2.5. VPNs Administrative Web Page

2.5.1. Control

IPCop can easily establish VPNs with other IPCop servers. However, IPCop can also interoperate with just about any VPN product that supports IPSec and standard encryption technologies such as 3DES.

2.5.1.1. Global Settings

By adding the following information you can start your VPN configuration:

Local VPN IP. This is the IP address to be used to establish the IPCop end of the VPN. You can leave this blank to use the IP address on the Red Interface.

Enabled.  Place a “Check” in this box and click the Save button to update your VPN settings.

IPSec pass-through.  Check this box if you want another computer on your GREEN network to be the end point of a VPN not controlled by IPCop. For example, if you have a laptop with VPN software on it and you want to be able to connect it to your work. If this check box is not checked, IPCop will filter out the VPN packets. However, if IPSec packets are allowed to pass through, your laptop can establish a VPN between itself and your work.

2.5.1.2. Manual Control and Status

This section shows the current status of your VPNs. If you have a VPN enabled for your Red Interface and have no active connection to the Internet, the VPN for the Red Interface will not start, as there is no need.

Stop.  You can stop all active VPNs by clicking this button at any time.

Restart.  If for some reason your VPNs become unstable or fail altogether, simply click this button to get a fresh start.

2.5.2. Connections

To create a VPN connection between an IPCop server and another IPSec VPN, such as another IPCop server, certain important information must be provided. The information provided must match exactly on both ends (both IPCop servers) before a valid VPN connection can be established.

By using the Import button near the bottom of this section it is easier to make sure the information needed is entered correctly. The Export button will generate a file with the needed VPN Connection information that the VPN Connection Import function uses on the second IPCop server.

A full and in-depth explanation of the use and administration of IPCop VPNs and VPNs in general is outside the scope and intent of this manual. The information provided below is designed to simply explain what each field is for. For a more in-depth and complete look at the IPCop VPN implementation you should direct your attention to the IPCop VPN Howto. For more general VPN information simply go to the FreeS/WAN web site. If you have needs that are not met by the current IPCop VPNs web page, be sure to check the IPSec Practical Configurations for FreeS/WAN 1.x web site at Tripod. Unfortunately, Tripod has limits on access to web pages. A mirror copy of this data can also be found at Rob Campbell's web site.

The configurations discussed on the last three web sites will require you to change your ipsec.conf file by hand.

The first thing to keep in mind is that the Right and Left sides of a connection have no intrinsic meaning. IPSec determines which side it is running on by comparing the Left and Right IP addresses in the connection against the IP address of the machine it is running on.

The information needed to create a new VPN connection is as follows:

Name.  A simple name (lowercase only) to identify this connection.

Left.  The IP address or fully qualified domain name of the Left hand VPN connection. This must be different than the Right parameter.

Left next hop.  The next hop from the Left side to the Internet. This can be %defaultroute, which means that IPCop should use the default route specified by your ISP to reach the other side of the connection.

Left subnet.  The network of the Left hand side (ex. 192.168.10.0/24). This must be different than the Right subnet, below.

Right.  The IP address or fully qualified domain name of the Right hand VPN connection. This must be different than the Left parameter.

Right next hop.  The next hop from the Right side to the Internet. This can be %defaultroute, which means that IPCop should use the default route specified by your ISP to reach the other side of the connection.

Right subnet.  The network of the Right hand side (ex. 192.168.1.0/24). This must be different than the Left subnet, above.

Secret.  The Password needed to validate the VPN connection.

Compression.  If checked, packets sent on this VPN connection will be compressed, otherwise they will not.

Enabled.  Check this box and click the Add button to save your VPN configuration.
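As an added example (not IPCop's own code), the following Python checks the constraints this section states for a new connection entry: a lowercase Name, Left different from Right, each next hop either %defaultroute or an address, and each subnet written as a network (ex. 192.168.10.0/24) with the two subnets different. It then renders the matching ipsec.conf conn section; the keyword names (left, leftnexthop, leftsubnet, compress, auto) are assumed from FreeS/WAN 1.x syntax, and the Secret is deliberately not written there because FreeS/WAN keeps pre-shared keys in ipsec.secrets.

```python
import ipaddress
import re

# Constructed check of the constraints on the IPCop Connections page; not IPCop's own code.
NAME_RE = re.compile(r"^[a-z][a-z0-9]*$")
FQDN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+\.?", re.IGNORECASE)


def _host_ok(value: str) -> bool:
    """Left/Right: an IP address or a fully qualified domain name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return FQDN_RE.fullmatch(value) is not None


def validate_connection(c: dict) -> list:
    """Return the problems found; an empty list means the entry is acceptable."""
    problems = []
    if not NAME_RE.match(c.get("name", "")):
        problems.append("Name must be lowercase letters and digits only")
    for side in ("left", "right"):
        if not _host_ok(c.get(side, "")):
            problems.append(f"{side}: not an IP address or FQDN")
        hop = c.get(f"{side}_nexthop", "")
        if hop != "%defaultroute" and not _host_ok(hop):
            problems.append(f"{side} next hop: use %defaultroute or an IP address")
        try:  # strict=True rejects host bits such as 192.168.10.5/24
            ipaddress.ip_network(c.get(f"{side}_subnet", ""), strict=True)
        except ValueError:
            problems.append(f"{side} subnet: not a network in CIDR form")
    if c.get("left") == c.get("right"):
        problems.append("Left and Right must differ")
    if c.get("left_subnet") == c.get("right_subnet"):
        problems.append("Left subnet and Right subnet must differ")
    if not c.get("secret"):
        problems.append("Secret is required")
    return problems


def render_conn(c: dict) -> str:
    """Render a FreeS/WAN 1.x style ipsec.conf conn section (keyword names assumed)."""
    keys = ["left", "left_nexthop", "left_subnet", "right", "right_nexthop", "right_subnet"]
    body = [f"\t{k.replace('_', '')}={c[k]}" for k in keys]
    body += ["\tauthby=secret", f"\tcompress={'yes' if c.get('compression') else 'no'}",
             f"\tauto={'start' if c.get('enabled') else 'ignore'}"]
    return f"conn {c['name']}\n" + "\n".join(body) + "\n"
```

Because Left and Right have no intrinsic meaning, the same rendered section is valid on both ends, which is why the entry must match exactly on the two IPCop servers.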

To edit an existing entry simply “Check” the box next to the entry you wish to edit in the Mark column and click on the Edit button. You will then be able to edit the properties of the selected entry. Be advised that by editing an entry you are actually deleting that entry from the table and you will lose the information if you leave the page before clicking on the Add button.

To remove (delete) an entry, simply “Check” the box next to the entry you wish to delete in the Mark column and click the Remove button.

To disable an entry, simply “Check” the box next to the entry you wish to disable in the Mark column and click the Edit button. Once you enter the edit screen then un-“Check” the Enabled option and click the Add button.