VPN - Cipafilter Documentation

Manual - VPN

End-User VPN

Any user with the VPN access option checked on the Management Users page can access the local network via the Cipafilter's end-user (client-to-server) VPN services, if enabled.  The following protocols are supported:

L2TP over IPsec

Secure, easy to use, and supported by all major desktop and mobile operating systems, L2TP is the recommended protocol for end-user VPN access.  Cipafilter's implementation uses a pre-shared key (PSK) instead of certificate-based authentication — this makes it much simpler to deploy and use, but it is essential to the security of the tunnel that the chosen PSK be long and complex, and that it not be made public.  A PSK that balances complexity with user-friendliness is auto-generated when the L2TP option is selected, but, generally speaking, the longer and more complex the PSK, the better.

PPTP

PPTP is an older, simpler protocol which has traditionally been very common, especially on Windows machines.  However, it is now considered insecure, and it is gradually being phased out — ChromeOS, iOS 10+, and macOS 10.12+ do not support it.  Cipafilter retains this protocol strictly for backwards compatibility; it is not recommended.

Site-to-Site VPN

IPsec tunnels are supported for site-to-site (router-to-router) VPNs.  Cipafilter's implementation uses IKEv1/ESP with "next generation" cryptographic suites for the greatest security and performance.

To create an IPsec tunnel, simply enter the IP address of the remote endpoint (e.g., a second filter) and the subnets on each side's network which should be able to talk to each other.  A secure PSK will be automatically generated, but this can be overridden if necessary.  After configuring the filter, set up the remote endpoint with the reverse options (point it to the filter's IP, etc.).

If you need to connect a filter running recent firmware to a filter running older firmware (or a legacy third-party device), the legacy mode feature can be used.  Enabling legacy mode causes all site-to-site tunnels to use the legacy cipher suites used by old versions of Cipafilter firmware.  This feature is not secure and should not be used unless absolutely necessary.  The option to enable it will likely be removed in a future version of firmware.  Refer to the section below for more details.

IPsec implementation and compatibility

Although these technologies are industry-standard and in wide deployment, the site-to-site VPN functionality is designed primarily to interconnect two Cipafilter units — it may or may not function with other devices.  If you would like to create a site-to-site VPN with a third-party device, Cipafilter support will try to assist you, but compatibility is not guaranteed.

The following settings are used for all site-to-site tunnels:

Phase       Setting                     Value
---------   -------------------------   ------------------------------------------------
1 (IKEv1)   exchange mode               main
1 (IKEv1)   NAT traversal               enabled
1 (IKEv1)   DPD (Dead Peer Detection)   enabled, 10 second interval
1 (IKEv1)   authentication method       PSK (shared secret)
1 (IKEv1)   encryption algorithm        AES-256 (CBC)
1 (IKEv1)   integrity (hash) algorithm  SHA-256 (HMAC)
1 (IKEv1)   DH (PFS) group              MODP 4096 (group 16)
2 (ESP)     key lifetime                6 hours (21600 seconds)
2 (ESP)     encryption algorithm        AES-256 (16-byte GCM) or AES-256 (CBC)
2 (ESP)     authentication algorithm    AES-256 (16-byte GCM) or SHA-256 (HMAC)
2 (ESP)     DH (PFS) group              NIST ECP-384 (group 20) or MODP 4096 (group 16)
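The same Phase 1 and Phase 2 settings expressed as the remote side of a tunnel, for the case where the peer is a third-party strongSwan box rather than a second filter.  This is an added example, not Cipafilter's own configuration; it assumes the peer uses strongSwan's classic ipsec.conf format, and the addresses, subnets and connection names are placeholders.

```conf
# /etc/ipsec.conf on the remote strongSwan peer (hypothetical example)
conn cipafilter-site
    keyexchange=ikev1
    aggressive=no               # Phase 1 exchange mode: main
    authby=secret               # Phase 1 authentication: PSK (shared secret)
    # Phase 1: AES-256 (CBC), SHA-256 (HMAC), MODP 4096 (group 16); "!" = strict
    ike=aes256-sha256-modp4096!
    # Phase 2: AES-256 GCM (16-byte ICV) with NIST ECP-384 (group 20), or
    # AES-256 (CBC) + SHA-256 (HMAC) with MODP 4096 (group 16)
    esp=aes256gcm16-ecp384,aes256-sha256-modp4096!
    lifetime=6h                 # Phase 2 (ESP) key lifetime: 21600 seconds
    dpddelay=10s                # DPD enabled, 10 second interval
    dpdaction=restart
    left=203.0.113.10           # placeholder: this peer's public IP
    leftsubnet=10.10.0.0/16     # placeholder: local subnet behind this peer
    right=198.51.100.20         # placeholder: the filter's PRIMARY IP address
    rightid=198.51.100.20       # identity must be that IP, not a DNS name
    rightsubnet=10.20.0.0/16    # placeholder: subnet behind the filter
    auto=route                  # install the route now; establish on first traffic

# A second tunnel to the same filter with different subnets; the Phase 1
# SA is shared with the connection above where possible.
conn cipafilter-site-2
    also=cipafilter-site
    leftsubnet=10.11.0.0/16     # placeholder
    rightsubnet=10.21.0.0/16    # placeholder
```

The matching PSK line in /etc/ipsec.secrets has the form `203.0.113.10 198.51.100.20 : PSK "<the PSK shown on the filter>"`; NAT traversal needs no setting because strongSwan negotiates it automatically.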

Legacy-mode tunnels use the same settings, with the following cipher differences:

Phase       Setting                     Value
---------   -------------------------   ------------------------------
1 (IKEv1)   encryption algorithm        3DES (CBC)
1 (IKEv1)   integrity (hash) algorithm  MD5 (HMAC)
1 (IKEv1)   DH (PFS) group              MODP 1024 (group 2)
2 (ESP)     encryption algorithm        AES-128 (CBC) or 3DES (CBC)
2 (ESP)     authentication algorithm    SHA-1 (HMAC) or MD5 (HMAC)
2 (ESP)     DH (PFS) group              MODP 768 (group 1)

Additional notes:
  • Site-to-site tunnels are routed upon configuration, but they are not actually established until traffic is detected which needs to flow across the tunnel.  It is normal for a tunnel to not appear in the list of active SAs if it has just been configured for the first time or has not been used within the last few hours.

  • Endpoints may only form tunnels with a filter via its primary IP address (which is displayed at the top of every page on the Web management interface) — the use of a DNS name or secondary IP address will cause an identification failure between the two endpoints.

  • Multiple tunnels may be formed between the same two endpoints if the local or remote subnet differs.  Phase 1 (IKEv1) SAs will be shared when possible.

  • When a filter has multiple tunnels configured with the same peer, that peer must not reuse request IDs.  Since older versions of Cipafilter firmware do reuse request IDs, it is not possible to maintain multiple tunnels with a single filter running pre-9.2 firmware, even if legacy mode is enabled.
