synchronize.

The two LAN networks at either end of the VPN connection must not overlap!

Configuring Unmanaged VPN Connections

The unmanaged VPN feature is not maintained by ClearCenter. We do not recommend using this feature in a production environment.

If you are using static IP addresses, you can also configure unmanaged VPN connections. Please keep in mind, unmanaged VPNs have the following limitations:

  • 4 tunnels are created per VPN connection, instead of the 1 tunnel used in a managed VPN
  • Unmanaged VPNs do not properly handle routing in a multi-WAN environment
  • Connections are not monitored as they are in managed VPN, so manual corrective action will be required for VPN outages

Select Headquarters and Satellite

Pick one server to be the “Headquarters” and the other to be the “Satellite”. This is just a naming convention – pick a convention and stick with it!

Gather Network Information

You must gather some network information for the IPsec server configuration, namely: the IP address, next hop (gateway), and network for both sides of the connection. Make sure these settings are correct – you will save many hours of pain and frustration. The information for the local ClearOS system is shown when you start to configure an unmanaged VPN connection.

Select a Connection Name and Pre-Shared Secret

Once you have your network settings in hand, enter the information on both ends of the VPN connection. Enter a simple nickname for the connection along with a strong pre-shared secret. When configuring the other end of the VPN connection, do not be tempted to swap the Headquarters and Satellite information! The configuration screens on both ends of the connection will look exactly the same.

Sanity Checking

Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood to verify the VPN. Instead, make sure you can ping from:

  • gateway to gateway
  • gateway to remote PC
  • remote PC to gateway
  • remote PC to remote PC

If the connection fails, double check your network settings and restart your firewall.

Configuration for Road Warriors

The web-based administration tool does not support Road Warrior connections or interoperability with other IPsec servers. The software is capable of these configurations (including X.509 solutions), however, you must manually configure these connection types - a non-trivial task.

For road warriors/telecommuters, we suggest using the 128-bit encrypted PPTP Server or the more modern, certificate-based OpenVPN. This option is not only more cost effective, but also easier to configure.

Interoperability

The IPsec protocol is an industry standard, but one with many loose ends. This means that other IPsec servers may not be able to connect to a ClearOS IPsec server. If you are familiar with the command line environment, you may be able to successfully connect a ClearOS system to a third party system. You can find more information in the OpenSwan Interoperability Documentation.

Troubleshooting

  • Make sure your firewall allows incoming connections for IPsec traffic
  • The IPsec protocol does not pass through NAT-based routers. In other words, if your external IP address is 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based router.
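The network information gathered for an unmanaged connection can be sanity-checked before either side is configured, covering the non-overlapping LAN rule from the Dynamic VPN section and the NAT check above. This is an added example, not part of the ClearOS tooling; the addresses are constructed from documentation ranges and the field names are assumed.

```python
import ipaddress

# RFC 1918 ranges; an external address in one of these means the gateway is
# behind a NAT router (the guide names 192.168.x.x and 10.x.x.x).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values for the two ends of an unmanaged connection;
# the external addresses come from documentation ranges, not a real site.
HEADQUARTERS = {"ip": "203.0.113.10", "next_hop": "203.0.113.1",
                "network": "192.168.1.0/24"}
SATELLITE = {"ip": "198.51.100.20", "next_hop": "198.51.100.1",
             "network": "192.168.2.0/24"}


def check_side(name, side):
    """Return the problems found in one gateway's network information."""
    problems = []
    ip = ipaddress.ip_address(side["ip"])
    next_hop = ipaddress.ip_address(side["next_hop"])
    lan = ipaddress.ip_network(side["network"], strict=False)
    if any(ip in net for net in RFC1918):
        problems.append(f"{name}: external IP {ip} is private, gateway is behind NAT")
    if ip in lan:
        problems.append(f"{name}: external IP {ip} lies inside its own LAN {lan}")
    if next_hop in lan:
        problems.append(f"{name}: next hop {next_hop} lies inside LAN {lan}")
    return problems


def check_connection(hq, sat):
    """Check both sides, then make sure the two LANs do not overlap."""
    problems = check_side("Headquarters", hq) + check_side("Satellite", sat)
    hq_lan = ipaddress.ip_network(hq["network"], strict=False)
    sat_lan = ipaddress.ip_network(sat["network"], strict=False)
    if hq_lan.overlaps(sat_lan):
        problems.append(f"LAN networks {hq_lan} and {sat_lan} overlap")
    return problems


if __name__ == "__main__":
    for problem in check_connection(HEADQUARTERS, SATELLITE) or ["no problems found"]:
        print(problem)
```

Run it once with the Headquarters and Satellite values filled in on both ends; an empty result means the figures at least agree with the rules in this guide.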


userguides/clearos_5.2/user_guide/ipsec_vpn.txt · Last modified: 2020/05/07 13:12 (external edit)