When creating a site-to-site IPsec tunnel between 2 Untangle appliances, it is best to use the KISS policy and leave the custom Phase 1 and Phase 2 configurations set to the default (unchecked & unchanged)
To configure the tunnel, go to APPS > IPsec > IPsec Tunnels. Remove any default tunnels that may remain from the initial installation. Click ADD to configure the tunnel:
Description: This is where you enter a description that best describes the tunnel
Connection Type: Use Tunnel between Untangle appliances
IKE Version: If you are connecting only 1 subnet/interface on either side of the tunnel, use IKEv1. IKEv2 is used primarily when adding more than 1 local and/or remote network.
Connection Mode: This option is going away soon as we will be blending these 2 choices together.
Interface: Use this to choose which WAN interface you want the tunnel to use.
External IP: This is the WAN IP of the Untangle that you would like the tunnel to use. This will be grayed out if you selected a specific WAN interface rather than custom
Remote Host: This is the WAN IP of the other side of the tunnel
Local & Remote Identifier: These are only used if either side of the tunnel is behind a NAT
Local Network: This is the local subnet that you would like to allow access to the tunnel. You can list more than one subnet (IKEv2) by separating each with a comma, no spaces. I.E. 192.168.1.1/24,10.10.10.1/32
Remote Network: This is the remote subnet that you would like to allow access to the tunnel. You can list more than one subnet (IKEv2) by separating each with a comma, no spaces. I.E. 192.168.1.1/24,10.10.10.1/32
Shared Secret: Please use a LONG password here with no special characters. Complexity is not as important as length
DPD Interval: Dead Peer Detection is the tunnel's way of determining if the other side is up and responding. Default setting is best when connecting 2 Untangle devices.
DPD Timeout: This is how long before the tunnel is restarted if the other side of the tunnel is not responding. Default setting is best when connecting 2 Untangle devices.
Ping Address: Choose the IP of a device on the remote network that is reliable and configured to respond to ICMP requests. This is primarily used to create alerts for tunnel connectivity.
Ping Interval: Time between ICMP requests to the above address
Phase 1 & Phase 2: These should be left unchanged when connecting 2 Untangle devices.
Here is an example of an IPsec config between 2 Untangle devices:
NOTE: If you are having trouble accessing resources on the other end of the tunnel, make sure to enable bypassing on the IPsec tunnel:
Follow
Comments