Cipafilter Support:
309 517 2022 option 2
Mon - Fri 7 AM - 6 PM CT
Cipafilter Documentation - VPN
Posted by Jim Giseburt, Last modified by Jim Giseburt on 11 April 2017 03:35 PM


End-User VPN

Any user with the VPN access option checked on the Management Users page can access the local network via the Cipafilter's end-user (client-to-server) VPN services, if enabled. The following protocols are supported:

L2TP over IPsec

Secure, easy to use, and supported by all major desktop and mobile operating systems, L2TP is the recommended protocol for end-user VPN access. Cipafilter's implementation uses a pre-shared key (PSK) instead of certificate-based authentication — this makes it much simpler to deploy and use, but it is essential to the security of the tunnel that the chosen PSK be long and complex, and that it not be made public. A PSK that balances complexity with user-friendliness is auto-generated when the L2TP option is selected, but, generally speaking, the longer and more complex the PSK, the better.


PPTP is an older, simpler protocol which has traditionally been very common, especially on Windows machines. However, it is now considered insecure, and it is gradually being phased out — ChromeOS, iOS 10+, and macOS 10.12+ do not support it. Cipafilter retains this protocol strictly for backwards compatibility; it is not recommended.

Site-to-Site VPN

IPsec tunnels are supported for site-to-site (router-to-router) VPNs. Cipafilter's implementation uses IKEv1/ESP with "next generation" cryptographic suites for the greatest security and performance.

To create an IPsec tunnel, simply enter the IP address of the remote endpoint (e.g., a second filter) and the subnets on each side's network which should be able to talk to each other. A secure PSK will be automatically generated, but this can be overridden if necessary. After configuring the filter, set up the remote endpoint with the reverse options (point it to the filter's IP, etc.).

If you need to connect a filter running recent firmware to a filter running older firmware (or a legacy third-party device), the legacy mode feature can be used. Enabling legacy mode causes all site-to-site tunnels to use the legacy cipher suites used by old versions of Cipafilter firmware. This feature is not secure and should not be used unless absolutely necessary. The option to enable it will likely be removed in a future version of firmware. Refer to the section below for more details.

IPsec implementation and compatiblity

Although these technologies are industry-standard and in wide deployment, the site-to-site VPN functionality is designed primarily to interconnect two Cipafilter units — it may or may not function with other devices. If you would like to create a site-to-site VPN with a third-party device, Cipafilter support will try to assist you, but compatibility is not guaranteed.

The following settings are used for all site-to-site tunnels:

Phase Setting Value
1 (IKEv1) exchange mode main
1 (IKEv1) NAT traversal enabled
1 (IKEv1) DPD (Dead Peer Detection) enabled, 10 second interval
1 (IKEv1) authentication method PSK (shared secret)
1 (IKEv1) encryption algorithm AES-256 (CBC)
1 (IKEv1) integrity (hash) algorithm SHA-256 (HMAC)
1 (IKEv1) DH (PFS) group MODP 4096 (group 16)
2 (ESP) key lifetime 6 hours (21600 seconds)
2 (ESP) encryption algorithm AES-256 (16-byte GCM) or AES-256 (CBC)
2 (ESP) authentication algorithm AES-256 (16-byte GCM) or SHA-256 (HMAC)
2 (ESP) DH (PFS) group NIST ECP-384 (group 20) or MODP 4096 (group 16)

Legacy-mode tunnels use the same settings, with the following cipher differences:

Phase Setting Value
1 (IKEv1) encryption algorithm 3DES (CBC)
1 (IKEv1) integrity (hash) algorithm MD5 (HMAC)
1 (IKEv1) DH (PFS) group MODP 1024 (group 2)
2 (ESP) encryption algorithm AES-128 (CBC) or 3DES (CBC)
2 (ESP) authentication algorithm SHA-1 (HMAC) or MD5 (HMAC)
2 (ESP) DH (PFS) group MODP 768 (group 1)

Additional notes:

  • Site-to-site tunnels are routed upon configuration, but they are not actually established until traffic is detected which needs to flow across the tunnel. It is normal for a tunnel to not appear in the list of active SAs if it has just been configured for the first time or has not been used within the last few hours.

  • Endpoints may only form tunnels with a filter via its primary IP address (which is displayed at the top of every page on the Web management interface) — the use of a DNS name or secondary IP address will cause an identification failure between the two endpoints.

  • Multiple tunnels may be formed between the same two endpoints if the local or remote subnet differs. Phase 1 (IKEv1) SAs will be shared when possible.

  • When a filter has multiple tunnels configured with the same peer, that peer must not reuse request IDs. Since older versions of Cipafilter firmware were designed to work this way, it is not possible to maintain multiple tunnels with a single filter running pre-9.2 firmware, even if legacy mode is enabled.

(0 vote(s))
Not helpful

Comments (0)
©Cipafilter 2017. All Rights Reserved.