IPSEC

IPSEC VPN can be used to create a tunnel between two devices. The IPSEC settings must match on both units. When the two units are not the same product (for example a SimpleWAN unit connecting to a Cisco or SonicWall), checking that every setting matches on both sides is even more important, because each vendor names and defaults the options differently. You may need to switch to Advanced View under the VPN dropdown to see all of these settings.

Tunnels are commonly affected by connection issues such as latency and packet loss. Run a 48 Hour Intensive Latency Test on site before setting up a tunnel to confirm that the underlying link is stable enough for the tunnel to stay up.

Within this section you will need to configure the following settings for IPSEC:

  • Interface – Select the interface that handles traffic for the Local Network.
  • NAT-t – NAT Traversal. Enable this when either unit sits behind another router that performs NAT; it encapsulates the ESP traffic in UDP (port 4500) so the NAT device can pass it.
  • DPD Interval (seconds) – Dead Peer Detection (DPD) determines how often to check that the remote router is still reachable, and re-initiates the tunnel if it is not.
  • Local Network – The network or IP on this router that will be able to use this tunnel. Specify an IP for a single host, or a CIDR block for a network, like 1.2.3.0/24.
  • Remote Network – The network on the other router that will be reachable through this tunnel. Specify a CIDR block, like 192.168.1.0/24. Do not enter a subnet mask in dotted notation: 255.255.255.0/24 is a mask, not a network, and the tunnel will not carry the intended traffic. Look up CIDR addressing if you need assistance.
  • Remote Gateway – The remote router to connect to (usually its WAN IP).
  • Negotiation Mode – Main mode protects the peers' identities during the exchange and is more secure. Aggressive mode completes in fewer messages and so starts faster, but it sends the identity in the clear and, with a pre-shared key, a hash derived from that key that an eavesdropper can attack offline. Use Main unless the remote router requires Aggressive.
  • My Identifier – Some other routers require an identifier such as this router's WAN IP or a certificate. This should be unique to this router and is what the remote router will expect to see from this peer.
  • Phase 1 Encryption Algorithm – This should match the remote router. AES256 is recommended.
  • Phase 1 Hash Algorithm – This should match the remote router. SHA512 is recommended.
  • DH Key Group – The Diffie-Hellman group used to derive the Phase 1 keys; larger groups give stronger keys. This should match the Phase 1 / Authentication DH group of the remote router. Group 14 (2048-bit) or higher is recommended; groups 1 and 2 are too weak for current use.
  • Authentication Lifetime (seconds) – This should match the Phase 1 / Authentication lifetime of the remote router, and be greater than the SA Lifetime.
  • Authentication Method – Pre-shared key or certificate. This should match the authentication method of the remote router.
  • Pre-Shared Key – A long, random shared secret used to authenticate the connection. It must match exactly on the remote router, and anyone who learns it can impersonate either peer, so treat it like a password.
  • Certificate – Paste this router's certificate in X.509 PEM format here.
  • Private Key – Paste this router's RSA private key in PEM format here.
  • Peer Certificate – Paste the remote router's certificate in X.509 PEM format here. Leave blank to validate the remote router's identity with a Certificate Authority instead.
  • IPSec Protocol – ESP or AH. ESP encrypts and authenticates the traffic; AH only authenticates it and leaves the payload readable. ESP is recommended, and the choice must match the remote router.
  • Phase 2 Encryption Algorithms – This should match the remote router. AES256 is recommended.
  • Phase 2 Hash Algorithms – This should match the remote router. SHA512 is recommended.
  • Perfect Forward Secrecy – The DH group used to derive fresh keys for each Phase 2 SA, so that a compromised Phase 1 key does not expose earlier traffic. This should match the remote router. Recommend at least group 14 (2048-bit); group 2 (1024-bit) is no longer considered strong.
  • SA Lifetime (seconds) – This should match the Phase 2 / IPSec SA lifetime of the remote router, and be lower than the Authentication Lifetime.
  • Description – Your own notes about this tunnel.
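As an added example (this is not SimpleWAN's code), the following Python script encodes the settings above for both ends of a tunnel and checks them before you commit them on either unit: that everything the two routers must agree on actually matches, that the lifetimes are ordered as described, that the networks are written as CIDR blocks rather than subnet masks, and that no deprecated choices are in use. The field names, the thresholds and the sample values are assumptions for illustration only.

```python
"""Sanity-check two IPsec peers' tunnel settings before bringing the tunnel up.

Added example, not vendor code. Field names, thresholds and sample values
are assumptions chosen to mirror the settings list in the article.
"""
import ipaddress

# Settings the two routers must negotiate identically; a difference in any
# of these is the usual reason a tunnel between different vendors never comes up.
MUST_MATCH = (
    "negotiation_mode", "p1_encryption", "p1_hash", "dh_group",
    "auth_lifetime", "auth_method", "ipsec_protocol",
    "p2_encryption", "p2_hash", "pfs_group", "sa_lifetime",
)
WEAK_ALGOS = {"des", "3des", "md5", "sha1"}
# Every valid IPv4 netmask as an integer, so "255.255.255.0/24" is caught
# as a mask typed where a network address belongs.
NETMASKS = {(0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF for n in range(1, 33)}


def parse_network(value):
    """Parse 'a.b.c.d/n' or a bare host IP; reject host bits and mask-style input."""
    net = ipaddress.ip_network(value, strict=True)  # ValueError if host bits are set
    if int(net.network_address) in NETMASKS:
        raise ValueError(f"{value} looks like a subnet mask, not a network address")
    return net


def network_error(value):
    """Return the validation error for a network string, or None if it is acceptable."""
    try:
        parse_network(value)
        return None
    except ValueError as exc:
        return str(exc)


def check_pair(local, remote):
    """Return the reasons a tunnel between these two configurations cannot work."""
    problems = []
    for key in MUST_MATCH:
        if local[key] != remote[key]:
            problems.append(f"{key} differs: local={local[key]!r} remote={remote[key]!r}")
    if local["psk"] != remote["psk"]:
        problems.append("pre-shared keys differ")
    # Traffic selectors must be mirror images: my Remote Network is the peer's Local Network.
    try:
        mirrored = (parse_network(local["local_network"]) == parse_network(remote["remote_network"])
                    and parse_network(local["remote_network"]) == parse_network(remote["local_network"]))
        if not mirrored:
            problems.append("local/remote networks are not mirrored between the peers")
    except ValueError as exc:
        problems.append(f"bad network: {exc}")
    for name, cfg in (("local", local), ("remote", remote)):
        if cfg["sa_lifetime"] >= cfg["auth_lifetime"]:
            problems.append(f"{name}: SA lifetime must be lower than authentication lifetime")
    return problems


def weak_settings(cfg):
    """Return warnings for choices that negotiate fine but weaken the tunnel."""
    warnings = []
    if cfg["negotiation_mode"] == "aggressive" and cfg["auth_method"] == "psk":
        warnings.append("aggressive mode with PSK exposes a PSK-derived hash to offline cracking")
    for key in ("p1_encryption", "p1_hash", "p2_encryption", "p2_hash"):
        if cfg[key].lower() in WEAK_ALGOS:
            warnings.append(f"{key}={cfg[key]} is deprecated")
    if cfg["dh_group"] < 14:
        warnings.append(f"DH group {cfg['dh_group']} is below 2048-bit MODP (group 14)")
    if cfg["pfs_group"] == 0:
        warnings.append("PFS disabled: a compromised Phase 1 key exposes every Phase 2 SA")
    elif cfg["pfs_group"] < 14:
        warnings.append(f"PFS group {cfg['pfs_group']} is below 2048-bit MODP (group 14)")
    if cfg["ipsec_protocol"] == "ah":
        warnings.append("AH authenticates but does not encrypt; use ESP")
    if cfg["auth_method"] == "psk" and len(cfg["psk"]) < 32:
        warnings.append("PSK is short; use a long random value")
    return warnings


# Constructed sample settings, not a real deployment. The local side follows the
# recommendations in the article; REMOTE_BAD has three typical vendor-side mistakes.
LOCAL = {
    "local_network": "10.10.0.0/24", "remote_network": "192.168.1.0/24",
    "negotiation_mode": "main", "p1_encryption": "aes256", "p1_hash": "sha512",
    "dh_group": 14, "auth_lifetime": 28800, "auth_method": "psk",
    "psk": "example-only-replace-with-32+random-characters!!",
    "ipsec_protocol": "esp", "p2_encryption": "aes256", "p2_hash": "sha512",
    "pfs_group": 14, "sa_lifetime": 3600,
}
REMOTE_BAD = dict(LOCAL, local_network="192.168.1.0/24",
                  remote_network="255.255.255.0/24",  # subnet mask typed as the network
                  p2_hash="sha256",                    # Phase 2 hash does not match
                  sa_lifetime=28800)                   # equal to the authentication lifetime
REMOTE_GOOD = dict(LOCAL, local_network="192.168.1.0/24", remote_network="10.10.0.0/24")

if __name__ == "__main__":
    for line in check_pair(LOCAL, REMOTE_BAD):
        print("PROBLEM:", line)
    print("corrected remote side:", check_pair(LOCAL, REMOTE_GOOD) or "no problems")
    for line in weak_settings(dict(LOCAL, negotiation_mode="aggressive", dh_group=2)):
        print("WARNING:", line)
```

Run it with both sides' settings filled in from the two routers' configuration pages; every PROBLEM line is something IKE will refuse, and every WARNING line is something it will accept but that you should change before the tunnel carries production traffic.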
