IPSec VPN (Site to Site)
IPsec (Internet Protocol Security) is a suite of protocols designed to protect communications over an IP network by both authenticating and encrypting each IP packet during a session. Operating at the network layer, IPsec secures data exchanges between two hosts, between two security gateways, or between a security gateway and a host. It begins by establishing mutual authentication between the communicating agents and then negotiates cryptographic keys to protect the session. IPsec supports two primary modes: Transport mode, which encrypts and authenticates only the payload of the IP packet, and Tunnel mode, which encrypts the entire IP packet and encapsulates it within a new packet. This technology is commonly used in Virtual Private Networks (VPNs) to ensure that data transmitted across untrusted networks like the internet remains secure. IPsec is especially useful for scenarios requiring secure communications, such as connecting remote offices to a central network, safeguarding sensitive data transmissions, and securing communications in mobile and telecommuting contexts.
CyberEdge Site to Site IPSec VPN utilizes tunnel mode only.
Note
Configuration of remote equipment is outside the scope of this guide.
Tunnel Creation
The following steps describe how to create a Site to Site VPN IPSec Tunnel:
- Navigate to the Networks > Connections page, click "+ Add" and choose "IPSec Tunnel". Add the following:
  - Name: Add a meaningful name for the IPSec Tunnel
  - External Identifier: Set this to the IP address or fully qualified domain name to listen on or connect out from (this will usually be the primary IP of your internet connection), e.g. 123.45.6.7 or 12345.slsecure.zone
  - Remote Identifier: Set this to the IP address or fully qualified domain name to connect to. Consult the documentation of the other end of the tunnel for this value
  - Validate Remote ID: This checks that the Local ID sent by the remote end matches the Remote Identifier configured above. In general these should match unless NAT is in use
  - Preshared Key: Enter the Preshared Key (Shared Secret) configured on the remote end of the tunnel
  - IKE Protocol: Select the IKE version to negotiate (IKEv2 is recommended)
  - Dead Peer Detection: Enable Dead Peer Detection to bring this tunnel down if the remote end stops responding
  - Zone: Choose the network zone that the Remote Networks will be placed in. This affects how VPN client traffic is routed to other networks managed by the CyberEdge, and how firewall policies are applied
  - Remote Networks: Enter IPv4 or IPv6 networks in CIDR format to connect to via the tunnel, e.g. 10.123.0.0/16
  - Set the IKE Phase 1 & 2 settings to match the remote end of the tunnel
- Click "Save"
- Click "Save" and "Apply Changes"
Internet over IPSec
The following steps describe how to create a Site to Site VPN tunnel that uses a remote gateway as an internet connection:
- Navigate to the Networks > Connections page and create a new IPSec tunnel following the steps from Tunnel Creation
- Update the following settings:
  - Remote Networks: Ensure that the gateway at the remote end of the tunnel is covered by the Remote Networks
  - Zone: Place this connection in the Internet Zone or a similar custom zone
  - IPv4 Gateway: Enter the IP address of the remote gateway
  - Local IPv4 Address: Create a new IP address (not in any other local subnet) to use as the source of this connection
- Click "Save"
- Ensure that the remote end of the IPSec tunnel has been updated to route traffic to the configured Local IPv4 Address via the tunnel, and also to any local networks if SNAT is to be disabled
- Navigate to Routing > SNAT and ensure that the desired SNAT conditions are configured
- Add a static route on all other active internet connections to the IP address(es) of the remote end of the VPN tunnel. If this step is skipped, Balance & Failover may route the traffic destined for the remote end of the tunnel (the traffic that carries the tunnel itself) through the tunnel
- Apply changes
- Attempt to ping the remote gateway, and confirm that the IPSec tunnel establishes
- Navigate to the Routing > Balance & Failover page and re-order connections as desired
- Navigate to the Networks > System DNS page and add a remote DNS server if desired
- Click "Save" and apply changes
Important tip
Ensure that the other side is exposing 0.0.0.0/0 or is otherwise configured to allow forwarding traffic to the internet.
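The Tunnel Creation and Internet over IPSec sections above impose a handful of constraints that are easy to get wrong by hand: Remote Networks must be valid CIDR prefixes, the IPv4 Gateway must fall inside one of them, the Local IPv4 Address must not sit in any other local subnet, and the remote endpoint of the tunnel must be reachable by a static route on another internet connection rather than through the tunnel itself. The following pre-flight checker is an added example, not CyberEdge code and not tied to its API; it models the tunnel form fields and a simplified route table (longest-prefix match, earlier entries winning ties) as plain Python objects, and it adds one check the guide does not state but a practitioner would want, namely that Remote Networks do not overlap local subnets. All addresses, connection names and zone names are constructed sample values.

```python
"""Pre-flight checks for a site-to-site IPsec tunnel definition (added example).

The TunnelConfig fields mirror the form fields described in the guide; the
route table, connection names and all addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str   # CIDR prefix, e.g. "203.0.113.5/32"
    via: str      # connection the route points at, e.g. "wan1" or the tunnel name


@dataclass
class TunnelConfig:
    name: str                                 # connection name; also a route target
    external_identifier: str                  # IP or FQDN we listen on / connect out from
    remote_identifier: str                    # IP or FQDN of the remote end
    remote_networks: List[str]                # CIDR prefixes reachable via the tunnel
    zone: str
    ipv4_gateway: Optional[str] = None        # Internet over IPsec only
    local_ipv4_address: Optional[str] = None  # Internet over IPsec only


def lookup_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match of dst against routes; earlier entries win ties.
    This stands in for whatever order Balance & Failover would apply (assumption)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def check_tunnel(cfg: TunnelConfig, local_subnets: List[str], routes: List[Route],
                 internet_zones=("Internet",)) -> List[str]:
    """Return a list of human-readable problems; an empty list means the config passes."""
    problems: List[str] = []
    remote_nets = []
    for n in cfg.remote_networks:
        try:  # strict=True rejects host bits set, e.g. "10.123.0.1/16"
            remote_nets.append(ipaddress.ip_network(n, strict=True))
        except ValueError:
            problems.append(f"Remote Network {n!r} is not a valid CIDR prefix")
    local_nets = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    # Added caveat (not in the guide): overlapping prefixes make routing ambiguous.
    for rn in remote_nets:
        for ln in local_nets:
            if rn.version == ln.version and rn.overlaps(ln):
                problems.append(f"Remote Network {rn} overlaps local subnet {ln}")
    if cfg.zone not in internet_zones:
        return problems  # plain site-to-site tunnel: the remaining checks do not apply

    # Internet over IPsec: the remote gateway must be reachable through the tunnel.
    if cfg.ipv4_gateway is None:
        problems.append("IPv4 Gateway is required when the tunnel is an internet connection")
    else:
        gw = ipaddress.ip_address(cfg.ipv4_gateway)
        if not any(rn.version == 4 and gw in rn for rn in remote_nets):
            problems.append(f"IPv4 Gateway {gw} is not covered by any Remote Network")
    # The source address for this connection must not live in another local subnet.
    if cfg.local_ipv4_address is None:
        problems.append("Local IPv4 Address is required when the tunnel is an internet connection")
    else:
        la = ipaddress.ip_address(cfg.local_ipv4_address)
        for ln in local_nets:
            if ln.version == 4 and la in ln:
                problems.append(f"Local IPv4 Address {la} lies inside local subnet {ln}")
    # The tunnel's own endpoint must be routed via another internet connection,
    # by a route more specific than a default route, or the tunnel may be
    # routed through itself once it carries a default route.
    try:
        peer = ipaddress.ip_address(cfg.remote_identifier)
    except ValueError:
        peer = None  # FQDN: resolve it out of band and check the address the same way
    if peer is not None:
        best = lookup_route(routes, str(peer))
        if (best is None or best.via == cfg.name
                or ipaddress.ip_network(best.prefix, strict=False).prefixlen == 0):
            problems.append(f"no static route to remote endpoint {peer} on another "
                            f"internet connection; Balance & Failover may send the "
                            f"tunnel's own traffic through {cfg.name}")
    return problems


# Constructed sample data (RFC 5737 documentation addresses and private ranges).
SAMPLE_CONFIG = TunnelConfig(
    name="ipsec-hq", external_identifier="198.51.100.10", remote_identifier="203.0.113.5",
    remote_networks=["10.123.0.0/16"], zone="Internet",
    ipv4_gateway="10.123.0.1", local_ipv4_address="10.250.0.1")
SAMPLE_LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]
SAMPLE_ROUTES = [Route("0.0.0.0/0", "ipsec-hq"),      # default via the tunnel (Balance & Failover)
                 Route("0.0.0.0/0", "wan1"),          # default via the physical uplink
                 Route("203.0.113.5/32", "wan1")]     # the static route the guide asks for

if __name__ == "__main__":
    for p in check_tunnel(SAMPLE_CONFIG, SAMPLE_LOCAL_SUBNETS, SAMPLE_ROUTES) or ["OK"]:
        print(p)
```

Run it as-is and it prints `OK`; delete the `203.0.113.5/32` route from `SAMPLE_ROUTES` and it reports that the tunnel endpoint would be reached through the tunnel itself, which is the failure the static-route step exists to prevent.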
Sharing Resources
To enable access to both LAN and WAN resources from a remote host, it is advisable to set up two IPSec tunnels on the CyberEdge device, along with a single IPSec configuration on the remote end that covers both 0.0.0.0/0 and any local resource. Place one IPSec tunnel in an Internet-like zone and another in a Local-like zone.
Important note
- Once an IPSec Tunnel has been created, it is dormant until the remote end attempts to make a connection or until packets from the CyberEdge attempt to transit to one of the Remote Networks. To test the connection, generate some traffic to a destination in the Remote Networks
- Logs for Site to Site IPSec tunnels are available under Status > Log Viewer under the "IPSec" source
View Connection Status
Information about the parameters for any active Site to Site IPSec tunnels is available under Status > Site-to-Site Tunnels