Control

The control page is used to show the current status of the VPN sub-system, and allow the administrator to stop and restart the service. This page also displays all currently configured tunnels, including status information and Up and Down tunnel controls.

Automatically starting the VPN sub-system

The Start VPN sub-system automatically tick-box ensures that the VPN sub-system is automatically started whenever the external interface (if configured) becomes active. If there are tunnels configured, it is a good idea to enable this. Select the tick-box control, and click the Save button at the bottom of the configuration page.

Note - This setting will also cause the VPN sub-system to activate automatically if internal VPN tunnels are configured.

Manually restarting and stopping the VPN sub-system

The Manual region contains the following controls to restart, stop and view the current status of the VPN sub-system:

  • Restart - Used to stop the VPN sub-system and restart it. This is normally only required when making large configuration changes, such as restoring VPN configuration from the Maintenance | backup page. It is not necessary to restart the VPN when adding, deleting, or editing individual tunnels.
  • Stop - Used to stop the VPN sub-system.
  • Refresh - Used to refresh the page with the current status information.

Stopping, starting and viewing VPN tunnels

The VPNs region displays all currently configured IPSec subnets, IPSec Road Warrior and L2TP Road Warrior tunnels. For each VPN, the following status information and configuration controls are available:

  • Name - Displays the name assigned to the tunnel from its Comment text field.
  • Internal IP - Displays the internal IP address assigned to the Road Warrior connection.
  • Control [Up] - Used to initiate the tunnel connection.
  • Control [Down] - Used to close a tunnel connection.
  • Remote IP - Displays the IP address of the remote VPN gateway.
  • Status - Displays the status of the tunnel:
    • Open - The tunnel is currently open and operational.
    • Closed - The tunnel is currently closed.
    • Disabled - The tunnel is currently unavailable (it is not Enabled).

Note 1 - If the peer VPN gateway is itself behind a NAT, it will not be possible to bring up the tunnel from the non-NAT end; only the end behind the NAT can do that.

Note 2 - On slow links, it is sometimes necessary to click the Refresh button a short time after triggering a connection attempt with the Up button, so that the real status is shown.

Certificate Authorities

The ca page can be used to create a local Certificate Authority for use in an X509-authenticated VPN setup. It is also possible to import and export CA certificates using this page.

Understanding CAs

The SmoothTunnel module can use the X509 authentication model to ensure the authenticity and integrity of a remote VPN gateway (the remote end of a tunnel). In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveller can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.

SmoothTunnel can create its own "Self-signed" Certificate Authority in order to create digital certificates. Alternatively, CA certificates can be imported from other CAs.

Creating a Local CA and Certificate

If the local CA certificate has yet to be created, there will be a panel where you can configure the parameters for the CA. These fields are standard X.509 values. The fields Common Name and Organisation are mandatory. It is also possible to set the life of this certificate, the default being four years. After this time has elapsed, all certificates signed by the CA become invalid.

Importing and exporting CA certificates

CA certificates can be imported and exported. Imported certificates must be in PEM format. To import a CA certificate, enter the certificate's filename in the Import PEM filename text field, and click the Import CA cert from PEM button.

To export a CA certificate, tick the box next to the CA certificate that should be exported, and select an export format from the Export format drop-down menu. Click the Export button to begin the export process.

Deleting the Local CA and its Certificate

If the local CA has already been created, you can delete it by clicking the Delete Certificate Authority button, after selecting the confirmation tick-box control. Note that deleting the local CA certificate invalidates all certificates signed by it.

Deleting a Non-Local (Imported) CA certificate

To delete imported CA certificates, select each certificate that should be deleted from the Installed Certificate Authority certificates region using the Mark tick-box controls. Next, click the Delete button.

Note - It is not possible to delete the local CA certificate using this method; refer to the "Deleting the Local CA and its Certificate" section above for details.

Viewing a CA certificate

To view the full details of a CA certificate, click the name of the certificate from the Installed Certificate Authority certificates region. A new window will be launched containing details of the selected certificate, including its Subject and Issuer fields, and the period for which the certificate is valid.

Certificates

The certificates page can be used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates.

Creating a host certificate

Before certificates can be created, a local CA must have been created using the Tunnel | ca page. The local CA will "sign" all certificates it creates, allowing them to be authenticated as genuine.

Enter the certificate details in the entry boxes provided, and give the certificate a lifetime, if the default (one year) is not suitable. In addition to the usual certificate fields, host certificates have an optional ID that can be set with the following values:

  • No ID - Not recommended, but available for interoperability with other VPN gateways.
  • Host & Domain Name - Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
  • IP address - Recommended for site-to-site VPNs whose gateways use static IP addresses.
  • Email address - Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.

