Configuring IPsec VPN tunnels in Micro Edge
Micro Edge version 4.1 and above supports site-to-site IPsec VPN to enable devices on local networks to securely access remote resources using a Virtual Private Network. If your VPN connects to a security gateway such as NG Firewall, you can route specific types of Internet traffic over the tunnel for added security, content filtering, user-based access control, and reporting.
Adding a site-to-site tunnel
To begin configuring a tunnel, go to Settings > Interfaces and click Add Interface. From the drop-down menu, select IPsec Tunnel.
Configuring the tunnel
First, give your tunnel a name so you can recognize it. Next, select the WAN which the tunnel should be bound to: this is the WAN the tunnel will use to connect through. You can specify a particular WAN or choose "Any WAN" to route via WAN Rules.
|Use single subnet negotiation||
This option is enabled by default and is recommended in most cases. In special situations, you may be required to disable this option if your tunnel uses multiple local subnets. If disabled, the appliance configures a unique tunnel for each local subnet.
The gateway IP address that serves as the local endpoint of the tunnel.
If you have bound your tunnel to "Any WAN", the only selection will be "Any", accepting connections inbound to any public IP the Micro Edge has.
If your tunnel is bound to a specific WAN, you will have two additional options: you can select the WAN (i.e., WAN0) to automatically fill in the IP of the WAN the tunnel is bound to or Custom to specify a different public IP, such as a WAN alias.
|Full Tunnel Mode (local config)||
Enable this option to inform Micro Edge that the remote end of the tunnel is configured as a full-tunnel connection and will send all internet-bound traffic to this Micro Edge.
This option makes no changes in the local Micro Edge, but allows full-tunnel traffic to be received from the remote end.
Enabling this option disables it under the remote config section.
|Local Networks||Any local networks that should be accessible to the remote side of the tunnel. By default, this section will include any internal interfaces configured on the Micro Edge.|
The remote endpoint IP that the tunnel will connect to.
Select the "Any" option to allow connections to any remote IP address. (This option is recommended when the remote endpoint has a dynamic IP address.)
|Full Tunnel Mode (remote config)||
Enable this option if you want all traffic leaving the remote site to cross this VPN tunnel.
Enabling this option disables it under the local config section.
|Remote Networks||Configure at least one remote network that should be accessible from the local end of the tunnel.|
Note that you must provide at least one endpoint IP address. If you attempt to choose "Any" for both the Local and Remote Gateway attributes, you will receive an error message:
On the Authentication tab, enter the pre-shared key to use for this tunnel.
On the Cipher Suites tab, configure the desired Phase 1 and Phase 2 settings. Be sure to match these with the remote endpoint's settings.
By default IPsec attempts to determine the Maximum Transmission Unit (MTU). If you prefer to specify an MTU value, uncheck the Auto MTU selection and enter a value.
Click Save to finish tunnel configuration. If you enabled the tunnel during the creation process, it will automatically attempt to connect to the remote endpoint.
Routing traffic through the tunnel
Micro Edge will automatically create the appropriate WAN Rules to route traffic across the tunnel. Please note that these rules are not automatically reordered, so you will need to reorganize your rules to place the newly-created WAN Rules above your normal routing policy rules.
The rules which Micro Edge creates for IPsec tunnel routing cannot be disabled, as they are necessary for correct routing across the tunnel.
For further information about creating & using WAN Policies and WAN Rules, please refer to these articles:
Configuring WAN Policies in Micro Edge
Configuring WAN Rules in Micro EdgeFollow
Please sign in to leave a comment.