From Nitix Knowledgebase

"IPsec" is included in NitixUserManual.

Known Configurations

Nitix’s IPSec functionality uses the industry-standard ISAKMP/IKE protocol and has been proven to interoperate with other standards-compliant IPSec devices.

For a complete list of tested products and configurations, please see the following site: http://www.nitix.com/downloads/IPSec_Compatibility/


Adding an IPsec Route

To create a new IPsec route:

  1. Select VPN from the Network Setup WebConfig menu.
  2. Select IPsec Setup... and the IPsec Setup screen will be displayed:

     (Screenshot: IPSec Main)

  3. Select Add New Route. The Create IPsec Route screen will be displayed:

     (Screenshot: Create IPsec Route screen)

  4. In the Remote Server field, enter the public IP address or the fully qualified domain name (FQDN) of the remote server.
  5. To include a private subnet behind the remote server’s firewall, enter the subnet (network address and prefix length) that contains the remote unit’s internal IP address in the Remote Subnet field. For example, if the unit’s internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, you would enter 192.168.10.0/24.
  6. Enter the remote IKE key. This is a pre-shared password that should be unique and must be entered identically on both ends of the IPSec connection.
  7. Enable the Perfect Forward Secrecy (PFS) feature. The two ends do not negotiate this automatically, so make sure that the setting is the same on both ends.
  8. In the Enable this connection section, click "Yes".
  9. Click Save Changes.


Adding an Anonymous Incoming Connection IPsec Route

Creating an anonymous IPsec route allows multiple remote locations with dynamic IP addresses to connect to your Nitix server.

To configure an anonymous connection:

  1. Select IPsec Setup... from the VPN Setup screen. The IPsec Setup screen will be displayed:

     (Screenshot: IPSec Main)

  2. Select Add New Route. The Create IPsec Route screen will be displayed:

     (Screenshot: IPsec create screen)

  3. Enter 0.0.0.0 in the Remote Server IP address field; this accepts incoming connections from any remote address. The Nitix-powered server must have a static IP address, because the remote locations initiate the connection and need a fixed address to connect to.
  4. To include a private subnet behind the remote server’s firewall, enter the subnet (network address and prefix length) that contains the remote unit’s internal IP address in the Remote Subnet field. For example, if the unit’s internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, you would enter 192.168.10.0/24.
  5. Enter the remote IKE key. This is a pre-shared password that should be unique and must be entered identically on both ends of the IPSec connection.
  6. Enable the Perfect Forward Secrecy (PFS) feature. The two ends do not negotiate this automatically, so make sure that the setting is the same on both ends.
  7. In the Enable this connection section, click "Yes".
  8. Click Save Changes.


Editing an IPsec Route

To edit an existing IPsec route:

  1. Select the edit action button of the appropriate IPsec route on the IPsec Setup screen.

     (Screenshot: Edit the IPsec route)

  2. The Modify IPsec Route screen will be displayed:

     (Screenshot: Modify IPsec routes)

  3. In the Remote server field, enter the fully qualified domain name or IP address of the remote server to which you wish to connect.
  4. To include a private subnet behind the remote server’s firewall, enter the subnet (network address and prefix length) that contains the remote unit’s internal IP address in the Remote Subnet field. For example, if the unit’s internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, you would enter 192.168.10.0/24.
  5. Enter the remote IKE key. This is a pre-shared password that should be unique and must be entered identically on both ends of the IPSec connection.
  6. Enable the Perfect Forward Secrecy (PFS) feature. The two ends do not negotiate this automatically, so make sure that the setting is the same on both ends.
  7. Click Save Changes.


Setting up Third Party IPsec Clients

With the large number of IPsec servers available, we cannot provide configuration parameters for each device on the market. The following does, however, give the configuration that works best for a Nitix-powered server establishing a virtual private network (VPN) with third-party devices:


Nitix Setup:

  • Remote server: Enter the external IP address of the remote unit.
  • Remote subnet: Enter the internal IP address of the remote unit as well as the subnet. For example, if the unit’s internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, you would enter “192.168.10.0/24”.
  • Remote IKE key: Enter your shared key that is being used.
  • Key Type: Select PSK.
  • Perfect Forward Secrecy (PFS): Select Yes.

Third Party IPsec Client Setup:

  • Encryption / Tunnel: 3DES for encryption and MD5 for integrity.
  • Security Association (SA) Lifetime: set to 3600 seconds.
  • Mode: If there are different modes available, select Main Mode.
  • Private Key Secret: Use a pre-shared secret key (PSK), not RSA keys or certificate-based (PKI) authentication, as these are not supported on Nitix.
  • Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) must be enabled on both ends of the connection. The IPsec protocols do not provide a method for the two ends to negotiate this, so you must set it identically on both ends yourself.
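
As an added example (not from the Nitix documentation or any Nitix product), the settings above expressed as a strongSwan `ipsec.conf` connection on the third-party end, with this end’s LAN being the 192.168.10.0/24 the Nitix administrator entered as the Remote subnet. The Nitix public address 203.0.113.10, the Nitix LAN 10.0.0.0/24, the DH group modp1024 and the key string are assumptions, since the article does not state them.

```conf
# /etc/ipsec.conf on the third-party (strongSwan) gateway.
# Article values: IKEv1 Main Mode, PSK, 3DES + MD5, 3600 s SA lifetime, PFS on.
# Assumed values: Nitix public IP 203.0.113.10, Nitix LAN 10.0.0.0/24, DH group modp1024.
conn nitix
    # Nitix speaks ISAKMP/IKE, i.e. IKEv1; aggressive=no selects Main Mode.
    keyexchange=ikev1
    aggressive=no
    # Pre-shared key authentication; RSA and PKI are not supported by Nitix.
    authby=secret
    # Phase 1: 3DES and MD5 as the article specifies (legacy algorithms, kept
    # only to match the Nitix side). The DH group is an assumption. The trailing
    # "!" stops strongSwan from appending its default proposals.
    ike=3des-md5-modp1024!
    # Phase 2: same ciphers. Naming a DH group here is how strongSwan enables PFS,
    # which the article says must be on at both ends.
    esp=3des-md5-modp1024!
    # SA lifetime of 3600 seconds; applying it to phase 1 as well is an assumption.
    ikelifetime=3600s
    lifetime=3600s
    # This gateway and its LAN. leftsubnet must equal the Nitix "Remote subnet" field.
    left=%defaultroute
    leftsubnet=192.168.10.0/24
    # The Nitix server (assumed address) and its LAN (assumed). The Nitix
    # "Remote server" field holds this gateway's public address.
    right=203.0.113.10
    rightsubnet=10.0.0.0/24
    auto=start

# /etc/ipsec.secrets: the PSK must be identical to the Nitix "Remote IKE key".
# %any 203.0.113.10 : PSK "example-shared-key-replace-me"
```

A mismatch in PFS or in the subnet fields between the two ends shows up as a phase 2 failure in the strongSwan log even though phase 1 succeeds, which is the first place to look when the tunnel does not come up.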

Retrieved from "http://kb.nitix.com/3035"