IPSec

Branches and Head Office

This type of connection allows you to combine the LANs of several SafeUTM servers.


Features of IPsec technology implementation in SafeUTM assume two roles of using SafeUTM:


Setting up Connection Between Branch and Head Office

Head offices and Branches are added on the tabs with the same names in the section Services -> IPsec.

- Before creating a connection between the Branch and the Head Office, make sure that the time zone is correctly configured on each of the connected parties. It is impossible to establish a connection without this.
- Before configuring IPsec, it should be taken into account that for it to work, no IP subnets involved in connections, including the networks of the Head Office and all Branches, should overlap and, moreover, coincide.
- Networks of local interfaces of the Head offices and Branches to which you want to give access, must be set statically.
- Before setting up the connection, you need to make sure that one of the servers has a public (white) IP address from the Internet provider. If it turns out that the Head Office does not have a public IP address, and the Branch has such an address, then the server roles for this connection should be reversed.
- When replacing/reissuing the root certificate in the TLS Certificates section, IPsec connections Head Office <-> Branch will stop working and they will need to be recreated.

Step 1. Creating a connection in a Branch

In order to create a connection on SafeUTM, which will act as a Branch, it is necessary to perform the following settings in the web interface of this UTM:

1. Open the section Services -> IPsec -> Branch office and click Add in the upper left corner of the screen.
2. Fill in the following fields:

3. After filling in the fields, click Add head Office.
4. Click on the edit icon next to the added Head Office.
2. Branches and Head Office.png

5. Copy the contents of the Branch office settings field. The contents need to be pasted when setting up the Head Office to which the connection is being made (see step 2).
3. Branches and Head Office.png

Step 2. Creating a connection in the Head Office

In order to create a connection on SafeUTM which will act as the Head Office it is necessary to perform the following settings in the web interface of this UTM:

1. Open the section Services -> IPsec -> Head Office and click Add.
2. Fill in the following fields:

3. Click Add branch office.
4. Click the edit icon next to the added Branch.
5. Branches and Head Office.png

5. Select the LANs of the Head Office and click Save.
6. Branches and Head Office.png

6. Go back to editing the added Branch and copy the contents of the Head office settings field. The contents need to be added to the Branch settings (see step 3).
7. Branches and Head Office.png

Step 3. Final setup of the Branch

In order to complete the creation of a connection on SafeUTM which will act as a Branch it is necessary to perform the following settings in the web interface of this UTM:

1. Open section Services -> IPsec -> Branch office.
2. Select the desired head office and click Edit.
3. Insert into the Head Office Settings field the settings text received from the Head Office during step 2.
8. Branches and Head Office.png

4. Click Save.
5. Open section Services -> IPsec -> Branch office on UTM acting as a Branch and section Services -> IPsec -> Head Office on UTM acting as the Head Office and make sure that the connection to the Head Office is established. The confirmation Established should appear in a green frame.
9. Branches and Head Office.png


Routing of additional networks located behind the router in the local UTM network through an IPsec tunnel.

In order to configure the routing of networks located behind the router in the local UTM network, it is necessary to create a route to an additional network via the router's IP on SafeUTM (UTM, router and target host will be on the same network).

- If SafeUTM is behind NAT, then in order to work with IPsec you need to forward ports 500 and 4500 UDP.
- When installing an IPsec tunnel between SafeUTM servers (Branch and Head Office), 256-bit AES encryption is always used, as it is common and very reliable.

Connecting Devices

Description of options for connecting various routers (Mikrotik, Zyxel Keenetic, etc.) to SafeUTM for site-to-site VPN using IPsec IKEv2 protocol.


Devices that are not described in this manual as a rule can be connected using similar settings.

When combining networks using a VPN, LANs in different offices should not overlap.


The choice of crypto algorithms on remote devices.

When configuring third-party devices, you must explicitly specify the crypto algorithms used for the connection. SafeUTM supports the most up-to-date and at the same time sufficiently secure algorithms that do not load the server and devices. At the same time, outdated algorithms and those considered unsafe (MD5, SHA1, AES128, DES, 3DES, Blowfish, etc.) are not supported. When configuring third-party devices, as a rule, you can enter several supported algorithms at the same time. In fact, one algorithm of each kind is needed. Unfortunately, not all devices support the best algorithms, so SafeUTM supports several at once. Find below the list of algorithms of each type in descending order of priority for selection.