The ID is used during the authentication of VPN hosts. Whilst it is possible to configure tunnels without an associated ID, it is generally simpler if one is added to each certificate. A useful approach is to set the ID type for gateway certificates to the domain name of the gateway machine (such as gateway.companyname.com), and for Road Warriors to use the person's Email address (such as user@companyname.com). If this convention is consistently followed, it becomes easier to manage certificate IDs and configure tunnels.

Importing a certificate

Certificates can be imported in PKCS#12 or PEM format. To import a certificate in PKCS#12 format, enter its password into the Password text field and locate the certificate file by clicking the Browse button. Next, click the Import certificate and key from PKCS#12 button. A message will appear at the bottom of the import panel indicating a successful import.

To import a certificate in PEM format, follow the same steps (without entering a password) and click the Import certificate from PEM button.

Exporting a certificate

To export a certificate in PKCS#12 format, select the tick-box control adjacent to the certificate in the Installed signed certificates region and enter an export password into the Password and Again text fields. Next, click the Export certificate and key as PKCS#12 button.

Certificates can be exported in other formats by choosing a format from the Export format drop-down menu and clicking the Export button.

Deleting a certificate

To delete certificates, select each certificate that should be deleted from the Installed signed certificates region using the Mark tick-box controls. Next, click the Delete button.

Global

The global page is used to configure global settings for the VPN sub-system.

Setting the default local certificate

The Default local certificate region is used to select the host certificate that is used by default to identify the local SmoothTunnel VPN gateway.

To select the default local certificate, choose an installed host certificate using the drop-down box. Then click the Save button at the bottom of the configuration page to confirm the default local certificate choice.

Note - It is also possible to use an alternative local certificate on a per-connection basis.

Configuring L2TP settings

The L2TP Settings region is used to enter configuration settings that are automatically assigned to L2TP Road Warriors upon connection. The most important setting here is the L2TP client internal interface, which determines which interface a connected client will be attached to.

It is also possible to configure which servers L2TP Road Warriors will use for DNS resolution. For fairly simple networks this usually requires the SmoothWall IP address to be entered for DNS resolution. You can also configure WINS servers in a similar fashion, to facilitate access to Windows network resources from the Road Warriors.

Advanced settings

The following advanced settings are available:

  • Enable NAT-Traversal - NAT-T is enabled by default, and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections. For this reason, NAT-T can be disabled if required.
  • Enable Dead Peer Detection - Used to activate a "keep alive" mechanism on tunnels that support it. This feature, commonly abbreviated to DPD, allows the VPN sub-system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can take any time up to the rekeying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of SmoothTunnel VPN gateways, it is recommended that this feature is enabled.
  • Additional internal VPN interface - Used to specify an additional internal interface which can, in addition to the external interface, be used as a transport for IPSec (and L2TP) VPN connections. Choose an internal interface from the drop-down menu to enable this feature, otherwise choose the "Disabled" value.

To activate any configuration changes made to the above controls, click the Save button at the bottom of the configuration page.

IPSec subnets

The ipsec subnets page is used to configure IPSec subnet VPN tunnels.

Creating an IPSec VPN tunnel

To create an IPSec VPN tunnel, first enter a descriptive name for the tunnel into the Name text field. Then use the configuration fields described in each of the sections below to create the tunnel specification. Once all necessary settings have been entered, select the Enabled tick-box to activate the tunnel as ready for use and click the Add button.

Note 1 - Many of these configuration fields are optional; in the more common tunnel configurations, only a few of the fields need be completed.

Note 2 - When a tunnel is added, it does not come up automatically. The administrator may manually bring it up using the Tunnel | control page.

Local identification settings

The settings listed below are used to identify the local network that the remote VPN Gateway will connect to.

  • Local IP - This should be the IP address of the external interface used on the local SmoothTunnel host.
  • Local network - This should specify the local subnet that the remote host will have access to. This is specified using the IP address / network mask format, e.g. "192.168.10.0/255.255.255.0".
  • Local ID type - This drop-down menu specifies the type of the ID that will be presented to the remote system:
    • Default local cert subject - Uses the subject field of the default local certificate as the local ID.
    • Default local cert subject alt.name - Uses the subject alt. name field of the default local certificate as the local ID.
    • Local IP - Uses the local IP address of the host as the local ID.
    • User specified Host & Domain Name - Uses a user specified host and domain name as the local ID.
    • User specified IP address - Uses a user specified IP address as the local ID.
    • User specified Email address - Uses a user specified email address as the local ID.
    • User specified cert Subject - Uses a user specified certificate subject as the local ID.
  • Local ID value - This text field is only used if the local ID type is a "User specified" type (this is typically used when connecting to non-SmoothTunnel VPN gateways). In most cases, the Local ID value can be left blank because its value will be automatically retrieved by SmoothTunnel during the connection process (according to the chosen ID type).

Note - The "user specified" ID types are mostly used when connecting to non-SmoothTunnel VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.

