Configuration of the VPN gateway

Local IP address of the VPN gateway

In this example, the VPN gateway is operated with the IP address 192.168.0.30. To assign the bintec secure IPSec client™ an IP address from this network range, the option Proxy ARP must be enabled, so that the gateway answers ARP requests from the LAN on behalf of the addresses assigned to VPN clients.

For this, go to the following menu:

  1. Go to LAN -> IP Configuration -> Interfaces -> <en1-0>.

LAN -> IP Configuration -> Interfaces -> <en1-0>

Relevant fields in the Interfaces menu

Field Meaning
IP Address/Netmask With Add, add a new address entry and enter the IP address and the corresponding netmask of the interface (in this example, 192.168.0.30).
Proxy ARP Enable the option Proxy ARP.

Definition of an IP address pool

An IP address pool is specified in the IP Pools menu; from it, an address is assigned to each VPN client at tunnel setup. In our example, a range from the local network is selected, e.g. 192.168.0.150 to 192.168.0.180.

  1. Go to VPN -> IPSec -> IP Pools -> Add.

VPN -> IPSec -> IP Pools -> Add

Relevant fields in the IP Pools menu

Field Meaning
IP pool name Enter the name of the IP pool, e.g. pool.
IP pool range In the first field, enter the first IP address of the range from the local network (e.g. 192.168.0.150); in the second field, enter the last IP address of the range (e.g. 192.168.0.180).

Import of certificates

For VPN IPSec authentication, a PKCS#12 certificate container was generated for each of the bintec secure IPSec clients™ as well as for the VPN gateway. The certificate of the VPN gateway is imported via the Certificate List menu.

  1. Go to VPN -> Certificates -> Certificate List -> Import.

VPN -> Certificates -> Certificate List -> Import

Relevant fields in the Certificate List menu

Field Meaning
External Filename With Browse..., select the file path and file name of the PKCS#12 container.
Local Certificate Description Enter a name under which the certificate is saved in the VPN gateway, e.g. vpn-gateway.
Password Enter the password issued at creation of the PKCS#12 container.

After importing the PKCS#12 container, you see the imported certificate of the VPN gateway and the root certificate of the certification authority in the certificate list. Check that the root certificate is indeed present: the gateway needs it to verify the certificates presented by the VPN clients.

  1. Go to VPN -> Certificates -> Certificate List.

VPN -> Certificates -> Certificate List

Configuration of IPSec Phase 1 parameters

In the Phase 1 Profile menu, the imported certificate (e.g. vpn-gateway) is then selected as Local Certificate.

  1. Go to VPN -> IPSec -> Phase 1 Profiles -> Edit.

VPN -> IPSec -> Phase 1 Profiles -> Edit

Relevant fields in the Phase 1 Profiles menu

Field Meaning
Authentication Method Under Authentication Method select RSA Signature. The Phase 1 key exchange is then authenticated with RSA signatures made with the private key belonging to the selected certificate.
Local Certificate This field allows you to select the imported certificate (e.g. vpn-gateway) as the local certificate.
Mode With the option Main Mode (ID Protect), the identities exchanged during IPSec Phase 1 negotiation are sent only after the Diffie-Hellman exchange and are therefore transmitted in encrypted form; in Aggressive Mode they would be sent in the clear.
Local ID Value If you enable the option Use subject name from certificate, the subject name of the VPN gateway certificate (in our example: "MAILTO=vpn-gateway@bintec-elmeg.com, CN=vpn-gateway, OU=dev, O=fec, L=nuernberg, ST=bavaria, C=DE") is used as the local IPSec ID.

Configuration of IPSec Phase 2 parameters

The settings in VPN -> IPSec -> Phase 2 Profiles -> Edit can be kept unchanged.

VPN -> IPSec -> Phase 2 Profiles -> Edit

Setup of VPN IPSec peers

In the IPSec Peers menu, a VPN connection is set up for every bintec secure IPSec client™.

  1. Go to VPN -> IPSec -> IPSec Peers -> Edit.

VPN -> IPSec -> IPSec Peers -> Edit

Relevant fields in the IPSec Peers menu

Field Meaning
Description Enter a description that identifies the peer, e.g. vpnclient1.
Peer ID As Peer ID, the subject name of the VPN client certificate is entered with the type ASN.1-DN (Distinguished Name). This subject name was issued at creation of the certificates generated for the bintec secure IPSec clients™ and must match the certificate the client presents exactly. In this example, the following subject name is entered for the first VPN peer: MAILTO=vpnclientuser@bintec-elmeg.com, CN=vpnclientuser, OU=sales, O=FEC, L=nuernberg, ST=bavaria, C=DE.
IP Address Assignment Here, choose the configuration mode IKE Config Mode off.
IP Assignment Pool Select an IP pool configured in the VPN -> IPSec -> IP Pools menu.
Local IP Address Assign an IP address to the bintec secure IPSec client™.
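Before importing a PKCS#12 container (Import of certificates above) and before typing a Peer ID by hand, it pays to check the container and to read the subject name straight from the client certificate. The following script is an added example and not part of the bintec documentation or the bintec tooling: it builds a throwaway test CA, issues a gateway certificate and a client certificate with the subject names used on this page, packs each into a PKCS#12 container together with the CA certificate, verifies that the end-entity certificate chains to the bundled CA certificate, and prints the subject DN in the order the gateway shows for Local ID Value and expects as Peer ID. The CA name, the container password and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not bintec's own tooling). Requires the openssl command-line tool.
# Builds a test CA, issues gateway and client certificates, packs them into PKCS#12
# containers with the CA certificate, then checks each container before import.
# CA name, password and working directory are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-example-p12-password}"   # the password issued at PKCS#12 creation

# Subject names from the page's example, in openssl -subj form (least specific RDN first).
GW_SUBJ="/C=DE/ST=bavaria/L=nuernberg/O=fec/OU=dev/CN=vpn-gateway/emailAddress=vpn-gateway@bintec-elmeg.com"
CLIENT_SUBJ="/C=DE/ST=bavaria/L=nuernberg/O=FEC/OU=sales/CN=vpnclientuser/emailAddress=vpnclientuser@bintec-elmeg.com"

# gen_ca: self-signed CA; the gateway must hold this certificate to verify the clients.
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=DE/O=fec/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_p12 NAME SUBJECT: key + CSR + CA-signed certificate + PKCS#12 (key, cert, CA cert).
issue_p12() {
  name=$1; subj=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$P12PASS" \
    -out "$WORK/$name.p12"
}

# p12_subject FILE: subject DN of the end-entity certificate in the container,
# most specific RDN first (RFC 2253 order), i.e. the order used for Local ID / Peer ID.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# p12_chain_ok FILE: succeeds only if the container also carries a CA certificate
# and the end-entity certificate verifies against it, which is what the gateway relies on.
p12_chain_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -cacerts 2>/dev/null >"$WORK/ca-bundle.pem"
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null >"$WORK/ee.pem"
  grep -q 'BEGIN CERTIFICATE' "$WORK/ca-bundle.pem" || return 1
  openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/ee.pem" >/dev/null 2>&1
}

gen_ca
issue_p12 vpn-gateway "$GW_SUBJ"
issue_p12 vpnclient1 "$CLIENT_SUBJ"
for n in vpn-gateway vpnclient1; do
  p12_chain_ok "$WORK/$n.p12" && echo "$n.p12: chain OK"
  echo "$n.p12 subject: $(p12_subject "$WORK/$n.p12")"
done
```

Run it against a real container by pointing WORK at the directory holding the file and calling p12_subject and p12_chain_ok on it with the real password in P12PASS. openssl prints the e-mail attribute as emailAddress where the gateway's certificate list shows MAILTO; the attribute order and values are the same, and the output of p12_subject is what goes into the Peer ID field, character for character.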

The Advanced Settings menu consists of the following fields:

Relevant fields in the menu Advanced Settings

Field Meaning
Phase 1 Profile For phase 1, select a profile already configured in the Phase 1 Profiles menu, e.g. RSA Multiproposal.
Phase 2 Profile For phase 2, select a profile already configured in the Phase 2 Profiles menu, e.g. Multiproposal.
Proxy ARP Set Proxy ARP to Up or Dormant. Your device only answers an ARP request for the client's address if the status of the connection to the IPSec peer is Up or Dormant. With Dormant, your device answers the ARP request, but the tunnel is not set up until someone actually wants to use the route.