This Configuration Guide demonstrates how to set up an IPsec connection to a remote terminal.
Situation
A remote router is connected to the Internet. An encrypted IPsec connection is to be established to the network behind this router.
Solution
It is a prerequisite that you have access to the web interface of the router and that the router has been configured for a WAN connection using the startup wizard from default settings. The following figure shows the network topology that is used for this example:
Note on the addresses used!
All addresses are exemplary for the present example and must be adjusted to your application.
Keep your router up to date!
Update your router to icom OS 7.3 or later first! Starting with this version, all encryption algorithms that are no longer considered sufficiently secure have been removed, which rules out their being used inadvertently.
Open the user interface of the router: https://insys.icom
On the Network → Interfaces page, under IPsec, add a new IPsec tunnel from the local LAN to the remote router and configure it as follows:
Description: IPsec tunnel to 69.32.16.8
IP address or domain name of remote site: 69.32.16.8
Create tunnel interface: VTI interface (this allows a free IP address in the local subnet to be assigned to the tunnel; if none is selected, no routes or IP filter rules can be created for the tunnel)
Local tunnel address: 192.168.2.0 / 24
Local ID: can be optionally modified if the default ID (IP address) cannot or should not be used
Remote ID: can be explicitly specified if the actual IP address differs from the received ID or is unknown
Configure the authentication of the IPsec connection (Phase 1) accordingly:
IKE version: select the IKE version used by the IPsec remote site and, if necessary, the IKEv1 mode
Please note regarding IKEv1 mode!
Main mode transmits the identities and authentication data encrypted, which makes it the safer method. Aggressive mode sends them unencrypted, which saves a round trip and makes it faster; with pre-shared keys in particular this exposes the PSK-based authentication hash to offline dictionary attacks. It is strongly recommended not to use Aggressive mode for reasons of security.
Authentication: select the authentication method used
Certificate: check the checkbox Upload and apply certificates and upload CA certificate, Certificate and Private key
Pre-shared key: enter the pre-shared key (use a long, randomly generated key; a short or guessable key is the weakest point of PSK authentication)
Configure the IPsec connection (Phase 2) accordingly:
IP address of tunnel interface (VTI): 192.168.2.0 / 32 (avoid address conflicts!)
Local subnet: 192.168.2.0 / 24
Remote subnet: 192.168.200.0 / 24
Additional IPsec SAs!
In order to tunnel different networks separately, up to 20 additional IPsec SAs can be added under this IKE SA.
Additional parameters in extended view!
Depending on the remote site, it may be necessary to configure additional parameters in the extended view. Open the extended view by clicking on "to extended view".
Enforce UDP encapsulation: if checked, all ESP (Encapsulating Security Payload) packets are encapsulated in UDP packets and sent via UDP port 4500. If this option is not checked, this is only done if one of the two terminals is reached through a NAT (Network Address Translation) router.
Dead peer detection interval: defines the interval at which requests are sent to the remote terminal through the tunnel.
Dead peer detection timeout: the requests must be answered within this time, otherwise the connection is considered closed.
Maximum wait time to establish connection: defines the time granted for establishing the IPsec tunnel within the WAN chain. If the tunnel cannot be established within this time, the establishment of the WAN chain is considered failed.
IKE Key Parameters: these can be negotiated automatically or set fixed. In the latter case, the encryption and hash algorithm as well as the Diffie-Hellman group are selected from the respective drop-down lists. The parameters selected here must be supported by the remote terminal. AES GCM and AES CBC as well as SHA-256, -384 and -512 are recommended as per BSI TR-02102-3 (the IPsec/IKE part of the guideline). DES, SHA-1 and MD5 are not recommended.
IKE key renegotiation interval: defines the interval for the regular renewal of the IKE key; it must expire before new keys are created.
IKE key renegotiation tries: defines how many renegotiation attempts are made before the remote terminal is considered unavailable.
Exclusive tunnelling: data traffic from the router into the IPsec tunnel is restricted to the protocol and/or port specified under Local. Data traffic from the IPsec tunnel to the router is restricted to the protocol and/or port specified under Remote.
IPsec Key Parameters: these can be negotiated automatically or set fixed. In the latter case, the encryption and hash algorithm as well as the Diffie-Hellman group are selected from the respective drop-down lists. If a Diffie-Hellman group is also selected with fixed key parameters, perfect forward secrecy (PFS) is enabled. With automatically negotiated key parameters, no Diffie-Hellman group and therefore no PFS is used; prefer fixed parameters with a DH group, since without PFS a later compromise of the IKE key material exposes recorded traffic. The parameters selected here must be supported by the remote terminal. AES GCM and AES CBC as well as SHA-256, -384 and -512 are recommended as per BSI TR-02102-3. DES, SHA-1 and MD5 are not recommended.
IPsec key renegotiation interval: defines the interval for the regular renewal of the data connection key; it must expire before new keys are created.
Dead peer detection action: configures whether a connection recognised as aborted by the dead peer detection configured above is to be restarted (restart) or closed (clear).
MTU: in rare cases, it may be necessary to adjust the Maximum Transmission Unit (MTU, the maximum permissible number of bytes in a packet to be transmitted).
Click on SUBMIT.
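As an added illustration of the IKE and IPsec key-parameter recommendations above (this is example code written for this page, not part of the router or its documentation), the following Python script checks a Phase 1 and a Phase 2 proposal against a policy derived from those recommendations. The recommended and not-recommended algorithm sets, the minimum Diffie-Hellman group of 14 (2048-bit MODP), the rule that Phase 2 without a DH group means no PFS, and the Proposal structure and function names are assumptions of this example; the IKEv1 Aggressive mode finding restates the note above.

```python
"""Policy check for IKE (Phase 1) / IPsec (Phase 2) proposals.

Added example, not INSYS code. The algorithm sets below are an assumption
derived from the guide's recommendations (AES GCM / AES CBC with SHA-256,
-384, -512; no DES, SHA-1, MD5; enable PFS) plus a 2048-bit MODP minimum
for Diffie-Hellman (group 14).
"""
from dataclasses import dataclass
from typing import List, Optional

RECOMMENDED_ENC = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                   "aes128-gcm", "aes192-gcm", "aes256-gcm"}
RECOMMENDED_HASH = {"sha256", "sha384", "sha512"}
WEAK_ENC = {"des", "3des", "null"}
WEAK_HASH = {"md5", "sha1"}
MIN_DH_GROUP = 14   # assumption: 2048-bit MODP; groups 1, 2 and 5 are too small


@dataclass
class Proposal:
    phase: str                  # "ike" (Phase 1) or "ipsec" (Phase 2)
    encryption: str             # e.g. "aes256-gcm", "aes128-cbc", "3des"
    hash: Optional[str]         # integrity/PRF, e.g. "sha256"; None = not configured
    dh_group: Optional[int]     # None = no Diffie-Hellman (for Phase 2: no PFS)
    ike_version: int = 2
    ikev1_mode: str = "main"    # only relevant when ike_version == 1


def check_proposal(p: Proposal) -> List[str]:
    """Return a list of findings; an empty list means the proposal passes the policy."""
    findings: List[str] = []
    enc = p.encryption.lower()
    if enc in WEAK_ENC:
        findings.append(f"{p.phase}: encryption {enc} is not recommended (DES/3DES/NULL)")
    elif enc not in RECOMMENDED_ENC:
        findings.append(f"{p.phase}: encryption {enc} is not in the recommended set")

    aead = enc.endswith("-gcm")          # AES-GCM authenticates the payload itself
    h = p.hash.lower() if p.hash else None
    if h is None:
        if not aead:
            findings.append(f"{p.phase}: no integrity algorithm with a non-AEAD cipher")
    elif h in WEAK_HASH:
        findings.append(f"{p.phase}: hash {h} is not recommended (MD5/SHA-1)")
    elif h not in RECOMMENDED_HASH:
        findings.append(f"{p.phase}: hash {h} is not in the recommended set")

    if p.dh_group is None:
        if p.phase == "ike":
            findings.append("ike: a Diffie-Hellman group is required for IKE")
        else:
            findings.append("ipsec: no Diffie-Hellman group selected, so PFS is disabled; "
                            "select a DH group in the fixed IPsec key parameters")
    elif p.dh_group < MIN_DH_GROUP:
        findings.append(f"{p.phase}: DH group {p.dh_group} is below group "
                        f"{MIN_DH_GROUP} (2048-bit MODP)")

    if p.phase == "ike" and p.ike_version == 1 and p.ikev1_mode.lower() == "aggressive":
        findings.append("ike: IKEv1 Aggressive mode sends identities and the PSK hash "
                        "unencrypted; use Main mode")
    return findings


def check_tunnel(ike: Proposal, ipsec: Proposal) -> List[str]:
    """Findings for both phases of one tunnel."""
    return check_proposal(ike) + check_proposal(ipsec)


if __name__ == "__main__":
    # Constructed sample: a legacy proposal next to the corrected one.
    legacy = check_tunnel(
        Proposal("ike", "3des", "sha1", 2, ike_version=1, ikev1_mode="aggressive"),
        Proposal("ipsec", "aes128-cbc", "md5", None))
    corrected = check_tunnel(
        Proposal("ike", "aes256-gcm", "sha256", 14),
        Proposal("ipsec", "aes256-gcm", "sha256", 14))
    print("legacy:", *legacy, sep="\n  ")
    print("corrected:", corrected or "OK")
```

The legacy sample produces six findings (weak cipher, weak hash, small DH group and Aggressive mode in Phase 1; MD5 and missing PFS in Phase 2), the corrected one none. Adjust the sets at the top if your remote site's policy differs.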
On the Network → WAN / Internet page, under Primary Internet connection, click on Append interface to append the IPsec interface to the WAN chain and select the interface ipsec1 for Start position 2.
Click on SUBMIT.
On the Network → Routing page, under Static routes, add a new static route through the IPsec tunnel to the remote subnet behind the remote router and configure it as follows:
Description: IPsec route to 192.168.200.0
Creation after start of Interface: ipsec1
Type of the route: Network 192.168.200.0 / 24
Gateway: interface ipsec1
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows outgoing IPsec connection establishment and key exchange (IKE) and configure it as follows:
Description: IPsec (tunnel establishment)
Packet direction: OUTPUT
IP version: All
Protocol: UDP
Output interface: Check the WAN interface used, i.e. lte2 or net3.
Destination port: 500
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows the outgoing IPsec tunnel traffic (ESP) and configure it as follows:
Description: IPsec protocol ESP
Packet direction: OUTPUT
IP version: All
Protocol: ESP
Output interface: Check the WAN interface used, i.e. lte2 or net3.
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows outgoing IPsec connection establishment and key exchange when NAT traversal is used and configure it as follows:
Description: IPsec UDP Port 4500 (NAT traversal)
Packet direction: OUTPUT
IP version: All
Protocol: UDP
Output interface: Check the WAN interface used, i.e. lte2 or net3.
Destination port: 4500
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows incoming IPsec connection establishment and key exchange (IKE) and configure it as follows:
Description: IPsec (tunnel establishment)
Packet direction: INPUT
IP version: All
Protocol: UDP
Input interface: Check the WAN interface used, i.e. lte2 or net3.
Destination port: 500
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows the incoming IPsec tunnel traffic (ESP) and configure it as follows:
Description: IPsec protocol ESP
Packet direction: INPUT
IP version: All
Protocol: ESP
Input interface: Check the WAN interface used, i.e. lte2 or net3.
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows incoming IPsec connection establishment and key exchange when NAT traversal is used and configure it as follows:
Description: IPsec UDP Port 4500 (NAT traversal)
Packet direction: INPUT
IP version: All
Protocol: UDP
Input interface: Check the WAN interface used, i.e. lte2 or net3.
Destination port: 4500
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows the router to send all data through the IPsec tunnel and configure it as follows:
Description: Traffic through the IPsec tunnel sent by the router
Packet direction: OUTPUT
IP version: All
Protocol: All
Output interface: ipsec1
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows the router to receive all data through the IPsec tunnel and configure it as follows:
Description: Traffic through the IPsec tunnel sent to the router
Packet direction: INPUT
IP version: All
Protocol: All
Input interface: ipsec1
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows all data from the local network to be routed through the IPsec tunnel and configure it as follows:
Description: Traffic from the local net through the IPsec tunnel
Packet direction: FORWARD
IP version: All
Protocol: All
Input interface: net2
Output interface: ipsec1
Click on SUBMIT.
On the Network → Firewall / NAT page, under IP filter, add an IP filter rule that allows all data from the IPsec tunnel to be routed to the local network and configure it as follows:
Description: Traffic through the IPsec tunnel to the local net
Packet direction: FORWARD
IP version: All
Protocol: All
Input interface: ipsec1
Output interface: net2
Click on SUBMIT.
Activate the profile with a click on ACTIVATE PROFILE.
Observe the establishment of the WAN chain containing the tunnel on the Status → Dashboard page in the WAN chain section.
On the Administration → Debugging page, click on OPEN DEBUG TOOLS, select the tool Ping, enter reachable IP addresses of the remote subnet under Parameter and click on SEND to verify connectivity.
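The ten IP filter rules above form one set that has to be repeated for every tunnel and every WAN interface. The following Python script is an added example written for this page (not the vendor's tool): it builds that rule set for given WAN, LAN and tunnel interface names, emits it in the same key=value format as the ASCII configuration file shown further below, and checks that IKE (UDP 500), NAT traversal (UDP 4500) and ESP are allowed in both directions on every WAN interface and that the tunnel interface passes traffic both ways. The interface names lte2, net3, net2 and ipsec1 are the guide's example values; the function names and the completeness check are this example's own assumptions, not a vendor feature.

```python
"""Generate and sanity-check the IP filter rules for an IPsec tunnel.

Added example, not INSYS code. Output format follows the guide's ASCII
configuration file (netfilter.ip_filter.rule.add followed by
netfilter.ip_filter.rule[last].<key>=<value> lines).
"""
from typing import Dict, List, Optional

PREFIX = "netfilter.ip_filter.rule"


def rule(description: str, direction: str, protocol: str, *,
         input_if: Optional[List[str]] = None, output_if: Optional[List[str]] = None,
         dport: Optional[int] = None) -> Dict[str, str]:
    """One filter rule as an ordered key/value mapping (key order as in the guide)."""
    r = {"rule_active": "1", "rule_description": description,
         "rule_direction": direction, "rule_protocol": protocol}
    if input_if:
        r["rule_input_if"] = ",".join(input_if)
    if output_if:
        r["rule_output_if"] = ",".join(output_if)
    if dport:
        r["rule_dport"] = str(dport)
    r["rule_ipversion"] = "all"
    return r


def ipsec_rules(wan_ifs: List[str], lan_if: str, tunnel_if: str) -> List[Dict[str, str]]:
    """The ten rules of the guide, parameterised by interface names."""
    rules = []
    for direction, key in (("output", "output_if"), ("input", "input_if")):
        wan = {key: wan_ifs}
        rules.append(rule("IPsec (tunnel establishment)", direction, "udp", dport=500, **wan))
        rules.append(rule("IPsec protocol ESP", direction, "esp", **wan))
        rules.append(rule("IPsec UDP Port 4500 (NAT traversal)", direction, "udp", dport=4500, **wan))
    rules.append(rule("Traffic through the IPsec tunnel sent by the router", "output", "all",
                      output_if=[tunnel_if]))
    rules.append(rule("Traffic through the IPsec tunnel sent to the router", "input", "all",
                      input_if=[tunnel_if]))
    rules.append(rule("Traffic from the local net through the IPsec tunnel", "forward", "all",
                      input_if=[lan_if], output_if=[tunnel_if]))
    rules.append(rule("Traffic through the IPsec tunnel to the local net", "forward", "all",
                      input_if=[tunnel_if], output_if=[lan_if]))
    return rules


def to_ascii(rules: List[Dict[str, str]]) -> str:
    """Render rules in the router's ASCII configuration format."""
    lines = []
    for r in rules:
        lines.append(f"{PREFIX}.add")
        for k, v in r.items():
            lines.append(f"{PREFIX}[last].{k}={v}")
    return "\n".join(lines) + "\n"


def _allows(r: Dict[str, str], direction: str, protocol: str, iface: str,
            dport: Optional[int]) -> bool:
    if r["rule_direction"] != direction or r["rule_protocol"] not in (protocol, "all"):
        return False
    if dport is not None and r.get("rule_dport") not in (None, str(dport)):
        return False
    key = "rule_input_if" if direction == "input" else "rule_output_if"
    return iface in r.get(key, "").split(",")


def missing_rules(rules: List[Dict[str, str]], wan_ifs: List[str], tunnel_if: str) -> List[str]:
    """List the INPUT/OUTPUT permissions a minimal tunnel needs but the rule set lacks.
    (Assumption of this example; FORWARD rules are not checked.)"""
    needed = []
    for w in wan_ifs:
        for d in ("input", "output"):
            needed += [(d, "udp", w, 500), (d, "udp", w, 4500), (d, "esp", w, None)]
    needed += [("output", "all", tunnel_if, None), ("input", "all", tunnel_if, None)]
    return [f"{d} {p} on {i}" + (f" port {dp}" if dp else "")
            for d, p, i, dp in needed if not any(_allows(r, d, p, i, dp) for r in rules)]


if __name__ == "__main__":
    rules = ipsec_rules(["lte2", "net3"], "net2", "ipsec1")
    print(to_ascii(rules), end="")
    print("# missing:", missing_rules(rules, ["lte2", "net3"], "ipsec1") or "none")
```

Run it with your own interface names (for a second tunnel, ipsec2 and its own LAN interface) and paste the output into the profile as described under Adding a List Parameter to a Profile Using Lua; run missing_rules against a hand-entered rule set to spot a forgotten direction or interface.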
We’ve prepared the following ASCII configuration file for adding the filter rules in one go instead of entering them one by one as described in detail above. Copy and paste it to your text editor or download it using the link below. Don’t forget to adjust it to your application if required.
The ASCII configuration file will add all filters as above with both possible WAN interfaces that can be created by the Startup wizard, i.e. lte2 and net3.
Refer to Adding a List Parameter to a Profile Using Lua to see how to apply an ASCII configuration file to a profile.
ASCII configuration file
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=IPsec (tunnel establishment)
netfilter.ip_filter.rule[last].rule_direction=output
netfilter.ip_filter.rule[last].rule_protocol=udp
netfilter.ip_filter.rule[last].rule_output_if=lte2,net3
netfilter.ip_filter.rule[last].rule_dport=500
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=IPsec protocol ESP
netfilter.ip_filter.rule[last].rule_direction=output
netfilter.ip_filter.rule[last].rule_protocol=esp
netfilter.ip_filter.rule[last].rule_output_if=lte2,net3
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=IPsec UDP Port 4500 (NAT traversal)
netfilter.ip_filter.rule[last].rule_direction=output
netfilter.ip_filter.rule[last].rule_protocol=udp
netfilter.ip_filter.rule[last].rule_output_if=lte2,net3
netfilter.ip_filter.rule[last].rule_dport=4500
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=IPsec (tunnel establishment)
netfilter.ip_filter.rule[last].rule_direction=input
netfilter.ip_filter.rule[last].rule_protocol=udp
netfilter.ip_filter.rule[last].rule_input_if=lte2,net3
netfilter.ip_filter.rule[last].rule_dport=500
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=IPsec protocol ESP
netfilter.ip_filter.rule[last].rule_direction=input
netfilter.ip_filter.rule[last].rule_protocol=esp
netfilter.ip_filter.rule[last].rule_input_if=lte2,net3
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=IPsec UDP Port 4500 (NAT traversal)
netfilter.ip_filter.rule[last].rule_direction=input
netfilter.ip_filter.rule[last].rule_protocol=udp
netfilter.ip_filter.rule[last].rule_input_if=lte2,net3
netfilter.ip_filter.rule[last].rule_dport=4500
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=Traffic through the IPsec tunnel sent by the router
netfilter.ip_filter.rule[last].rule_direction=output
netfilter.ip_filter.rule[last].rule_protocol=all
netfilter.ip_filter.rule[last].rule_output_if=ipsec1
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=Traffic through the IPsec tunnel sent to the router
netfilter.ip_filter.rule[last].rule_direction=input
netfilter.ip_filter.rule[last].rule_protocol=all
netfilter.ip_filter.rule[last].rule_input_if=ipsec1
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=Traffic from the local net through the IPsec tunnel
netfilter.ip_filter.rule[last].rule_direction=forward
netfilter.ip_filter.rule[last].rule_protocol=all
netfilter.ip_filter.rule[last].rule_input_if=net2
netfilter.ip_filter.rule[last].rule_output_if=ipsec1
netfilter.ip_filter.rule[last].rule_ipversion=all
netfilter.ip_filter.rule.add
netfilter.ip_filter.rule[last].rule_active=1
netfilter.ip_filter.rule[last].rule_description=Traffic through the IPsec tunnel to the local net
netfilter.ip_filter.rule[last].rule_direction=forward
netfilter.ip_filter.rule[last].rule_protocol=all
netfilter.ip_filter.rule[last].rule_input_if=ipsec1
netfilter.ip_filter.rule[last].rule_output_if=net2
netfilter.ip_filter.rule[last].rule_ipversion=all
Troubleshooting
Disable the IP filters for IPv4 in the Network → Firewall / NAT menu under Settings IP filter to check whether incorrect filter settings are the reason for connection problems.
If NAT is used, it may be necessary to configure the Local ID and Remote ID for the IPsec connection. If nothing is configured, the respective reachable IP addresses are normally used. Otherwise, domain names, @ strings (alphanumeric strings containing an @) or the Distinguished Name (DN) can be used as the ID. If certificate-based authentication is used and the DN cannot easily be derived, a connection attempt is made, which then fails as expected. However, the log of this attempt shows what the remote station presents as its DN, and therefore what it would expect. Copy the DN of the remote station and replace the common name with your own common name.