4.5. Setup - Services Network Interfaces Network Interfaces A detailed description of creating and configuring each type of network interface is described in the following instructions: Local Ethernet External Ethernet Ethernet + PPTP Ethernet + L2TP Ethernet + PPPoE All created interfaces are presented in the form of a table: In the edit mode, it becomes possible to change the name, network card (by clicking the pencil button), and configuration settings (manually or automatically): If the Network card is already in use by any interface, then UTM will display an error window "NIC/VLAN tag combinations must be unique". When migrating UTM from one physical machine to another (disk transfer or backup restore on new hardware), the settings of all network interfaces specified before the migration will be restored. Use the trash bin button to remove unnecessary interfaces.Example: the original version of UTM 13.X -> migrated UTM to new hardware -> configured new hardware -> upgraded -> in the Network interfaces section, old (before migration) and new (after migration and configuration) network interfaces will be displayed.Configuring Local Ethernet Manual and automatic configuration using the DHCP protocol. Be careful!If you select Local Ethernet and set it as External Ethernet, you will not be able to access the Internet. Manual Configuration To configure the connection in the web interface, follow these steps: 1. Go to the menu Services -> Network Interfaces.2. Click on the icon (+) in the upper right corner of the window and select Local Ethernet. 3. Select a network card.4. Fill in the fields listed below: Title - The name you will use to identify the interface in the future. Maximum 42 characters. Network card - The network adapter that will be used to connect. VLAN tag - VLAN ID. Such network interface is considered a VLAN interface. Also, one Ethernet interface can be created without specifying VLAN belonging to this network segment that will receive untagged traffic. Regular Ethernet interfaces, without specifying the VLAN ID, are created on the physical interface only in a single copy. The field is filled in only if the network card is already in use. Automatic configuration via DHCP - It is used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol. IP address/mask - You can assign multiple IP addresses to the interface. At least one IP address must be specified. Gateway - Gateway IP address. DNS - Two fields are available to specify the DNS server (optional). The Gateway field in the Local interface is set only if:- There is no External UTM interface;- UTM is only used as a proxy. Configuration example: Automatic Configuration It is used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol. Go to menu Services -> Network interfaces. Click on the icon (+) in the upper right corner of the window and select Local Ethernet. Select a network card. Fill in the Title field. The VLAN tag field is filled in only if the network card is already in use. Enable Automatic configuration via DHCP. Make sure that the entered values are correct and click Save. Configuration example:Configuring External Ethernet Manual and automatic configuration using the DHCP protocol. Usually, all necessary information for configuration is contained in the contract with your Internet provider. Manual Configuration To configure the connection in the web interface, follow these steps: 1. Go to the menu Services -> Network Interfaces.2. Click on the icon (+) in the upper right corner of the window and select External Ethernet. 3. Select a network card.4. Fill in the fields listed below: Title - The name you will use to identify the interface in the future. Maximum 42 characters. Network card - The network adapter that will be used to connect. VLAN tag - VLAN ID. Such network interface is considered a VLAN interface. Also, one Ethernet interface can be created without specifying VLAN belonging to this network segment that will receive untagged traffic. Regular Ethernet interfaces, without specifying the VLAN ID, are created on the physical interface only in a single copy. The field is filled in only if the network card is already in use. Automatic configuration via DHCP - It is used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol. IP address/mask - You can assign multiple IP addresses to the interface. At least one IP address must be specified. Gateway - Gateway IP address. DNS - Two fields are available to specify the DNS server (optional). Configuration example: Automatic Configuration It is used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol. Go to menu Services -> Network interfaces. Click on the icon (+) in the upper right corner of the window and select External Ethernet. Select a network card. Fill in the Title field. The VLAN tag field is filled in only if the network card is already in use. Enable Automatic configuration via DHCP. Make sure that the entered values are correct and click Save. Configuration example:Configuring PPTP Connection Connection via PPTP protocol is used by Internet service providers in order to provide a more reliable authorization. To configure such a connection in the web interface, follow these steps: 1. Go to the menu Services -> Network Interfaces.2. Click on the icon (+) in the upper right corner of the window and select Ethernet + PPTP.3. Select a network card.4. Fill in the fields listed in the table below: Parameter Description Title The name you will use to identify the interface in the future. Maximum 42 characters. Network card The network adapter will be used to connect to the Internet provider. VLAN tag The VLAN ID in which UTM will be present. Such network interface is considered a VLAN interface. Fill only in the case a network card is already in use. Automatic configuration via DHCP Used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol. IP address/mask You can assign multiple IP addresses to the interface. At least one IP address must be specified. Gateway Gateway IP address. DNS There are two fields available to specify the DNS server. Optional fields. VPN Server IP address or domain name of the PPTP server. Login Username for the PPTP connection. Password Password for the PPTP connection. 5. Make sure the entered values are correct and click Save. Configuration example:Configuring L2TP Connection Connection via L2TP protocol is sometimes used by Internet service providers in order to provide more reliable authorization. To configure such a connection in the web interface, follow these steps: Go to menu Services -> Network Interfaces. Click on the icon (+) in the upper right corner of the window and select Ethernet + L2TP. Select a network card. Fill in the fields listed in the table below: Parameter Description Title The name you will use to identify the interface in the future. Maximum 42 characters. Network Card The network adapter will be used to connect to the Internet provider. VLAN tag The VLAN ID in which UTM will be present Such network interface is considered a VLAN interface. Fill in only if the network card is already in use. Automatic configuration via DHCP Used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol. IP address/mask You can assign multiple IP addresses to the interface. At least one IP address must be specified. Gateway Gateway IP address. DNS Two fields are available to specify the DNS server (optional). VPN Server IP address or domain name of the L2TP server. Username User name for the L2TP connection. Password Password for the L2TP connection. Make sure that the entered values are correct and click Save. Configuration example:Configuring PPPoE Connection Connection via PPPoE protocol is traditionally used by providers offering connection via xDSL. To configure the connection in the web interface, follow these steps: Go to menu Services -> Network Interfaces. Click on the icon (+) in the upper right corner of the window and select Ethernet + PPPoE. Select a network card. Fill in the fields listed in the table below: Parameter Description Title The name you will use to identify the interface in the future. Maximum 42 