Before creating a road warrior connection using IPsec, see the following list to assess whether it's the right choice:
- Each connection can be routed to a different internal network.
- Each connection can use different types of cryptographic and authentication settings.
- Software needs to be installed on road warrior devices.
The same advanced options that are available when configuring IPsec site-to-site VPNs are also available to IPsec road warriors. This includes overriding the default local certificate.
Prerequisites
- Create a certificate for each road warrior user, see our help topic, Importing and creating certificates.
- Configure the preshared key for IPsec road warrior, see our help topic, Managing global VPN network settings.
Note: Typically, user specified ID types are used when connecting to non-Smoothwall VPN gateways. Refer to your vendor's documentation.
Procedure
- On the NETWORK menu, under the VPN submenu, click IPsec road warriors.
- Under the Create new tunnel section, enter a meaningful Name for this VPN.
- From the Local IP list, select the local IP address that the tunnel connects to and enter the Local network IP address and network mask, in this format: <IP_address>/<network_mask>.
- Enter a valid Client IP address for this road warrior tunnel. The specified IP address must be available on the network specified for Local network.
- From the Local ID type list, choose the identity type that's presented. We recommend that you use the default.
- If the Local ID type is user defined, enter the Local ID value, which might be a host and domain name, IP address, email address, or certificate subject.
- From the Remote ID type list, select "Remote IP (or ANY if blank Remote IP)". We recommend that you use this setting because it means that the road warrior can present any form of valid credentials.
- If you choose a user-defined Remote ID type, enter the Remote ID value that matches the ID in the certificate that the road warrior is expected to use.
- From the Authenticate by list, select the authentication method. To compress tunnel communication (if your traffic is non-encrypted), select the Use compression option.
- Either click Add, or click Advanced » to configure more settings.
- If non-standard X509 authentication is used for this VPN, from the Local certificate list choose the local certificate.
- To make sure that previous VPN communications can't be decoded should a key currently in use be compromised, select the Perfect forward secrecy (PFS) key establishment protocol option.
- From the Authentication type list, choose the authentication method. This setting must be the same on both tunnel specifications of two connecting gateways.
- Enter the Key Life (mins), the length of time, in minutes, that a set of keys can be used for. We recommend that you use the default, and maximum, value of 60 minutes.
- Enter the Key Tries (0 means never give up), the number of connection attempts before failing, and enter the IKE lifetime (mins), the length of time, in minutes, after which the Internet Key Exchange (IKE) keys are exchanged again.
- To turn off rekeying, select the Do not rekey option. To turn on the Internet Key Exchange version 2 (IKEV2) protocol, select the IKEV2 option.
- Enter the Maximum Transmission Unit (MTU) size - it must be a whole number greater than or equal to 68.
- On both tunnel specifications of two connecting gateways, for both Phase 1 and Phase 2:
  - From the Cryptographic algorithm list, select the encryption algorithm to use in the first and second phases when establishing the VPN connection.
  - From the Hash algorithm list, select the hashing algorithm to use in the first phase when establishing the VPN connection.
  - From the Diffie-Hellman Group list, select the Diffie-Hellman group to use for key exchange in the second phase when establishing the VPN connection.
- Click Add.
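As an added pre-check that is not part of the Smoothwall documentation, the following Python function validates a set of road warrior tunnel settings against the constraints stated in the steps above: the Local network format, the Client IP lying inside the Local network, the 60-minute Key Life maximum, Key Tries, an MTU of at least 68, and whether PFS is enabled. The RoadWarriorTunnel model, its field names and its defaults for IKE lifetime and MTU are assumptions for illustration, not Smoothwall's own data model.

```python
import ipaddress
from dataclasses import dataclass

MIN_MTU = 68            # lower bound stated in the procedure
MAX_KEY_LIFE_MIN = 60   # default and maximum Key Life stated in the procedure


@dataclass
class RoadWarriorTunnel:
    """Illustrative subset of the road warrior form fields (assumed model, not Smoothwall's)."""
    name: str
    local_network: str          # "<IP_address>/<network_mask>", as entered in the form
    client_ip: str
    key_life_min: int = MAX_KEY_LIFE_MIN
    key_tries: int = 0          # 0 means never give up
    ike_lifetime_min: int = 60  # assumed default; the page does not state one
    mtu: int = 1400             # assumed default; the page does not state one
    pfs: bool = True


def check_tunnel(t: RoadWarriorTunnel) -> list[str]:
    """Return a list of problems; an empty list means the settings pass every check."""
    problems = []
    if not t.name.strip():
        problems.append("Name: enter a meaningful name for the tunnel")
    net = client = None
    try:
        # strict=False accepts a host address before the mask, e.g. 10.0.0.1/255.255.255.0
        net = ipaddress.ip_network(t.local_network, strict=False)
    except ValueError:
        problems.append(f"Local network: {t.local_network!r} is not <IP_address>/<network_mask>")
    try:
        client = ipaddress.ip_address(t.client_ip)
    except ValueError:
        problems.append(f"Client IP: {t.client_ip!r} is not a valid IP address")
    if net is not None and client is not None:
        if client not in net:
            problems.append(f"Client IP: {client} is not inside Local network {net}")
        elif net.prefixlen < 31 and client in (net.network_address, net.broadcast_address):
            problems.append(f"Client IP: {client} is the network or broadcast address of {net}")
    if not 1 <= t.key_life_min <= MAX_KEY_LIFE_MIN:
        problems.append(f"Key Life: {t.key_life_min} min is outside 1..{MAX_KEY_LIFE_MIN}")
    if t.key_tries < 0:
        problems.append("Key Tries: must be 0 (never give up) or a positive count")
    if t.ike_lifetime_min < 1:
        problems.append("IKE lifetime: must be at least 1 minute")
    if t.mtu < MIN_MTU:
        problems.append(f"MTU: {t.mtu} is below the minimum of {MIN_MTU}")
    if not t.pfs:
        problems.append("PFS: disabled, so a compromised current key would expose earlier sessions")
    return problems
```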