IPSec Client

IPSec VPN

The IPSec VPN feature allows the creation of VPN tunnels between an EdgeServer and an IPSec VPN server – with the EdgeServer being a VPN Client (Remote Site) and another being an IPsec VPN Server (Operations Center).

The following section will define the primary sequential steps to configure the EdgeServer device as an IPSec VPN Client.

Configure IPSec VPN Client

An EdgeServer IPSec VPN Client service can have multiple VPN Clients configured. Thus, for example, an EdgeServer can have a unique IPSec VPN tunnel for each Access network on the EdgeServer.

In any case, each EdgeServer IPSec Client must be configured using the IPSec VPN client profile downloaded from an IPSec VPN Server.

To access the configuration of the EdgeServer as a IPSec VPN Client, follow the below steps:

·      Select the IPSec Client tab.

• The client configuration opens with the following screen.

  • If a IPSec VPN Server was configured, they will be listed here.

Add IPSec VPN Server Configuration to Remote EdgeServer

To create a new IPSec VPN server connection,

·       Click + New Connection in the upper right of this table.

·       The following dialog box opens.

·       Enter the Server Connection Name. It will be used to refer to this connection in the rest of the user interface. It must be unique among all VPN connections configured in the system (IPSEC & Wireguard).

·       Enter the Server IP Address. It is the IP address of the IPSec Server that this connection will connect to. Do note that unlike a Wireguard VPN, there can only be a maximum of one IPSec VPN Connection to any given Server IP.

·       Enter the Server Name & Client Name. These are the identifiers to be used by the Server and this client to mutually authenticate each other.

·       Enter the Shared Secret. It is a password shared between the server & client.

·       If the client will be assigned a single IP address, then select Yes for NAT, and enter that IP address in the Local IP Address field – If not, select No for NAT.

·       If the NAT field is selected as No, the Local IP Address field will be disabled.

·       Select a WAN Profile from the dropdown menu for this connection. This field is optional.

·       The user can also create a new connection by entering the required details in a Sample JSON file and uploading it.

·        Click the JSON button to download the Sample JSON file.

·       Enter the required details in the sample file and save it.

·       Click the Upload Configuration Folder icon to select and upload the sample file with the required details. All the required fields will be taken from the sample file and auto populated in the dialog box.

·       The Configuration Mode controls the details of the IPsec configuration. By default, Auto is chosen, which causes the client to try auto-negotiation of security algorithms with the server – it will set itself to use IKE version 2 and propose a reasonable subset of algorithms that it supports.

·       If that does not work, a more advanced configuration is required. The actual protocol and algorithms must then be known by the user. If the user knows that the server requires IKE version 1, then choose IKEv1. The following options then appear.

·       For IKEv1, the user must specify if the server requires the Aggressive Mode, or will it use the Main Mode. Specify it by selecting Yes/No in the Aggressive dropdown.

·       The user must then enter the details of the algorithms to be used for the IKE Phase (also called ‘Phase 1’) and ESP (also called ‘Phase 2’). Select the correct algorithms from the drop downs. Note that the PRF drop down allows a None option.

·       If the server requires IKE version 2, select IKEv2. The configuration workflow for that is similar to that of IKEv1, except that there is no Aggressive/Main mode distinction.

·       If none of the above Configuration Mode works, there is an option for a Manual mode of configuration, wherein a configuration file snippet (consisting of ‘<whitespace> <name> ‘=’ <value> entries in the StrongSWAN ‘ipsec.conf’ configuration file format) may be specified. Choose Manual mode to do it.

·       Click Sample File to download the sample file.

·       Enter the required details in the sample file and save it.

·       Click the Upload Configuration Folder icon to select and upload the sample file with the required details.

·       Click Save to create the VPN connection.