characters. Network card The network adapter will be used to connect to the Internet provider. VLAN tag The VLAN ID in which UTM will be present Such network interface is considered a VLAN interface. Fill in only if the network card is already in use. Login Username for PPPoE connection. Password Password for PPPoE connection. Service Service ID. If you don't know what to enter, leave the field empty. Access concentrator (Hub) Hub ID. If you don't know what to enter, leave the field empty. Make sure the entered values are correct and click Save. Configuration example:Connection via 3G and 4G To connect to the networks of mobile operators, it is possible to use 4G routers with Ethernet interfaces. The server also supports some models of USB modems, for example, Huawei E8372. When connected, the USB modem will be displayed in SafeUTM as a new Ethernet interface.Channel Aggregation & Failover Routing BGP OSPF Proxy Proxy Setting up a direct connection to the proxy server. Proxy Server for Web Traffic You do not need to explicitly specify the proxy settings on the LAN hosts. Specifying UTM as the default gateway for devices on the network is sufficient. By default, caching of traffic to disk is disabled, but it is carried out in the server RAM. You can enable caching of web traffic to disk in Services -> Proxy, but we do not recommend doing this because of excessive load on the disk subsystem. As a rule, caching to RAM is sufficient. Direct connections to the proxy server can be configured by checking the corresponding box in the section Services -> Proxy and specifying the IP address and port on the UTM side. Then these details should be specified on those LAN network devices whose web traffic needs to be passed through a proxy. To configure HTTPS traffic filtering, you need to add a root UTM certificate to users' computers. Read more in the article on Setting up HTTPS filtering. Below is a screenshot of the General tab in the Proxy section. Role of Proxy Server in the Operation of SafeUTM Gateway The proxy server, in addition to proxying web traffic, plays the role of a master service for several services related to processing, monitoring, and accounting for user web traffic on the gateway, namely: Antivirus for web traffic (ClamAV). Web traffic reporting service for users. Content filter. Direct Connections to Proxy Server This mode is used when SafeUTM is not the default gateway for network clients. Setting up the mode Specify the SafeUTM local IP address as a web proxy on the local network on client devices. It is possible to use a proxy server for all protocols. In the proxy settings on SafeUTM, the IP address and port for direct connections to the proxy must be specified (you can select ports from the list: 3128, 1080, 8000, 8080, 8888, 8081, 8088, and 10080). In this mode, UTM will be able to provide hosts with web content and traffic on other ports (by default on all, if necessary, you can close the ports with a firewall), in case of necessity performing accounting (quotas), monitoring and checking web traffic for viruses, content and malicious content if the following conditions are met: SafeUTM server has Internet access (its external interface must be in a range that does not overlap with the local subnet and have access to the Internet). Authorization of the web traffic consumer host on the UTM server by one of the authorization types supported by UTM. Explicit indication of the web proxy address to the host (in the proxy server settings in browsers). For Single Sign-On authorization via Active Directory, you must specify the SafeUTM domain name in the settings, and not its IP address. If it is not possible to specify a proxy server in the program settings for Windows or Mac OS X, then you can use third-party software to route all workstation traffic to the proxy server. For example, Proxifier provides such an opportunity. For more information on how to configure Proxifier for direct connections to the proxy server, see an article by following the link. Exclusion of Resources from Proxy Server Processing On the Exceptions tab, it is possible to exclude resources from processing by the proxy server and all related services (content filter, web reporting, antiviruses). Source Networks: The proxy server is excluded from processing requests from the specified internal networks or IP addresses. Destination networks: The proxy server is excluded from processing requests to external networks or IP addresses (usually addresses of websites or web services). We strongly discourage you from excluding the ENTIRE LAN from proxy server processing. When connecting directly to a proxy server, traffic cannot be excluded from proxy processing. You need to exclude traffic in the proxy server settings on the device (in the web browser or the proxy server system settings).Configuring Proxy with Single Interface If necessary, you can use SafeUTM as a proxy server with direct connections of clients to the proxy, with a single interface. To do this, you need to perform the following settings: When creating a local interface in Services -> Network interfaces, Gateway needs to be specified: Allow direct connections to the proxy server on the tab Services -> Proxy by selecting the desired port from the list: When using SafeUTM as a proxy server with direct connections to the proxy, most of the functions will work normally, but with some peculiarities: In the firewall rules for users, it is necessary to specify INPUT paths instead of FORWARD. In-depth traffic analysis by the intrusion prevention system and the application control module will be carried out only for traffic passing through the proxy server (part of the rules will not work). Exceptions from the proxy server must be made by means of the browser or routes on the end devices. Settings on tab Services -> Proxy -> Exceptions apply only to the transparent mode of operation of the proxy server. Exclude IP Addresses from Proxy Server Processing Setting up exceptions for the traffic of individual users or traffic to certain Internet resources from passing and processing by a web proxy available as part of UTM. Resource exclusions from proxy server processing only work for transparent proxy mode. With direct connections to the proxy server, it is impossible to exclude anything from proxy processing. Two types of exceptions can be configured: Exclusion of traffic of local UTM network hosts directed externally from proxy processing (Source networks). Exclusion of traffic of all hosts in the local network served by UTM to certain resources in external networks (Destination networks). You can only specific IP addresses or IP networks. Traffic excluded from proxy processing will not participate in Reports, and also cannot be tested for viruses and processed by the Content filter module. At the same time, such traffic will be checked by a firewall, intrusion prevention services, and application control. Programs Running on Protocols Other Than HTTP(S) via Web Proxy Some programs that send traffic to their servers on ports 80 and 443, but at the same time work on protocols other than HTTP(S), cannot be processed by a web proxy server on UTM with HTTPS traffic filtering enabled. The traffic of such programs should be excluded from proxy processing in the Destination networks field.Connecting to External ICAP Services Sending HTTP(S) traffic for analysis to third-party servers using ICAP protocol. In this case, traffic to these servers (which may include DLP systems, antiviruses, and web filters) is transmitted in decrypted form. You can configure the connection to servers via ICAP in Services -> Proxy on the ICAP tab. It is possible to establish a connection to several ICAP services simultaneously.Reverse Proxy DNS DHCP Server IPSec Branches and Head Office This type of connection allows you to combine the LANs of several SafeUTM servers. Features of IPsec technology implementation in SafeUTM assume two roles of using SafeUTM: Head office – SafeUTM must have a public address on the Internet and accept connections from other SafeUTM (Branches), network equipment, or workstations (Remote Users). Branch office – SafeUTM connects to the Head Office and, as a rule, does not have a public address on the Internet. But if the Branch has a public address, then any other device can also be connected to it. Setting up Connection Between Branch and Head Office Head offices and Branches are added on the tabs with the same names in the section Services -> IPsec. - Before creating a connection between the Branch and the Head Office, make sure that the time zone is correctly configured on each of the connected parties. It is impossible to establish a connection without this.