Cipafilter Documentation - VPN
Posted by Jim Giseburt, Last modified by Jim Giseburt on 11 April 2017 03:35 PM
Any user with the VPN access option checked on the Management Users page can access the local network via the Cipafilter's end-user (client-to-server) VPN services, if enabled. The following protocols are supported:
L2TP over IPsec
Secure, easy to use, and supported by all major desktop and mobile operating systems, L2TP is the recommended protocol for end-user VPN access. Cipafilter's implementation uses a pre-shared key (PSK) instead of certificate-based authentication — this makes it much simpler to deploy and use, but it is essential to the security of the tunnel that the chosen PSK be long and complex, and that it not be made public. A PSK that balances complexity with user-friendliness is auto-generated when the L2TP option is selected, but, generally speaking, the longer and more complex the PSK, the better.
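To make the "longer and more complex" point concrete, the following added example (not Cipafilter's own code; the page does not say how the filter generates its PSK) draws a PSK from a CSPRNG and estimates the strength of any candidate PSK from its length and the character classes it uses. The 128-bit acceptance threshold is an assumed policy value, not something the documentation specifies.

```python
import math
import secrets
import string

# Character classes used to estimate the pool a PSK was drawn from.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!#$%&()*+,-./:;<=>?@[]^_{|}~"),
}


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from `pool_size` symbols."""
    return length * math.log2(pool_size)


def generate_psk(length: int = 24, friendly: bool = True) -> str:
    """Generate a random PSK.

    friendly=True keeps to letters and digits, which are easier to type on a
    phone; friendly=False adds symbols for more entropy per character.
    """
    pool = string.ascii_letters + string.digits
    if not friendly:
        pool += "".join(sorted(CLASSES["symbol"]))
    return "".join(secrets.choice(pool) for _ in range(length))


def estimate_psk_bits(psk: str) -> float:
    """Upper-bound strength estimate from the classes the PSK actually uses.

    A human-chosen PSK is usually weaker than this (dictionary words, dates),
    so treat the result as optimistic.
    """
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in psk))
    return entropy_bits(len(psk), pool) if pool else 0.0


def psk_is_acceptable(psk: str, min_bits: float = 128.0) -> bool:
    """Assumed policy: reject any PSK estimated below min_bits of entropy."""
    return estimate_psk_bits(psk) >= min_bits
```

A 24-character alphanumeric PSK estimates at about 143 bits, while a typical human choice such as "Summer2017!" (constructed) lands near 71 bits even with all four classes present.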
PPTP
PPTP is an older, simpler protocol which has traditionally been very common, especially on Windows machines. However, it is now considered insecure, and it is gradually being phased out — ChromeOS, iOS 10+, and macOS 10.12+ do not support it. Cipafilter retains this protocol strictly for backwards compatibility; it is not recommended.
Site-to-site IPsec
IPsec tunnels are supported for site-to-site (router-to-router) VPNs. Cipafilter's implementation uses IKEv1/ESP with "next generation" cryptographic suites for the greatest security and performance.
To create an IPsec tunnel, simply enter the IP address of the remote endpoint (e.g., a second filter) and the subnets on each side's network which should be able to talk to each other. A secure PSK will be automatically generated, but this can be overridden if necessary. After configuring the filter, set up the remote endpoint with the reverse options (point it to the filter's IP, etc.).
If you need to connect a filter running recent firmware to a filter running older firmware (or a legacy third-party device), the legacy mode feature can be used. Enabling legacy mode causes all site-to-site tunnels to use the legacy cipher suites used by old versions of Cipafilter firmware. This feature is not secure and should not be used unless absolutely necessary. The option to enable it will likely be removed in a future version of firmware. Refer to the section below for more details.
IPsec implementation and compatibility
Although these technologies are industry-standard and in wide deployment, the site-to-site VPN functionality is designed primarily to interconnect two Cipafilter units — it may or may not function with other devices. If you would like to create a site-to-site VPN with a third-party device, Cipafilter support will try to assist you, but compatibility is not guaranteed.
The following settings are used for all site-to-site tunnels:
Legacy-mode tunnels use the same settings, with the following cipher differences: