About
An IPsec VPN creates a secure, encrypted tunnel between two distinct networks (subnets) over an untrusted connection, such as the internet. There are two categories of IPsec VPN within Smoothwall’s Unified Threat Management (UTM) system:
- IPSec Subnets allow traffic between two permanent locations, such as a district office and a school, as if they were physically connected. To set this up, configure the specific local and remote subnets that pass through the VPN tunnel. See Creating an IPsec Tunnel and Creating the tunnel on the secondary system.
- Road Warrior is ideal for users on mobile devices who don’t have fixed locations or static IP addresses. This category allows mobile devices to securely connect to the parent network (the Smoothwall appliance) by ensuring that users have the correct credentials or VPN certificates.
IPSec VPN features
- Purpose: IPSec VPN routes traffic between two internal networks so that users on both ends can access resources, such as servers or printers, as if they were on the same local network.
- Tunneling: IPSec VPN encrypts data packets within the tunnel by “wrapping” the original packet and placing it inside a new IP packet.
- Authentication: IPSec VPN supports several authentication methods, such as Preshared Keys (PSK) for simple setups or Certificates (RSA) for enterprise-level security.
- Negotiation: IPSec VPN uses the Internet Key Exchange (IKE) protocol to manage the secure "handshake" between the two Smoothwall appliances.
What you need to configure IPSec VPN
To set up IPSec VPN, you must configure three core components:
- IPSec Subnets: Explicitly define the Local Network (your LAN) and the Remote Network (the other site's LAN). If these don't match exactly on both appliances, the tunnel will fail to connect.
- Firewall Rules: Create a specific Firewall Rule that allows traffic to flow between the IPsec interface and your Internal interfaces.
- ID and encryption settings: You can choose between:
  - IP Address and PSK for IPSec tunnels.
  - Active Directory (AD) or local users for SSL VPN.
Note
Your encryption settings must match. See Set up IPSec VPN for details.
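
A pre-deployment check for the two matching requirements above (mirrored local and remote subnets, identical encryption settings), as an added example that is not Smoothwall code. The dictionary layout, field names and sample values are constructed for illustration and do not reflect the appliance's configuration format.

```python
import ipaddress

# Hypothetical field names; not Smoothwall's configuration format.
MATCH_FIELDS = ("auth_method", "encryption", "integrity", "dh_group")

def check_tunnel(site_a, site_b):
    """Return the mismatches between the two ends of a planned tunnel."""
    problems, nets = [], {}
    for name, site in (("A", site_a), ("B", site_b)):
        for side in ("local", "remote"):
            try:
                # strict=True rejects host bits, e.g. 10.10.0.5/16
                nets[name, side] = ipaddress.ip_network(site[side], strict=True)
            except ValueError as exc:
                problems.append(f"site {name} {side} subnet invalid: {exc}")
    if problems:
        return problems
    # Each end's local subnet must be exactly the other end's remote subnet.
    for here, there in (("A", "B"), ("B", "A")):
        if nets[here, "local"] != nets[there, "remote"]:
            problems.append(
                f"site {here} local {nets[here, 'local']} != "
                f"site {there} remote {nets[there, 'remote']}")
    # Settings that both appliances must agree on.
    for field in MATCH_FIELDS:
        if site_a.get(field) != site_b.get(field):
            problems.append(
                f"{field}: {site_a.get(field)!r} vs {site_b.get(field)!r}")
    return problems

# Constructed sample values for a district office (A) and a school (B).
SITE_A = {"local": "10.10.0.0/16", "remote": "10.20.0.0/16",
          "auth_method": "psk", "encryption": "aes256",
          "integrity": "sha256", "dh_group": 14}
SITE_B_OK = dict(SITE_A, local="10.20.0.0/16", remote="10.10.0.0/16")
# Remote prefix is /24 instead of /16 and the cipher differs.
SITE_B_BAD = dict(SITE_B_OK, remote="10.10.0.0/24", encryption="aes128")

if __name__ == "__main__":
    for label, site_b in (("ok", SITE_B_OK), ("bad", SITE_B_BAD)):
        print(label, check_tunnel(SITE_A, site_b) or "consistent")
```

A prefix-length difference such as /16 on one appliance and /24 on the other is reported as a mismatch even though the ranges overlap, which is the "match exactly" condition.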