Use this page to create a secure, encrypted tunnel between subnets.
Navigation: NETWORK > VPN > IPsec subnets.
Create new tunnel | |
---|---|
Name | A meaningful name for this VPN. |
Enabled | Indicates whether the VPN is turned on or not. |
Local IP | The local IP address on which the tunnel terminates. Typically, this is one of your external IP addresses, though you can select a Basic interface to create an internal tunnel. |
Local network | The local subnet that the remote side can reach through the tunnel, in this format: <IP_address>/<network_mask>, for example 192.168.10.0/24. |
Local ID type | The type of identity that this system presents to the remote system; the remote gateway's Remote ID type and Remote ID value must match it. By default, a system identifies itself by the host and domain name ID value in its default local certificate. |
Local ID value | Either the host and domain name, IP address, email address, or certificate subject, depending on what you selected from the Local ID type list. |
Remote IP or hostname (blank for ANY) | The IP address or hostname of the remote gateway. You can leave this blank if the remote host uses a dynamic IP address; the Smoothwall then accepts the connection from any address but can't initiate the tunnel itself. |
Remote network | The remote subnet that local hosts can reach through the tunnel, in the same <IP_address>/<network_mask> format. |
Remote ID type | The type of identity that the remote system presents; this must match the Local ID type configured on the remote gateway. |
Remote ID value | Either the host and domain name, IP address, or certificate subject, depending on what you selected from the Remote ID type list. |
Authenticate by | The method used to authenticate the remote system. With certificate authentication, the Smoothwall validates the certificate the remote system presents as its identity credentials; otherwise both gateways must know the preshared key entered below. |
Preshared key | The preconfigured secret that only the two connecting VPN gateways know. Both gateways must use the same key. |
Preshared key again | The same preshared key, entered again to catch typing errors. |
Use compression | Compresses the traffic carried in the tunnel. This is useful on low-bandwidth links but increases CPU use on both gateways, and the benefit depends on the traffic: data that's already encrypted (such as HTTPS, or a VPN tunnel carried inside this one) or already compressed (such as streaming video) doesn't compress further and might actually slow the tunnel down. We recommend compression only for tunnels carrying mostly unencrypted, uncompressed traffic. This setting must be the same on the tunnel specifications of both connecting gateways. |
Initiate the connection | When selected, this Smoothwall initiates the tunnel. This is only possible when Remote IP or hostname is set; a gateway whose remote address is blank can only respond to the other side. |
Comment | An optional comment for this VPN. |
Advanced » |
Expands the view to show the remaining options in this table, used to configure compatibility with other VPN gateway systems. Tip: You can also use these options to tune Smoothwall to Smoothwall VPN connections for performance. |
Local certificate | The local certificate to present for this VPN, if X509 certificate authentication is used with a certificate other than the default local certificate. |
Perfect forward secrecy | Turns on perfect forward secrecy (PFS): each new set of tunnel keys is derived from a fresh Diffie-Hellman exchange rather than from the IKE keys, so previously captured VPN traffic can't be decrypted if a key currently in use is later compromised. We recommend that you use PFS for maximum security. Both VPN gateways must agree on the use of PFS. |
Authentication type | The authentication method type to use. Note: This setting must be the same on both tunnel specifications of the two connecting gateways. |
Key Life (mins) | The length of time, in minutes, that a set of tunnel (Phase 2) keys can be used for. When the key life expires, new encryption keys are generated, which limits how much traffic is ever protected by one key. We recommend that you use the default value of 60 minutes. |
Key Tries (0 means never give up) | The number of times to attempt to negotiate the connection (or a replacement for it) before giving up. The default value of 0 means that the gateway keeps retrying indefinitely. Don't use 0 on a gateway that doesn't initiate the connection: it can't bring the tunnel up itself, so endless retries serve no purpose. |
IKE lifetime (mins) | The length of time, in minutes, before the Internet Key Exchange (IKE, Phase 1) security association is renegotiated and new IKE keys are exchanged. |
Do not rekey | Turns off rekeying. This can be useful when working with NATed endpoints. |
IKEV2 | Turns on version 2 of the Internet Key Exchange protocol (IKEv2). You need IKEv2 when selecting an elliptic curve Diffie-Hellman Group for Phase 2. |
MTU | The Maximum Transmission Unit (MTU) size: the maximum size of a packet sent through the tunnel. The value must be a whole number greater than or equal to 68. In most cases, you can leave this parameter unset. However, some connectivity or performance issues might be resolved by changing the MTU. |
Local internal IP | The IP address the Smoothwall itself uses as the source address when it sends its own traffic into the tunnel (rather than forwarding traffic from hosts on Local network). |
Cryptographic algorithm | The encryption algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. |
Hash algorithm | The hashing (integrity) algorithm to use in the first and second phases when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. |
Diffie-Hellman Group | The Diffie-Hellman group used for the key exchange in the first phase when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Note: After upgrading your Smoothwall Filter and Firewall, saving changes to an existing IPsec tunnel requires you to explicitly select a Diffie-Hellman Group. |
Add | Adds the IPsec tunnel to the Current tunnels section. |
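Several rows above say a setting "must be the same on both tunnel specifications", and others (networks, IDs, remote address, initiator) must mirror each other rather than match. The following is an added consistency check written for this page, not Smoothwall's own code: it models the form on both gateways and reports every mismatch that would stop the tunnel coming up. The TunnelSpec field names, the "psk"/"certificate" labels, the "ecp"/"modp" group naming, and the sample addresses and key are all assumptions made for the example.

```python
# Added consistency check for the two ends of an IPsec subnet tunnel (not
# Smoothwall code). Field names mirror the form; value labels and sample
# addresses are assumptions made for this example.
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional

# Settings the form descriptions say must be identical on both gateways.
MUST_MATCH = ("use_compression", "perfect_forward_secrecy",
              "cryptographic_algorithm", "hash_algorithm", "diffie_hellman_group")


def is_elliptic_curve_group(group: str) -> bool:
    """Assumed naming: elliptic curve groups are 'ecp<bits>', modular ones 'modp<bits>'."""
    return group.lower().startswith("ecp")


@dataclass
class TunnelSpec:
    """One gateway's 'Create new tunnel' form."""
    name: str
    local_ip: str
    local_network: str                  # <IP_address>/<network_mask>
    remote_ip: Optional[str]            # None: 'Remote IP or hostname' left blank (ANY)
    remote_network: str
    local_id_value: str
    remote_id_value: str
    authenticate_by: str                # "psk" or "certificate" (assumed labels)
    preshared_key: Optional[str] = None
    initiate: bool = False
    use_compression: bool = False
    perfect_forward_secrecy: bool = True
    cryptographic_algorithm: str = "aes256"
    hash_algorithm: str = "sha256"
    diffie_hellman_group: str = "modp2048"
    ikev2: bool = False
    key_tries: int = 0                  # 0 means never give up


def check_one(t: TunnelSpec) -> List[str]:
    """Problems visible from a single gateway's form on its own."""
    p = []
    if t.remote_ip is None and t.initiate:
        p.append(f"{t.name}: cannot initiate when 'Remote IP or hostname' is blank")
    if not t.initiate and t.key_tries == 0:
        p.append(f"{t.name}: responder-only gateway should not use Key Tries = 0")
    if is_elliptic_curve_group(t.diffie_hellman_group) and not t.ikev2:
        p.append(f"{t.name}: elliptic curve group {t.diffie_hellman_group} requires IKEv2")
    if t.authenticate_by == "psk" and not t.preshared_key:
        p.append(f"{t.name}: preshared key authentication selected but no key entered")
    return p


def check_pair(a: TunnelSpec, b: TunnelSpec) -> List[str]:
    """Every inconsistency between the two ends; an empty list means they agree."""
    p = check_one(a) + check_one(b)
    for key in MUST_MATCH:
        if getattr(a, key) != getattr(b, key):
            p.append(f"{key} differs: {a.name}={getattr(a, key)!r}, {b.name}={getattr(b, key)!r}")
    if a.authenticate_by != b.authenticate_by:
        p.append("authenticate_by differs")
    elif a.authenticate_by == "psk" and a.preshared_key != b.preshared_key:
        p.append("preshared keys differ")
    # What one side enters as local (network, IP, ID) must be what the other
    # side has entered as remote.
    for x, y in ((a, b), (b, a)):
        if ip_network(x.local_network, strict=False) != ip_network(y.remote_network, strict=False):
            p.append(f"{x.name} local network {x.local_network} != {y.name} remote network {y.remote_network}")
        if y.remote_ip is not None and y.remote_ip != x.local_ip:
            p.append(f"{y.name} remote IP {y.remote_ip} != {x.name} local IP {x.local_ip}")
        if x.local_id_value != y.remote_id_value:
            p.append(f"{x.name} local ID {x.local_id_value!r} != {y.name} remote ID {y.remote_id_value!r}")
    if not (a.initiate or b.initiate):
        p.append("neither gateway initiates the connection")
    return p


# Constructed sample: head office on a static address, branch on a dynamic one.
# The branch initiates; head office leaves 'Remote IP or hostname' blank.
HEAD_OFFICE = TunnelSpec(
    name="hq", local_ip="203.0.113.10", local_network="10.10.0.0/16",
    remote_ip=None, remote_network="10.20.0.0/24",
    local_id_value="hq.example.com", remote_id_value="branch.example.com",
    authenticate_by="psk", preshared_key="example-psk-change-me",
    initiate=False, key_tries=3,
)
BRANCH = TunnelSpec(
    name="branch", local_ip="198.51.100.77", local_network="10.20.0.0/24",
    remote_ip="203.0.113.10", remote_network="10.10.0.0/16",
    local_id_value="branch.example.com", remote_id_value="hq.example.com",
    authenticate_by="psk", preshared_key="example-psk-change-me",
    initiate=True,
)
# The branch with three typical mistakes: PFS off on one side only, an elliptic
# curve group without IKEv2, and the local subnet mistyped.
BAD_BRANCH = replace(BRANCH, perfect_forward_secrecy=False,
                     diffie_hellman_group="ecp256", local_network="10.20.1.0/24")
# Head office told to initiate although its remote address is blank.
BLANK_REMOTE_INITIATOR = replace(HEAD_OFFICE, initiate=True)
```

`check_pair(HEAD_OFFICE, BRANCH)` returns an empty list, while `check_pair(HEAD_OFFICE, BAD_BRANCH)` returns four findings: the PFS and Diffie-Hellman Group mismatches, the elliptic curve group selected without IKEv2, and the branch's Local network no longer matching the head office's Remote network. Run the same check before saving a tunnel on the second gateway, since every one of these mistakes produces an IKE negotiation failure that is far harder to diagnose from the logs than from the two forms side by side.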
Current tunnels | |
---|---|
Name | Opens the details of the tunnel in a new tab. |
Enabled | Indicates whether the tunnel is active or not. |
Initiator | Indicates whether the local VPN system initiates this tunnel connection (only possible when the remote IP address is known). |
Local IP | The local IP address on which the tunnel terminates. |
Remote IP | The remote IP address. |
Remote network | The remote network subnet address that the local host has access to. |
Authenticate by | The authentication method. |
Comment | Any comments that you added when you added the tunnel. |
Mark | Indicates whether the tunnel is selected or not. |
Remove | Removes the marked tunnel. |
Edit | Populates the Create new tunnel section with the details of the marked tunnel so that you can edit the details. |