IPSec VPN Compatibility

Info - IPSec VPN Compatibility

Although IPsec and IKEv1 are industry standards in wide deployment, the site-to-site VPN functionality is designed primarily to interconnect two Cipafilter units; it may or may not work with other devices.  If you would like to create a site-to-site VPN with a third-party device, Cipafilter support will try to assist you, but compatibility is not guaranteed.

The following settings are used for all site-to-site tunnels.  They are fixed; a third-party peer must be configured to match them.

Phase        Setting                       Value
1 (IKEv1)    exchange mode                 main
1 (IKEv1)    NAT traversal                 enabled
1 (IKEv1)    DPD (Dead Peer Detection)     enabled, 10-second interval
1 (IKEv1)    authentication method         PSK (shared secret)
1 (IKEv1)    encryption algorithm          AES-256 (CBC)
1 (IKEv1)    integrity (hash) algorithm    HMAC-SHA-256
1 (IKEv1)    DH (PFS) group                MODP 4096 (group 16)
2 (ESP)      key lifetime                  6 hours (21600 seconds)
2 (ESP)      encryption algorithm          AES-256-GCM (16-byte ICV) or AES-256 (CBC)
2 (ESP)      authentication algorithm      AES-256-GCM (integrity is built into GCM) or HMAC-SHA-256
2 (ESP)      DH (PFS) group                NIST ECP-384 (group 20) or MODP 4096 (group 16)

Legacy-mode tunnels use the same settings, with the following cipher differences.  Legacy mode exists only for peers that support nothing stronger: 3DES, MD5 and the 768- and 1024-bit MODP groups are deprecated and give far weaker protection than the defaults above, so leave it disabled unless a specific peer requires it.

Phase        Setting                       Value
1 (IKEv1)    encryption algorithm          3DES (CBC)
1 (IKEv1)    integrity (hash) algorithm    HMAC-MD5
1 (IKEv1)    DH (PFS) group                MODP 1024 (group 2)
2 (ESP)      encryption algorithm          AES-128 (CBC) or 3DES (CBC)
2 (ESP)      authentication algorithm      HMAC-SHA-1 or HMAC-MD5
2 (ESP)      DH (PFS) group                MODP 768 (group 1)

Additional notes:
  • Site-to-site tunnels are routed as soon as they are configured, but they are not actually established until traffic that needs to cross the tunnel is detected.  It is normal for a tunnel not to appear in the list of active SAs if it has just been configured for the first time or has not carried traffic within the last few hours.

  • Endpoints may only form tunnels with a filter via its primary IP address (displayed at the top of every page of the Web management interface).  Using a DNS name or a secondary IP address causes an identification failure between the two endpoints: in IKEv1 main mode with a shared secret, each side identifies its peer by IP address, and the filter presents its primary address as its identity.

  • Multiple tunnels may be formed between the same two endpoints as long as the local or remote subnet differs.  Phase 1 (IKEv1) SAs are shared between such tunnels when possible.

  • When a filter has multiple tunnels configured with the same peer, that peer must not reuse request IDs (reqids) across them.  Older Cipafilter firmware did reuse request IDs, so it is not possible to maintain multiple tunnels with a single filter running pre-9.2 firmware, even if legacy mode is enabled.

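As an added example (not Cipafilter's own configuration and not part of the original page), the following strongSwan swanctl.conf fragment shows how the fixed settings and notes above map onto a third-party endpoint.  The connection name, both public addresses, both subnets and the shared secret are placeholders; substitute your own.

```conf
# Added example: strongSwan (swanctl.conf) peering with a Cipafilter
# using the fixed site-to-site settings from this article.
# All addresses, subnets, names and the secret below are assumptions.

connections {
    to-cipafilter {
        version = 1                      # IKEv1
        aggressive = no                  # main mode (strongSwan's default)
        local_addrs  = 198.51.100.5      # this endpoint's public IP (assumed)
        remote_addrs = 203.0.113.10      # the filter's PRIMARY IP, never a DNS
                                         # name or secondary address (see notes)

        # IKEv1 main mode with PSK identifies peers by IP address, so pin
        # both identities to the addresses used on the wire.
        local_id  = 198.51.100.5
        remote_id = 203.0.113.10

        local  { auth = psk }
        remote { auth = psk }

        # Phase 1: AES-256-CBC, HMAC-SHA-256, DH group 16 (MODP 4096)
        proposals = aes256-sha256-modp4096

        # DPD every 10 seconds.  NAT traversal needs no setting here:
        # strongSwan detects NAT during phase 1 and moves to UDP/4500.
        dpd_delay = 10s

        children {
            lan-to-lan {
                local_ts  = 10.10.0.0/24       # subnet behind this endpoint (assumed)
                remote_ts = 192.168.50.0/24    # subnet behind the filter (assumed)

                # Phase 2: AES-256-GCM with 16-byte ICV plus ECP-384 (group 20) PFS,
                # falling back to AES-256-CBC / HMAC-SHA-256 with MODP 4096 (group 16).
                esp_proposals = aes256gcm16-ecp384,aes256-sha256-modp4096

                # 6-hour hard lifetime, as the filter expects; with IKEv1,
                # strongSwan proposes life_time as the SA lifetime and
                # rekeys before it is reached.
                life_time  = 6h
                rekey_time = 5h

                # Trap policy: the tunnel is negotiated when matching traffic
                # appears, which is also how the filter brings tunnels up.
                start_action = trap
                dpd_action   = restart

                # A second child (different local_ts/remote_ts) may be added for
                # an additional tunnel to the same filter.  Do not give children a
                # shared 'reqid'; each CHILD_SA must keep its own request ID.
            }
        }
    }
}

secrets {
    ike-cipafilter {
        id-1   = 198.51.100.5
        id-2   = 203.0.113.10
        secret = "replace-with-the-shared-secret"   # placeholder, not a real PSK
    }
}
```

After loading the configuration with `swanctl --load-all`, send traffic from the local subnet to the remote one and confirm the SA with `swanctl --list-sas`; an idle tunnel showing no SA is expected, as the notes above describe.  For a legacy-mode peer the proposal lines would become `3des-md5-modp1024` and `aes128-sha1-modp768`, which is exactly why legacy mode should be avoided wherever the peer supports the defaults.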
For more information about establishing a VPN connection with your Cipafilter: VPN Manual Page
