
Policy based IPsec VPN (IKEv1)

What will be done

  • Set up an IKEv1 Remote Access VPN with PSK + XAuth Authentication
  • Policy-based Split Tunneling

Prerequisites

  • Static IP
  • Port 500 (UDP) for IKE open
  • Port 4500 (UDP) for NAT-T open
  • ESP open
  • User Group for XAuth

I'll be referring to this Tunnel as VPN-RA-Test. Give it whatever name you need!

1. Creating a VPN Tunnel

  1. Go to VPN - IPsec Tunnels
  2. Click Create New and select IPsec Tunnel
    • Template Type: Custom
    • Name: VPN-RA

1.1. Network Settings

    1. Set IP Version to IPv4
    2. Set Remote Gateway to Dialup User
      • Interface: Your WAN Interface
    3. Disable Local Gateway
    4. Enable Mode Config
    5. Set the Client Address Range manually, or assign an Address Object of type Range
    6. Set the Subnet Mask to 255.255.255.255 to prevent communication between clients inside the Tunnel, or specify a mask explicitly
    7. Set your preferred DNS Server.
    8. Enable "Enable IPv4 Split Tunnel"
      • Select the Address Object representing the Networks that should be accessible through the Tunnel
    9. Disable IPv6 Mode Config - Client Address Range
    10. Set NAT Traversal to Enable
    11. Set Dead Peer Detection to On Idle


1.2. Authentication

  1. Set Method to Pre-shared Key
  2. Write your PSK to the Pre-shared Key Input Field
  3. Set IKE Version to 1
  4. Set IKE Mode to Aggressive
  5. Set Peer Options - Accept Types to Any Peer ID


You can set a Peer ID here to differentiate tunnels that share settings and/or PSKs.

1.3. Phase 1 Proposal

Remove all existing Phase 1 Proposals beforehand by clicking the X button on the right side.

  1. Add the following Proposals
    • Encryption: AES256, Authentication: SHA256
    • Encryption: AES256, Authentication: SHA1
  2. Check Diffie-Hellman Groups 14, 19, 20
  3. Set Key Lifetime (seconds) to 28800


1.4. XAuth

  1. Set Type to Auto Server
  2. Set User Group to Inherit from policy


1.5. Phase 2 Selectors

There should be only one pre-existing Phase 2 Selector, named after the Tunnel you specified.

1.5.1. Edit Default Phase 2 Selector

  1. Click on the Pen Icon at the right side of the row to edit
  2. Expand the Advanced Menu by clicking on Advanced

  1. Set Name to VPN-RA-P2
  2. Set Local Address to Type Subnet and Value 0.0.0.0/0
  3. Set Remote Address to Type Subnet and Value 0.0.0.0/0
  4. Delete all existing Phase 2 Proposals
  5. Add the following Phase 2 Proposals (same as with Phase 1)
    • Encryption: AES256, Authentication: SHA256
    • Encryption: AES256, Authentication: SHA1
  6. Enable "Enable Replay Detection"
  7. Enable "Enable Perfect Forward Secrecy (PFS)"
  8. Check Diffie-Hellman Groups 14, 19, 20
  9. Enable Local Port
  10. Enable Remote Port
  11. Enable Protocol
  12. Set Key Lifetime to Seconds and set 3600

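For reference, the same Phase 1 / Phase 2 settings from sections 1.1 to 1.5 expressed in the FortiOS CLI. This is an added example, not part of the original guide; the interface name "wan1", the client pool 10.10.10.1-10.10.10.50, the DNS server 10.0.0.53, the split-tunnel address object "RA-Networks" and the PSK placeholder are assumed values you must replace with your own.

```text
# Added example, not from the original page. Assumed values: interface "wan1",
# client pool 10.10.10.1-10.10.10.50, DNS 10.0.0.53, address object "RA-Networks".
# Policy-based (non-interface) dialup tunnel: Remote Gateway = Dialup User,
# IKEv1 Aggressive Mode, Accept Types = Any Peer ID, Mode Config enabled.
config vpn ipsec phase1
    edit "VPN-RA"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set mode-cfg enable
        # Client Address Range; /32 netmask blocks client-to-client traffic in the tunnel
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.255
        set ipv4-dns-server1 10.0.0.53
        # "Enable IPv4 Split Tunnel" with the address object of reachable networks
        set ipv4-split-include "RA-Networks"
        # Phase 1 Proposals, DH groups and key lifetime from section 1.3
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 14 19 20
        set keylife 28800
        # XAuth Type "Auto Server"; User Group "Inherit from policy" means the
        # group is attached to the IPsec firewall policy (not covered on this page)
        set xauthtype auto
        set nattraversal enable
        set dpd on-idle
        set psksecret <PSK-PLACEHOLDER>
    next
end
# Phase 2 Selector from section 1.5: 0.0.0.0/0 both sides, PFS, replay detection,
# 3600 s lifetime. Local/Remote Port and Protocol "all" are the CLI defaults.
config vpn ipsec phase2
    edit "VPN-RA-P2"
        set phase1name "VPN-RA"
        set src-addr-type subnet
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-addr-type subnet
        set dst-subnet 0.0.0.0 0.0.0.0
        set proposal aes256-sha256 aes256-sha1
        set pfs enable
        set dhgrp 14 19 20
        set replay enable
        set keylife-type seconds
        set keylifeseconds 3600
    next
end
```

After applying it, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show whether a dialup client negotiated the expected proposal and DH group.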