Tunnel - Default


The Default card is where you configure the basic settings for an IPSec tunnel.


Description: Enter a description of the tunnel in this text field.
State after start: Choose from this select box the state the IPSec tunnel should have after the IPSec service starts. Possible values are (deactivated), (standby) and (started).

(deactivated): No connection can be established, neither from outside nor to outside.

(standby): The tunnel waits for the remote side to initiate the connection.

(started): The tunnel is established as soon as IPSec starts, provided the remote computer is in state (standby).

Local IP address: Choose the local IP address for this tunnel from this select box. The entries depend on how many interfaces and IP addresses have been configured for Gibraltar; each entry consists of the IP address and the network interface name (e.g. "10.0.0.1 - int0").
Local subnet: Enter the local subnet that the remote user should be able to reach through this tunnel. Computers behind the gateway in this subnet are then reachable from the remote end through the tunnel.
Local certificate: Choose the local certificate used for authorization from this select box. If no local certificate is available, generate one in the certificate management first.
Remote IP or FQDN: If the tunnel should reach only one specific computer, enter the IP address or FQDN of the computer you want to communicate with via IPSec and select the option Host to the right of the text field. If several hosts should be allowed to connect to this end point, select the option Any remote IP; the entry in the Remote IP text field is then ignored and different computers can establish the IPSec tunnel.
Remote subnet: Enter the network address of the remote subnet so that local users can reach it through the tunnel. The option "Special handling for road warriors behind NAT gateways: rightsubnetwithin" should only be activated in the special case of a road warrior that moves between different local area networks and connects to the Gibraltar firewall via IPSec. In that case you can enter 0.0.0.0/0 here to allow connections to the subnet behind the Gibraltar firewall.
Authorization: Choose the authorization method with the option fields on the right. You can choose Password, X509 certificate or Signed by Certified Authority.

Password: Enter a password. The remote peer has to enter the same password. This method is called "shared secret", because both peers share the same key.

X509 certificate: Both peers exchange certificates with which they authenticate each other. Choose the certificate to be used for authentication from the selection field next to this option. A certificate is only listed there once it has been uploaded in Gibraltar's certificate administration.

Signed by Certified Authority: Certificates are signed by a certificate authority (CA), which vouches for the authenticity of the host.

Use for L2TP: Mark this checkbox if the tunnel is intended for an L2TP connection. When this checkbox is marked, both subnet text fields must be left empty. The authorization option should be Signed by Certified Authority.
Local ID: Enter the local ID for this tunnel. This value is only needed for tunnels to third-party products.
Remote ID: Enter the remote ID for this tunnel. This value is only needed for tunnels to third-party products.
Next router IP: Enter the IP address of the next router. This option is used, for example, if you have two internet connections. Normally GibADMIN detects this value automatically and you do not need to enter anything.
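The fields above map naturally onto a FreeS/WAN-style ipsec.conf "conn" block (the rightsubnetwithin keyword named on this page comes from that family). The following Python script is an added example, not GibADMIN's own code or the Gibraltar implementation; the field-to-keyword mapping, the L2TP transport-mode lines and the sample values are the editor's assumptions. It checks the constraints stated on this page (Any remote IP overrides the Remote IP field, L2TP tunnels must leave both subnets empty, certificate authorization needs a local certificate) before rendering the block, which is the kind of check worth running before a tunnel definition goes live.

```python
"""Map the GibADMIN 'Tunnel - Default' fields onto an ipsec.conf conn block.

Added example: not part of the Gibraltar documentation or of GibADMIN.
ASSUMPTIONS: the backend reads a FreeS/WAN-derived ipsec.conf; the keyword
mapping below is the editor's guess, not GibADMIN's real implementation.
"""
import ipaddress
import re
from dataclasses import dataclass

# Page states -> ipsec.conf 'auto=' values (assumed mapping).
STATE_TO_AUTO = {
    "deactivated": "ignore",  # no connection in either direction
    "standby": "add",         # load the conn, wait for the remote side to initiate
    "started": "start",       # initiate as soon as IPSec starts
}


@dataclass
class TunnelDefault:
    description: str
    state: str                       # deactivated | standby | started
    local_ip: str                    # "10.0.0.1 - int0", as shown in the select box
    local_subnet: str = ""           # empty for L2TP tunnels
    local_cert: str = ""
    remote_ip: str = ""              # IP or FQDN; ignored when any_remote_ip is set
    any_remote_ip: bool = False
    remote_subnet: str = ""
    rightsubnetwithin: bool = False  # "Special handling for road warriors behind NAT"
    authorization: str = "password"  # password | x509 | ca
    shared_secret: str = ""          # only for authorization == "password"
    use_for_l2tp: bool = False
    local_id: str = ""
    remote_id: str = ""
    next_router_ip: str = ""


def validate(t):
    """Enforce the rules stated on the help page.

    Hard violations raise ValueError; recommendations are returned as warnings.
    """
    warnings = []
    if t.state not in STATE_TO_AUTO:
        raise ValueError(f"unknown state {t.state!r}")
    if not t.any_remote_ip and not t.remote_ip:
        raise ValueError("Remote IP or FQDN is required unless 'Any remote IP' is selected")
    if t.use_for_l2tp and (t.local_subnet or t.remote_subnet):
        raise ValueError("L2TP tunnels must leave both subnet text fields empty")
    if t.use_for_l2tp and t.authorization != "ca":
        warnings.append("L2TP tunnels should use 'Signed by Certified Authority'")
    if t.authorization in ("x509", "ca") and not t.local_cert:
        raise ValueError("certificate authorization needs a local certificate")
    if t.authorization == "password" and not t.shared_secret:
        raise ValueError("password authorization needs a shared secret")
    for net in (t.local_subnet, t.remote_subnet):
        if net:
            ipaddress.ip_network(net, strict=True)  # raises ValueError on a bad prefix
    if t.any_remote_ip and t.remote_ip:
        warnings.append("Remote IP field is ignored because 'Any remote IP' is selected")
    if t.rightsubnetwithin and t.remote_subnet != "0.0.0.0/0":
        warnings.append("rightsubnetwithin is meant for road warriors; the page suggests 0.0.0.0/0")
    return warnings


def conn_settings(t):
    """Return the conn keywords as an ordered dict (validation runs first)."""
    validate(t)
    s = {"left": t.local_ip.split(" - ")[0].strip()}
    if t.local_subnet:
        s["leftsubnet"] = t.local_subnet
    s["right"] = "%any" if t.any_remote_ip else t.remote_ip
    if t.remote_subnet:
        s["rightsubnetwithin" if t.rightsubnetwithin else "rightsubnet"] = t.remote_subnet
    if t.authorization == "password":
        s["authby"] = "secret"  # the key itself belongs in ipsec.secrets, never here
    else:
        s["authby"] = "rsasig"
        s["leftcert"] = t.local_cert
    if t.local_id:
        s["leftid"] = t.local_id
    if t.remote_id:
        s["rightid"] = t.remote_id
    if t.next_router_ip:
        s["leftnexthop"] = t.next_router_ip
    if t.use_for_l2tp:  # assumed: L2TP over IPSec uses transport mode on UDP 1701
        s["type"] = "transport"
        s["leftprotoport"] = "17/1701"
        s["rightprotoport"] = "17/%any"
    s["auto"] = STATE_TO_AUTO[t.state]
    return s


def render_conn(t):
    """Render the conn block; the name is derived from the Description field."""
    name = re.sub(r"[^a-z0-9]+", "-", t.description.lower()).strip("-") or "tunnel"
    body = "\n".join(f"\t{k}={v}" for k, v in conn_settings(t).items())
    return f"conn {name}\n{body}\n"


if __name__ == "__main__":
    # Constructed sample: a road-warrior tunnel in standby, CA-signed certificates.
    roadwarrior = TunnelDefault(
        description="Road warriors", state="standby",
        local_ip="10.0.0.1 - int0", local_subnet="192.168.1.0/24",
        local_cert="gibraltar-gw", any_remote_ip=True,
        remote_subnet="0.0.0.0/0", rightsubnetwithin=True, authorization="ca",
    )
    print(render_conn(roadwarrior))
```

Run it as a script to see the rendered block for the constructed road-warrior sample; a definition that violates one of the page's rules (for example an L2TP tunnel with a subnet filled in) is rejected with a ValueError naming the rule instead of producing a block that would silently misbehave.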


ATTENTION: To allow traffic to pass through IPSec tunnels you also have to configure filter rules for the corresponding interfaces (e.g. incoming "ipsec0" or outgoing "int0").
