7.0 Introduction
A Virtual Private Network (VPN) is a technology that creates a secure and encrypted connection over a less secure network, such as the Internet. VPNs allow users to send and receive data as if their devices were directly connected to a private network, enhancing privacy and security.
Two common types of VPN protocols are SSL (Secure Sockets Layer) and IPsec (Internet Protocol Security). Both serve the same fundamental purpose of securing data transmission, but they do so in different ways.
| Feature | SSL VPN | IPsec VPN |
|---|---|---|
| Layer | Operates at the Transport Layer | Operates at the Network Layer |
| Usage | Commonly used for remote access (client-to-site) | Used for site-to-site connections and remote access |
| Configuration | Generally easier to configure; requires only a web browser | More complex; often requires client software or hardware configuration |
| Compatibility | Compatible with various operating systems and devices | May require specific operating systems or configurations |
| Security | Provides strong encryption and secure tunneling | Offers high levels of encryption and integrity checks |
| Authentication | Uses certificates and usernames/passwords | Supports various authentication methods, including pre-shared keys and certificates |
| Performance | May be slower due to encryption overhead | Can be optimized for speed, especially in site-to-site scenarios |
Both SSL and IPsec VPNs serve important roles in securing network communications. The choice between them often depends on specific use cases, security requirements, and the technical environment of the organization.
7.1 SSL
SSL works through a process that involves authentication, encryption, and data integrity, providing a secure environment for online transactions and communications. Although SSL has largely been replaced by TLS (Transport Layer Security), the term "SSL" is still commonly used to refer to both protocols.
- ID: This is a unique identifier for the SSL rule or profile. It helps differentiate between multiple SSL configurations in the system.
- Name: This is a descriptive name for the SSL rule. It should clearly indicate the purpose of the rule, making it easier to manage and recognize.
- Listen: The IP address and port (or ports) on which the firewall listens for SSL VPN traffic.
- Status: This indicates whether the SSL configuration is currently active (enabled) or inactive (disabled). It allows you to quickly see which rules are in effect.
Clicking the "+Add" button will typically open a new configuration form where you can input details for the new SSL configuration. This form usually includes fields such as:
- Name: A descriptive name for the SSL configuration. This helps in identifying the rule easily.
- Server Address: The IP address of the server that will handle SSL connections.
- Server Port: The port on which the SSL service will listen. This can be a non-standard port, allowing for customization.
- Virtual Pool: The IP range for virtual clients or resources that can connect through the SSL VPN.
- Routed Network: The network that the SSL VPN will route traffic to, allowing access to internal resources.
- Push DNS: The DNS server address that will be pushed to clients connecting through the SSL VPN, allowing them to resolve domain names correctly.
- Users: A dropdown or selection field where you can specify users that will have access to this SSL configuration.
7.2 IPsec
IPsec (Internet Protocol Security) is a robust protocol suite designed to ensure secure communication over IP networks. It operates by encrypting and authenticating data packets, providing confidentiality, integrity, and authentication. Widely used for site-to-site and remote access VPNs, IPsec is critical for protecting sensitive data in transit.
- ID: This is a unique identifier for the IPsec rule or profile. It helps differentiate between multiple IPsec configurations in the system.
- Name: This is a descriptive name for the IPsec rule. It should clearly indicate the purpose of the rule, making it easier to manage and recognize.
- Listen: The IP address and port (or ports) on which the firewall listens for IPsec traffic.
- Status: This indicates whether the IPsec configuration is currently active (enabled) or inactive (disabled). It allows you to quickly see which rules are in effect.
Clicking the "+Add" button will typically open a new configuration form where you can input details for the new IPsec configuration. This form usually includes fields such as:
- Name: Enter a descriptive name for the IPsec server configuration to easily identify it.
- I_port: Specify the local port number used for the IPsec connection (e.g., 500, the default for IPsec).
- I_interface: Select the local network interface (e.g., LAN, or a specific interface such as enp2s0) on which the IPsec server will operate.
- I_ipaddress: Enter the local IP address of the server hosting the IPsec connection.
- r_ipaddress: Enter the remote IP address of the peer device connecting to the IPsec server.
- r_port: Specify the remote port number used by the peer device for the IPsec connection (e.g., 500, the default for IPsec).
- Key Exchange (keyexchange): Select the key exchange protocol version (IKEv1 or IKEv2) used to establish and secure the connection.
- IKE Lifetime (ikelifetime): Specify the duration (in seconds) for which the IKE SA (Security Association) remains valid before rekeying.
- Force Encapsulation (forceencaps): Choose whether to force UDP encapsulation of IPsec packets (Yes or No); typically used for NAT traversal.
- Phase 1 Pre-Shared Key (p1_psk): Enter the pre-shared key used during the Phase 1 negotiation for authentication between peers.
- Phase 1 Pre-Shared Key 2 (p1_psk_2): Enter an optional second pre-shared key if required for additional authentication.
- Encryption Algorithm: Choose the algorithm for encrypting data during Phase 1 negotiation.
- Authentication Algorithm: Select the algorithm used for verifying data integrity and authenticity.
- Diffie-Hellman Group: Choose the DH group for securely exchanging cryptographic keys.
- Local Networks: Select the local network or subnet that will participate in the VPN tunnel.
- Remote Networks: Select the remote network or subnet that will connect to the local network through the VPN tunnel.
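The IPsec form fields above map closely onto a strongSwan-style `ipsec.conf` conn block (keyexchange, ikelifetime and forceencaps are strongSwan option names, though the manual does not state which backend the firewall uses). The following added example, which is not part of this manual or its product, checks a constructed set of field values for the mistakes an operator most often makes when filling in this form (a non-IKE port, a short pre-shared key, overlapping local and remote networks) and then renders them as a conn block; the dictionary key names, the sample values and the 20-character PSK minimum are assumptions.

```python
import ipaddress

# Constructed sample values for the 7.2 form fields (hypothetical, not from the manual).
SAMPLE = {
    "name": "branch-office", "keyexchange": "ikev2", "ikelifetime": 10800,
    "l_ipaddress": "203.0.113.10", "l_port": 500, "local_networks": "10.1.0.0/24",
    "r_ipaddress": "198.51.100.20", "r_port": 500, "remote_networks": "10.2.0.0/24",
    "forceencaps": "no", "p1_psk": "CONSTRUCTED-PSK-replace-before-use-0123",
    "enc": "aes256", "auth": "sha256", "dh": "modp2048",
}

def validate(f):
    """Return a list of problems with the form fields; an empty list means they are consistent."""
    errs = []
    if f["keyexchange"] not in ("ikev1", "ikev2"):
        errs.append("keyexchange must be ikev1 or ikev2")
    for k in ("l_port", "r_port"):
        if f[k] not in (500, 4500):  # IKE (500) and NAT-T (4500) are the expected ports
            errs.append(f"{k} is not an IKE port (500/4500)")
    if not isinstance(f["ikelifetime"], int) or f["ikelifetime"] <= 0:
        errs.append("ikelifetime must be a positive number of seconds")
    if len(f["p1_psk"]) < 20:  # minimum length is a local policy assumption
        errs.append("p1_psk shorter than 20 characters")
    for k in ("l_ipaddress", "r_ipaddress"):
        try:
            ipaddress.ip_address(f[k])
        except ValueError:
            errs.append(f"{k} is not a valid IP address")
    try:
        local = ipaddress.ip_network(f["local_networks"])
        remote = ipaddress.ip_network(f["remote_networks"])
        if local.overlaps(remote):  # overlapping subnets make the tunnel unroutable
            errs.append("local and remote networks overlap")
    except ValueError:
        errs.append("local/remote networks must be CIDR prefixes")
    return errs

def render(f):
    """Render the fields as a strongSwan-style ipsec.conf conn block (assumed syntax)."""
    body = [
        f"keyexchange={f['keyexchange']}",
        f"ikelifetime={f['ikelifetime']}s",
        f"forceencaps={f['forceencaps']}",
        f"left={f['l_ipaddress']}", f"leftsubnet={f['local_networks']}",
        f"right={f['r_ipaddress']}", f"rightsubnet={f['remote_networks']}",
        f"ike={f['enc']}-{f['auth']}-{f['dh']}!",   # Phase 1 proposal
        f"esp={f['enc']}-{f['auth']}!",             # Phase 2 proposal
        "authby=secret", "auto=start",
    ]
    return f"conn {f['name']}\n" + "".join(f"    {line}\n" for line in body)
```

Run `validate()` before submitting the form and only `render()` when it returns an empty list; the rendered block is illustrative and must match whatever syntax the firewall's backend actually expects.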