VPN using IPSec Protocol
IPSec (IP Security Protocol) is an extension of the IP protocol that provides encryption-based security services: authentication as well as access and integrity control. IPSec provides services similar to SSL, but it works at the network layer. Through IPSec you can create encrypted tunnels (VPN) or encrypt traffic between two hosts.
WinRoute includes so-called IPSec pass-through. This means that WinRoute does not include tools for establishing an IPSec connection (tunnel); however, it is able to detect the IPSec protocol and allow it to pass between the local network and the Internet.
Note: The IPSec pass-through function guarantees full functionality of existing IPSec clients and servers after WinRoute is deployed at the Internet gateway. If you are considering designing and implementing new virtual private networks, we recommend using the WinRoute proprietary VPN solution (see chapter Kerio VPN).
IPSec preferences
IPSec preferences can be set in the IPSec pass-through area of the Security Settings tab in the Configuration / Advanced Options section. For detailed information on IPSec, refer to chapter WinRoute's IPSec configuration.
Enable
This option enables IPSec pass-through.
It is also necessary to set an idle timeout for IPSec connections (the default is 3600 seconds, i.e. exactly 1 hour). If no data is transferred for this time and the connection is not closed properly, WinRoute considers the connection closed and the pass-through becomes available to another computer (another IP address).
Enable pass-through only for hosts
The set of hosts allowed to use IPSec pass-through can be restricted to a defined group of IP addresses (typically the hosts on which IPSec clients run). Use the Edit button to edit the selected IP group or to add a new one.
WinRoute's IPSec configuration
Generally, communication through IPSec must be permitted by the firewall policy (for details refer to chapter Definition of Custom Traffic Rules). The IPSec protocol uses two traffic channels:
- IKE (Internet Key Exchange: exchange of encryption keys and other information)
- encrypted data (IP protocol number 50 is used)
Open the Configuration / Traffic Policy section and define a rule permitting communication for these services between the IPSec clients (the VPN address group in the example) and the IPSec server (the ipsec.server.cz server in the example).
Note: Predefined IPSec and IKE services are provided in WinRoute.
IPSec client in local network
This section of the guide describes WinRoute configuration for cases when an IPSec client or server is located in the local network and WinRoute translates IP addresses (NAT; for details see chapter Traffic Policy).
- IPSec client on WinRoute host
  In this case IPSec traffic is not affected by NAT (the IPSec client must be configured to use the public IP address of the WinRoute host). It is only necessary to define a traffic rule permitting IPSec communication between the firewall and the IPSec server.
  The Translation column must be left blank: no IP translation is performed. The pass-through setting is irrelevant in this case (it cannot be applied).
- One IPSec client in the local network (one tunnel)
  If only one IPSec tunnel from the local network to the Internet exists at a time, the configuration depends on the type of IPSec client:
  - If the IPSec client and the IPSec server support NAT Traversal (the client and the server are able to detect that the IP address is translated on the way between them), IPSec pass-through in WinRoute must be disabled (otherwise a collision might arise).
    NAT Traversal is supported for example by Nortel Networks' VPN software (http://www.nortelnetworks.com/).
  - If the IPSec client does not support NAT Traversal, IPSec pass-through must be enabled in WinRoute.
  In both cases, IPSec communication between the client and the IPSec server must be permitted by a traffic rule. NAT must be set in the Translation column (in the same way as for communication from the local network to the Internet).
- Multiple IPSec clients in the local network (multiple tunnels)
  If multiple IPSec tunnels from the local network to the Internet are to be created, all IPSec clients and the corresponding servers must support NAT Traversal (see above). IPSec pass-through in WinRoute must be disabled so that no collisions arise.
  Again, traffic between the local network and the corresponding IPSec servers must be permitted by a traffic rule.
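As an added illustration (not part of the WinRoute manual or its code), the following Python script models why the single-tunnel and idle-timeout rules above exist: it classifies the two IPSec channels named on the page (IKE, which runs over UDP port 500, a standard detail the manual does not spell out, and ESP, IP protocol 50) and simulates a pass-through binding that, because ESP packets carry no port numbers, can serve only one internal host per public address until the 3600-second idle timeout frees it. The `PassThrough` class, the `ipv4` packet builder and the packets are hypothetical constructs, not WinRoute's implementation.

```python
import struct
ESP_PROTO = 50        # IP protocol number of encrypted IPSec data (from the page)
IKE_PORT = 500        # IKE is carried in UDP on port 500
IDLE_TIMEOUT = 3600   # WinRoute's default pass-through idle timeout (seconds)

def classify(packet: bytes) -> str:
    """Return 'ike', 'esp' or 'other' for a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if packet[9] == ESP_PROTO:            # IPv4 protocol field
        return "esp"                      # ESP carries no port numbers at all
    if packet[9] == 17:                   # UDP: look for IKE on port 500
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"
    return "other"

class PassThrough:
    """Hypothetical model of single-tunnel pass-through: with no ports in ESP,
    one public address can be bound to only one internal host at a time."""
    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.owner = None        # internal host currently holding the tunnel
        self.last_seen = 0

    def outbound(self, host: str, kind: str, now: int) -> bool:
        if kind == "other":
            return True          # ordinary traffic is NATed as usual
        if self.owner and now - self.last_seen >= self.idle_timeout:
            self.owner = None    # idle for the full timeout: release the binding
        if self.owner is None:
            self.owner = host    # first IPSec client takes the pass-through
        if self.owner != host:
            return False         # a second tunnel would collide with the first
        self.last_seen = now
        return True

def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = bytearray(20)                   # constructed minimal IPv4 header
    hdr[0], hdr[9] = 0x45, proto          # version 4 / IHL 5, protocol field
    return bytes(hdr) + payload

IKE_PKT = ipv4(17, struct.pack("!HHHH", 500, 500, 8, 0))       # UDP header
ESP_PKT = ipv4(ESP_PROTO, struct.pack("!II", 0x1234ABCD, 1))   # SPI, sequence

def demo() -> list:
    pt, a, b = PassThrough(), "192.168.1.10", "192.168.1.11"
    return [pt.outbound(a, classify(IKE_PKT), 0),      # first tunnel is bound to a
            pt.outbound(a, classify(ESP_PKT), 10),     # its ESP data flows
            pt.outbound(b, classify(IKE_PKT), 20),     # b collides: rejected
            pt.outbound(b, classify(IKE_PKT), 3610)]   # a idle 3600 s: b gets the tunnel
```

The third call shows the collision the manual warns about when a second client starts a tunnel; the fourth shows the binding being handed over once the first client has been silent for the full idle timeout.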

IPSec server in local network
An IPSec server on a host in the local network or on the WinRoute host must be mapped from the Internet. In this case, traffic between Internet clients and the WinRoute host must be permitted by a traffic rule and mapping to a corresponding host in the local network must be set.
Warning: Only a single IPSec server can be mapped from the public IP address of the firewall. For mapping of multiple IPSec servers, the firewall must use multiple public IP addresses.
Example: we want two IPSec servers to be available from the Internet: one on the WinRoute host and another on a host with the IP address 192.168.100.100. The firewall interface connected to the Internet uses the IP addresses 60.80.100.120 and 60.80.100.121.
