Configuring a VPN tunnel

Name of the network interface on which the VPN connection is open.

The software can decide automatically which interface to use by selecting Any.

We recommend choosing this option if the tunnel being configured is to be deployed on a different workstation.

NOTE
When the network interface has several IP addresses, you can specify the address using the dynamic parameter local_subnet (see section Displaying more parameters).
Only IPv4 addresses are supported. The address format to be entered as a dynamic parameter value is as follows: aaa.bbb.ccc.ddd/xx. If the subnet mask is omitted by entering only aaa.bbb.ccc.ddd, the address will correspond to aaa.bbb.ccc.ddd/32.

Password or key shared by the remote gateway.

NOTE
The preshared key is an easy way to configure a VPN tunnel. However, it is less flexible in terms of security management than the use of certificates.
Refer to chapter Security recommendations.

Use a certificate to authenticate the VPN connection.

NOTE
Using the Certificate option strengthens the security in terms of VPN connection management (mutual authentication, verification of validity periods, revocation, etc.).
Refer to chapter Security recommendations.

Refer to the dedicated chapter Managing certificates.

The Extensible Authentication Protocol (EAP) mode is used to authenticate the user based on a login name and password. When the EAP mode is selected, a pop-up window will prompt the user to enter a login name and password every time the tunnel is opened.

When the EAP mode is selected, you can choose to display a prompt for the EAP login name and password every time the tunnel is opened (using the EAP popup checkbox) or to store them in the VPN configuration by entering them in the Login and Password fields.

We recommend not to use the latter mode (see chapter Security recommendations).

Encryption algorithm negotiated during the authentication phase:

Auto, AES CBC (128, 192, 256), AES CTR (128, 192, 256), AES GCM (128, 192, 256).

Integrity algorithm negotiated during the authentication phase:

Auto, SHA2 256, SHA2 384, SHA2 512.

Local ID is the identifier that the VPN Client sends to the remote VPN gateway during the authentication phase.

According to the type selected, this identifier can be any of the following:

• IPv4 Address: an IPv4 address (type = IPV4 ADDR), e.g. 195.100.205.101

• DNS: a domain name (type = FQDN), e.g. gw.mydomain.net

• KEY ID: a character string (type = KEY ID), e.g. 123456

• Email: an e-mail address (type = USER FQDN),

• IPv6 Address: an IPv6 address (type = IPV6 ADDR), e.g. 2345:0:9d38:6ab8:1c47:3a1c:a96a:b1c3

• DER ASN1 DN: X.509 subject of a certificate (type = DER ASN1 subject DN); this field is automatically filled in with the subject of an X.509 certificate when the tunnel is associated with a user certificate (see chapter Managing certificates)

If this parameter is not set, the VPN Client's IP address is used by default.

Enables IKEv2 packet fragmentation in accordance with RFC 7383.

This function prevents IKEv2 packets from being fragmented by the IP network they’re passing through.

The fragment size must generally be set to a value that is smaller by 200 bytes than the MTU of the physical interface, e.g. 1300 bytes for a typical 1500-byte MTU.

IKE Init exchanges (during the IKE Authentication phase) use the UDP protocol and port 500 by default. IKE port configuration can bypass the networking hardware (firewalls, routers) that filter port 500.

NOTE
The remote VPN gateway must also be able to perform the IKE Auth exchanges on a port other than 500.

IKE Auth exchanges, IKE Child SA exchanges, and IPsec traffic use the UDP protocol and port 4500 by default. NAT port configuration can bypass the networking hardware (firewalls, routers) that filter port 4500.

NOTE
The remote VPN gateway must also be able to perform the IKE Child SA exchanges on a port other than 4500.

The Dead Peer Detection (DPD) function enables the VPN Client to detect whether the VPN gateway has become unreachable or inactive.

The check interval is the time period between two consecutive DPD check messages sent, expressed in seconds.

The DPD function is enabled upon opening the tunnel (after the authentication phase). When linked to a redundant gateway, DPD allows the VPN Client to automatically switch between gateways when one of them is unavailable.

Used to define the address of a spare VPN gateway that the VPN Client will switch to when the initial gateway is unavailable or unreachable.

The address of the redundant VPN gateway can be either an IP or a DNS address.

IMPORTANT
The Redundant Gateway function cannot be configured together with the Fallback Tunnel function. You must choose one or the other, failing which the VPN Client could invoke undefined behavior.

Refer to chapter Redundant gateway.

“Virtual” IP address of the workstation, the way it will be “seen” on the remote network.

From a technical standpoint, it is the source IP address of the IP packets going through the IPsec tunnel.

NOTE
The default size of the local virtual network is 24. To use another network size (e.g. 32), you must add the dynamic parameter local_virtual_network_size set to the desired value (possible values: 1 to 32; see section Displaying more parameters).

The endpoint of the tunnel can be a network or a remote workstation.

Refer to section Configuring the address type below.

Encryption algorithm negotiated during the IPsec phase:

Auto, AES CBC (128, 192, 256), AES CTR (128, 192, 256), AES GCM (128, 192, 256).

