IPSec VPN site-to-site

Keenetic has a built-in IPsec VPN client/server. With it, several Keenetic routers can be joined into one network over an IPsec VPN tunnel that meets strict security requirements.
In most cases, IPsec VPN is used either for a secure connection to an office network (e.g., from a home network to a corporate server) or for joining networks (e.g., two remote offices). Inside the tunnel, file server data, IP telephony and video surveillance streams are protected from eavesdropping and tampering on the path between the two routers. IPsec is one of the most robust VPN protocols, provided that modern cipher suites are selected (e.g., AES encryption with SHA-2 integrity and IKEv2 key exchange); the tunnel is only as strong as the weakest proposal both ends accept.

Let's take a look at an example of joining two local area networks (192.168.2.x and 192.168.0.x) over an IPsec VPN.

ipsec-site-to-site-en.png

NOTE: Important! To build an IPsec VPN tunnel over the Internet, at least one of the routers must have a public IP address on its WAN interface. For simplicity, it is recommended to use a permanent (static) IP address on the WAN interface, or the KeenDNS domain name service to obtain a permanent name.
The connected networks must belong to different subnets. Do not use the same (or overlapping) address space in the local and remote networks: it leads to IP address conflicts, and the router will deliver traffic for the overlapping range locally instead of sending it into the tunnel.

Two Keenetic routers are needed for an IPsec VPN connection of this kind. This type of connection is called a 'site-to-site connection'.
One Keenetic will act as the IPsec responder (let's call it the server), and the other Keenetic will act as the initiator of the IPsec connection (let's call it the client).
The router acting as the IPsec server has a public static IP address on its Internet connection. The second Keenetic, acting as the IPsec client, may use a private IP address.

Now let's move directly to configuring the routers to establish a secure IPsec VPN tunnel between them and join the two networks.

Both routers must have the 'IPsec VPN' system component installed.
You can install it by clicking 'Component options' on the 'General system settings' page, in the 'Updates and component options' section.

ipsec-comp-en.png

1. Configuring Keenetic as a server (responder, waiting for the IPsec connection).

On the 'Other connections' page, under 'IPsec connections', click 'Create connection'.

ipsec-0-en.png

The 'IPsec connection setup' window will open.

In our case, this Keenetic will act as the server, so enable the 'Wait for connection from a remote peer' option (the client will then be the initiator of the connection, and the server will wait for it).

The 'Nailed-up' option keeps the connection active and re-establishes the tunnel if it drops (enabling it on one end of the tunnel is sufficient).
The 'Dead peer detection (DPD)' option checks whether the remote peer is still reachable, so that a dead tunnel is torn down and can be rebuilt.

ipsec-01-en.png

In the 'Phase 1' settings, the 'Local gateway ID' field accepts any identifier type: 'IP address', 'FQDN' (fully qualified domain name), 'DN' (domain name) or 'e-mail' (e-mail address). In our example, we use the 'DN' (domain name) identifier type and enter an arbitrary name in the blank identifier field.

NOTE: Important! Pay attention to the local and remote gateway identifiers in the IPsec tunnel Phase 1 settings. The two IDs must differ, and they must be mirrored between the two ends: the server's local ID is the client's remote ID and vice versa. For example, having selected 'DN' as the identifier type, set on the server:
Local gateway ID: server
Remote gateway ID: client
and on the client:
Local gateway ID: client
Remote gateway ID: server

If a router terminates multiple tunnels, the local and remote identifier pair must be unique for each tunnel, since the responder uses the IDs to select the matching connection.

In the Phase 2 settings, in the 'Local subnet IP' field specify the address of the local network (in our example 192.168.0.0), and in the 'Remote subnet IP' field specify the address of the remote network that will be behind the IPsec tunnel (in our example 192.168.2.0).

NOTE: Important! The Phase 1 and Phase 2 settings (IKE version, encryption and integrity algorithms, DH group) must match on both sides of the IPsec VPN tunnel; only the gateway identifiers and the local/remote subnet fields are mirrored. Otherwise, the tunnel will not be established.

After creating the IPsec connection, set the switch to 'On'.

ipsec-02-en.png

2. Configuring Keenetic as a client (IPsec connection initiator).

On the 'Other connections' page, under 'IPsec connections', click 'Create connection'.

ipsec-0-en.png

The 'IPsec connection setup' window opens. In our case, this Keenetic acts as the client, so enable the 'Autoconnect' option (the client then initiates the connection).

The 'Nailed-up' option keeps the connection active and re-establishes the tunnel if it drops (enabling it on one end of the tunnel is sufficient).
The 'Dead peer detection (DPD)' option checks whether the remote peer is still reachable, so that a dead tunnel is torn down and can be rebuilt.

In the 'Remote gateway' field, specify the public IP address or domain name (e.g., the KeenDNS name) of the remote Keenetic.

ipsec-03-en.png

NOTE: Important! In the Phase 1 settings, the 'Local gateway ID' and 'Remote gateway ID' fields must use the same identifiers as on the remote router, but mirrored. For example, having selected 'DN' as the identifier type, set on the server:
Local gateway ID: server
Remote gateway ID: client
and on the client:
Local gateway ID: client
Remote gateway ID: server

If a router terminates multiple tunnels, the local and remote identifier pair must be unique for each tunnel.

In the Phase 2 settings, in the 'Local subnet IP' field specify the address of the local network (in our example 192.168.2.0), and in the 'Remote subnet IP' field specify the address of the remote network that will be behind the IPsec tunnel (in our example 192.168.0.0).

NOTE: Important! The Phase 1 and Phase 2 settings (IKE version, encryption and integrity algorithms, DH group) must match on both sides of the IPsec VPN tunnel; only the gateway identifiers and the local/remote subnet fields are mirrored. Otherwise, the tunnel will not be established.

After creating the IPsec connection, set the switch to 'On'.

ipsec-04-en.png
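
The two configuration steps above are easy to get subtly wrong: the identifiers must be mirrored rather than copied, the subnets must be swapped and must not overlap, and the proposals must match. The following pre-flight check is an added example, not Keenetic code. It models the fields of the 'IPsec connection setup' window for both routers and reports every inconsistency before the tunnel is switched on; the field names, the default cipher suite and the KeenDNS host name are assumptions chosen for illustration.

```python
"""Pre-flight consistency check for an IPsec site-to-site pair (added example, not Keenetic code).

Models both routers' 'IPsec connection setup' fields and verifies the rules from
the article: mirrored Phase 1 IDs, swapped non-overlapping Phase 2 subnets,
matching proposals, and exactly one side waiting for the connection.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass
class PeerConfig:
    name: str                      # role label for messages ("server" / "client")
    wait_for_peer: bool            # 'Wait for connection from a remote peer'
    autoconnect: bool              # 'Autoconnect' (initiator side)
    remote_gateway: str            # 'Remote gateway': IP or name of the other end ("" when waiting)
    local_id: str                  # Phase 1 'Local gateway ID'
    remote_id: str                 # Phase 1 'Remote gateway ID'
    local_subnet: str              # Phase 2 'Local subnet IP' in CIDR form
    remote_subnet: str             # Phase 2 'Remote subnet IP' in CIDR form
    ike_version: int = 2
    phase1: tuple = ("aes256", "sha256", "modp2048")   # assumed IKE proposal: enc, integrity, DH group
    phase2: tuple = ("aes256", "sha256")               # assumed ESP proposal: enc, integrity


def check_pair(a: PeerConfig, b: PeerConfig) -> list:
    """Return a list of problems found; an empty list means the pair is consistent."""
    problems = []
    # Exactly one side waits (responder); the other initiates and needs a target address.
    if a.wait_for_peer == b.wait_for_peer:
        problems.append("exactly one peer must have 'Wait for connection from a remote peer' enabled")
    for p in (a, b):
        if not p.wait_for_peer and not (p.autoconnect and p.remote_gateway):
            problems.append(f"{p.name}: initiator needs 'Autoconnect' and a 'Remote gateway'")
    # Phase 1 identifiers: different on each peer, and mirrored across the pair.
    for p in (a, b):
        if p.local_id == p.remote_id:
            problems.append(f"{p.name}: local and remote gateway IDs must differ")
    if a.local_id != b.remote_id or a.remote_id != b.local_id:
        problems.append("Phase 1 IDs are not mirrored (A.local must equal B.remote and vice versa)")
    # Phase 2 subnets: swapped across the pair and non-overlapping on each peer.
    try:
        nets = {p.name: (ip_network(p.local_subnet), ip_network(p.remote_subnet)) for p in (a, b)}
    except ValueError as exc:
        return problems + [f"invalid subnet: {exc}"]
    if nets[a.name][0] != nets[b.name][1] or nets[a.name][1] != nets[b.name][0]:
        problems.append("Phase 2 subnets are not swapped between peers")
    for name, (local, remote) in nets.items():
        if local.overlaps(remote):
            problems.append(f"{name}: local and remote subnets overlap; use different address spaces")
    # Crypto proposals and IKE version must be identical on both ends.
    if (a.ike_version, a.phase1, a.phase2) != (b.ike_version, b.phase1, b.phase2):
        problems.append("IKE version / Phase 1 / Phase 2 proposals differ between peers")
    elif a.ike_version == 1:
        problems.append("warning: IKEv1 in use; prefer IKEv2 unless a peer cannot support it")
    return problems


# Constructed pair matching the article: 192.168.0.0/24 behind the server, 192.168.2.0/24 behind the client.
SERVER = PeerConfig(name="server", wait_for_peer=True, autoconnect=False, remote_gateway="",
                    local_id="server", remote_id="client",
                    local_subnet="192.168.0.0/24", remote_subnet="192.168.2.0/24")
CLIENT = PeerConfig(name="client", wait_for_peer=False, autoconnect=True,
                    remote_gateway="office.keenetic.link",   # assumed KeenDNS name of the server
                    local_id="client", remote_id="server",
                    local_subnet="192.168.2.0/24", remote_subnet="192.168.0.0/24")

# Common mistakes: IDs copied verbatim instead of mirrored; both sites on the same subnet.
COPIED_IDS = replace(CLIENT, local_id="server", remote_id="client")
SAME_SUBNET = replace(CLIENT, local_subnet="192.168.0.0/24", remote_subnet="192.168.0.0/24")

if __name__ == "__main__":
    for label, peer in (("good", CLIENT), ("copied ids", COPIED_IDS), ("same subnet", SAME_SUBNET)):
        print(f"{label}: {check_pair(SERVER, peer) or 'OK'}")
```

Run it before enabling the connection on either router; the correct pair reports nothing, while the copied-ID variant and the same-subnet variant each list exactly the misconfiguration that would otherwise show up only as a tunnel stuck in a non-'Connected' state.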

3. Verifying the status of the IPsec connection.

If the IPsec connection settings are correct on both devices, the IPsec VPN tunnel will be established between the routers.

The 'IPsec connections' section on the 'Other connections' page shows the connection status. If the tunnel is established, the connection status will be 'Connected'.
Here is an example of the tunnel status on a Keenetic (as a client):

ipsec-05-en.png

And here is an example of the tunnel status on a Keenetic (as a server):

ipsec-06-en.png

To check that the tunnel is passing traffic, ping the remote Keenetic's LAN address, and then a computer in the remote network behind the IPsec VPN tunnel.

TIP: Tip: Broadcast packets (e.g. NetBIOS) will not pass through the VPN tunnel, so the names of the remote hosts will not be displayed in the network environment (they can be accessed via IP address, e.g. \\192.168.2.27).

If the IPsec VPN tunnel is established but you can only ping the remote Keenetic and not the hosts in the remote network, the most likely cause is that Windows Firewall or similar software (a third-party firewall or antivirus) on those hosts is blocking ICMP traffic (ping) from foreign subnets.

TIP: Tip: We recommend using the IKEv2 version of the protocol. Use IKEv1 only when your device does not support IKEv2.
If you are experiencing interruptions in your VPN connection, try disabling the 'Nailed-up' and 'Dead peer detection (DPD)' options on the Keenetic router.
