IPSec VPN
You can use the web-based administration tool to create a connection with other ClearOS systems.
Installation
If you did not select this module to be included during the installation process, you must first install the module.
Menu
You can find this feature in the menu system at the following location:
Dynamic VPN and ClearSDN
The ClearSDN Dynamic VPN enhances the IPsec VPN experience with:
- support for dynamic IPs
- automatic re-connections
- easier and less error-prone configuration
Configuring Connections with Dynamic VPN
Dynamic VPN support not only simplifies configuration, but also improves the up-time of the connections. To create a connection between two systems, you need to configure both ClearOS systems.
From the webconfig tool, click on in the Dynamic VPN Connections box. You need to:
- Select the target system name from the list
- Type in a pre-shared secret (password)
On the first connection or when an IP address changes, it may take a minute for the connection to synchronize.
Configuring Unmanaged VPN Connections
If you are using static IP addresses, you can also configure unmanaged VPN connections. Please keep in mind, unmanaged VPNs have the following limitations:
- 4 tunnels are created per VPN connection instead of the single tunnel used in a managed VPN
- Unmanaged VPNs do not properly handle routing in a multi-WAN environment
- Connections are not monitored as they are in managed VPN, so manual corrective action will be required for VPN outages
Select Headquarters and Satellite
Pick one server to be the “Headquarters” and the other to be the “Satellite”. This is just a naming convention – pick a convention and stick with it!
Gather Network Information
You must gather some network information for the IPsec server configuration, namely: the IP address, next hop (gateway), and network for both ends of the connection. Make sure these settings are correct – you will save many hours of pain and frustration. The information for the local ClearOS system is shown when you start to configure an unmanaged VPN connection.
Select a Connection Name and Pre-Shared Secret
Once you have your network settings in hand, enter the information on both ends of the VPN connection. Enter a simple nickname for the connection along with a strong pre-shared secret. When configuring the other end of the VPN connection, do not be tempted to swap the Headquarters and Satellite information! The configuration screens on both ends of the connection will look exactly the same.
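As an added example (not ClearOS code), a small Python check of the gathered information before it is typed into both ends: it flags a public IP in the private ranges named under Troubleshooting (which means that end is behind NAT), a network entered with host bits set, overlapping LANs, and Headquarters/Satellite data that was swapped on one screen. The `Side` class and function names are hypothetical; the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Private ranges: a gateway "public" IP inside one of these is behind a NAT router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Side:
    """Information gathered for one end: public IP, next hop (gateway), LAN network."""
    ip: str
    next_hop: str
    network: str


def check_side(name, side):
    """Sanity-check one end's addresses; returns a list of problem strings (empty = OK)."""
    try:
        ip = ipaddress.ip_address(side.ip)
        hop = ipaddress.ip_address(side.next_hop)
        lan = ipaddress.ip_network(side.network, strict=True)  # rejects e.g. 192.168.1.1/24
    except ValueError as exc:
        return [f"{name}: {exc}"]
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{name}: {ip} is a private address, so this end is behind NAT")
    if ip in lan or hop in lan:
        problems.append(f"{name}: public IP or next hop lies inside the LAN {lan}")
    return problems


def check_pair(hq, sat):
    """Cross-check both ends as they will be entered on each ClearOS system."""
    problems = check_side("Headquarters", hq) + check_side("Satellite", sat)
    if problems:
        return problems
    if hq.ip == sat.ip:
        problems.append("both ends use the same public IP")
    if ipaddress.ip_network(hq.network).overlaps(ipaddress.ip_network(sat.network)):
        problems.append("LAN networks overlap; traffic cannot be routed between them")
    return problems


def entered_identically(on_hq, on_sat):
    """Both screens must hold the same (hq, sat) pair; swapping them is the classic mistake."""
    return on_hq == on_sat


if __name__ == "__main__":  # constructed sample values
    hq = Side("203.0.113.10", "203.0.113.1", "192.168.10.0/24")
    sat = Side("198.51.100.20", "198.51.100.1", "192.168.20.0/24")
    print(check_pair(hq, sat) or "both ends look consistent")
    print("swapped on satellite:", not entered_identically((hq, sat), (sat, hq)))
```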
Sanity Checking
Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood to verify the VPN. Instead, make sure you can ping from:
- gateway to gateway
- gateway to remote PC
- remote PC to gateway
- remote PC to remote PC
If the connection fails, double check your network settings and restart your firewall.
Configuration for Road Warriors
The web-based administration tool does not support Road Warrior connections or interoperability with other IPsec servers. The software is capable of these configurations (including X.509 solutions), however, you must manually configure these connection types - a non-trivial task.
For road warriors/telecommuters, we suggest using the 128-bit encrypted PPTP VPN or the more modern, certificate-based OpenVPN. This option is not only more cost effective, but also easier to configure.
Interoperability
The IPsec protocol is an industry standard, but one with many loose ends. This means that other IPsec servers may not be able to connect to a ClearOS IPsec server. If you are familiar with the command line environment, you may be able to successfully connect a ClearOS system to a third-party system. You can find more information in the OpenSwan Interoperability Documentation.
Troubleshooting
- Make sure your firewall allows incoming connections for IPsec traffic
- The IPsec protocol does not pass through NAT-based routers. In other words, if your external IP address is 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based router.