# Connecting Devices
Description of options for connecting various routers (Mikrotik, Zyxel Keenetic, etc.) to SafeUTM for site-to-site VPN using IPsec IKEv2 protocol.
---
Devices that are not described in this manual as a rule can be connected using similar settings.
When combining networks using a VPN, LANs in different offices should not overlap.
---
#### The choice of crypto algorithms on remote devices.
When configuring third-party devices, you must explicitly specify the crypto algorithms used for the connection. SafeUTM supports the most up-to-date and at the same time sufficiently secure algorithms that do not load the server and devices. At the same time, outdated algorithms and those considered unsafe (MD5, SHA1, AES128, DES, 3DES, Blowfish, etc.) are not supported. When configuring third-party devices, as a rule, you can enter several supported algorithms at the same time. In fact, one algorithm of each kind is needed. Unfortunately, not all devices support the best algorithms, so SafeUTM supports several at once. Find below the list of algorithms of each type in descending order of priority for selection.
- **Phase 1 (IKE):**
- encryption:
- **AES256-GCM**
- **AES256**
- integrity (hash):
- for **AES256-GCM** - not required, since integrity check is built into AEAD algorithms.
- for **AES256**, by priority: **SHA512, SHA256**.
- prf (random value generation function):
- as a rule, it is configured automatically, depending on the choice of integrity algorithms (therefore, in the example below, the value of prf is PRF-HMAC-SHA512).
- for AES-GCM, you may need to specify explicitly. In this case, by priority: **AESXCBC, SHA512, SHA384, SHA256**.
- DH (Diffie-Hellman Group):
- **Curve25519 (group 31)**
- **ECP256 (group 19)**
- **modp4096 (group 16)**
- **modp2048 (group 14)**
- **modp1024 (group 2)**
- Timeouts:
- **Lifetime**: 14400 seconds
- **DPD Timeout** (for L2TP/IPsec): 40 seconds
- **DPD Delay**: 30 seconds
- **Phase 2 (ESP):**
- encryption:
- **AES256-GCM**
- **AES256**
- integrity:
- for **AES256-GCM** - not required, since integrity check is built into AEAD algorithms
- for AES-256, by priority: **SHA512, SHA384, SHA256**
- DH (Diffie-Hellman Group, PFS). **ATTENTION! if not specified, it will connect, but rekey will not work after a while**:
- **Curve25519 (group 31)**
- **ECP256 (group 19)**
- **modp4096 (group 16)**
- **modp2048 (group 14)**
- **modp1024 (group 2)**
- Timeouts:
- **Lifetime:** 3600 seconds
Example
- **Phase 1 (IKE)** (one of the lines is needed)**:**
- AES256-GCM\\PRF-HMAC-SHA512\\Curve25519
- AES256\\SHA512\\PRF-HMAC-SHA512\\ECP384
- AES256\\SHA256\\PRF-HMAC-SHA256\\MODP2048
- **Phase 2 (ESP)** (one of the lines is needed)**:**
- AES256-GCM\\ECP384
- AES256\\SHA256\\MODP2048
An example of setting up a pfSense connection to SafeUTM via IPsec is shown in the screenshots below:
[](https://docs.safedns.com/uploads/images/gallery/2022-09/Rd5dOK1p3DZKKhW9-2-connecting-devices.png)
[](https://docs.safedns.com/uploads/images/gallery/2022-09/dkZrIMDaSDtTooYT-3-connecting-devices.png)
Setting up SafeUTM
1\. In SafeUTM, open the tab **Services -> IPsec -> Devices,** click on the icon (+), and fill in the following fields:
- **Connection name** **–** specify an arbitrary name for the connection. Maximum 42 characters.
- **Connection type** **–** select **Outcoming**, since the connection is made from UTM to MikroTik.
- **Remote device address –** specify the external IP address of the MikroTik device.
- **Authentication type** **–** select the **PSK**
- **PSK** **–** a random PSK key will be generated. You will need it to set up a connection in MikroTik.
- **UTM identifier –** the key you enter will be used to identify the outgoing connection.
- **Home local network** **–** list all **UTM LANs** that will be available in an IPsec connection, i.e. will be visible to the opposite side.
- **Remote local networks** **–** list all **MikroTik LANs** that will be available in an IPsec connection, i.e. will be visible to the opposite side.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/6jLho9p2z4dLIL4d-4-connecting-devices.png)
2\. After filling in all the fields, click **Add connection**. Your connection will appear in the list of connections:
[](https://docs.safedns.com/uploads/images/gallery/2022-09/h7V5kpjwaYbVabhD-5-connecting-devices.png)
Setting up SafeUTM
1\. In SafeUTM, open the tab **Services -> IPsec -> Devices,** click on the icon (+), and fill in the following fields:
- **Connection name** **–** specify an arbitrary name for the connection. Maximum 42 characters.