- Before configuring IPsec, it should be taken into account that for it to work, no IP subnets involved in connections, including the networks of the Head Office and all Branches, should overlap and, moreover, coincide.- Networks of local interfaces of the Head offices and Branches to which you want to give access, must be set statically.- Before setting up the connection, you need to make sure that one of the servers has a public (white) IP address from the Internet provider. If it turns out that the Head Office does not have a public IP address, and the Branch has such an address, then the server roles for this connection should be reversed.- When replacing/reissuing the root certificate in the TLS Certificates section, IPsec connections Head Office <-> Branch will stop working and they will need to be recreated. Step 1. Creating a connection in a Branch In order to create a connection on SafeUTM, which will act as a Branch, it is necessary to perform the following settings in the web interface of this UTM: 1. Open the section Services -> IPsec -> Branch office and click Add in the upper left corner of the screen.2. Fill in the following fields: Head office name – maximum 42 characters. Head office's external address – the domain name or external IP address of the head office issued by the provider. If necessary, you can enter the Head office's additional address. Branch office LANs – the IP address of the Branch's subnet that will be available to users in the Head Office, in the IP address/mask format. 3. After filling in the fields, click Add head Office.4. Click on the edit icon next to the added Head Office. 5. Copy the contents of the Branch office settings field. The contents need to be pasted when setting up the Head Office to which the connection is being made (see step 2). Step 2. Creating a connection in the Head Office In order to create a connection on SafeUTM which will act as the Head Office it is necessary to perform the following settings in the web interface of this UTM: 1. Open the section Services -> IPsec -> Head Office and click Add.2. Fill in the following fields: Branch office name – maximum 42 characters. Branch office settings – paste the settings that you copied from the Branch after completing step 1. 3. Click Add branch office.4. Click the edit icon next to the added Branch. 5. Select the LANs of the Head Office and click Save. 6. Go back to editing the added Branch and copy the contents of the Head office settings field. The contents need to be added to the Branch settings (see step 3). Step 3. Final setup of the Branch In order to complete the creation of a connection on SafeUTM which will act as a Branch it is necessary to perform the following settings in the web interface of this UTM: 1. Open section Services -> IPsec -> Branch office.2. Select the desired head office and click Edit.3. Insert into the Head Office Settings field the settings text received from the Head Office during step 2. 4. Click Save.5. Open section Services -> IPsec -> Branch office on UTM acting as a Branch and section Services -> IPsec -> Head Office on UTM acting as the Head Office and make sure that the connection to the Head Office is established. The confirmation Established should appear in a green frame. Routing of additional networks located behind the router in the local UTM network through an IPsec tunnel. In order to configure the routing of networks located behind the router in the local UTM network, it is necessary to create a route to an additional network via the router's IP on SafeUTM (UTM, router and target host will be on the same network). - If SafeUTM is behind NAT, then in order to work with IPsec you need to forward ports 500 and 4500 UDP.- When installing an IPsec tunnel between SafeUTM servers (Branch and Head Office), 256-bit AES encryption is always used, as it is common and very reliable.Connecting Devices Description of options for connecting various routers (Mikrotik, Zyxel Keenetic, etc.) to SafeUTM for site-to-site VPN using IPsec IKEv2 protocol. Devices that are not described in this manual as a rule can be connected using similar settings. When combining networks using a VPN, LANs in different offices should not overlap. The choice of crypto algorithms on remote devices. When configuring third-party devices, you must explicitly specify the crypto algorithms used for the connection. SafeUTM supports the most up-to-date and at the same time sufficiently secure algorithms that do not load the server and devices. At the same time, outdated algorithms and those considered unsafe (MD5, SHA1, AES128, DES, 3DES, Blowfish, etc.) are not supported. When configuring third-party devices, as a rule, you can enter several supported algorithms at the same time. In fact, one algorithm of each kind is needed. Unfortunately, not all devices support the best algorithms, so SafeUTM supports several at once. Find below the list of algorithms of each type in descending order of priority for selection. Phase 1 (IKE): encryption: AES256-GCM AES256 integrity (hash): for AES256-GCM - not required, since integrity check is built into AEAD algorithms. for AES256, by priority: SHA512, SHA256. prf (random value generation function): as a rule, it is configured automatically, depending on the choice of integrity algorithms (therefore, in the example below, the value of prf is PRF-HMAC-SHA512). for AES-GCM, you may need to specify explicitly. In this case, by priority: AESXCBC, SHA512, SHA384, SHA256. DH (Diffie-Hellman Group): Curve25519 (group 31) ECP256 (group 19) modp4096 (group 16) modp2048 (group 14) modp1024 (group 2) Timeouts: Lifetime: 14400 seconds DPD Timeout (for L2TP/IPsec): 40 seconds DPD Delay: 30 seconds Phase 2 (ESP): encryption: AES256-GCM AES256 integrity: for AES256-GCM - not required, since integrity check is built into AEAD algorithms for AES-256, by priority: SHA512, SHA384, SHA256 DH (Diffie-Hellman Group, PFS). ATTENTION! if not specified, it will connect, but rekey will not work after a while: Curve25519 (group 31) ECP256 (group 19) modp4096 (group 16) modp2048 (group 14) modp1024 (group 2) Timeouts: Lifetime: 3600 seconds Example Phase 1 (IKE) (one of the lines is needed): AES256-GCM\PRF-HMAC-SHA512\Curve25519 AES256\SHA512\PRF-HMAC-SHA512\ECP384 AES256\SHA256\PRF-HMAC-SHA256\MODP2048 Phase 2 (ESP) (one of the lines is needed): AES256-GCM\ECP384 AES256\SHA256\MODP2048 An example of setting up a pfSense connection to SafeUTM via IPsec is shown in the screenshots below: Connecting SafeUTM to MikroTik Using PSK If there is a public IP address on the MikroTik device, follow the steps below to configure the SafeUTM connection to MikroTik. Step 1. Setting up SafeUTM 1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields: Connection name – specify an arbitrary name for the connection. Maximum 42 characters. Connection type – select Outcoming, since the connection is made from UTM to MikroTik. Remote device address – specify the external IP address of the MikroTik device. Authentication type – select the PSK PSK – a random PSK key will be generated. You will need it to set up a connection in MikroTik. UTM identifier – the key you enter will be used to identify the outgoing connection. Home local network – list all UTM LANs that will be available in an IPsec connection, i.e. will be visible to the opposite side. Remote local networks – list all MikroTik LANs that will be available in an IPsec connection, i.e. will be visible to the opposite side. 2. After filling in all the