Remote identification settings

The settings listed below define the remote network and its identification.

  • Remote IP or hostname - This should be the IP address or hostname of the remote system.
  • Remote network - This should specify the remote subnet that the local host will have access to. This is specified using the IP address / network mask format, e.g. "192.168.20.0/255.255.255.0".
  • Remote ID type - This drop-down menu specifies the type of ID that the remote gateway is expected to present:
    • Remote IP (or ANY if blank Remote IP) - The remote ID is the remote IP address, or any other form of presented ID.
    • User specified Host & Domain Name - Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID.
    • User specified IP address - Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
    • User specified Email address - Allows the user to specify a custom email address that it should expect the remote gateway to present as ID.
    • User specified cert Subject - Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-SmoothTunnel VPN gateways).
  • Remote ID value - This text field is used to enter the value of the ID used in the certificate that the remote peer is expected to present.

Note - The user specified types are mostly used when connecting to non-SmoothTunnel VPN gateways. Consult your vendor's administration guide for details regarding the type and formatting of the ID it will present to SmoothTunnel.

Authentication settings

The settings listed below define the agreed authentication method that will operate between each VPN gateway.

  • Authenticate by - This drop-down menu allows the user to choose either Pre-Shared Key or X509 based authentication options.
  • Preshared key - This field is used to enter the password when PSK is selected as the authentication method.
  • Preshared key again - This field should contain a duplication of the password entered in Preshared key if PSK is selected as the authentication method.

Other controls and advanced settings

The settings listed below are mostly used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in SmoothTunnel to SmoothTunnel VPN connections.

  • Use compression - This compresses tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilisation on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, SSL or VPN tunnels within tunnels may decrease performance. For any tunnel with a high proportion of encrypted traffic, compression is not recommended. For non-encrypted traffic, compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
  • Initiate the connection - Only one VPN gateway in a pair of communicating gateways can initiate the tunnel creation process. If this tick-box is selected, this VPN gateway will be responsible for connecting the tunnel.
  • Local certificate - This is used in less standard X509 authentication arrangements where a certificate other than the default local certificate should be used.
  • Interface - Used to specify whether the "remote" IPSec tunnel will connect via the external IP or a nominated internal interface.
  • Perfect Forward Secrecy - This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
  • Authentication type - Provides a choice of ESP or AH security during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways:
    • ESP - Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
    • AH - IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways.
  • Phase 1 / 2 cryptographic algo - These controls select the encryption algorithm used for the first and second phases of VPN tunnel establishment. These settings should be the same on both tunnel specifications of two connecting gateways:
    • 3DES - A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
    • AES (Rijndael) - Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
    • Twofish - This algorithm is based on Blowfish, and is a former NIST AES-finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
    • Blowfish - This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.
    • CAST - This algorithm uses a DES-like cryptosystem with a 128 bit key (also known as CAST-128 or CAST5).
  • Phase 1 / 2 hash algo - These controls select the hashing algorithm used for the first and second phases of VPN tunnel establishment. These settings should be the same on both tunnel specifications of two connecting gateways:
    • MD5 - A cryptographic hash function producing a 128-bit digest. Recommended for faster performance and compatibility.
    • SHA - Secure Hashing Algorithm produces a 160-bit digest and is the US government's hashing standard. Recommended for maximum security.
  • Key life - This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
  • Key tries - This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.

Recommended site-to-site settings

For SmoothTunnel to SmoothTunnel connections, the following settings are recommended for maximum security and optimal performance:

  • Encryption: AES
  • Authentication type: ESP
  • Hashing algorithm: SHA
  • Perfect Forward Secrecy: Enabled
  • Compression: Enabled (unless predominant VPN traffic is already encrypted)

IPSec Road Warriors

The ipsec road warriors page is used to configure IPSec Road Warrior VPN tunnels.

Creating an IPSec Road Warrior tunnel is similar to creating an IPSec subnet tunnel. The differences are that PSK authentication (or "shared secret") is not supported, and ID types are not required.

Local identification settings

The settings listed below are used to identify the local network that the Road Warrior will connect to.

  • Local network - This should specify the local subnet that the remote host will have access to. This is specified using the IP address / network mask format, e.g. "192.168.10.0/255.255.255.0".
  • Local ID type - This drop-down menu specifies the type of the ID that will be presented to the remote system:
    • Default local cert subject - Uses the subject field of the default local certificate as the local ID.
    • Default local cert subject alt.name - Uses the subject alt. name field of the default local certificate as the local ID.
    • Local IP - Uses the local IP address of the host as the local ID.
    • User specified Host & Domain Name - Uses a user specified host and domain name as the local ID.
    • User specified IP address - Uses a user specified IP address as the local ID.
    • User specified Email address - Uses a user specified email address as the local ID.
    • User specified cert Subject - Uses a user specified certificate subject as the local ID.
  • Local ID value - This text field is only used if the local ID type is a "User specified" type. In most cases, the Local ID value can be left blank because its value will be automatically retrieved by SmoothTunnel during the connection process (according to the chosen ID type).