Example

An example of setting up a pfSense connection to SafeUTM via IPsec is shown in the screenshots below:
2. Connecting Devices.png
3. Connecting Devices.png


Connecting SafeUTM to MikroTik Using PSK

If there is a public IP address on the MikroTik device, follow the steps below to configure the SafeUTM connection to MikroTik.

Step 1.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After filling in all the fields, click Add connection. Your connection will appear in the list of connections:
5. Connecting Devices.png

Step 2.

You can configure the MikroTik device in several ways - through the GUI, and through the device console.


Connecting MikroTik to SafeUTM Using PSK

If there is a public IP address on SafeUTM, follow the steps below to configure the connection of the MikroTik device to SafeUTM.

Step 1.

You can configure the MikroTik device in several ways - through the GUI, and through the device console

Step 2.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After filling in all the fields, click Add connection. Your connection will appear in the list of connections.
7. Connecting Devices.png


Connecting SafeUTM to MikroTik Using Certificates

Connection with certificates is used because it is more secure than a PSK connection, or in cases when the device does not support PSK.

For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.
The creation of outgoing IPsec connections using certificates to MikroTik below version 6.45 does not work due to the inability to use modern crypto algorithms in certificates.

Step 1.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After the request is signed, you will need to continue configuring the connection in SafeUTM.

Do not close the settings tab!

Step 2.
Setting up MikroTik

At this stage, you should configure MikroTik to continue configuring UTM.

The UTM.csr file obtained from SafeUTM must be uploaded to the MikroTik file storage. To do this, open the File section, click Browse, select the file and upload it.

You can configure MikroTik in several ways - through the GUI, and through the device console.

Two files will appear in the MikroTik file system which you need to download in order to upload to UTM later.

9. Connecting Devices.png

The file of the type cert_export_device_<random character set>.ipsec.crt is a signed UTM certificate. The file of the type cert_export_mk_ca.crt is the root certificate of MikroTik.

At this point, the MikroTik setup can be considered complete.

Step 3.
Finishing up the SafeUTM setup

Go back to SafeUTM to the tab with the device connection settings and continue filling in the following fields:

After filling in the fields, click Add connection. Your connection will appear in the list of connections.


Connecting MikroTik to SafeUTM by certificates

Connection with certificates is used because it is more secure than a PSK connection, or in cases when the device does not support PSK.

For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.

Step 1.
Setting up MikroTik

You can configure MikroTik in several ways - through the GUI, and through the device console.

Two files will appear in the MikroTik file storage which must be downloaded since they are required for further configuration.:

14. Connecting Devices.png

Next, you will need to fill in the Certificate Signing Request field in SafeUTM, here is how to configure it.

Step 2.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After the settings, click Add connection. Your connection will appear in the list of connections. Click on the edit connection button to continue the setup.
12. Connecting Devices.png

3. The connection settings editing area will appear. You need to download the files that are in the fields UTM root certificate and Signed device certificate for their subsequent use in MikroTik.
13. Connecting Devices.png


Problems when reactivating an incoming connection to SafeUTM

If after using this connection you turned it off, for example, as unnecessary, and when trying to re-enable the connection failed to be established, then most likely the remote device got into fail2ban (a tool that tracks attempts to access services in log files, and if it finds repeated unsuccessful authorization attempts from the same IP-address or host, it blocks further attempts).


Connecting Mikrotik to SafeUTM via L2TP/IPsec

Configure the connection by running the following commands:

  1. Edit the IPsec profile:
    ip ipsec profile set default hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048
  1. Edit IPsec proposals:
    ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp2048
  1. Create a connection to SafeUTM:
    interface l2tp-client add connect-to={server} profile=default disabled=no name={interface_name} password="{password}" user="{login}" use-ipsec="yes" ipsec-secret="{psk}"

Connecting users

Connecting remote users via L2TP/IPsec protocol.


The settings for connecting users (client-to-site VPN) are described in the article VPN connection L2TP IPsec.


Allow remote users to connect via L2TP/IPsec protocol

1. Go to Users -> VPN connections.
2. Check the item L2TP/IPsec connection. Unchecking the box disables all users connected via L2TP/IPsec and makes their connection impossible.
1. Connecting users.png

3. Change the default PSK. The pre-shared key is a line that will need to be entered in the L2TP/IPsec connection settings on end devices.

When changing the Pre-shared key, all remotely connected users will be disconnected. To restore connectivity, specify a new PSK on remote user devices.