Chapter 7 VPN

STEP 3

STEP 4

STEP 5

STEP 6

STEP 7

For client-to-site VPNs, determine whether you will use the PPTP, L2TP, or L2TP over IPSec tunneling protocol. PPTP and L2TP are not recommended because they are not very secure.

For site-to-site VPN connections, you must use the IPSec protocol. For authentication, you can use either X.509 certificates or Pre-Shared Key (PSK). X.509 certificates are recommended because they are more secure.

If you are using PPTP or L2TP, configure the User Accounts, Privilege groups, and RADIUS Server settings for user authentication. Then, configure the PPTP or L2TP VPN tunnel. For details, see “Enable PPTP Server and Configure PPTP Client and Addresses” on page 215 and “Enable L2TP Server and Configure L2TP Client and Addresses” on page 211.

If you are using L2TP over IPSec or IPSec with X.509 Certificates for authentication as recommended, configure the certificates. For details, see “X.509 Certificates” on page 255.

For IPSec or L2TP over IPSec, configure the IKE proposals that can be used to encrypt and authenticate VPN tunnel connections. You will use the proposal when you configure the IPSec Security Association for each remote site. To simplify configuration for client-to-site (L2TP over IPSec) and site-to-site VPN connections, you can edit the default IKE proposal pre-configured on the X family device.

For site-to-site connections, if the VPN traffic will come from multiple subnets or go to multiple subnets, configure IP address groups with the subnets that will be used. For details, see “IP Addresses: Configuration Overview” on page 142.

Enable IPSec and configure the Security Associations that set up authentication and determine what traffic is allowed over the VPN connection.

For site-to-site configuration, see “Configure an IPSec SA for a Site-to-Site VPN Connection” on page 195. You must configure a separate Security Association for each remote site.

For client-to-site configuration using L2TP over IPSec, use the default SA pre-configured on the device. For details, see “Edit the Default SA for Client-to-Site VPN Connections using L2TP over IPSec” on page 194.
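To illustrate the site-to-site steps above (IP address groups feeding one Security Association per remote site, and the SA deciding which traffic the tunnel carries), here is a small Python model. It is an added example, not code from the guide or the X family device; the IPsecSA class, the check rules and every address and name in it are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class IPsecSA:
    name: str
    peer: str            # remote gateway IP (constructed, hypothetical)
    auth: str            # "x509" or "psk"
    local_group: list    # IP address group: subnets behind this device
    remote_group: list   # IP address group: subnets behind the remote site


def group(*cidrs):
    """Build an IP address group (list of networks) from CIDR strings."""
    return [ip_network(c) for c in cidrs]


# Constructed sample configuration: one SA per remote site, as the guide
# requires, plus a third SA that wrongly repeats a range already assigned.
HQ_LAN = group("10.1.0.0/16")
SAS = [
    IPsecSA("sa-branch1", "203.0.113.10", "x509", HQ_LAN, group("10.2.0.0/24", "10.2.1.0/24")),
    IPsecSA("sa-branch2", "203.0.113.20", "psk", HQ_LAN, group("10.3.0.0/24")),
    IPsecSA("sa-dup", "203.0.113.30", "x509", HQ_LAN, group("10.2.0.0/23")),
]


def check_sas(sas):
    """Review SAs against the guide's recommendations; return (severity, message) findings."""
    findings = []
    for sa in sas:
        if sa.auth != "x509":
            findings.append(("warning", f"{sa.name}: {sa.auth} authentication; X.509 recommended"))
    for i, a in enumerate(sas):
        for b in sas[i + 1:]:
            # Two SAs claiming the same remote range leave it ambiguous which tunnel carries it.
            if any(x.overlaps(y) for x in a.remote_group for y in b.remote_group):
                findings.append(("error", f"{a.name}/{b.name}: remote selectors overlap"))
    return findings


def select_sa(sas, src, dst):
    """Return the first SA whose selectors cover src -> dst, or None when the
    traffic is not allowed over any VPN tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for sa in sas:
        if any(s in n for n in sa.local_group) and any(d in n for n in sa.remote_group):
            return sa
    return None
```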

IPSec Configuration

IPSec is a security protocol that can be used to secure IP traffic between two remote private networks connected through a public network. It is a flexible protocol with a wide range of encryption options. IPSec is commonly used for both site-to-site connections between separate private networks (tunnels) and for client-to-site connections between remote PCs and private networks. IPSec is the standard X family method of setting up a network-to-network VPN connection.

Note: You must enable IPSec globally in order to use it for IPSec VPNs.

To use the IPSec protocol, you need to configure an IPSec Security Association (IPSec SA) which consists of configuration parameters that allow two devices to establish an IPSec tunnel for secure communication across a public network.

You can view and manage IPSec configuration from the IPSec Status page (VPN > IPSec Status).

184 X Family LSM User’s Guide V 2.5.1