Follow

Setup of a VPN with IPsec and an XAuth tunnel

  Version 5.0   Version 6.0

Applies to Platform: UTM 5.x, 4i Edge 5.x
Last update: 19 Nov 2022

Applies to Platform: UTM 6.x, 4i Edge 6.x
Last update: 23 Jan 2025

Background

From this lesson, you will learn how to quickly set up on your Endian UTM appliance an IPsec server using Xauth and password-based (PSK) authentication.

The main purpose to adopt IPSec tunnel with XAuth authentication is to add user authentication to IPsec, therefore many clients can connect to the server using the same encrypted tunnel and each client is authenticated by XAuth.

IPSec server configuration steps

1. Click on Menubar > VPN > IPsec.

1. Click on Menubar > VPN > IPsec > Configuration.

2. Fill Roadwarriors virtual IP (inner IP) pool with a virtual IP network in CIDR notation, that will be used to assign dynamically assigned IP to IPsec clients. Such network must not be already used anywhere else in your network. In our example below, we are using 10.10.0.0/24 as IPSec virtual network.

3. Click on Save to apply the settings.

3. Click on Add new connection, then fill the configuration with the following values shown into the picture below:

3. Navigate to Menubar > VPN > IPsec > Connections and click on Add new connection, then fill the configuration with the following values shown into the picture below:

  • Name will be name of the IPsec\Xauth connection into the list. You can use only letters and numbers.
  • Select Connection type as XAuth Host-to-Net (roadwarrior using XAuth).
  • Select Authentication type as Password (PSK).
  • Fill Use a pre-shared key with a safe password.
  • Fill Local subnets with the local subnets that will be accessible from the client.

    Note

    Mobile devices running iOS can not properly connect via XAuth to the Endian UTM Appliance if this value is not set, therefore the special subnet 0.0.0.0/0 is automatically added when the Connection type is set to XAuth.
  • Check the box Roadwarrior virtual IP (inner IP), then click on Add to save IPsec profile.

VPN user configuration steps

In order to be able to connect to our IPSec XAuth tunnel, we need to configure a user that will be used to authenticate onto IPsec XAuth.

1. Click on Menubar > VPN > Authentication, then on Add new local user.

2. Fill the user configuration in the following way:

  • Set a Username as you need.
  • Set a safe Password, and repeat it into Confirm Password.
  • Fill all the other information (Organizational unit name, Organization name, City, State or province, Country, Email address) in order to be able to unequivocally identify who will connect with such username.

3. Click on Add to add the user to Endian UTM appliance.

Configuring client to connect to the server.

In order to verify if the server is reachable, you need to configure clients with the data that you have provided here, namely Username and Password of the XAuth user, the IP address or hostname of the public IP of the Endian UTM appliance, and the pre-shared key you have entered in Section IPSec server configuration steps on step 3.

You can find in this knowledge base lessons to configure IPSec clients for devices running Android and iOS.

Have more questions? Submit a request

Comments