
18/04/13

The VPN Menu Endian UTM Appliance 2.5 Reference Manual

The VPN Menu


CHANGED IN VERSION 2.5: The VPN module GUI has been partly redesigned. NEW IN VERSION 2.5: L2TP support

A VPN allows two separated local networks to directly connect to each other over potentially unsafe networks su network traffic through the VPN connection is securely transmitted inside an encrypted tunnel, hidden fr configuration is called a Gateway-to-Gateway VPN, or Gw2Gw VPN for short. Similarly, a single remote com Internet can use a VPN tunnel to connect to a local trusted LAN. The remote computer, sometimes called a directly connected to the trusted LAN while the VPN tunnel is active.

The Endian UTM Appliance supports the creation of VPNs based either on the IPsec protocol, which is supp systems and network equipment, or on the OpenVPN service.

Unfortunately, there are several weak points in the tools needed to set up IPsec: They vary greatly among diffe of immediate use, or may even exhibit interoperability issues. Therefore, Endian suggests the selection of Ope where there is no need to support an existing IPsec infrastructure. A user friendly OpenVPN client for Micro MacOS X can be downloaded from the Endian Network.

The Endian UTM Appliance can be set up either as an OpenVPN server or as a client, and even play both r order to create a network of OpenVPN-connected appliances. The menu items available in the sub-menu are th

OpenVPN server - set up the OpenVPN server so that clients (both roadwarriors and other Endian UTM to-Gateway setup) can connect to one of the local zones.
OpenVPN client (Gw2Gw) - set up the client-side of a Gateway-to-Gateway setup between two or more
IPsec/L2TP - set up IPsec-based VPN tunnels and L2TP connections
VPN Users - manage users of VPN connections.

NEW IN VERSION 2.5: Support for L2TP
CHANGED IN VERSION 2.5: Moved the management of all users under a submenu.
CHANGED IN VERSION 2.5.1: Moved IPsec and L2TP under the same menu

OpenVPN server

When configured as an OpenVPN server, the Endian UTM Appliance can accept remote connections from th client to be set up and work as if it were a local workstation or server.

The page opens with the summary of the current server configuration, separated into two boxes: Global setting and control. Two additional tabs give access to Advanced settings and to the VPN client download.

Note: Whenever a change to the configuration of the OpenVPN server occurs or the way a user interacts wit modified (e.g., by altering the Networks behind client option, see below), the OpenVPN server must be restarte be propagated to all users. This necessity is shown after some modification by a small box carrying a message restart the server. The connected clients will be disconnected and automatically reconnected after a short time noticing the interruption.

Server configuration

This page shows two boxes: one that allows setting up some global settings, and an informative one that shows th

Global settings

The box on the top shows the current settings, that can be changed at will right from there, by simply modify which are all related to the bridged OpenVPN. When the choice is the use of a routed VPN setup, however, the available: VPN Subnet.

OpenVPN server enabled
docs.endian.com/vpn.html 1/12


Tick this checkbox to make sure the OpenVPN server is started.

Bridged
Tick this option to run the OpenVPN server in bridged mode, i.e., within one of the existing zones.

Note: If the OpenVPN server is not bridged (i.e., it is routed), the clients will receive their IP addresses f In this case, appropriate firewall rules in the VPN firewall should be created, to make sure the clients c some server/resource (e.g., a source code repository). If the OpenVPN server is bridged, it inherits th zone it is defined in.

VPN subnet
This option is only available if bridged mode is disabled. It allows the OpenVPN server to run in its own, d be specified in the text box and should be different from the subnets of the other zones.

Bridge to
The zone to which the OpenVPN server should be bridged. The drop-down menu shows only the available

Dynamic IP pool start address
The first possible IP address in the network of the selected zone that should be used for the OpenVPN clien

Dynamic IP pool end address
The last possible IP address in the network of the selected zone that should be used for the OpenVPN clien

Note: Traffic directed to this IP pool has to be filtered using the VPN firewall.

The first time the service is started a new, self-signed CA certificate for this OpenVPN server is generated, an o long time. After the certificate has been generated, it can be downloaded by clicking on the Download CA certi must be used by all the clients that want to connect to this OpenVPN server, otherwise they will not be able to ac

After the server has been set up, it is possible to create and configure accounts for clients that can con Appliance in the Accounts tab.

Connection status and control

The box at the bottom shows a list of the currently connected clients, although the list will be empty until the O and clients have been created and have accessed the OpenVPN server. This box is identical to the one in connections, and contains for each client, its name, assigned and real IP address, the traffic (received and connection time, the uptime, and the only possible action:

kill
Immediately close the connection for that client.

Troubleshooting VPN connections.

While several problems with VPN connections can be easily spotted by looking at the configuration, one subtl hiccups is a wrong value of the MTU size. The Endian UTM Appliance sets a limit of 1450 bytes to the siz prevent problems with the common MTU value used by the ISP, which is 1500. However, some ISPs may use a M commonly used value, making the Endian MTU value too large and therefore causing connection issues probably the impossibility to download large files). This value can be modified by accessing the Endian UTM and following these guidelines:

1. Write down the MTU size used by the ISP (see link below).
2. Login to the CLI, either from a shell or from Menubar System Web Console.
3. Edit the OpenVPN template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.
4. Search for the string mssfix 1450.
5. Replace 1450 with a lower value, for example 1200.
6. Restart OpenVPN by calling: restartopenvpn.
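The template change in steps 3 to 6, as an added Python example that is not part of the manual or of the appliance's tooling: it rewrites the mssfix line of the template text and refuses a value that is not lower than the current one or that does not fit under the ISP's MTU. The template excerpt and the ISP MTU of 1492 are constructed; the template path and the 1450 default come from the manual, and the restart still has to be done with restartopenvpn on the appliance.

```python
import re

# Values taken from the manual: the appliance ships "mssfix 1450" in the
# OpenVPN template and the common ISP MTU is 1500.
TEMPLATE_PATH = "/etc/openvpn/openvpn.conf.tmpl"
DEFAULT_ISP_MTU = 1500

# Matches a whole "mssfix <n>" line; "prefix" keeps the keyword and spacing.
MSSFIX_LINE = re.compile(
    r"^(?P<prefix>[ \t]*mssfix[ \t]+)(?P<value>\d+)[ \t]*$", re.MULTILINE
)


def current_mssfix(template_text):
    """The mssfix value set in the template text, or None if no such line exists."""
    match = MSSFIX_LINE.search(template_text)
    return int(match.group("value")) if match else None


def mssfix_problems(template_text, isp_mtu, new_value):
    """Reasons the change should not be applied (an empty list means it is safe).

    "Lower than the ISP MTU" is a necessary sanity check, not a guarantee that
    the value is low enough; the manual's advice is to go well below 1450.
    """
    problems = []
    current = current_mssfix(template_text)
    if current is None:
        problems.append("template has no mssfix line")
    elif new_value >= current:
        problems.append(f"new value {new_value} is not lower than the current {current}")
    if new_value >= isp_mtu:
        problems.append(f"new value {new_value} does not fit under the ISP MTU {isp_mtu}")
    if new_value <= 0:
        problems.append("new value must be positive")
    return problems


def lower_mssfix(template_text, isp_mtu, new_value):
    """Return the template text with its mssfix line set to new_value.

    Only the mssfix line changes; every other line passes through untouched.
    Raises ValueError instead of producing a template OpenVPN would misuse.
    """
    problems = mssfix_problems(template_text, isp_mtu, new_value)
    if problems:
        raise ValueError("; ".join(problems))
    return MSSFIX_LINE.sub(
        lambda m: f"{m.group('prefix')}{new_value}", template_text, count=1
    )


# Constructed excerpt standing in for the real template, which is not reproduced here.
SAMPLE_TEMPLATE = """\
port 1194
proto udp
dev tap0
mssfix 1450
keepalive 10 60
"""

if __name__ == "__main__":
    # On the appliance one would read TEMPLATE_PATH, write the result back
    # and then run restartopenvpn (step 6 of the manual's guideline).
    print(lower_mssfix(SAMPLE_TEMPLATE, isp_mtu=1492, new_value=1200))
```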

See also: More information about the MTU size.

Advanced

In this tab, three boxes allow to specify advanced settings for the OpenVPN server. Among other s

authentication (as opposed to password-based) can be set here.

Note: For normal use these settings can be left at their default values.

Advanced settings
The first box contains some global settings about the daemon:

Port, Protocol
The combination (1194, UDP) for port and protocol is the default OpenVPN setting and it is a good pract To make OpenVPN accessible via other ports, appropriate port forwarding rules (see Menubar Firew redirect incoming traffic to port 1194 should be defined. The protocol should be set as TCP only in some when accessing the OpenVPN server through a third-party HTTP proxy, otherwise the default settings (1 be used.

Block DHCP responses coming from tunnel
Tick this checkbox when receiving DHCP responses from the LAN at the other side of the VPN tunnel t DHCP server.

Don't block traffic between clients
By default, the OpenVPN server isolates clients from each other. To change this behaviour, and allow traf clients, tick this option.

Allow multiple connections from one account
Normally, one client is allowed to connect from one location at a time. Selecting this option permits multipl different locations. However, when the same client is connected twice or more, the VPN firewall rules do not ap

NEW IN VERSION 2.5: An option to allow multiple connections.

Global push options

In the second box the network settings sent to the client can be modified. Each option, after having been chang ticking the respective checkbox.

Push these networks
The routes to the specified networks defined here are sent to the connected clients.

Push these nameservers
The specified nameservers are sent to the connected clients.

Push domain
The search domains used for local name resolution are added to those of the connected clients.

Authentication settings

The last box concerns the choice of the authentication method among the three available, which also dete options available.

PSK (username/password)

Endian UTM Appliance's default method is PSK (username/password): The client authenticates using usernam this method, no additional change is needed, while the other two methods are described below.

By clicking on the Download CA certificate link, the public certificate of this OpenVPN server is downloaded. It is verify the authenticity of the server they are connecting to. Furthermore, a click on the Export CA as PKCS# certificate in PKCS#12 format (which should be kept private), which can be imported into any OpenVPN server fallback server. Finally, should this system be a fallback system, two further options are available:

PKCS#12
Use the Browse button to select the certificate file that was exported from the primary server, or provide its path

Challenge password
The password to read the certificate. Leave it empty if the certificate comes from another Endian UTM Appl

X.509 certificate and X.509 certificate & PSK (two factor)

When configuring the X.509-certificate-based authentication method (either certificate only or certificate plus u the configuration becomes a bit more complicated. It is assumed (and required) that an independent cer employed for this purpose. It is neither possible nor desired to host such a certificate authority on Endian UTM A It is necessary to generate and sign certificates for the server and for every client using the chosen certificate type must be explicitly specified and be one of server and client in the Netscape certificate type field.

The server certificate file in PKCS#12 format must be uploaded in this section (specify the Challenge password to the certificate authority before or during the creation of the certificate). The client certificates need to have the common name fields equal to their OpenVPN user names.

Warning: When employing certificate-only authentication, a client with a valid certificate will be granted acces server even if it has no valid account!

Finally, a revocation list (CRL) can be uploaded, in case a client certificate has been lost, to revoke that client c

VPN client download

Click on the link to download the Endian VPN client for Microsoft Windows, MacOS X, and Linux from the Endian is needed to download the client.

OpenVPN client (Gw2Gw)

In this page appears the list of the Endian UTM Appliance's connections as OpenVPN clients, i.e., all tunnelle OpenVPN servers. For every connection, the list reports the status, the name, any additional option, a remark, The status is closed when the connection is disabled, and established when the connection is enabled. Beside t connection, the available actions are to edit or delete it. In the former case, a form will open, that is the same as adding a connection (see below) in which to see and modify the current settings, whereas in the latter case o from the Endian UTM Appliance is permitted.

The creation of a new OpenVPN client connection is straightforward and can be done in two ways: Either configuration button and enter the necessary information about the OpenVPN server to which to connect (ther or import the client settings from the OpenVPN Access Server by clicking on Import profile from OpenVPN Acces

Note: The Access Server mentioned throughout this section is the OpenVPN Access Server, not to be confu Access Server.

NEW IN VERSION 2.5: Import from Access Server.

Add tunnel configuration

There are two types of settings that can be configured for each tunnel configuration: The basic one includes m tunnel to be established, while the advanced one is optional and normally should be changed only if the Ope standard setup. To access the advanced settings, click on the >> button next to the Advanced tunnel confi settings are:

Connection name
A label to identify the connection.

Connect to
The remote OpenVPN server's FQDN, port, and protocol in the form myefw.example.com:port:protocol optional and left on their default values which are 1194 and udp respectively when not specified. The pro lowercase letters.

Upload certificate
The server certificate needed for the tunnel connection. Browsing the local filesystem is admitted, to sear and filename can be entered. If the server is configured to use PSK authentication (password/usern certificate (i.e., the one downloaded from the Download CA certificate link in the server's Menubar VPN must be uploaded to the Endian UTM Appliance. Otherwise, to use certificate-based authentication, the se the one downloaded from the Export CA as PKCS#12 file link on the server's Menubar VPN OpenVPN s must be uploaded.

PKCS#12 challenge password
Insert here the Challenge password, if one was supplied to the CA before or during the creation of th needed when uploading a PKCS#12 certificate.

Username, Password
If the server is configured to use PSK authentication (password/username) or certificate plus password au the username and password of the account on the OpenVPN server.

Remark
A comment on the connection.

Advanced tunnel configuration

In this box, that appears when clicking on the >> button in the previous box, additional options can be modified, box should be modified only if the server side has not been configured with standard values.

Fallback VPN servers
One or more (one per line) fallback OpenVPN servers in the same format used for th myefw.example.com:port:protocol. The port and protocol values default to 1194 and udp respectiv connection to the main server fails, one of these fallback servers will take over. The protocol must be writte

Device type
The device used by the server, which is either TAP or TUN.

Connection type
This drop-down menu is not available if TUN has been selected as Device type, because in this case the routed. Available options are routed (i.e., the client acts as a gateway to the remote LAN) or bridged as part of the remote LAN). Default is routed.

Bridge to
This field is only available if TAP has been selected as Device type and the connection type is bridged select the zone to which this client connection should be bridged.

NAT
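A parser for the host:port:protocol form shared by the Connect to field and the Fallback VPN servers list, written as an added example and not the appliance's own code: it applies the 1194/udp defaults, rejects an uppercase protocol because the manual requires lowercase, and builds the ordered list of main plus fallback servers. The hostnames in the sample data are constructed.

```python
from dataclasses import dataclass

# Defaults stated in the manual for the Connect to / Fallback VPN servers fields.
DEFAULT_PORT = 1194
DEFAULT_PROTOCOL = "udp"
PROTOCOLS = ("udp", "tcp")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    protocol: str

    def __str__(self):
        return f"{self.host}:{self.port}:{self.protocol}"


def endpoint_problems(spec):
    """Reasons a host[:port[:protocol]] entry would be rejected (empty list if valid)."""
    problems = []
    parts = spec.strip().split(":")
    if len(parts) > 3:
        problems.append(f"too many fields in {spec!r}")
        return problems
    if not parts[0]:
        problems.append("missing host")
    if len(parts) >= 2 and parts[1]:
        if not parts[1].isdigit() or not 1 <= int(parts[1]) <= 65535:
            problems.append(f"port must be 1-65535: {parts[1]!r}")
    if len(parts) == 3 and parts[2] and parts[2] not in PROTOCOLS:
        # The manual requires lowercase, so "UDP" is rejected rather than normalised.
        problems.append(f"protocol must be lowercase udp or tcp: {parts[2]!r}")
    return problems


def parse_endpoint(spec):
    """Parse one entry, filling in the 1194/udp defaults for omitted fields."""
    problems = endpoint_problems(spec)
    if problems:
        raise ValueError("; ".join(problems))
    parts = spec.strip().split(":")
    host = parts[0]
    port = int(parts[1]) if len(parts) >= 2 and parts[1] else DEFAULT_PORT
    protocol = parts[2] if len(parts) == 3 and parts[2] else DEFAULT_PROTOCOL
    return Endpoint(host, port, protocol)


def parse_server_list(connect_to, fallback_text=""):
    """Main server first, then the fallback servers in the order listed (one per line).

    Blank lines are skipped; a duplicate of the main server is dropped so the
    client does not retry the endpoint it has just lost.
    """
    servers = [parse_endpoint(connect_to)]
    for line in fallback_text.splitlines():
        if not line.strip():
            continue
        endpoint = parse_endpoint(line)
        if endpoint not in servers:
            servers.append(endpoint)
    return servers


if __name__ == "__main__":
    # Constructed sample: one main server and a two-line fallback field.
    for server in parse_server_list("myefw.example.com", "backup1.example.com:1194:tcp\nbackup2.example.com"):
        print(server)
```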

This option is only available if the Connection type is routed. Tick this checkbox to hide the clients conne UTM Appliance behind the firewall's VPN IP address. This configuration will prevent incoming connections other words, incoming connections will not see the clients in the local network.

Block DHCP responses coming from tunnel
Tick this checkbox to avoid receiving DHCP responses from the LAN at the other side of the VPN tunne DHCP server.

Use LZO compression
Compress the traffic passing through the tunnel, enabled by default.

Protocol
The protocol used by the server: UDP (default) or TCP. Set to TCP only if an HTTP proxy should be use show up to configure it.

If the Endian UTM Appliance can access the Internet only through an upstream HTTP proxy, it can still be used a Gateway-to-Gateway setup, but the TCP protocol for OpenVPN must be selected on both sides and the information filled in the text fields:

HTTP proxy
The HTTP proxy host, e.g., proxy.example.com:port, with the port defaulting to 8080 if not entered.

Proxy username, Proxy password
The proxy account information: The username and the password.

Forge proxy user-agent
A forged user agent string can be used in some cases to disguise the Endian UTM Appliance as a reg contact the proxy as a browser. This operation may prove useful if the proxy accepts connections only for s

Once the connection has been configured, a new box at the bottom of the page will appear, called TLS auth upload a TLS key file to be used for the connection. These options are available:

TLS key file
The key file to upload, searchable on the local PC's file system.

MD5

The MD5 checksum of the uploaded file, which will appear as soon as the file has been stored on the Endia


Direction
This field is set to 0 on servers and to 1 on clients.

Import profile from OpenVPN Access Server

The second possibility to add an account is to directly import the profile from an OpenVPN Access Server: I information must be provided:

Connection name
A custom name for the connection.

Access Server URL
The URL of the OpenVPN Access Server.

Note: The Endian UTM Appliance only supports XML-RPC configuration of the OpenVPN Acc URL input here has the form: https://<SERVERNAME>/RPC2.

Username, Password
The username and password on the Access Server.

Verify SSL certificate
If this checkbox is ticked and the server is running on an SSL encrypted connection, then the SSL certi validity. Should the certificate not be valid then the connection will be immediately closed. This feature migh a self-signed certificate.

Remark
A comment to recall the purpose of the connection.

IPsec/L2TP
The IPsec page contains two tabs (IPsec and L2TP), that allow setting up and configuring the IPsec tunnels support, respectively.

IPsec

The IPsec tab contains three boxes: First, Global settings, serves to enable and configure IPsec. The secon control, shows all the connections and allows to add a new one. Finally, the Certificate authorities box allows to Note that by adding a new connection, new boxes will be shown, that help in the configuration of the conne options.

IPsec in a nutshell.

IPsec is a generic standardised VPN solution, in which the encryption and the authentication tasks are carrie as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel's IP stack. Although protocol and it is compatible with most vendors that implement IPsec solutions, the actual implementation ma vendor to vendor, sometimes causing severe interoperability issues.

Moreover, the configuration and administration of IPsec is usually quite difficult due to its complexity and desig situations might even be impossible to handle, for example when there is the necessity to cope with NAT.

Compared to IPsec, OpenVPN is easier to install, configure, and manage. The Endian UTM Appliance imp administration interface that supports different authentication methods. It is suggested to use IPsec only if example to support existing IPsec installations or when dealing with devices that do not support OpenVPN, be problems that may arise, while the use of OpenVPN is encouraged in all other cases, especially if there is th NAT.

Global settings
In this box the main parameters of the IPsec configuration can be set:

Enabled
Enable IPsec by ticking the checkbox (it is disabled by default).

Debug options
By clicking on the small + sign, some checkboxes will appear: Show the structure of input messages messages, Show interaction with kernel IPsec support (KLIPS), and Show interaction with DNS. By tick messages will be logged to the /var/log/messages file.

Connection status and control

Here there is a list of accounts and their connection status. The list shows the name, type, common name, re connection. New connections are added by clicking on the Add button (see below).

Certificate authorities

In the last box of the IPsec main page, the root and host certificates are shown and the existing certificates can host certificates have yet to be generated, a Not present message is shown.

Generate root/host certificates
Click on the button to generate new root and host certificates. In the page that will open, all the required in root/host certificates further on) can be provided.

CA name
In case that a CA certificate signed by an Authority is available, enter the name of the Authority in th certificate file in the second one. The file selector to facilitate the search for the file can be opened by button, and the certificate uploaded by clicking on the Upload CA certificate button.

Reset
To erase an already created Certificate, click on this button at the bottom of the page.

Warning: Please note that by resetting the root certificates, not only the certificates but also certificate be erased.

Generate root/host certificates
The following information shall be entered to create new host and root certificates.

Organization name
The organization name to use in the certificate. For example, if the VPN is connecting together the schools be something like School District of Aberdeen.

Endian Firewall hostname
The hostname used to identify the certificate. It should be either the FQDN or the REDIP address of the En

Your email address
A contact e-mail address.

Your department
The department name.

City
The name of the town or city.

State or province
The name of the state or province.

Country
Country of residence.

The certificates are created after clicking on the Generate root/host certificates button. The process can take complete.

Subject alt name
An alternative hostname for identification.

Instead of generating new certificates, a previously created PKCS12 certificate file can be uploaded using the lowe

Upload PKCS12 file
Open the file selection dialogue box by clicking on the Browse... button and select the PKCS12 file.

PKCS12 file password

The password of the certificate, if the file is protected.

Upload PKCS12 file
Click this button to upload the PKCS12 file.

Add a tunnel/Connection type

Upon clicking on Add under Connection status and control, a page will open from which to select either a H Network, a Net-to-Net Virtual Private Network, or an L2TP Host-to-Net Virtual Private Network. After the choice and one click on the Add button, the page for the connection editor will open, that contains two boxes group Connection configuration and Authentication.

Connection configuration
The first box is used to configure the network parameters:

Name
The name of the connection.

Enabled
If ticked, the connection is enabled.

Interface
The interface through which the host is connecting. In Net-to-Net it is always the uplink.

Local subnet
The local subnet.

Local ID
A string that identifies the local host of the connection.

Remote host/IP
The IP or FQDN of the remote host.

Remote subnet
Only available for net-to-net connections, it specifies the remote subnet.

Remote ID
The ID that identifies the remote host of this connection.

Dead peer detection action
The action to perform if a peer disconnects. Available choices from the drop-down menu are to peer.

Note: Unlike in other places, clicking or moving the mouse over the ? will not provide a tooltip, but o detailed description of the functionalities of the dead peer detection.

Remark
A comment for the connection.

Edit advanced settings
Tick this checkbox to edit more advanced settings. They will be accessible and editable after saving th bottom of the next box).

Authentication
This box serves to configure the authentication.

Use a pre-shared key
Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this option for a simple

Warning: Do not use PSKs to authenticate Host-to-Net connections!

Upload a certificate request
Some roadwarrior IPsec implementations do not have their own CA. If they wish to use IPsec's built-in CA, called certificate request, which is a partial X.509 certificate that must be signed by a CA. During the certif request is signed and the new certificate will become available under the Menubar VPN section of the End

Upload a certificate

In this case, the peer IPsec has a CA available for use. Both the peer's CA certificate and host certificate uploaded file.

Upload PKCS12 file - PKCS12 file password
Choose this option to upload a PKCS12 file. If the file is secured by a password, it must be supplied in th selection field.

Generate a certificate
A new X.509 certificate can also be created. In this case, the required fields must be defined. Optional fi dots. If this certificate is for a Net-to-Net connection, the User's Full Name or System Hostname field must domain name of the peer. The PKCS12 File Password fields ensure that the host's generated certificates c compromised while being transmitted to the IPsec peer.

Advanced settings

In this page, that opens upon defining and saving a new connection, some advanced settings for that connection

Warning: Inexperienced users should not change the following advanced settings!

IKE encryption
The encryption methods that should be supported by IKE.

IKE integrity
The algorithms that should be supported to verify the integrity of packets.

IKE group type
The IKE group type.

IKE lifetime
How many hours the IKE packets are valid.

ESP encryption
The encryption methods that should be supported by the ESP.

ESP integrity
The algorithms that should be supported to verify the integrity of packets.

ESP key life
How many hours an ESP key should be valid.

IKE aggressive mode allowed
Tick this box to enable IKE aggressive mode. It is suggested NOT to do so. CHANGED IN VERSION 2.5: This option was removed from the 2.5 version.

Perfect Forward Secrecy
If this box is ticked, perfect forward secrecy is enabled.

Negotiate payload compression
Tick this box to use payload compression.

Roadwarrior virtual IP
This option allows assigning a virtual IP (inner IP) to the user when the connection is established.

How to create a Net-To-Net VPN with IPsec using certificate authentication.


Scenario:
Firewall CoreFW - REDIP: 100.100.100.100, GREENIP: 10.10.10.1/24
Firewall LocalFW - REDIP: 200.200.200.200, GREENIP: 192.168.0.1/24

Problem: Connect LocalFW to CoreFW using IPsec.

Solution: The following steps have to be performed on CoreFW:

1. Go to Menubar VPN IPsec, enable IPsec, and specify 100.100.100.100 as Local VPN hostname/IP.
2. After saving, click on the Generate host/root certificate button, unless they have already been generated
3. Download the host certificate and save it as fw_a_cert.pem.

4. In the Connection status and control box click on the Add button, then select Net-to-Net. In the page appear.
5. In Connection configuration enter 200.200.200.200 in the Remote host/IP field, 10.10.10.0/24 192.168.0.0/24 as Remote subnet.
6. In the Authentication box select Generate a certificate and compile the form. Make sure to set a passwor
7. After saving, download the PKCS12 file and save it as fw_a.p12.

The following steps have to be performed on LocalFW:

1. Go to Menubar VPN IPsec, enable IPsec, and specify 200.200.200.200 as Local VPN hostname/IP.
2. After saving click on the Generate host/root certificate button. If they had already been generate certificates.
3. In the Generate host/root certificate, do not fill in any field in the first section! Instead, upload the CoreFW, enter the password, and click on the Upload PKCS12 file.
4. Click on Add in the Connection status and control box, then select Net-to-Net. In the page that opens, tw
5. In Connection configuration enter 100.100.100.100 in the Remote host/IP field, 192.168.0.0/24 10.10.10.0/24 as Remote subnet.
6. In the Authentication box select Upload a certificate and upload the fw_a_cert.pem that was created o

See also: On the website help.endian.com, the following tutorials are available:
1. IPsec VPN - How to Create a Roadwarrior Connection (Shrewsoft)
2. SSL VPN - How to Create a Net-to-Net Connection
3. SSL VPN - How to Create a Net-to-Net Connection (over HTTP)
4. IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Endian)
5. SSL VPN - How to Create a Roadwarrior Connection
6. IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Cisco ASA)

L2TP

L2TP, the Layer Two Tunnelling Protocol, is described in RFC 2661. In a nutshell, it is a protocol that allows carries PPP packets. It is used to support VPN connections using IPsec. The following options are available to configure L2TP.

L2TP enabled
The checkbox must be ticked to enable L2TP support in the Endian UTM Appliance.

Zone
The zone to which the L2TP connections are directed. Only the activated zones can be chosen from the dr

L2TP IP pool start address, L2TP IP pool end address
The IP range from which L2TP users will receive an IP address when connecting to the Endian UTM Applian

Enable debug
Tick this checkbox to let L2TP produce more verbose logs.

See also: On the website help.endian.com, there are several tutorials available, that help in the set up of the as IPsec server and smartphones as clients:
1. Setup of a VPN with IPsec and an L2TP tunnel
2. Connecting to an Endian UTM via L2TP (IPSec) using Android
3. Connecting to an Endian UTM via L2TP (IPSec) using iOS
4. Connecting to an Endian UTM via L2TP (IPSec) using Windows 7

VPN Users
CHANGED IN VERSION 2.5: This configuration page was moved from Menubar VPN OpenVPN server Acc improved.

The box in this page contains the list of OpenVPN users, which is initially empty. The only available action is th

while the list shows the accounts already defined with some information on each of them: The account's name, whether it is an OpenVPN or L2TP user, the networks used by the account, its status and the available actions.

Click on Add new User to add a VPN account. In the form that will show up, the following options can be specified

Add User

Username
The login name of the user

Enabled
Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Endian UT

Password, Confirm password
The password for the user, to be entered twice. The passwords are actually not shown: To see them, tic their right.

Remark
An additional comment.

Under the VPN protocols panel, two checkboxes allow choosing the protocol used for the VPN connection:

OpenVPN
Tick this checkbox to allow the OpenVPN protocol to be used.

L2TP
Tick this checkbox to allow the L2TP protocol to be used. This option cannot be selected if no L2 configured. In such a case, an informative message appears as a hyperlink: Clicking on it opens the IP quickly add a new L2TP Host-to-Net connection, which is a mandatory requirement to allow users to connec will be possible to allow a VPN user to connect using the L2TP Protocol.

Right below, it is possible to specify more advanced settings for each of the protocols that the user shall use. Settings hyperlink shows two more hyperlinks: Clicking on each of them reveals a new panel in which to configu connection.

OpenVPN Options

Direct all client traffic through the VPN server
If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed Endian UTM Appliance. The default is to route all the traffic whose destination is outside any of the interna hosts) through the client's uplink.

Push only global options to this client
For advanced users only. Normally, when a client connects, tunneled routes to networks that are accessi the client's routing table, to allow it to connect to the various local networks reachable from the Endian UT should be enabled if this behaviour is not wanted, but the client's routing tables (especially those for the modified manually.

Push route to blue zone, Push route to orange zone
When this option is active, the client will have access to the blue or the orange zone. These optio corresponding zones are not enabled.

Networks behind client
This option is only needed if this account is used as a client in a Gateway-to-Gateway setup. In the b networks lying behind this client that should be pushed to the other clients. In other words, these networ other clients.

Push only these networks
The local network routes that should be pushed to the client. This option overrides all automatically pushe

Static IP addresses
Dynamic IP addresses are assigned to clients, but a static IP address provided here will be assigned to the

Enable push these nameservers
Assign custom nameservers on a per-client basis here. This setting (and the next one) can be defined, b will.

Enable push domain
Assign custom search domains on a per-client basis here.

Note: When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it i choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. Using this solution, several possible sour conflicts will be avoided. Indeed, several advantages come for free, including: The automatic assignment of co need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name re WAN network setup.
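Subnet planning for the Net-to-Net how-to above and for this note, as an added Python example that is not from the manual: it derives each side's Connection configuration fields from the scenario's CoreFW and LocalFW values and reports branch pairs whose GREEN subnets overlap, which is the conflict the note asks to avoid. The Firewall class and its field names are assumptions made for the example; the BranchA/B/C appliances in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Firewall:
    """One Endian appliance: its public RED address and its GREEN interface.

    green_ip is written interface-style (address/prefix), as the manual's
    scenario gives it (e.g. 10.10.10.1/24); the subnet is derived from it.
    """
    name: str
    red_ip: str
    green_ip: str

    @property
    def green_subnet(self):
        return ipaddress.ip_interface(self.green_ip).network


def overlapping_branches(firewalls):
    """Names of every pair of appliances whose GREEN subnets overlap.

    Such pairs cannot be joined by a Net-to-Net tunnel without address
    conflicts, which is why the manual asks for distinct LAN subnets.
    """
    return [
        (a.name, b.name)
        for a, b in combinations(firewalls, 2)
        if a.green_subnet.overlaps(b.green_subnet)
    ]


def net_to_net_fields(local, remote):
    """Connection configuration fields to enter on `local` for a tunnel to `remote`."""
    return {
        "Local VPN hostname/IP": local.red_ip,
        "Remote host/IP": remote.red_ip,
        "Local subnet": str(local.green_subnet),
        "Remote subnet": str(remote.green_subnet),
    }


def plan_tunnel(a, b):
    """Both sides' settings for one Net-to-Net tunnel; refuses overlapping LANs."""
    clash = overlapping_branches([a, b])
    if clash:
        raise ValueError(f"GREEN subnets of {clash[0][0]} and {clash[0][1]} overlap")
    return {a.name: net_to_net_fields(a, b), b.name: net_to_net_fields(b, a)}


# Values from the scenario in the manual's Net-to-Net how-to.
CORE_FW = Firewall("CoreFW", "100.100.100.100", "10.10.10.1/24")
LOCAL_FW = Firewall("LocalFW", "200.200.200.200", "192.168.0.1/24")

if __name__ == "__main__":
    for side, fields in plan_tunnel(CORE_FW, LOCAL_FW).items():
        print(side)
        for key, value in fields.items():
            print(f"  {key}: {value}")
```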

L2TP Options

IPsec Tunnel
This drop-down menu allows choosing the tunnel that will be employed by the user, among those already d