fields, click Add connection. Your connection will appear in the list of connections: Step 2. You can configure the MikroTik device in several ways - through the GUI, and through the device console. Connecting MikroTik to SafeUTM Using PSK If there is a public IP address on SafeUTM, follow the steps below to configure the connection of the MikroTik device to SafeUTM. Step 1. You can configure the MikroTik device in several ways - through the GUI, and through the device console Step 2. Setting up SafeUTM 1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields: Connection name – specify an arbitrary name for the connection. Maximum 42 characters. Connection type – select Incoming, since the connection to UTM is being made. Authentication type – select the PSK type. PSK – insert the PSK key received from MikroTik. Remote side identifier – insert the MikroTik ID (Key ID parameter in /ip ipsec peers). Home local network – list all UTM LANs that will be available in an IPsec connection, i.e. will be visible to the opposite side. Remote local networks – list all MikroTik LANs that will be available in an IPsec connection, i.e. will be visible to the opposite side. 2. After filling in all the fields, click Add connection. Your connection will appear in the list of connections. Connecting SafeUTM to MikroTik Using Certificates Connection with certificates is used because it is more secure than a PSK connection, or in cases when the device does not support PSK. For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.The creation of outgoing IPsec connections using certificates to MikroTik below version 6.45 does not work due to the inability to use modern crypto algorithms in certificates. Step 1. Setting up SafeUTM 1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields: Connection name – specify an arbitrary name for the connection. Maximum 42 characters. Connection type – select Outcoming, because the connection is made from UTM. Authentication type – specify the type of Certificate. Address of the remote device – specify the external IP address of MikroTik. Certificate signing request – a request will be generated which must be sent to MikroTik for signing. 2. After the request is signed, you will need to continue configuring the connection in SafeUTM. Do not close the settings tab! Step 2. Setting up MikroTik At this stage, you should configure MikroTik to continue configuring UTM. The UTM.csr file obtained from SafeUTM must be uploaded to the MikroTik file storage. To do this, open the File section, click Browse, select the file and upload it. You can configure MikroTik in several ways - through the GUI, and through the device console. Two files will appear in the MikroTik file system which you need to download in order to upload to UTM later. The file of the type cert_export_device_.ipsec.crt is a signed UTM certificate. The file of the type cert_export_mk_ca.crt is the root certificate of MikroTik. At this point, the MikroTik setup can be considered complete. Step 3. Finishing up the SafeUTM setup Go back to SafeUTM to the tab with the device connection settings and continue filling in the following fields: Signed UTM certificate – upload a signed UTM certificate to MikroTik. Remote Device Root Certificate – download the MikroTik root certificate. Home local networks – list all UTM LANs that will be available in an IPsec connection, i.e. will be visible to the opposite side. Remote local networks – list all MikroTik local networks that will be available in an IPsec connection, i.e. will be visible to the opposite side. After filling in the fields, click Add connection. Your connection will appear in the list of connections. Connecting MikroTik to SafeUTM by certificates Connection with certificates is used because it is more secure than a PSK connection, or in cases when the device does not support PSK. For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet. Step 1. Setting up MikroTik You can configure MikroTik in several ways - through the GUI, and through the device console. Two files will appear in the MikroTik file storage which must be downloaded since they are required for further configuration.: File certificate-request.pem is a certificate signing request. File certificate-request_key.pem is a private key. Next, you will need to fill in the Certificate Signing Request field in SafeUTM, here is how to configure it. Step 2. Setting up SafeUTM 1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields: Connection name – specify an arbitrary name for the connection. Maximum 42 characters. Connection type – select Incoming, since the connection to UTM is being made. Authentication type – select the type Certificate. Certificate Signing Request - Upload the signature request received from MikroTik. Home local network – it is necessary to list all UTM LANs that will be available in an IPsec connection, i.e. they will be visible to the opposite side. 2. After the settings, click Add connection. Your connection will appear in the list of connections. Click on the edit connection button to continue the setup. 3. The connection settings editing area will appear. You need to download the files that are in the fields UTM root certificate and Signed device certificate for their subsequent use in MikroTik. Problems when reactivating an incoming connection to SafeUTM If after using this connection you turned it off, for example, as unnecessary, and when trying to re-enable the connection failed to be established, then most likely the remote device got into fail2ban (a tool that tracks attempts to access services in log files, and if it finds repeated unsuccessful authorization attempts from the same IP-address or host, it blocks further attempts). Connecting Mikrotik to SafeUTM via L2TP/IPsec Configure the connection by running the following commands: Edit the IPsec profile:ip ipsec profile set default hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 Edit IPsec proposals:ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp2048 Create a connection to SafeUTM:interface l2tp-client add connect-to={server} profile=default disabled=no name={interface_name} password="{password}" user="{login}" use-ipsec="yes" ipsec-secret="{psk}" Connecting users Connecting remote users via L2TP/IPsec protocol. The settings for connecting users (client-to-site VPN) are described in the article VPN connection L2TP IPsec. Allow remote users to connect via L2TP/IPsec protocol 1. Go to Users -> VPN connections.2. Check the item L2TP/IPsec connection. Unchecking the box disables all users connected via L2TP/IPsec and makes their connection impossible. 3. Change the default PSK. The pre-shared key is a line that will need to be entered in the L2TP/IPsec connection settings on end devices. When changing the Pre-shared key, all remotely connected users will be disconnected. To restore connectivity, specify a new PSK on remote user devices.Connecting offices (site-to-site) PPTP VPN Using the PPTP protocol, you can connect Branches that use outdated routers supporting only PPTP to the Head Office (if the device supports IPsec, it is recommended to use PPTP). If possible, use a more reliable and secure protocol for connecting branches - IPsec. For details on setup, see the article Connecting devices.For SafeUTM communication with SafeUTM, also use IPsec (see article Branches and Head Office). The setup process consists of two stages: Server preparation and configuration of local networks. Creating VPN tunnels and configuring routing. Server Preparation and Configuration of Local Networks To combine local office networks, you need to ensure the uniqueness of the IP address space in them. Each office should have its own unique network. Otherwise, when creating a VPN tunnel, you may encounter incorrect routing. Below is an example of combining networks of two offices. Configure your network and SafeUTM security gateway according to the data in the table below: Parameter Office No1 (SafeUTM) Office No2 (Router) IP Address Space IP address: 192.168.0.0 Netmask: 255.255.255.0 IP address: 192.168.1.0 Netmask: 255.255.255.0 Local IP address IP address: 192.168.0.1 Netmask: 255.255.255.0 IP address: 192.168.1.1 Netmask: 255.255.255.0 Creating VPN tunnels and configuring routing Internet gateway in Office No1 1. Create a user account, for example, "office2", on behalf of which the SafeUTM server in office No2 will connect to the SafeUTM server in office No1. 