Configuration of the VPN gateway
The VPN gateway is operated here with IP address 192.168.10.254. To assign the VPN client an IP address from this network range, the option Proxy ARP must be enabled.
Go to LAN -> IP Configuration -> Interfaces -> Edit.
Relevant fields in the Interfaces menu
Field | Meaning |
---|---|
Address mode | Select how an IP address is assigned to the interface. |
IP Address/Netmask | Here, enter the IP address and the corresponding Netmask of the interface. |
Interface Mode | Here, select the configuration mode of the interface. |
Proxy ARP | Enable the option Proxy ARP. |
An IP address pool is specified in the IP Pools menu, from which an address is assigned to the VPN client at tunnel setup. In our example, a range from the local network is selected, e.g. 192.168.10.150 to 192.168.10.180.
Go to VPN -> IPSec -> IP Pools -> Add.
Relevant fields in the IP Pools menu
Field | Meaning |
---|---|
IP pool name | Enter the name of the IP pool. |
IP pool range | In the first field, enter the first IP address from the local network. In the second field, enter the last IP address from the local network. |
A RADIUS server must be used for advanced IPSec authentication (XAuth). Perform all necessary settings in the XAuth Profile menu.
Go to VPN -> IPSec -> XAUTH Profiles -> New.
Relevant fields in the XAUTH Profiles menu
Field | Meaning |
---|---|
Description | Enter a description for the IPSec authentication. |
Role | Here, select Server . |
Mode | Under Mode select RADIUS . |
You can now configure IPSec Peers. Create one entry per VPN client connection. The preshared key and the local ID must be different for every user or tunnel.
Choose the New button to set up more IPSec peers.
Go to VPN -> IPSec -> IPSec Peers -> .
Relevant fields in the Peer Parameter menu
Field | Meaning |
---|---|
Administrative Status | Set Administrative Status to Active. The peer is available for setting up a tunnel immediately after saving the configuration. |
Description | Enter a description of the peer that identifies it. |
Peer ID | Select the ID type and enter the peer ID. On the peer device, this ID corresponds to the parameter Local ID Value. Possible ID types: |
Preshared Key | Under Preshared Key enter the password agreed with the peer. |
IP Address Assignment | Select the configuration mode of the interface. When selecting the option IKE Config Mode choose an IP address from the configured IP pool. |
IP Assignment Pool | Select an IP pool configured in the VPN -> IP Pools menu. If an IP pool has not been configured here yet, the message Not yet defined appears in this field. |
Local IP Address | Enter the WAN IP address of your IPSec tunnel. This can be the same IP address as the address configured on your router as the LAN IP address. |
The Advanced Settings menu consists of the following fields:
Relevant fields in the menu Advanced Settings
Field | Meaning |
---|---|
Phase 1 Profile | If selecting None (use standard profile) the profile indicated as standard in Phase 1 Profiles is used. |
Phase 2 Profile | When selecting None (use standard profile) the profile indicated as standard in Phase 2 Profiles is used. |
XAUTH Profile | Here, select a configured XAUTH profile (e.g. radius_server ). |
Start mode | Here, you can select how the peer is to be switched to the active state. By selecting On Demand the peer is switched to the active state with a trigger. |
Back Route Verify | Here, it is determined whether a check on the back route should be enabled for the interface to the connection partner. |
Proxy ARP | Set Proxy ARP to Up or Dormant . Your device only responds to an ARP request if the status of the connection to the IPSec peer is up or dormant. |
Mode | Set the Mode of the IPSec callback to Inactive . The local device neither reacts to incoming ISDN calls nor initiates ISDN calls to the remote device. |
In the Phase 1 Profiles menu, you can define the Phase 1 (IKE) settings. Click on the icon to edit existing entries. Select the New button to create new profiles.
Go to VPN -> IPSec -> Phase 1 Profiles -> .
Relevant fields in the Phase 1 Parameters (IKE) menu
Field | Meaning |
---|---|
Mode | Select Phase 1 mode Aggressive . The Aggressive Mode is necessary if one of the peers does not have a static IP address and preshared keys are used for authentication; it requires only three messages for configuring a secure channel. |
Local ID Type | Select the local ID type. Possible values: |
Local ID Value | Enter the VPN gateway ID, e.g. headoffice@bintec-elmeg.com |
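
The requirements above (pool taken from the local network, one peer entry per client with its own preshared key and ID, Aggressive Mode with preshared keys) can be checked before the values are entered. The following Python check is an added example, not bintec elmeg code; the function name, the peer dictionaries, the sample peers and the 20-character minimum key length are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample peers: two share a key, one key is short.
SAMPLE_PEERS = [
    {"peer_id": "client1@example.com", "psk": "k3Vq9xT2mLw8ZrB5nYc7"},
    {"peer_id": "client2@example.com", "psk": "k3Vq9xT2mLw8ZrB5nYc7"},
    {"peer_id": "client3@example.com", "psk": "short"},
]

def audit_vpn_plan(lan_if, pool_first, pool_last, peers, min_psk_len=20):
    """Return findings for a planned gateway configuration (empty list = ok)."""
    findings = []
    iface = ipaddress.ip_interface(lan_if)          # e.g. 192.168.10.254/24
    net = iface.network
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)

    if first > last:
        findings.append("pool: first address is higher than last address")
        size = 0
    else:
        size = int(last) - int(first) + 1
        # Proxy ARP only helps for addresses that LAN hosts treat as on-link.
        if first not in net or last not in net:
            findings.append(f"pool: range is not inside {net}")
        if first <= iface.ip <= last:
            findings.append(f"pool: range contains the gateway address {iface.ip}")
        if (first <= net.network_address <= last
                or first <= net.broadcast_address <= last):
            findings.append("pool: range contains the network or broadcast address")
    if size < len(peers):
        findings.append(f"pool: {size} addresses for {len(peers)} peers")

    # The preshared key and the ID must differ for every user or tunnel.
    for field in ("peer_id", "psk"):
        for value, n in Counter(p[field] for p in peers).items():
            if n > 1:
                shown = value if field == "peer_id" else "<redacted>"
                findings.append(f"peers: {field} {shown} is used by {n} entries")
    # In Aggressive Mode a preshared key can be guessed offline from a
    # recorded handshake, so short keys are flagged (threshold is an assumption).
    for p in peers:
        if len(p["psk"]) < min_psk_len:
            findings.append(
                f"peers: {p['peer_id']} has a preshared key shorter than {min_psk_len}")
    return findings
```
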
Settings in the VPN -> IPSec -> Phase 2 Profiles menu can be taken over unchanged.
Settings in the RADIUS menu enable advanced IPSec authentication (XAuth) with the Windows 2003 RADIUS server (IAS). You must set Authentication Type to XAuth and enter the Server IP address of the Microsoft Windows 2003 RADIUS server (IAS). Communication with the RADIUS server is password-protected.
Go to System Management -> Remote Authentication -> RADIUS -> New.
Relevant fields in the RADIUS menu
Field | Meaning |
---|---|
Authentication Type | Select Authentication Type XAUTH . |
Server IP Address | Enter the Server IP address of the Microsoft Windows 2003 RADIUS server (IAS). |
RADIUS Password | Enter the shared password used for communication between the RADIUS server and your device (e.g. bintec elmeg ). |
Group description | Define a new RADIUS group description or assign the new RADIUS entry to a predefined group. The configured RADIUS servers for a group are queried according to priority and policy. Possible values: |
Copyright© Version 01/2020 bintec elmeg GmbH