Setup without configuration guide, Set up your vpn gateway – equinux VPN Tracker 8.1.1 User Manual
Page 17

Setup without Configuration Guide
Almost all IPsec VPN gateways can be used with VPN Tracker,
even if they have not been tested with VPN Tracker.
Set up Your VPN Gateway
Network Setup
If you haven’t already done so, set up your VPN gateway so it is connected to
the Internet and to the internal network that you want to access using
VPN Tracker. Please refer to your VPN gateway’s manual for more information
on how to do this.
It is a good idea to carefully choose the address of the VPN
gateway’s LAN network if you plan to access it through VPN. To
avoid address conflicts, use a private network that is not used
very frequently (e.g. 192.168.142.0/24, or 10.42.23.0/24).
VPN Setup
Once you have completed the initial setup of your VPN gateway, it is time to
configure VPN on the VPN gateway. Go for the simplest possible configuration
first. You can always move to a more sophisticated setup later.
If your VPN gateway’s manual has instructions for setting up a VPN connection, follow them. Otherwise, please follow these basic settings as closely as possible:
Authentication
‣ Choose pre-shared key authentication.
‣ For now, use a pre-shared key that is not too complex to avoid typos. But
don’t forget to change it to a very strong password later!
Aggressive Mode vs. Main Mode
‣ For most devices, you should use Aggressive Mode for now.
‣ Main Mode is considered more secure, but may not work with all devices
for clients connecting from dynamic IP addresses. You can try Main Mode
once you’ve got everything else working.
Identifiers
‣ Choose Fully-Qualified Domain Name (FQDN) identifiers, if possible.
‣ With most devices, you can enter any identifier you want; it doesn’t have to be a valid domain name. Good choices would be:
Local identifier: vpngateway.local
Remote identifier: vpntracker.local
(the remote identifier is sometimes called “peer identifier”)
‣ Some devices use the group name as the remote identifier.
Proposals (Phase 1 and 2 Settings)
‣ Encryption algorithms: AES-128 or 3DES
‣ Hash/Authentication algorithms: SHA-1
‣ Diffie-Hellman (DH) group 2 (1024 bit)
‣ Enable Perfect Forward Secrecy (PFS) using DH group 2 (1024 bit)
While these are not the most secure settings, they are compatible with a wide
variety of devices. Use them as a starting point. Once you’ve got the VPN
working, switch to stronger algorithms if available (e.g. AES-256, SHA-2, DH
group 5 or higher).
Local Endpoint (Network Access / Policy)
‣ On most VPN gateways, you will have to configure the network(s) VPN users can access. This setting is often called “local endpoint”, or “policy”.
‣ Enter the address of the network you would like to access. Usually this will
be the same as the VPN gateway’s LAN network (e.g. 192.168.142.0/24).
‣ This setting will later be configured in VPN Tracker as the Remote Network.
Remote Endpoint
‣ Some VPN gateways will also ask you to configure the “remote endpoint”
of the VPN. The remote endpoint is the address VPN clients will be using
when connected through VPN.
‣ Whenever possible, set this to “any address” or “dynamic” (sometimes also
referred to as “0.0.0.0/0”).
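The settings above, written out for one concrete gateway as an added example (not from this manual, and not an equinux product): a strongSwan ipsec.conf with the compatible starting-point proposal and the hardened proposal to switch to afterwards. The identifiers, the LAN address 192.168.142.0/24 and the pre-shared key placeholder are taken from the manual or constructed; strongSwan as the gateway, and a client that uses its own address (no virtual IP), are assumptions.

```ini
# /etc/ipsec.conf (strongSwan) -- constructed example, not from the manual
config setup

# Settings shared by both connections: pre-shared key, FQDN identifiers,
# local endpoint = the gateway's LAN, remote endpoint = any client address
conn %default
    keyexchange=ikev1
    authby=secret                  # pre-shared key authentication
    left=%defaultroute             # gateway's Internet-facing address
    leftid=@vpngateway.local       # local identifier (@ = FQDN, never resolved)
    leftsubnet=192.168.142.0/24    # local endpoint / policy: network clients may reach
    right=%any                     # clients connect from dynamic addresses
    rightid=@vpntracker.local      # remote (peer) identifier
    # rightsubnet is left unset: the remote endpoint defaults to the client's own
    # address, i.e. the manual's "any address"/"dynamic" (assumes no virtual IP)
    auto=add

# Starting point: Aggressive Mode, AES-128, SHA-1, DH group 2, PFS with DH group 2
# (modp1024 in the esp= line is what enables PFS in strongSwan)
conn vpntracker-start
    aggressive=yes
    ike=aes128-sha1-modp1024!      # Phase 1 proposal; "!" accepts only this one
    esp=aes128-sha1-modp1024!      # Phase 2 proposal with PFS

# Hardened: Main Mode, AES-256, SHA-256, DH group 14 (2048 bit), i.e. above the
# manual's "DH group 5 or higher" floor. Load this one instead of the starting
# point once the tunnel works.
conn vpntracker-hardened
    aggressive=no
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!

# /etc/ipsec.secrets -- constructed placeholder; replace with a long random secret
@vpngateway.local @vpntracker.local : PSK "CHANGE-ME-before-use"
```

Keep only one of the two conn sections enabled at a time, since both match the same identifiers.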