Integrity algorithm negotiated during the IPsec phase:

Auto, SHA2 256, SHA2 384, SHA2 512.

Length of Diffie-Hellman key:

Auto, DH14 (MODP 2048), DH15 (MODP 3072), DH16 (MODP 4096), DH17 (MODP 6144), DH18 (MODP 8192), DH19 (ECP 256), DH20 (ECP 384), DH21 (ECP 521), DH28 (BrainpoolP256r1).

Domain suffix to be added to all machine names.

This is an optional parameter. When it is specified, the VPN Client will try to translate the machine address without adding the DNS suffix. However, if translation fails, the DNS suffix will be added, and the Client will try to translate the address again.

The VPN Client can be configured so that connectivity to the remote network is checked on a regular basis. If connectivity has been lost, the VPN Client will automatically close the tunnel and attempt to open it again.

The IPV4/IPV6 field is the address of a machine within the remote network, which should reply to pings sent by VPN Client. If a ping goes unanswered, the connection is considered lost.

NOTE
If the tunnel is configured in IPv4 (see the button at the top right of the tab), then the IPv4 field is displayed. If the tunnel is configured in IPv6, then the IPv6 field is displayed.

Name of the network interface on which the VPN connection is open.

The software can decide automatically which interface to use by selecting Any.

We recommend choosing this option if the tunnel being configured is to be deployed on a different workstation.

Authentication algorithm negotiated for traffic:

Auto, SHA-224, SHA-256, SHA-384, SHA-512.

NOTE
If the Extra HMAC option is enabled (see below), the authentication algorithm cannot be set to Auto. It will have to be configured explicitly and must be identical to the one chosen at the gateway end.

Traffic encryption algorithm:

Auto, AES-128-CBC, AES-192-CBC, AES-256-CBC.

Period, expressed in seconds, between two pings sent by the VPN Client to the gateway. Sending this ping enables the gateway to determine whether the VPN Client is still active.

Time, expressed in seconds, after which the gateway is considered down if no ping has been received.

This parameter configures the VPN Client to send a specific VPN tunnel closing frame to the gateway when closing the tunnel.

If this option is not selected, the gateway will use DPD to close the tunnel at its end, which is less effective.

Specifies the control level applied to the gateway certificate.

In the current version, two levels are available:

• Yes (the certificate’s validity is checked)

• No (the certificate’s validity is not checked)

The Lite option is reserved for future use. In this version, it is equivalent to the Yes option.

If the Check gateway certificate signature option is enabled in the PKI Options (see section PKI Options), the present option on the Gateway tab is grayed out and the option is set to Yes.

Used to determine the level of consistency between the VPN tunnel and gateway parameters (encryption algorithms, compression, etc.).

• Yes: Consistency is checked for all VPN parameters. The VPN tunnel will not open if any parameter is different.

• No: Consistency is not checked before opening the tunnel. The VPN tunnel will try to open, even though no traffic may pass through because certain parameters are not consistent.

• Lite: Consistency between the VPN Client and the gateway is only checked for essential parameters.

• Apply: Gateway parameters will be applied.

If this field is filled in, the VPN Client will check that the subject of the certificate received from the gateway is, indeed, the one specified.

Maximum size of OpenVPN packets.

Used to set a packet size so that OpenVPN frames are not fragmented at the network level.

The default value for MTU is 0, meaning that the software will use the MTU value of the physical interface.

Virtual interface MTU.

When values have been entered, we recommend setting a lower value for the tunnel MTU than that of the physical interface MTU.

The default value for MTU is 0, meaning that the software will use the MTU value of the physical interface.

Defines the VPN Client’s behavior when it receives an IPv4 configuration from the gateway:

• Auto: Accepts the information sent by the gateway

• Yes: Checks whether the information sent by the gateway matches the configured behavior. If this is not the case, a warning message is displayed in the Console and the tunnel is not established.

• No: Ignores

NOTE
Please check that IPV4 tunnel and IPV6 tunnel aren’t both set to No.

Port number used to establish the tunnel. The default port value is set to 1194.

The tunnel will use UDP by default. The TCP option is used to transport the tunnel over TCP.

Time allowed to establish the authentication phase. When this time expires, it is assumed that the tunnel will not open. When this timeout expires, the tunnel is closed.

Number of retries for sending a protocol message.

If there is no response by the time the defined number of retries is reached, the tunnel is closed.

With OpenVPN, the remote network’s details are not configured (they are automatically obtained during the tunnel opening exchange with the gateway). To implement traffic detection with OpenVPN, the remote network’s details must therefore be stated explicitly. That is the purpose of the IPv4 and IPv6 fields.

It is not mandatory to fill in both fields.

The IP field is a sub-network address, configured as an IP address and a prefix length.

Example: IP = 192.168.1.0 / 24: the first 24 bits of the IP address are taken into account, i.e. the network: 192.168.1.x

NOTE
These parameters are linked to the traffic detection function. The Automatically open this tunnel on traffic detection box must be checked on the Automation tab for the IPv4 and IPv6 fields to be enabled.