IPsec VPN FAQs: Difference between revisions
(7 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
When using '''tunnel''' mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using '''transport''' mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use '''tunnel''' mode. | When using '''tunnel''' mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using '''transport''' mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use '''tunnel''' mode. | ||
=== How do I configure MacOS IKEv2 VPN === | === How do I configure MacOS IKEv2 VPN === | ||
Line 19: | Line 15: | ||
=== Can I use IPsec on a server that uses DHCP to get its external address? === | === Can I use IPsec on a server that uses DHCP to get its external address? === | ||
It is generally recommended to use IPsec VPN only on | It is generally recommended to use IPsec VPN only on NG Firewall servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily. | ||
=== Does IPsec traffic go through other | === Does IPsec traffic go through other NG Firewall applications? === | ||
'''Yes and Maybe'''. IPsec tunnel traffic and traffic from L2TP and Xauth clients will pass through all the other apps just like any other LAN traffic. However, if you want IPsec tunnel traffic to bypass scanning by other applications you can add a [[Bypass Rules|bypass rule]]. | '''Yes and Maybe'''. IPsec tunnel traffic and traffic from L2TP and Xauth clients will pass through all the other apps just like any other LAN traffic. However, if you want IPsec tunnel traffic to bypass scanning by other applications you can add a [[Bypass Rules|bypass rule]]. | ||
Note: In versions prior to | Note: In versions prior to 16.2, the default was to bypass all IPsec tunnel traffic (but not L2TP or Xauth). You may still have a bypass rule in place to ''Bypass all IPsec traffic'' which will cause the traffic to not be scanned by other apps. | ||
Latest revision as of 21:53, 14 September 2023
What's the difference between tunnel and transport mode?
When using tunnel mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using transport mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use tunnel mode.
How do I configure MacOS IKEv2 VPN
See Configuring An IKEv2 IPsec Connection From macOS To NG Firewall.
If I install NG Firewall behind a NAT device, what do I need to forward to NG Firewall for IPsec VPN to connect?
You will need to forward ESP, AH, and UDP port 500 from the public IP to the NG Firewall server. You may also need to enable NAT traversal. It is recommended to give NG Firewall a public IP if you want to set up IPsec tunnels.
Can I use IPsec on a server that uses DHCP to get its external address?
It is generally recommended to use IPsec VPN only on NG Firewall servers configured with static IPs. However, technically it can work with DHCP, but you will need to reconfigure the tunnel whenever the IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.
Does IPsec traffic go through other NG Firewall applications?
Yes and Maybe. IPsec tunnel traffic and traffic from L2TP and Xauth clients will pass through all the other apps just like any other LAN traffic. However, if you want IPsec tunnel traffic to bypass scanning by other applications you can add a bypass rule.
Note: In versions prior to 16.2, the default was to bypass all IPsec tunnel traffic (but not L2TP or Xauth). You may still have a bypass rule in place to Bypass all IPsec traffic which will cause the traffic to not be scanned by other apps.