Configuring NG Firewall for IPsec Tunnels

Overview

NG Firewall supports IPsec with IKEv1 and IKEv2. Before configuring IPsec tunnels, complete a few preparatory steps to ensure a successful connection.

These steps include:

  • Configure a fully qualified Internet hostname
  • Configure a root certificate that matches your Internet hostname
  • Configure a server certificate that matches your Internet hostname
  • Configure the IPsec server
  • Configure user accounts for client access

Configure a fully qualified Internet hostname

A fully qualified Internet hostname is a hostname that Internet devices resolve through DNS to reach the IP Address of your NG Firewall host. Before completing this step, ensure the DNS for your domain name is properly configured to resolve your Internet hostname.

To configure the Internet hostname in NG Firewall:

  1. In the NG Firewall web administration, go to Config > Network > Hostname.
  2. In the Hostname field, enter the local part of your Internet hostname.
  3. In the Domain Name field, enter the domain part of your Internet hostname.
  4. Select Use Hostname and confirm that the value matches your Internet hostname.
  5. Save your changes.

Configure the root certificate to match your Internet hostname

The root certificate validates self-signed server certificates. The name on the root certificate must match the Internet hostname of your NG Firewall host.

To configure a new root certificate:

  1. Go to Config > Administration > Certificates.
  2. Click Generate Certificate Authority.
  3. Enter the required information.
  4. Save your changes.

Configure the server certificate to match your Internet hostname

IPsec uses the server certificate to authenticate your NG Firewall host to connecting clients. The name on the server certificate must match your Internet hostname.

  1. Go to Config > Administration > Certificates.
  2. Click Generate Server Certificate.
  3. Enter the required information.
  4. Select your new certificate for HTTPS, SMTPS, and IPSEC.
  5. Save your changes.
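
Why the names must match, shown as an added example (not part of the original article or of NG Firewall): the script builds a throwaway root CA and server certificate with the OpenSSL CLI, then runs the kind of chain and hostname validation a VPN client applies to the server certificate. The hostname fw.example.com, the file names and the function names are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example; requires the OpenSSL CLI (1.1.1 or later).
FW_HOST="fw.example.com"   # constructed Internet hostname

# make_demo_pki DIR HOST: throwaway root CA and server certificate for HOST,
# standing in for the ones generated under Config > Administration > Certificates.
make_demo_pki() {
    dir=$1 host=$2
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'O = Constructed Demo Root' \
        "CN = $host" '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/ca.cnf"
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/san.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/san.ext" -out "$dir/srv.crt" 2>/dev/null
}

# check_cert CA CERT HOST: exit 0 only if CERT chains to CA and names HOST.
check_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# run_demo: one line per name tried against the demo certificate.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" "$FW_HOST" || { rm -rf "$tmp"; return 1; }
    for name in "$FW_HOST" "vpn.example.com"; do
        if check_cert "$tmp/ca.crt" "$tmp/srv.crt" "$name"; then
            echo "$name: accepted"
        else
            echo "$name: rejected"
        fi
    done
    rm -rf "$tmp"
}

run_demo
```

If you have PEM copies of your own root and server certificates, check_cert can be called on them directly with your Internet hostname as the third argument.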

Configure the IPsec server

After you configure the Internet hostname and certificates, you can install and enable the IPsec VPN server. For more details, refer to IPsec VPN in the Edge Threat Management Wiki.

IMPORTANT: To use IKEv2 IPsec you must enable IKEv2 in the VPN Config tab of the IPsec app.

Configure User Accounts for Client Access

To set up client devices to connect via IPsec, you need user accounts for authentication. You can set up users in the Local Directory or via the Directory Connector app.

For more information about setting up IPsec tunnels on client devices, refer to the links below:

Configuring An IKEv2 IPsec Connection From Windows 10 To NG Firewall

Configuring An IKEv2 IPsec Connection From iOS To NG Firewall

Configuring An IKEv2 IPsec Connection From macOS To NG Firewall
