Cipafilter Documentation - VPN

Manual - VPN

End-User VPN

Any user with the VPN access option checked on the Management Users page can access the local network via the Cipafilter's end-user (client-to-server) VPN services, if enabled.  The following protocols are supported:

L2TP over IPsec

Secure, easy to use, and supported by all major desktop and mobile operating systems, L2TP over IPsec is the recommended protocol for end-user VPN access.  Cipafilter's implementation authenticates the IPsec tunnel with a pre-shared key (PSK) rather than certificates.  This is much simpler to deploy and use, but it makes the PSK the only secret protecting the tunnel, so it must be long, random, and never made public.  Every L2TP user shares the same PSK, so it should be rotated whenever someone who knew it should no longer have access.  The PSK only establishes the tunnel; each user is then identified by their own account credentials from the Management Users page.  A PSK that balances complexity with user-friendliness is auto-generated when the L2TP option is selected, but, generally speaking, the longer and more random the PSK, the better.

PPTP

PPTP is an older, simpler protocol which has traditionally been very common, especially on Windows machines.  However, it is now considered insecure: its MS-CHAPv2 authentication can be cracked offline from a captured handshake, and its MPPE (RC4) encryption offers little protection.  It is gradually being phased out; ChromeOS, iOS 10+, and macOS 10.12+ do not support it at all.  Cipafilter retains this protocol strictly for backwards compatibility; it is not recommended.

Site-to-Site VPN

IPsec tunnels are supported for site-to-site (router-to-router) VPNs.  Cipafilter's implementation uses IKEv1 for key exchange and ESP for the encrypted data path, with modern cipher suites (AES-256, HMAC-SHA-256, AES-256-GCM, and 4096-bit MODP or 384-bit elliptic-curve DH groups) chosen for security and performance.  Note that the key exchange itself is IKEv1, not the newer IKEv2, and that the suites are fixed: a peer must accept exactly the parameters listed in the compatibility section below.


To create an IPsec tunnel, enter the IP address of the remote endpoint (e.g., a second filter) and the local and remote subnets which should be able to talk to each other.  A secure PSK will be automatically generated, but this can be overridden if necessary.  After configuring the filter, set up the remote endpoint with the reverse options: point it to the filter's IP address, swap the local and remote subnets, and enter the same PSK.  The subnets must match exactly on both sides; a mismatch in the phase 2 traffic selectors will prevent the tunnel from establishing even when phase 1 succeeds.
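The PSK advice for both the end-user L2TP service and the site-to-site tunnels comes down to one property: the key must be long and unpredictable.  The script below is an added example, not Cipafilter's own PSK generator.  It shows how to produce a PSK from the operating system's random source and how to reject a hand-typed replacement that is too weak.  The character set, the 20-character minimum and the 128-bit threshold are assumptions; confirm that your VPN clients accept the punctuation before using such a key.

```python
"""Generate and sanity-check an IKE pre-shared key.
Added example; not Cipafilter's PSK generator."""
import math
import secrets
import string
from typing import Tuple

# Assumed character set: printable ASCII without quotes, backslash and
# whitespace, which some clients and config-file formats mishandle.
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_psk(length: int = 48) -> str:
    """Uniformly random PSK from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def entropy_estimate_bits(psk: str) -> float:
    """Ceiling on PSK strength: length * log2(size of the character classes
    used).  A dictionary phrase scores far higher than it deserves, so this
    is a filter for obviously bad keys, not proof that a key is good."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 33  # printable ASCII punctuation
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str, min_bits: float = 128.0, min_length: int = 20) -> Tuple[bool, str]:
    """Return (accepted, reason).  Thresholds are assumptions, not Cipafilter's."""
    if len(psk) < min_length:
        return False, f"too short: {len(psk)} characters, want at least {min_length}"
    if len(set(psk)) < 8:
        return False, "too repetitive: fewer than 8 distinct characters"
    bits = entropy_estimate_bits(psk)
    if bits < min_bits:
        return False, f"estimated {bits:.0f} bits, want at least {min_bits:.0f}"
    return True, f"ok, roughly {bits:.0f} bits"


if __name__ == "__main__":
    # Constructed examples: a weak hand-typed key, a lowercase passphrase
    # that is long but still below the threshold, and a generated key.
    for candidate in ("cipafilter-vpn-2019", "correcthorsebatterystaple", generate_psk()):
        print(f"{candidate!r}: {check_psk(candidate)[1]}")
```

The estimate is deliberately generous; its job is to catch keys that are short or drawn from a single character class, not to certify a key as strong.  A key produced by generate_psk passes by construction, and that is the form the filter's own auto-generated PSK should be preferred in.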


If you need to connect a filter running recent firmware to a filter running older firmware (or a legacy third-party device), the legacy mode feature can be used.  Enabling legacy mode causes all site-to-site tunnels, not only the one to the old peer, to use the legacy cipher suites used by old versions of Cipafilter firmware: 3DES, HMAC-MD5, HMAC-SHA-1 and 768- or 1024-bit DH groups, all of which are deprecated.  This mode is not secure and should not be used unless absolutely necessary; the option to enable it will likely be removed in a future version of firmware.  Refer to the section below for the exact legacy suites.

IPsec implementation and compatibility

Although these technologies are industry-standard and in wide deployment, the site-to-site VPN functionality is designed primarily to interconnect two Cipafilter units — it may or may not function with other devices.  If you would like to create a site-to-site VPN with a third-party device, Cipafilter support will try to assist you, but compatibility is not guaranteed.


The following settings are used for all site-to-site tunnels (the phase 1 DH group protects the IKE SA; the phase 2 group provides PFS for the ESP keys):

Phase       Setting                     Value
1 (IKEv1)   exchange mode               main
1 (IKEv1)   NAT traversal               enabled
1 (IKEv1)   DPD (Dead Peer Detection)   enabled, 10 second interval
1 (IKEv1)   authentication method       PSK (shared secret)
1 (IKEv1)   encryption algorithm        AES-256 (CBC)
1 (IKEv1)   integrity (hash) algorithm  SHA-256 (HMAC)
1 (IKEv1)   DH group                    MODP 4096 (group 16)
2 (ESP)     key lifetime                6 hours (21600 seconds)
2 (ESP)     encryption algorithm        AES-256-GCM (16-byte ICV) or AES-256 (CBC)
2 (ESP)     authentication algorithm    built into AES-256-GCM (AEAD, no separate HMAC) or SHA-256 (HMAC)
2 (ESP)     DH (PFS) group              NIST ECP-384 (group 20) or MODP 4096 (group 16)


Legacy-mode tunnels use the same settings, with the following cipher differences:

Phase       Setting                     Value
1 (IKEv1)   encryption algorithm        3DES (CBC)
1 (IKEv1)   integrity (hash) algorithm  MD5 (HMAC)
1 (IKEv1)   DH group                    MODP 1024 (group 2)
2 (ESP)     encryption algorithm        AES-128 (CBC) or 3DES (CBC)
2 (ESP)     authentication algorithm    SHA-1 (HMAC) or MD5 (HMAC)
2 (ESP)     DH (PFS) group              MODP 768 (group 1)
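Because the suites above are fixed, most failed third-party tunnels come down to a proposal the filter will not accept; a typical case is a vendor default of a 2048-bit DH group against the filter's MODP 4096 requirement.  The script below is an added example, not Cipafilter code.  It transcribes the two tables into data, checks a peer's proposals against them phase by phase, flags the deprecated legacy algorithms, and renders the accepted suite in strongSwan's ike=/esp= notation so it can be pasted into a third-party configuration.  Where a table lists "X or Y" for a setting the script accepts any combination of the alternatives; the page does not say how the alternatives are paired, so that is an assumption, as is the sample peer proposal.

```python
"""Check a third-party peer's IKEv1/ESP proposals against the Cipafilter's
fixed site-to-site suites.  Added example; not Cipafilter code."""
from __future__ import annotations
from typing import NamedTuple, Optional


class Suite(NamedTuple):
    enc: str    # strongSwan-style names: "aes256", "aes256gcm16", "3des", ...
    integ: str  # "aead" when the cipher carries its own ICV (GCM)
    dh: str     # "modp4096", "ecp384", "modp1024", "modp768", ...


AEAD_CIPHERS = {"aes256gcm16"}

# Allowed values per setting, transcribed from the two tables above.  Where a
# table says "X or Y" every combination is accepted here (assumption: the page
# does not state how the alternatives are paired).
CIPAFILTER = {
    "modern": {
        "ike": {"enc": {"aes256"}, "integ": {"sha256"}, "dh": {"modp4096"}},
        "esp": {"enc": {"aes256gcm16", "aes256"}, "integ": {"sha256"},
                "dh": {"ecp384", "modp4096"}},
    },
    "legacy": {
        "ike": {"enc": {"3des"}, "integ": {"md5"}, "dh": {"modp1024"}},
        "esp": {"enc": {"aes128", "3des"}, "integ": {"sha1", "md5"},
                "dh": {"modp768"}},
    },
}

# Algorithms that should be flagged in any review, whether or not they negotiate.
WEAK = {
    "3des": "64-bit block cipher, birthday-bound attacks (Sweet32)",
    "md5": "collision-broken hash",
    "sha1": "deprecated hash",
    "modp1024": "1024-bit DH, within reach of well-funded precomputation",
    "modp768": "768-bit DH, factorable with modest resources",
}


def suite_acceptable(allowed: dict, suite: Suite) -> bool:
    """True if the filter would accept this exact suite for the phase."""
    if suite.enc not in allowed["enc"] or suite.dh not in allowed["dh"]:
        return False
    if suite.enc in AEAD_CIPHERS:
        # GCM authenticates its own output; a peer that pairs it with an HMAC
        # is proposing something the table does not list.
        return suite.integ == "aead"
    return suite.integ in allowed["integ"]


def negotiate(mode: str, phase: str, peer_proposals: list[Suite]) -> Optional[Suite]:
    """First proposal the filter would accept, in the peer's preference order."""
    allowed = CIPAFILTER[mode][phase]
    return next((s for s in peer_proposals if suite_acceptable(allowed, s)), None)


def weak_algorithms(suite: Suite) -> list[str]:
    """Warnings for any deprecated algorithm in the suite."""
    return [f"{alg}: {WEAK[alg]}" for alg in suite if alg in WEAK]


def strongswan_string(suite: Suite) -> str:
    """Render a suite as strongSwan's ike=/esp= token, e.g. aes256gcm16-ecp384."""
    parts = [suite.enc] + ([] if suite.integ == "aead" else [suite.integ]) + [suite.dh]
    return "-".join(parts)


def report(mode: str, peer_ike: list[Suite], peer_esp: list[Suite]) -> list[str]:
    """Outcome for both phases, plus warnings on weak algorithms."""
    lines = []
    for phase, proposals in (("ike", peer_ike), ("esp", peer_esp)):
        chosen = negotiate(mode, phase, proposals)
        if chosen is None:
            offered = ", ".join(strongswan_string(s) for s in proposals)
            lines.append(f"{phase}: NO MATCH; peer offered {offered}")
            continue
        lines.append(f"{phase}: {strongswan_string(chosen)}")
        lines.extend(f"  warning {w}" for w in weak_algorithms(chosen))
    return lines


if __name__ == "__main__":
    # Constructed peer: a common vendor default (AES-256/SHA-256 with a 2048-bit
    # group) that fails phase 1, then the same peer with MODP 4096 added.
    default_ike = [Suite("aes256", "sha256", "modp2048")]
    fixed_ike = default_ike + [Suite("aes256", "sha256", "modp4096")]
    esp = [Suite("aes256gcm16", "aead", "ecp384")]
    for label, ike in (("vendor default", default_ike), ("with modp4096", fixed_ike)):
        print(label)
        for line in report("modern", ike, esp):
            print(" ", line)
```

Run the script and compare its output with the peer's IKE log: a "NO MATCH" for phase 1 means no SA will ever be listed, whereas a phase 1 match followed by a phase 2 "NO MATCH" usually shows up on the peer as a quick-mode failure.  Key lifetime and DPD interval are not modelled because a difference there does not by itself stop an IKEv1 tunnel from coming up.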


Additional notes:
  • Site-to-site tunnels are routed as soon as they are configured, but the SA is not actually negotiated until traffic needs to flow across the tunnel.  It is normal for a tunnel not to appear in the list of active SAs if it has just been configured for the first time or has not carried traffic within the last few hours.

  • Endpoints may only form tunnels with a filter via its primary IP address (displayed at the top of every page on the Web management interface).  The filter identifies itself by this address during IKE, so a peer configured with a DNS name or a secondary IP address will see an identity mismatch in phase 1 and the negotiation will fail.

  • Multiple tunnels may be formed between the same two endpoints if the local or remote subnet differs.  Phase 1 (IKEv1) SAs will be shared when possible.

  • When a filter has multiple tunnels configured with the same peer, that peer must use a distinct request ID for each tunnel rather than reusing one.  Older versions of Cipafilter firmware reused request IDs, so it is not possible to maintain multiple tunnels with a single filter running pre-9.2 firmware, even if legacy mode is enabled.