Remote identification settings

The settings listed below define the remote network and its identification.

  • Client IP - Used to set the IP address that the client will receive when it connects. This IP address should be somewhere on the physical local network. It should also be outside of the dynamic scope range of any DHCP servers on your network, and unused by any other computers.
  • Remote ID type - This drop-down menu specifies the type of ID that the Road Warrior is expected to present:
    • Remote IP (or ANY if blank Remote IP) - The remote ID is the remote IP address, or any other form of presented ID.
    • User specified Host & Domain Name - Allows the user to specify a custom host and domain name that it should expect the Road Warrior to present as ID.
    • User specified IP address - Allows the user to specify a custom IP address that it should expect the Road Warrior to present as ID.
    • User specified Email address - Allows the user to specify a custom email address that it should expect the Road Warrior to present as ID.
    • User specified cert Subject - Allows the user to specify a custom certificate subject string that it should expect the Road Warrior to present as ID.
  • Remote ID value - This text field is used to enter the value of the ID used in the certificate that the remote peer is expected to present.
  • Authenticate by - This drop-down menu allows the user to choose which certificate the tunnel is authenticated by.

Other controls and advanced settings

The following advanced controls and settings are provided:

  • Use compression - This compresses tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilisation on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, SSL or VPN tunnels within tunnels may decrease performance. For any tunnel with a high proportion of encrypted traffic, compression is not recommended. For non-encrypted traffic, compression is recommended. This setting must be the same on the Road Warrior and the local tunnel specification.
  • Interface - Used to specify whether the Road Warrior will connect via the external IP or a nominated internal interface.
  • Local certificate - This is used in less standard X509 authentication arrangements where a certificate other than the default local certificate should be used.
  • Perfect Forward Secrecy - This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. The tunnel specification and the Road Warrior client software must agree on the use of PFS.
  • Authentication type - Provides a choice of ESP or AH security during the authentication process. This setting must be the same on the tunnel specification and the Road Warrior client:
    • ESP - Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
    • AH - IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways.
  • Phase 1 / 2 cryptographic algo - These controls select the encryption algorithm used for the first and second phases of VPN tunnel establishment. These settings should be the same in the tunnel specification and the Road Warrior client settings:
    • 3DES - A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
    • AES (Rijndael) - Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
    • Twofish - This algorithm is based on Blowfish, and is a former NIST AES-finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
    • Blowfish - This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.
    • CAST - This algorithm uses a DES-like cryptosystem with a 128 bit key (also known as CAST-128 or CAST5).
  • Phase 1 / 2 hash algo - These controls select the hashing algorithm used for the first and second phases of VPN tunnel establishment. These settings should be the same on the tunnel specification and the Road Warrior settings:
    • MD5 - A cryptographic hash function producing a 128-bit digest. Recommended for faster performance and compatibility.
    • SHA - Secure Hashing Algorithm produces a 160-bit digest and is the US government's hashing standard. Recommended for maximum security.
  • Key life - This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
  • Key tries - This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.

L2TP Road Warriors

This page is used to configure L2TP Road Warrior VPN tunnels.

Creating an L2TP Road Warrior

Creating an L2TP Road Warrior tunnel is similar to creating an IPSec Road Warrior tunnel, except that a username and password are required for authentication, in addition to a valid certificate. The following configuration controls are used:

  • Name - This is a short (one or two word) identifier for the Road Warrior tunnel.
  • Client IP - Enter the IP address that the client will receive when it connects. This IP address should be somewhere on the physical local network. It should also be outside of the dynamic scope range of any DHCP servers on your network, and unused by any other computers.
  • Username - The username for this Road Warrior. This username will be required by the client when it authenticates, and is used in a similar fashion to a dialup password.
  • Password - The password for this Road Warrior. It is entered twice for confirmation and must be at least six characters in length.
  • Authenticate by - Here there are several options:
    • Certificate provided by peer - The peer will furnish its certificate, which will be validated to ensure it has been signed by the local CA. The peer is required to have its local certificate set to a certificate created by the issuing CA, and to have said CA's certificate installed.
    • Common Name's Organisation certificate - The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.
  • Comment - This is a space for the administrator to write a comment about the connection, if this is required.

Beneath the horizontal rule are the advanced connection settings:

  • Local certificate - This option can be used to specify an alternative local certificate for this connection, if an alternative to the default local certificate is required.
  • Interface - This can either be set to External, where the connection will be made or received on the external interface, or Internal which indicates the connection should be made on the nominated internal interface.

After entering all the required details, press Add.