- **Connection type** – select **Incoming**, since the connection to UTM is being made.
- **Authentication type –** select the PSK type.
- **PSK** **–** insert the PSK key received from MikroTik.
- **Remote side identifier –** insert the MikroTik ID (Key ID parameter in `/ip ipsec peers`).
- **Home local network** **–** list all **UTM LANs** that will be available in an IPsec connection, i.e. will be visible to the opposite side.
- **Remote local networks** **–** list all MikroTik LANs that will be available in an IPsec connection, i.e. will be visible to the opposite side.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/UUvOvYk1pQSl3aw7-6-connecting-devices.png)
2\. After filling in all the fields, click **Add connection**. Your connection will appear in the list of connections.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/jvDJKbLbNW2FbRxj-7-connecting-devices.png)
For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.
The creation of outgoing IPsec connections using certificates to MikroTik below version 6.45 does not work due to the inability to use modern crypto algorithms in certificates.
##### Step 1.
Setting up SafeUTM
1\. In SafeUTM, open the tab **Services -> IPsec -> Devices,** click on the icon (+), and fill in the following fields:
- **Connection name** **–** specify an arbitrary name for the connection. Maximum 42 characters.
- **Connection type** – select **Outcoming**, because the connection is made from UTM.
- **Authentication type** **–** specify the type of **Certificate**.
- **Address of the remote device –** specify the external IP address of MikroTik.
- **Certificate signing request –** a **request** will be generated **which must be sent to MikroTik for signing.[](https://docs.safedns.com/uploads/images/gallery/2022-09/H3XiYxwUq7hw6avS-8-connecting-devices.png)**
2\. After the request is signed, you will need to continue configuring the connection in SafeUTM.
**Do not close the settings tab!**
Setting up MikroTik
At this stage, you should configure MikroTik to continue configuring UTM.
The **UTM.csr** file obtained from SafeUTM must be uploaded to the MikroTik file storage. To do this, open the **File** section, click **Browse**, select the file and upload it.
You can configure MikroTik in several ways - through the GUI, and through the device console.
Two files will appear in the MikroTik file system which you need to download in order to upload to UTM later.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/GnR4El7stSOyKQZS-9-connecting-devices.png)
The file of the type `cert_export_device_.ipsec.crt` is **a signed UTM certificate.** The file of the type `cert_export_mk_ca.crt` is **the root certificate of MikroTik.**
At this point, the MikroTik setup can be considered complete.
Finishing up the SafeUTM setup
Go back to SafeUTM to the tab with the device connection settings and continue filling in the following fields:
- **Signed UTM certificate –** upload a signed UTM certificate to MikroTik.
- **Remote Device Root Certificate –** download the MikroTik root certificate.
- **Home local networks** **–** list all **UTM LANs** that will be available in an IPsec connection, i.e. will be visible to the opposite side.
- **Remote local networks** **–** list all **MikroTik local networks** that will be available in an IPsec connection, i.e. will be visible to the opposite side.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/Dtn9YvRxz8OXehPL-10-connecting-devices.png)
After filling in the fields, click **Add connection**. Your connection will appear in the list of connections.
For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.
##### Step 1.
Setting up MikroTik
You can configure MikroTik in several ways - through the GUI, and through the device console.
Two files will appear in the MikroTik file storage which must be downloaded since they are required for further configuration.:
[](https://docs.safedns.com/uploads/images/gallery/2022-09/884HL9oE4UOGQqEb-14-connecting-devices.png)
- File `certificate-request.pem` is a **certificate signing request.**
- File `certificate-request_key.pem` is a **private key.**
Next, you will need to fill in the **Certificate Signing Request** field in SafeUTM, here is how to configure it.
Setting up SafeUTM
1\. In SafeUTM, open the tab **Services -> IPsec -> Devices,** click on the icon (+), and fill in the following fields:
- **Connection name** **–** specify an arbitrary name for the connection. Maximum 42 characters.
- **Connection type** – select **Incoming**, since the connection to UTM is being made.
- **Authentication type –** select the type **Certificate**.
- **Certificate Signing Request** - Upload the signature request **received from MikroTik.**
- **Home local network** **–** it is necessary to list all UTM LANs that will be available in an IPsec connection, i.e. they will be visible to the opposite side.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/DLbDFWFu3yf9PGTW-11-connecting-devices.png)
2\. After the settings, click **Add connection**. Your connection will appear in the list of connections. Click on the edit connection button to continue the setup.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/SjqXII3zuuX3s3md-12-connecting-devices.png)
3\. The connection settings editing area will appear. You need to download the files that are in the fields **UTM root certificate** and **Signed device certificate** for their subsequent use in MikroTik.
[](https://docs.safedns.com/uploads/images/gallery/2022-09/48fTJT7CfhYN6H9G-13-connecting-devices.png)