2. Allow the created account to have Allow remote access via VPN. This parameter can be activated in the section Users -> User & Group -> General by selecting the desired user. 3. Add routes to the routing table. To do this, go to Services -> Routing -> Static routes and click the add button. We need to add the following route: Destination address: 192.168.1.0/255.255.255.0 Gateway: user "office2" Configuring the router in office No2 In the example, the settings are given for SafeUTM acting as a router. As a rule, routers from different manufacturers are configured similarly. You need to create a VPN connection to a remote server and register a route to a remote network via a VPN connection. To do this, follow these steps: Create a new interface of the type Ethernet + PPTP. As a VPN server, specify the external IP address or domain name of office No1 and use the data of the account created on the server in office No1 (in our example, office2) as a username and password. Add routes to the routing table. To do this, in the web interface go to the section Services -> Routing and click the add button. Specify the required values and click Save. We need to add the following route:Destination address: 192.168.0.0/24 Gateway: Select the Ethernet + PPTP interface that you have created. Incoming Connection of Cisco IOS to SafeUTM via IPsec Following the steps in this article, you can combine Cisco and SafeUTM networks via IPsec using PSK. Find below the connection setup according to the scheme shown in the figure: Step 1. Initial Setup of SafeUTM Configure the local and external interfaces on SafeUTM. Detailed information can be found in the article Initial setup. Step 2. Initial setup of Cisco IOS EX Cisco configuration can be done through the device console (the configuration is described below) 1. Setting up the local interface: enable conf t interface GigabitEthernet2 ip address {local IP Cisco} {subnet mask} no shutdown ip nat inside exit 2. Configuring the external interface: interface GigabitEthernet1 ip address {Cisco external IP} {subnet mask} no shutdown ip nat outside exit 3. Check if there is a connection between the external interfaces of SafeUTM and Cisco. To do this, use the ping {external IP UTM} command in the Cisco console. The result of the command output is the presence of ICMP responses. 4. Creating an access list with local network addressing: ip access-list extended NAT permit ip {Cisco local subnet} {reverse subnet mask} any exit 5. Configuring NAT (for more information on configuring this item, you can read the article on the official Cisco website): ip nat inside source list NAT interface GigabitEthernet1 overload exit 6. Saving configuration settings: write memory 7. Having saved the settings, make sure that there is Internet access from the Cisco LAN. To do this, visit any website (for example: https://www.cisco.com) from a device on the Cisco LAN. Step 3. Configuring IKEv2+IPsec on Cisco 1. Creating a proposal (you can read detailed information on setting up this item in the article on the official Cisco website): conf t crypto ikev2 proposal ikev2proposal encryption aes-cbc-256 integrity sha256 group 19 exit 2. Creating a policy (you can read detailed information on setting up this item in the article on the official Cisco website): crypto ikev2 policy ikev2policy match fvrf any proposal ikev2proposal exit 3. Creating a peer (key_id is the ID of the remote party, i.e. SafeUTM). Detailed information on setting up this item can be found in the article on the official Cisco website. crypto ikev2 keyring key peer strongswan address {UTM external IP} identity key-id {key_id} pre-shared-key local {psk} pre-shared-key remote {psk} exit exit 4. Creating an IKEv2 profile (you can read detailed information on configuring this item in the article on the official Cisco website): crypto ikev2 profile ikev2profile match identity remote address {UTM external IP} 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local key exit 5. Setting up encryption in esp: crypto ipsec transform-set TS esp-gcm 256 mode tunnel exit 6. Creating ipsec-isakmp: crypto map cmap 10 ipsec-isakmp set peer {UTM external IP} set transform-set TS set ikev2-profile ikev2profile match address cryptoacl exit 7. Configuring the crypto map on the external interface: interface GigabitEthernet1 crypto map cmap exit 8. Creating an access list for traffic between Cisco and UTM local networks: ip access-list extended cryptoacl permit ip {Cisco local subnet} {reverse subnet mask} {UTM local subnet} {reverse subnet mask} exit 9. Adding traffic exceptions between Cisco and UTM local networks to the NAT access list (the deny rule should be higher than permit): ip access-list extended NAT no permit ip {Cisco local subnet} {reverse subnet mask} any deny ip {Cisco local subnet} {reverse subnet mask} {local UTM subnet} {reverse subnet mask} permit ip {Cisco local subnet} {reverse subnet mask} any exit end 10. Saving configuration settings: write memory Step 4. Creating an incoming IPsec connection on UTM 1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.2. Add a new connection: Connection name – any. Type – incoming. Authorization type – PSK. PSK – specify the PSK key that you entered in Step 3 item 3. Remote side identifier – insert the Cisco ID (Key ID parameter in Step 3 item 3). Home local network – specify the SafeUTM local area network. Remote local networks – specify the Cisco local network. 3. Save the created connection, then click on Turn on4. Check that the connection is established (your connection will appear in the list of connections, in column Statuses the word Installed will be highlighted in green).5. Check for traffic between local networks (TCP and web). The final configuration of Cisco IOS The final configuration of IKEv2 IPsec on Cisco IOS should look like this: crypto ikev2 proposal ikev2proposal encryption aes-cbc-256 integrity sha256 group 19 crypto ikev2 policy ikev2policy match fvrf any proposal ikev2proposal crypto ikev2 keyring key peer strongswan address 5.5.5.5 pre-shared-key local QWEqwe1234567890 pre-shared-key remote QWEqwe1234567890 crypto ikev2 profile ikev2profile match identity remote key-id key-id authentication remote pre-share authentication local pre-share keyring local key crypto ipsec transform-set TS esp-gcm 256 mode tunnel crypto map cmap 10 ipsec-isakmp set peer 5.5.5.5 set transform-set TS set ikev2-profile ikev2profile match address cryptoacl interface GigabitEthernet1 ! external interface ip address 1.1.1.1 255.255.255.0 ip nat outside negotiation auto no mop enabled no mop sysid crypto map cmap interface GigabitEthernet2 ! local interface ip address 2.2.2.2 255.255.255.0 ip nat inside negotiation auto no mop enabled no mop sysid ip nat inside source list NAT interface GigabitEthernet1 overload ip access-list extended NAT deny ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255 permit ip 2.2.2.0 0.0.0.255 any ip access-list extended cryptoacl permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255Outgoing SafeUTM Connection to Cisco IOS via IPsec Following the steps in this article, you can combine Cisco and SafeUTM networks via IPsec using PSK. Find below the connection setup according to the scheme shown in the figure: Step 1. Initial Setup of SafeUTM Configure the local and external interfaces on SafeUTM. Detailed information can be found in the article Initial setup. Step 2. Initial Setup of Cisco IOS EX Cisco configuration can be done through the device console (the configuration is described below). 