52.2. Configuration on the Intra2net System

52.2.1. Prerequisites

First of all, you must ensure that each side has its own key and the public key of the other. It is recommended that you create a dedicated key for VPNs only on each system.

If you set up multiple VPNs on the Intra2net system, you do not have to create a separate key for each connection: You can use a single key for all VPNs. Of course you will still need the public key from each of the peers.

Further details on key management can be found in 43. Chapter, „Key Management“.

52.2.2. Default Settings

You can configure VPN connections in the Services > VPN > Connections menu.

On the first page, set the remote side. The remote side is the official IP under which the Intra2net system can reach the IPSec gateway on the peer's side of the connection. Do not confuse this with the IP that the peer has in its own network (typically from a private network area).

If the peer has a static IP, it is advisable to enter this IP and not the DNS name, which might also exist. If the peer is not accessible from the Intra2net system or has no DynDNS name (e.g. because it is located in a UMTS network and cannot be reached behind NAT), you can enter "Dynamic IP (Road Warrior)" as the type. However, this setting is intended for individual clients and not so much for permanently active connections between networks.

The encryption algorithms used can be selected via the encryption profile; for details see Section 42.5, „Algorithms“. It is important that the setting for Perfect Forward Secrecy (PSF) is identical on both sides.

Encapsulation controls how the packets for the VPN tunnel are packed. With ESP, encryption and authentication are encapsulated. With ESP+AH, encryption and authentication are carried out separately. ESP+AH cannot be conducted through NAT, so ESP is widely accepted. This setting must be identical on both sides of the connection.

52.2.3. Authentication

Select your own key and the key of the remote side.

For the reasons mentioned in Section 42.6, „Limitations“ we advise against authenticating connections using a pre-shared key (PSK). If you still want to use it, you must choose the IPSec IDs of both sides in addition to the common key. If both sides have static IPs, you can use the IPs directly as IPSec IDs. For dynamic IPs, it is recommended to enter email addresses as IPSec IDs.

52.2.4. Configuring the Tunnel

On the "Tunnel" page, you can configure which networks are connected to each other by this VPN connection.

The Local network option selects the network to be connected on the side of the Intra2net system. With the Local networks option, select one of the networks directly connected or routed to the Intra2net system.

For Remote network select the Custom net type and enter IP and netmask of the network behind the IPSec Gateway on the peer's side.

The options for address conversion (NAT) are explained in 56. Chapter, „Solving IP Address Conflicts in VPNs Through NAT“.

52.2.5. Rights

In this menu the rights of the VPN network on the peer's side are defined. This applies to all packets coming from the VPN network. A description of the rights options can be found under Section 9.3, „Access Rights of a Network Object“.

52.2.6. Activation

This menu is used to configure when the connection is established and when existing sessions are to be extended.

For passive or manual start, the Intra2net system waits until either the peer establishes the connection or a user establishes the connection manually through the mainpage. If the connection is always running, the Intra2net system will continuously try to establish the connection and keep it open.

The number of setup attempts only affects the manual setup on the mainpage. This option has no impact when used in conjunction with Always.

The lifespan of the two phases indicates how many minutes after a connection should be re-authenticated and new session keys negotiated. The time for phase 1 should be greater than the time for phase 2, these values do not have to match the settings of the peer.

If a value is entered for Offline detection, the Intra2net system sends a packet to the other side at a minimum of the specified number of times. If no response is received on multiple occasions, the connection is dropped and re-established. This function uses the IPSec default dead-peer detection (DPD).