
VPN Configuration Tasks


Decide Over Connection Type and Network Topology

A first step in setting up a tunnel is deciding which topology to use. IPSec allows us to create two kinds of tunnels: host to network and network to network.

Host to Network Tunnels

Host to network tunnels are also known as road warrior connections: a person using a laptop connects to the company’s headquarters. In this case you will need to decide upon two things:

  • the local interface where to listen for connections
  • the local network that you want to make available to this road warrior


Such a setup as presented in this sub-section is drawn in Figure 8-1.

Figure 8-1

Network to Network Tunnels

This type of tunnel can be used to connect branch offices to the main office. To configure such a tunnel you need information about:

  • the local interface where to listen for connections
  • the local network that you want to make available at the other end of the tunnel
  • the remote IP address for the other end of the tunnel
  • the remote network that we will have access to

A network to network tunnel is depicted in Figure 8-2.

Figure 8-2

NAT Traversal

It’s important to remember that the destination endpoint of a VPN connection must always be a routable IP address (not a private IP from the 10.0.0.0/8, 192.168.0.0/24 or 172.16.0.0/24 networks). The initiator of the tunnel may be behind a NAT router, since Syneto supports NAT-Traversal. A VPN tunnel between two networks where one party is behind a router doing SNAT is presented in Figure 8-3.

Figure 8-3

Choose Authentication Type

Password authentication is the simplest method to set up, since all you must do is decide upon a secret string to share between the two endpoints of the tunnel. However, since this method is vulnerable to dictionary attacks, the preferred, much stronger way of authenticating is X.509 certificates.

Figure 8-4

Configuring a Syneto appliance to use X.509 certificates requires a few steps:

  • Decide which Certificate Authority (CA) to use. The CA will be used to issue and verify all X.509 certificates throughout the organization. The CA may be:
    • a public CA like Verisign; in this case, using the Web Management Interface, navigate to the X509 Certificates > Imported CAs menu and import your Certification Authority’s certificate. This step is optional, since you’ll also be able to load this certificate using the X509 Certificates > Imported Certificates menu.
    • one Syneto machine; in this case navigate to X509 Certificates > Manage Local CA and create a local Certificate Authority. Creating a Certification Authority will automatically generate a self-signed certificate for the current machine.
  • Obtain client certificates: every machine must have one X.509 certificate and a matching private key. The public certificate will be issued by the designated CA and distributed to all VPN peers.
    • If using a public CA, obtain certificates as instructed by the public CA, in PEM or PKCS#12 format.
    • If using a Syneto machine as Certificate Authority, on the Syneto machine designated as CA go to the X509 Certificates > Manage Local Certificates menu and export the certificate as a “linux” (PEM) or “windows” (PKCS#12) archive.
  • Load client certificates: the certificates issued by the CA must be loaded on all tunnel endpoints (Syneto or other machines):
    • On Syneto you can load X.509 certificates issued by another Syneto machine or an external CA by navigating to X509 Certificates > Imported Certificates.
    • If using other types of machines, be sure to load the certificates using the methods specific to those machines.


Choose Authentication Method and Encryption Scheme

Choosing an authentication method and encryption scheme must be done before configuring any VPN endpoints, because all endpoints must be configured to use the same methods.

The administrator must decide which encryption scheme to use:

  • [Any] – automatically choose encryption scheme
  • AES – recommended if creating tunnels between two Syneto machines: strong encryption, fastest, not so widely supported
  • 3DES – strong encryption, slower, widely supported
  • CAST – CAST encryption (RFC 2144 and RFC 2612)
  • Blowfish
  • Twofish – Twofish was submitted as an AES (Advanced Encryption Standard) candidate cipher by researchers at CounterPane Systems. It is a 16 round block cipher supporting key sizes of 128, 192, and 256 bits


The authentication method is the method used to exchange authentication parameters and keys. You may choose one of:

  • MD5 – MD5 message digest algorithm (RFC1321)
  • SHA1 – SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2)
  • SHA2_256 – SHA256 secure hash standard (DFIPS 180-2). This version of SHA implements a 256 bit hash with 128 bits of security against collision attacks.
  • SHA2_512 – SHA512 secure hash standard (DFIPS 180-2). This version of SHA implements a 512 bit hash with 256 bits of security against collision attacks.


Configure Syneto’s VPN Tunnel

When adding a tunnel on Syneto it is necessary to fill in a form consisting of several fields. By now you must have a clear picture of what these parameters must be set to:

  • ‘Tunnel Type’: select a pre-defined tunnel type; selecting one will enable or disable certain fields in the form, and some (hidden) IPSec parameters to ensure interoperability
  • ‘Name’: an identifier given to the tunnel; this name must be unique for every tunnel
  • ‘Tunnel Mode’: specifies if the firewall should actively try to setup the connection to its peer (autostart), or if it must only wait for incoming connections (listen)
  • ‘Local IP’: the interface on which IPSec will listen for VPN connections
  • ‘Local Network’: the network that will be available to our peer once the tunnel is established
  • ‘Remote IP’: our peer’s IP – or “any” if we do not know it (in case it is a dynamic or mobile IP)
  • ‘Remote Network’: the network that will be available at the other end of the tunnel
  • ‘Authentication Type’: X.509 or pre-shared key
  • ‘Encryption Method’: AES, 3DES, etc.; different encryption methods have different performance and different strength
  • ‘Authentication Method’: MD5, SHA1, SHA2 – message digests used for authentication
  • ‘Pre-shared key’: password used to authenticate the other end if preshared keys are used
  • ‘X.509 Certificate’: use this certificate’s ID to identify the other peer
  • ‘Subject’: the other peer’s ID; this is auto-completed by selecting the certificate, but may be changed in rare cases to ensure interoperability
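As an added example (not part of this article or of the Syneto product), the following Python check applies the constraints stated above to tunnel definitions expressed as dictionaries: the unique name, the autostart/listen mode, a routable Remote IP (or “any” only when listening), the allowed encryption and authentication methods, the certificate or pre-shared key that each authentication type needs, and, for two endpoints, the requirement that both sides use the same scheme and mirror each other’s networks. The dictionary keys, the `"psk"` value for the pre-shared key type and the sample addresses are assumptions made here.

```python
import ipaddress

# Allowed field values, taken from the form description in this article.
ENCRYPTION = {"Any", "AES", "3DES", "CAST", "Blowfish", "Twofish"}
AUTH_METHOD = {"MD5", "SHA1", "SHA2_256", "SHA2_512"}
# RFC 1918 private ranges: a peer inside these cannot be the tunnel destination.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_tunnel(t, existing_names=()):
    """Return a list of problems with one tunnel definition (empty list means OK)."""
    problems = []
    if not t.get("name") or t["name"] in existing_names:
        problems.append("Name is required and must be unique")
    if t.get("tunnel_mode") not in ("autostart", "listen"):
        problems.append("Tunnel Mode must be autostart or listen")
    remote = t.get("remote_ip", "")
    if remote == "any":  # only sensible when we wait for a dynamic/mobile peer
        if t.get("tunnel_mode") == "autostart":
            problems.append("Remote IP 'any' cannot be combined with autostart")
    else:
        try:
            if any(ipaddress.ip_address(remote) in net for net in PRIVATE):
                problems.append("Remote IP %s is private, not routable" % remote)
        except ValueError:
            problems.append("Remote IP %r is not a valid IP address" % remote)
    for key, allowed in (("encryption", ENCRYPTION), ("auth_method", AUTH_METHOD)):
        if t.get(key) not in allowed:
            problems.append("Unknown %s %r" % (key, t.get(key)))
    # X.509 needs a certificate to identify the peer; psk needs the shared secret.
    required = {"X.509": "certificate", "psk": "psk"}.get(t.get("auth_type"))
    if required is None:
        problems.append("Authentication Type must be X.509 or psk")
    elif not t.get(required):
        problems.append("%s is required for %s authentication" % (required, t["auth_type"]))
    return problems

def peers_compatible(a, b):
    """Return the fields on which two endpoints disagree ('Any' encryption matches all)."""
    bad = [k for k in ("auth_method", "auth_type") if a[k] != b[k]]
    if "Any" not in (a["encryption"], b["encryption"]) and a["encryption"] != b["encryption"]:
        bad.append("encryption")
    if (a["local_network"], a["remote_network"]) != (b["remote_network"], b["local_network"]):
        bad.append("networks")  # each side's Local Network is the other's Remote Network
    return bad

# Constructed sample: the two endpoints of a network-to-network tunnel as in Figure 8-2.
HQ = {"name": "hq-to-branch", "tunnel_mode": "autostart", "local_ip": "203.0.113.1",
      "local_network": "192.168.1.0/24", "remote_ip": "203.0.113.5", "remote_network": "192.168.2.0/24",
      "auth_type": "X.509", "certificate": "branch-cert", "encryption": "AES", "auth_method": "SHA2_256"}
BRANCH = dict(HQ, name="branch-to-hq", tunnel_mode="listen", local_ip="203.0.113.5",
              local_network="192.168.2.0/24", remote_ip="203.0.113.1", remote_network="192.168.1.0/24")
```

Running `validate_tunnel` on each side and `peers_compatible(HQ, BRANCH)` before touching the appliance catches the mismatches that otherwise only show up as a tunnel that never comes up.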


Accept traffic on VPN tunnel

By default Syneto will not accept traffic that is not explicitly permitted, and this also includes traffic passing through an established IPSec VPN tunnel.

This means that you will have to create a filter to accept the traffic coming from the IPSec tunnel (or going to the IPSec tunnel). This filter should be as restrictive as your company policy allows. For a quite permissive traffic policy, you may add filters like in these two examples:

  • Allow all computers at the end of the tunnel to go everywhere (this assumes that only “trusted” clients are able to setup the VPN tunnel):
    • ‘Source Network’: any
    • ‘Destination Network’: any
    • ‘Service’: any
    • ‘Source Interface’: ipsecN
    • ‘Destination Interface’: any
    • ‘Filter action’: ACCEPT
  • Allow our internal network to access clients at the end of the tunnel. In this example we assume the eth2 interface is connected to the internal network:
    • ‘Source Network’: eth2
    • ‘Destination Network’: any
    • ‘Service’: any
    • ‘Source Interface’: eth2
    • ‘Destination Interface’: ipsec0
    • ‘Filter action’: ACCEPT
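As an added example (not part of this article or of the Syneto product), the following Python model evaluates packets against the two filters above under the appliance’s default policy of refusing anything not explicitly permitted. The filters are written as dictionaries with the article’s field names; the tunnel interface is taken as `ipsec0` in both, and the second filter’s ‘Source Network’ is given as the internal subnet behind eth2, assumed here to be 192.168.1.0/24, so that it can be matched against a packet’s source address.

```python
import ipaddress

# The two permissive filters from the article, as constructed input (see the lead-in
# for the assumptions about ipsec0 and the 192.168.1.0/24 subnet behind eth2).
FILTERS = [
    {"source_network": "any", "destination_network": "any", "service": "any",
     "source_interface": "ipsec0", "destination_interface": "any", "action": "ACCEPT"},
    {"source_network": "192.168.1.0/24", "destination_network": "any", "service": "any",
     "source_interface": "eth2", "destination_interface": "ipsec0", "action": "ACCEPT"},
]

def _net_match(spec, ip):
    """'any' matches every address; otherwise the address must lie inside the network."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def filter_decision(packet, filters=FILTERS):
    """First matching filter wins; with no match the default policy drops the packet."""
    for f in filters:
        if (_net_match(f["source_network"], packet["src"])
                and _net_match(f["destination_network"], packet["dst"])
                and f["service"] in ("any", packet["service"])
                and f["source_interface"] in ("any", packet["in_if"])
                and f["destination_interface"] in ("any", packet["out_if"])):
            return f["action"]
    return "DROP"

# Constructed sample packets: one arriving through the tunnel, one leaving towards it,
# one from the WAN interface that no filter covers, and one with a spoofed source.
FROM_TUNNEL = {"src": "192.168.2.10", "dst": "192.168.1.20", "service": "http", "in_if": "ipsec0", "out_if": "eth2"}
TO_TUNNEL = {"src": "192.168.1.20", "dst": "192.168.2.10", "service": "ssh", "in_if": "eth2", "out_if": "ipsec0"}
FROM_WAN = {"src": "198.51.100.9", "dst": "192.168.2.10", "service": "ssh", "in_if": "eth0", "out_if": "ipsec0"}
SPOOFED = {"src": "10.0.0.5", "dst": "192.168.2.10", "service": "ssh", "in_if": "eth2", "out_if": "ipsec0"}
```

With an empty filter list every packet, including those already inside the established tunnel, is dropped, which is exactly the behaviour the section above warns about.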