1. Setting up the local interface: enable conf t interface GigabitEthernet2 ip address {Cisco local IP} {subnet mask} no shutdown ip nat inside exit 2. Configuring the external interface: interface GigabitEthernet1 ip address {Cisco external IP} {subnet mask} no shutdown ip nat outside exit 3. Check if there is a connection between the external interfaces of SafeUTM and Cisco. To do this, use the ping {external IP UTM} command in the Cisco console. The result of the command output is the presence of ICMP responses. 4. Creating an access list with local network addressing: ip access-list extended NAT permit ip {Cisco local subnet} {reverse subnet mask} any exit 5. Configuring NAT (for more information on configuring this item, you can read the article on the official Cisco website): ip nat inside source list NAT interface GigabitEthernet1 overload exit 6. Saving configuration settings: write memory 7. Having saved the settings, make sure that there is Internet access from the Cisco LAN. To do this, visit any website (for example: https://www.cisco.com) from a device on the Cisco LAN. Step 3. Configuring IKEv2+IPsec on Cisco 1. Creating a proposal (you can read detailed information on setting up this item in the article on the official Cisco website): conf t crypto ikev2 proposal ikev2proposal encryption aes-cbc-256 integrity sha256 group 19 exit 2. Creating a policy (you can read detailed information on setting up this item in the article on the official Cisco website): crypto ikev2 policy ikev2policy match fvrf any proposal ikev2proposal exit 3. Creating a peer (key_id is the ID of the remote party, i.e. SafeUTM). Detailed information on setting up this item can be found in the article on the official Cisco website. crypto ikev2 keyring key peer strongswan address {UTM external IP} identity key-id {key_id} pre-shared-key local {psk} pre-shared-key remote {psk} exit exit 4. Creating an IKEv2 profile (you can read detailed information on configuring this item in the article on the official Cisco website): crypto ikev2 profile ikev2profile match identity remote address {UTM external IP} 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local key exit 5. Setting up encryption in esp: crypto ipsec transform-set TS esp-gcm 256 mode tunnel exit 6. Creating ipsec-isakmp: crypto map cmap 10 ipsec-isakmp set peer {UTM external IP} set transform-set TS set ikev2-profile ikev2profile match address cryptoacl exit 7. Configuring the crypto map on the external interface: interface GigabitEthernet1 crypto map cmap exit 8. Creating an access list for traffic between Cisco and UTM local networks: ip access-list extended cryptoacl permit ip {Cisco local subnet} {reverse subnet mask} {UTM local subnet} {reverse subnet mask} exit 9. Adding traffic exceptions between Cisco and UTM local networks to the NAT access list (the deny rule should be higher than permit): ip access-list extended NAT no permit ip {Cisco local subnet} {reverse subnet mask} any deny ip {Cisco local subnet} {reverse subnet mask} {local UTM subnet} {reverse subnet mask} permit ip {Cisco local subnet} {reverse subnet mask} any exit end 10. Saving configuration settings: write memory Step 4. Creating an outgoing IPsec connection on SafeUTM 1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.2. Add a new connection: Connection name – any. Type – Outgoing. Authorization type – PSK. PSK – a random PSK key will be generated. You will need it to set up a connection in Cisco (see Step 3 item 3). UTM identifier – The key you entered will be used to identify the outgoing connection. Also, enter this ID in Cisco (see Step 3 item 3). Home local network – specify the SafeUTM local area network. Remote local networks – specify the Cisco local network. 3. Check that the connection has been established (your connection will appear in the list of connections, in the column Statuses the word Installed will be highlighted in green).4. Check for traffic between local networks (TCP and web). Final Configuration of Cisco IOS The final configuration of IKEv2 IPsec on Cisco IOS should look like this: crypto ikev2 proposal ikev2proposal encryption aes-cbc-256 integrity sha256 group 19 crypto ikev2 policy ikev2policy match fvrf any proposal ikev2proposal crypto ikev2 keyring key peer strongswan address 5.5.5.5 pre-shared-key local QWEqwe1234567890 pre-shared-key remote QWEqwe1234567890 crypto ikev2 profile ikev2profile match identity remote key-id key-id authentication remote pre-share authentication local pre-share keyring local key crypto ipsec transform-set TS esp-gcm 256 mode tunnel crypto map cmap 10 ipsec-isakmp set peer 5.5.5.5 set transform-set TS set ikev2-profile ikev2profile match address cryptoacl interface GigabitEthernet1 ! external interface ip address 1.1.1.1 255.255.255.0 ip nat outside negotiation auto no mop enabled no mop sysid crypto map cmap interface GigabitEthernet2 ! local interface ip address 2.2.2.2 255.255.255.0 ip nat inside negotiation auto no mop enabled no mop sysid ip nat inside source list NAT interface GigabitEthernet1 overload ip access-list extended NAT deny ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255 permit ip 2.2.2.0 0.0.0.255 any ip access-list extended cryptoacl permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255Incoming pfSense connection to SafeUTM via IPsec Following the steps in this article, you can combine pfSense and SafeUTM networks via IPsec using PSK. The combined LANs should not overlap! Setting up SafeUTM 1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.2. Add a new connection: Connection name – any. Type – incoming. Authorization type – PSK. PSK – specify the PSK key to be used for the connection. Remote side identifier – any. Home local network – Specify the SafeUTM local area network that will be visible from the pfSense subnet. Remote local networks – Specify the pfSense local network that will be visible from the SafeUTM subnet. 3. Save the created connection, then click on the "Enable" button.4. Two configuration files will be generated on SafeUTM in the /etc/strongswan/autogen/ folder. You need to go to the console and open the file of the type device_.peer for editing.5. From this file, you need to copy the value of the rightid line (approximate type –@#746573745f70736b). In the future, this value will need to be registered on pfSense.6. The setup is complete, now let’s set up pfSense. Setting up pfSense 1. In the pfSense web interface, go to tab VPN -> IPsec –> Tunnels.2. Add a new connection: Key Exchange version – IKEv2. Internet Protocol – IPv4. Interface – Select the pfSense external interface that will be used to connect to SafeUTM. Remote Gateway – IP of the SafeUTM external interface. Description – any. Authentication Method – Mutual PSK. My identifier and Peer identifier – insert the value of the rightid line on SafeUTM here (see step 5 in setting up SafeUTM). Pre-Shared Key – insert the PSK key that was previously registered on SafeUTM. Encryption Algorithm: For SafeUTM version 13.0 and later, use the following parameters: Algorithm - AES256-GCM; Key length - 128 bit; Hash - SHA256; DH Group - Elliptic Curve 25519- 256. All other values can be left by default. 3. Save the connection.4. Click on the button Show Phase 2 Entries and add a new Phase 2. Specify here: Encryption Algorithm: For SafeUTM version 13.0 and later, use the following parameters: Algorithm - AES256-GCM; Key length - 128 bit; Hash - SHA256; DH Group - Elliptic Curve 25519- 256. Local Network – pfSense LAN which will be accessible from the SafeUTM subnet. Remote Network – SafeUTM LAN, which will be accessible from the pfSense subnet. All other values can be left by default. 5. Save the connection.6. Then you need to allow traffic to flow between the pfSense and SafeUTM local networks in the pfSense firewall (go to tab Firewall -> Rules -> IPsec and create two rules that allow traffic to flow between the SafeUTM and pfSense local networks).Also, pay attention to the WAN firewall section – by default, incoming traffic from "gray" subnets is prohibited in it, so you need to remove this restriction. 