VPN

A Virtual Private Network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through dedicated connections, virtual tunneling protocols or traffic encryption. SimpleWAN devices allow you to implement an IPsec VPN.

Within this section you will need to configure the following settings for IPSEC:

  • Interface - Select the interface that handles traffic for the Local Network.
  • NAT-t – NAT traversal encapsulates the IPsec traffic in UDP so the tunnel can be established when this router (or the remote one) sits behind another router that performs NAT. Enable it when either end is not directly on a public IP.
  • DPD Interval (seconds) – Dead Peer Detection (DPD) determines how often to check that the other router is still online (and re-initiate the tunnel if it’s offline).
  • Local Network – The network or IP on this router, which will be able to use this tunnel. Specify an IP for Single Host, or a CIDR block for Network, like 1.2.3.0/24.
  • Remote Network – The network on the other router, which will be accessible via this tunnel. Specify a CIDR block, like 192.168.1.0/24. Do not specify the subnet mask in dotted-decimal notation, like 192.168.1.0/255.255.255.0. Look up CIDR Addressing if you need assistance.
  • Remote Gateway – The remote router to connect to (usually the WAN IP).
  • Negotiation Mode – Main is more secure; Aggressive starts the connection faster, but it sends the identities unencrypted and, with a pre-shared key, lets anyone who can sniff the exchange capture a hash of the key for offline cracking. Use Main unless the remote router only supports Aggressive.
  • My Identifier – Some other routers require identifiers such as the router’s WAN IP, or a certificate. This should be unique to this router.
  • Phase 1 Encryption Algorithm – This should match the remote router. AES256 is recommended.
  • Phase 1 Hash Algorithm – This should match the remote router. SHA512 is recommended.
  • DH Key Group – The Diffie-Hellman group used for the Phase 1 key exchange; larger groups produce stronger keys at the cost of more CPU time. This must match the Phase 1 / Authentication DH Group of the remote router. Group 14 (2048-bit) or higher is recommended where the remote router supports it.
  • Authentication Lifetime (seconds) – This should match the Phase 1 / Authentication lifetime of the remote router, and be greater than the SA Lifetime.
  • Authentication Method – This should match the authentication method of the remote router.
  • Pre-Shared Key – A long, random secret (not a dictionary word or a reused password) that authenticates the two routers to each other. Must match the remote router.
  • Certificate – Paste this router’s certificate in X.509 PEM format here.
  • Private Key – Paste this router’s RSA private key in PEM format here. Anyone who holds this key can impersonate this router, so handle it like a password.
  • Peer Certificate – Paste the remote router’s certificate in X509 PEM format here. Leave blank to validate the remote router’s identity with a Certificate Authority.
  • IPSec Protocol – ESP encrypts and authenticates the tunnelled traffic; AH only authenticates it and sends the payload in the clear. This should match the remote router. ESP (encryption) is recommended.
  • Phase 2 Encryption Algorithms – This should match the remote router. AES 256 is recommended.
  • Phase 2 Hash Algorithms – This should match the remote router. SHA512 is recommended.
  • Perfect Forward Secrecy – The DH group used to derive fresh Phase 2 keys, so that a later compromise of the pre-shared key or certificate cannot be used to decrypt previously captured traffic. This should match the remote router. Enable it; group 2 is the minimum, and group 14 or higher is preferable where the remote router supports it.
  • SA Lifetime (seconds) – This should match the Phase 2 / IPSec SA lifetime of the remote router, and be lower than the Authentication Lifetime.
  • Description - Your own notes about this tunnel.

PPTP Settings

You can enable or disable PPTP from here, and get the Dial In address. PPTP’s MS-CHAPv2 authentication is cryptographically broken, so unless you still have users who depend on it you should disable it for security and move remote-access users to L2TP (see the L2TP section below).

PPTP User List

Here you can see the list of VPN users, and add new users.

You can also disable users or delete them from here as well.

IPSEC

IPSEC VPN can be used to create a tunnel between devices. IPSEC settings must match on both units. For units that are not the same product (e.g. a SimpleWAN unit to a Cisco or Sonicwall), matching the settings between the two units is even more crucial, because the defaults and option names differ from vendor to vendor.
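Because every Phase 1 and Phase 2 setting in the list above has to agree on both routers, and the Local/Remote Network fields have to mirror each other, a small consistency check catches most tunnel failures before they reach the DPD timer. The following is an added example written for this page, not SimpleWAN’s own code or export format: it takes the two ends of a tunnel as dictionaries (the key names and the sample site configurations are this example’s own assumptions), reports every setting that differs, rejects networks that are not in CIDR form, enforces that the SA lifetime is lower than the authentication lifetime, and warns about the weak choices the list cautions against (Aggressive mode with a PSK, AH instead of ESP, DES/3DES, MD5/SHA1, DH or PFS groups below 14, a short pre-shared key).

```python
import ipaddress

# Settings both peers must agree on, mirroring the settings list above.
# Key names are this example's own assumption, not SimpleWAN's export format.
MUST_MATCH = (
    "negotiation_mode", "p1_encryption", "p1_hash", "dh_group",
    "auth_lifetime", "auth_method", "ipsec_protocol",
    "p2_encryption", "p2_hash", "pfs_group", "sa_lifetime",
)
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
MIN_DH_GROUP = 14    # 2048-bit MODP; groups 1, 2 and 5 are too small today
MIN_PSK_LENGTH = 20


def parse_network(text):
    """Parse a CIDR block (192.168.1.0/24) or a single host (10.0.0.5)."""
    # ipaddress would accept 192.168.1.0/255.255.255.0, but the router will not.
    if "/" in text and not text.rsplit("/", 1)[1].isdigit():
        raise ValueError(f"{text}: use a CIDR prefix length, not a dotted mask")
    # strict=True also rejects a network with host bits set (192.168.1.5/24).
    return ipaddress.ip_network(text, strict=True)


def check_side(name, cfg):
    """Checks that apply to one router on its own; returns (errors, warnings)."""
    errors, warnings = [], []
    if cfg["sa_lifetime"] >= cfg["auth_lifetime"]:
        errors.append(f"{name}: SA lifetime must be lower than the authentication lifetime")
    if cfg["negotiation_mode"] == "aggressive" and cfg["auth_method"] == "psk":
        warnings.append(f"{name}: aggressive mode with a PSK exposes a crackable "
                        "hash of the key; use main mode")
    if cfg["ipsec_protocol"] != "esp":
        warnings.append(f"{name}: {cfg['ipsec_protocol']} does not encrypt traffic; use ESP")
    for key in ("p1_encryption", "p2_encryption"):
        if cfg[key] in WEAK_CIPHERS:
            warnings.append(f"{name}: {key}={cfg[key]} is weak; use AES-256")
    for key in ("p1_hash", "p2_hash"):
        if cfg[key] in WEAK_HASHES:
            warnings.append(f"{name}: {key}={cfg[key]} is weak; use SHA-512")
    if not cfg["pfs_group"]:
        warnings.append(f"{name}: perfect forward secrecy is disabled")
    for key in ("dh_group", "pfs_group"):
        if cfg[key] and cfg[key] < MIN_DH_GROUP:
            warnings.append(f"{name}: {key}={cfg[key]} is below DH group {MIN_DH_GROUP}")
    if cfg["auth_method"] == "psk" and len(cfg.get("psk", "")) < MIN_PSK_LENGTH:
        warnings.append(f"{name}: pre-shared key is shorter than {MIN_PSK_LENGTH} characters")
    return errors, warnings


def check_tunnel(local, remote):
    """Compare both ends of a site-to-site tunnel; returns (errors, warnings)."""
    errors, warnings = [], []
    for key in MUST_MATCH:
        if local.get(key) != remote.get(key):
            errors.append(f"{key} differs: local={local.get(key)!r} remote={remote.get(key)!r}")
    if local.get("psk") != remote.get("psk"):
        errors.append("pre-shared key differs")   # never echo the secret into a report
    # Each side's Remote Network must be exactly the other side's Local Network.
    for name, near, far in (("local", local, remote), ("remote", remote, local)):
        try:
            if parse_network(near["remote_network"]) != parse_network(far["local_network"]):
                errors.append(f"{name}: remote_network {near['remote_network']} is not "
                              f"the peer's local_network {far['local_network']}")
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    for name, cfg in (("local", local), ("remote", remote)):
        side_errors, side_warnings = check_side(name, cfg)
        errors += side_errors
        warnings += side_warnings
    return errors, warnings


# Constructed sample configurations (not taken from a real device).
SITE_A = {
    "local_network": "10.1.0.0/24", "remote_network": "10.2.0.0/24",
    "negotiation_mode": "main", "p1_encryption": "aes256", "p1_hash": "sha512",
    "dh_group": 14, "auth_lifetime": 28800, "auth_method": "psk",
    "psk": "example-only-Qk7r2Vx9pLm4Hs8Tw3Zc",
    "ipsec_protocol": "esp", "p2_encryption": "aes256", "p2_hash": "sha512",
    "pfs_group": 14, "sa_lifetime": 3600,
}
# Site B is the mirror image: its Local Network is A's Remote Network and vice versa.
SITE_B = {**SITE_A, "local_network": "10.2.0.0/24", "remote_network": "10.1.0.0/24"}
# The same tunnel with the mistakes the settings list above warns against.
SITE_B_BAD = {**SITE_B, "remote_network": "10.1.0.0/255.255.255.0",
              "negotiation_mode": "aggressive", "p2_hash": "sha1",
              "pfs_group": 2, "sa_lifetime": 86400}

if __name__ == "__main__":
    for label, peer in (("good", SITE_B), ("bad", SITE_B_BAD)):
        errors, warnings = check_tunnel(SITE_A, peer)
        print(f"{label}: {len(errors)} errors, {len(warnings)} warnings")
        print(*(errors + warnings), sep="\n")
```

Run as-is it reports no problems for the matching pair and six errors plus three warnings for the mismatched one. The mismatch messages quote every value except the pre-shared key, which is deliberate: a checker like this tends to end up in tickets and chat logs, and the secret should not travel with it.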

Tunnels are commonly affected by connection issues such as Latency and Packet Loss. It is advisable to run a 48 Hour Intensive Latency Test on site prior to setting up a Tunnel to ensure that the tunnel will have good stability.

L2TP

The L2TP feature is recommended over PPTP access because L2TP over IPsec is considerably more secure. Simply enable the L2TP server as well as the IPsec server. Create a user on the L2TP page, and configure the L2TP settings. It is recommended to configure the highest options for both Encryption and Hash algorithms. Macs have a built-in client that needs no configuration changes. If you are using a Windows computer, a registry change will need to be applied prior to connecting, because Windows by default refuses to establish an L2TP/IPsec association to a server that sits behind a NAT device: set the DWORD value AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent to 2 (which also covers the case where the client is behind NAT) and reboot. A link to a Windows forum thread documenting this process is pasted below.

https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/l2tp-registry-change-to-work-with-nat-t-not/f864ba86-a01b-42b5-93cd-e70c5fdf4fb3

vpn.txt · Last modified: 2018/02/07 13:43 by jacob