7. Now go to tab Status -> IPsec (the created connection should appear there), and click on the Connect VPN button. The setup is complete, the connection should be successfully established. If the connection could not be established, and the pfSense firewall settings were made correctly, you should recreate the connection on UTM by specifying in the Key ID field the value that was specified in My identifier and Peer identifier for pfSense and try to connect again. No changes are required on the pfSense side.Outgoing pfSense Connection to SafeUTM via IPsec Setting up SafeUTM 1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.2. Add a new connection: Connection name – any. Type – outgoing. Authentication type – PSK. PSK – specify the PSK key to be used for the connection. UTM identifier – any. Home local network – specify the SafeUTM local area network that will be visible from pfSense subnets. Remote local networks – specify the pfSense local network that will be visible from the SafeUTM subnet. Setting up pfSense 1. In the pfSense web interface, go to tab VPN > IPsec > Advanced Options, and in the Child SA Start Action field select option None (Responder Only).2. Add a new connection: Key Exchange version – IKEv2. Internet Protocol – IPv4. Interface – Select the pfSense external interface that will be used to connect to SafeUTM. Remote Gateway – IP of external interface SafeUTM. Description - any. Authentication Method – Mutual PSK. My identifier - My IP address. Peer identifier - KeyID tag. Enter the ID of the remote party, i.e. SafeUTM. Pre-Shared Key – enter the PSK key. Encryption Algorithm: Algorithm - AES256-GCM; Key length - 128 bit; Hash - SHA256; DH Group - Elliptic Curve 25519-256. 3. Save the connection.4. Click the button Show Phase 2 Entries and add a new Phase 2 and enter the following values: Encryption Algorithm: Algorithm - AES256- GCM; Key length - 128 bit; Hash - SHA256; DH Group - Elliptic Curve 25519-256. Local Network – pfSense LAN which will be accessible from the SafeUTM subnet. Remote Network – SafeUTM LAN, which will be accessible from the pfSense subnet. All other values can be left by default. 5. Save the connection.6. Then you need to allow traffic to flow between the pfSense and SafeUTM local networks in the pfSense firewall (go to tab Firewall -> Rules -> IPsec and create two rules that allow traffic to flow between the SafeUTM and pfSense local networks).7. Also pay attention to the WAN firewall section – by default, incoming traffic from "gray" subnets is prohibited in it, so you need to remove this restriction.8. Now go to tab Status -> IPsec (the connection that was created should appear there), and click on the Connect VPN button. The setup is complete, the connection should be successfully established. If the connection could not be established, and the pfSense firewall settings are correct, you should recreate the connection to UTM by specifying in the field Key ID the value specified in My identifier and Peer identifier of pfSense, and try to connect again. On the pfSense side, no changes are necessary.Connecting Keenetic via SSTP You can connect routers with SSTP protocol support in site-to-site VPN mode. If you do not need access from the central office to the network for Keenetic, then use the article Connecting Wi-Fi Keenetic Routers via SSTP on client-to-site connection. Setting up SafeUTM 1. Enable and configure the port and domain for SSTP in Users -> VPN connections.2. In Users -> User & Group create a special user for the remote router. Check the box Allow remote access via VPN. The username/password of the user will be used on the router, save or write them down. 3. Register the routes to the remote network. For example, if the network behind the router is 192.168.10.0/24, you need to add the following route to the section Services -> Routing -> Static routes: Configuring Keenetic Router Configure the VPN connection of the Keenetic router according to the instructions for client-to-site connections. Do not forget to follow all three steps: Set up a VPN connection. Set up routes. Configure DNS to resolve the local domain (if using Active Directory). Verification and Possible Problems To check the connection, use the ping and traceroute utilities. If a VPN connection is established, but there is no access to the resources of one local network from another, use the instructions from the article to diagnose possible problems. Most often, access is blocked in Windows due to network profile settings. You can allow access to "non-local" networks in all profiles, by running the command in PowerShell (launched with elevated administrator rights): Enable-NetFirewallRule -Group "@FirewallAPI.dll,-28502"Connecting Kerio Control to SafeUTM via IPsec Following the steps of the article below, you can combine Kerio Control and SafeUTM networks via IPsec using PSK. The combined LANs should not overlap! Setting up SafeUTM 1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.2. Add a new connection and fill in the following fields: Connection name – specify an arbitrary name for the connection. Maximum 42 characters. Type – select Incoming. Authentication type – select the PSK type. PSK – specify the PSK key to be used for the connection. Remote side identifier – specify the key that will be used to identify the connection on Kerio. Home local network – Select the SafeUTM LAN that will be visible from the Kerio Control subnet. Remote local networks - specify the Kerio Control LAN that will be visible from the SafeUTM subnet. 3. Save the created connection, then activate the connection by clicking on the Enable icon in the column Operations.4. The setup is complete, Kerio Control needs to be configured. Configuring Kerio Control 1. By default, Kerio Control uses IKEv1 to create connections to third-party devices. You can enable IKEv2 via the console. To do this, follow these steps: 1.1. Connect to Kerio Control via SSH.1.2. Go to the folder /var/winroute 1.3. Open winroute.cfg file for editing.1.4. In it, find the section starting with the text 1.5. In this section, find the line ikev1 and change ikev1 in it to ikev21.6. After that, it is advisable to restart the server and make sure that the changes in the settings are saved. 2. In the section Traffic rules, allow VPN services traffic.3. Then go to the section Interfaces and click Add. In the drop-down list, select VPN tunnel...4. The connection creation window will open. In it, select: Type – IPsec. The name is arbitrary. Activate Enable this tunnel. Select type Active and in the field below it, enter the IP address of the SafeUTM external interface that will be used for the connection. Select the Predefined key and enter the PSK key that will be used to connect. Local ID - specify the key that was set in the Remote side identifier field (p. 2); Remote ID - specify the IP address of the SafeUTM external interface; Under setting the ciphers, click on Edit. Set ciphers as in the screenshot: An example of the final settings is shown in the screenshot below. 5. Go to the section Remote networks, click Add and enter the information about SafeUTM local network, which will be visible from the Kerio Control subnet.6. Then in the section Local networks either click on the button Use automatically defined local networks, or configure networks that will be visible from the SafeUTM subnet manually, as in the previous step.7. Setup is complete. After adding a new interface, you need to click Apply. After that, the connection should be successfully established, and the information about this is displayed in the table in the Interfaces section. In case of problems, first of all, pay attention to Kerio Control firewall settings.Connecting Keenetic via IPsec On the SafeUTM side, configure the connection settings in the Services -> IPSec -> Devices section. On the Keenetic device side, use the following encryption protocol settings: Certificates TLS Certificates Section with information about SSL certificates. This section displays SSL certificates/certificate chains, the list of which is formed by the following modules: reverse proxying module, IKEv2, SSTP VPN servers, web interface, web authorization, mail, etc. Valid certificates The table Valid Certificates shows the ones generated automatically, as well as the downloaded certificate chains used by SafeUTM. If the same certificate chain is listed in several rows of the Valid Certificates table, then this chain is used by several modules. Downloaded certificates The Downloaded Certificates table shows all downloaded certificate chains, as well as the SafeUTM root certificate. For more information, see Uploading your SSL certificate to server. To view basic information about the certificate (serial number, expiration date, etc.), click the eye icon. How is the certificate issued? A local certificate chain is created, and signed by a root (self-signed) certificate. Simultaneously with the creation of a local certificate chain, a request is sent to issue the chain to Let's Encrypt. If the Let's Encrypt certificate chain is successfully issued, it will replace the local chain. If the Let's Encrypt certificate chain issue fails, then the local certificate chain will be used. How is the certificate reissued? When reissuing a non-root certificate chain, UTM will try to update the chain as follows: It checks the downloaded certificates. If the certificate is found, it will replace the previous chain with the found downloaded one. If there are no downloaded certificates, then SafeUTM will turn to Let's Encrypt to issue a new certificate chain. If the chain from Let's Encrypt is received, it will be displayed in the table. If it was not possible to get a chain of certificates from Let's Encrypt, then a local chain of certificates is created and signed by the root certificate. When the root certificate is reissued, UTM will replace the previous certificate with an automatically generated root certificate. Features If you want to try again to get a Let's Encrypt certificate instead of a self-signed one, you need to click Reissue in column Management.When replacing/reissuing the root certificate chain, IPsec connections Head office <–> Branch will stop working and they will need to be recreated.If you want to replace an automatically issued certificate chain with your own, then when uploading your own certificate chain, the CN (Common name) of the last certificate in the chain must match the domain for which the certificate is being uploaded.Let's Encrypt certificate is issued for 3 months and will be automatically reissued upon expiration.From this section, you can download the root (self-signed) certificate by clicking on the corresponding link. To upload an SSL certificate to the server, see the article Uploading your SSL certificate to server.Uploading your SSL certificate to server After purchasing a trusted SSL certificate from Certificate Authority (CA), you need to create a text file of the type: -----BEGIN PRIVATE KEY----- ..... ..... -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- ..... ..... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ..... ..... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ..... ..... -----END CERTIFICATE----- This file consists of two logical blocks: The block with a private key and the block of certificates consisting of a root certificate, a domain certificate, and vendor certificates. The block with certificates that the CA will send you follows the block with the private key. Be careful: in addition to the root and domain certificate, the CA will most likely send additional vendor certificates consisting of several additional certificates in one file (bundle). This bundle of certificates must be added after the main certificate is issued for your domain. The order of the blocks in the file can be represented as follows: Private key Certificate for domain Certificate from the vendor-certificates bundle 4Certificate from the vendor-certificates bundle ... The main (root) certificate After that, you can upload the received file with the private key and certificate to UTM via the web interface. To do this, go to Services -> TLS Certificates. The generally accepted standard for creating a certificate chain file can also be found here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm. Encrypted private key Only the standard private key format is supported: decrypted PEM. Such a key starts with the line: -----BEGIN RSA PRIVATE KEY----- Sometimes the CA issues an encrypted private key using a passphrase. In this case, you need to decrypt (convert) the encrypted key into a regular one using the openssl utility or, if the CA provides other tools for this, use them. The list of parameters for calling openssl to convert the key into an unencrypted form depends on CA's key encryption technology and should be described in the instructions for installing the certificate from the CA. You cannot upload and use an encrypted private key on the SafeUTM server. Instructions for Creating Certificate on Windows OS. To create a certificate, follow these steps: 1. Download the OpenSSL program. Link to the program: http://slproweb.com/products/Win32OpenSSL.html.2. Install OpenSSL.3. If the certificate file is in pkcs12 format: (if it is in .pem format, then you can immediately proceed to Subparagraph d): a. Place this file in the directory C:\OpenSSL-Win64\bin  (in the folder with the OpenSSL program installed). b. Open the command prompt. c. In the command prompt, go to the directory with the OpenSSL program installed. d. Enter command openssl pkcs12 -in certificate.pkcs12 -out certificate.pem (with this command, you will convert the certificate to the desired format). certificate.pkcs12 is the source certificate that you received from the certification authority (hereinafter CA); certificate.pem is the result of the conversion. e. Open the resulting file in a text editor (for example, in notepad). f. The file has the following structure: ``` -----BEGIN CERTIFICATE----- .............. .............. -----END CERTIFICATE----- -----BEGIN ENCRYPTED PRIVATE KEY----- .............. .............. -----END ENCRYPTED PRIVATE KEY----- ``` or this structure: -----BEGIN CERTIFICATE----- .............. .............. -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- .............. .............. -----END PRIVATE KEY----- If it is written in the certificate --BEGIN ENCRYPTED PRIVATE KEY--, then you need to decrypt it using the OpenSSL utility. Command to decrypt: openssl rsa -in certificate.pem -out certificate_decoded.pem. certificate.pem is the file that you received after conversion in Step d; certificate_decode.pem is the result of decryption. If in the certificate it says --BEGIN PRIVATE KEY--, then the certificate file has already been decrypted. You can proceed to the next step. 4. Create an empty file with extension .pem (my_certificate.pem).5. Open it with a text editor.6. Open the file that you got in Step 3 (certificate_decode.pem). From this file you need to copy the text of the type (private key): -----BEGIN PRIVATE KEY----- .............. .............. -----END PRIVATE KEY----- 7. Paste the copied text into the file created in Step 4 (my_certificate.pem).8. Go to the file created in Step 3 (certificate_decode.pem). From this file you need to copy the text of the type (your domain certificate): -----BEGIN CERTIFICATE----- .............. .............. -----END CERTIFICATE----- 9. Paste the copied text into the file created in Step 4 (my_certificate.pem).10. The CA, in addition to your certificate, should have sent you a certificate bundle (there may be several of them) and a root certificate. If you don't have these certificates, you can download them online or request them from your CA.11. From the certificate bundle and the root certificate, copy the text of the type: ```text -----BEGIN CERTIFICATE----- .............. .............. -----END CERTIFICATE----- ``` 12. Paste the copied text into the file created in Step 4 (my_certificate.pem). In the beginning, you will need to insert the text from the certificate bundle, and at the very end the text of the root certificate.13. As a result, you will get a file of blocks: ``` Private key domain certificate Certificate from the vendor-certificates bundle Certificate from the vendor-certificates bundle ......... Root certificate ``` 14. Upload the resulting file to UTM. To do this, go to Services -> TLS Certificates.