9.2. Site-to-Site VPN

To establish a Site-to-Site VPN, set up one UserGate as the VPN client and another UserGate as the VPN server. Although configuring UserGate as a Site-to-Site VPN server is similar to configuring it as a remote access server, we recommend that you set each parameter individually, because some of them differ.

To set up your server as a shared VPN server for multiple offices, perform the following steps:

Step 1. Create a local user to authenticate the server that will be operating as a VPN client.

Go to Users and devices-->Users and create a new user for each of the remote UserGate servers that will be operating as VPN clients, then set the user passwords. It is recommended that you add all the created users to a group that is allowed to use VPN connections. By default, UserGate provides a group called VPN servers for this purpose.

Step 2. Allow the VPN service in the zone to which VPN clients will be connecting.

Go to Network-->Zones, edit the access control parameters for the zone to which VPN clients will be connecting and allow the VPN service in this zone. In most cases, it is the Untrusted zone.

Step 3. Create a zone where your VPN servers will be placed.

Go to Network-->Zones and create a zone where you are going to place VPN servers. You will be able to use this zone in the security policies.

It is recommended that you use the existing default zone VPN for Site-to-Site.

Step 4. Create a firewall rule to allow the traffic flow from the created zone.

Go to Network policies-->Firewall and create a firewall rule to allow the traffic flow from the created zone to other zones.

By default, UserGate provides a firewall rule called VPN for Site-to-Site to Trusted and Untrusted that allows all the traffic from the VPN for Site-to-Site zone to the Trusted and Untrusted zones. This rule is disabled by default.

Step 5. Create an authentication profile.

Go to Users and devices-->Auth profiles and create an authentication profile for VPN users. You can use the same authentication profile that is set up for user authentication and Internet access. For more details on authentication profiles, see the Auth profiles section.

Step 6. Create a VPN security profile.

A security profile defines the preshared key, encryption and authentication algorithms, and other settings. You can create multiple security profiles and use them for establishing connections with various client types.

To create a server profile, go to VPN-->Security profiles, click Add and fill out the following fields:

  • Name - name of the profile.

  • Description - description of the profile.

  • Preshared key - the string that must be the same on the server and on the client for a successful connection.

  • Security-->Encryption methods - pairs of authentication and encryption methods. These algorithms are applied in the same order as they appear here (from top to bottom). When establishing a new connection, the system will apply the first pair that is supported by both the server and the client. For compatibility with standard VPN clients, it is recommended that you leave the default values.

By default, UserGate provides a security profile called Site-to-Site VPN profile that defines all the necessary settings. If you are going to use this profile, make sure to change the preshared key.

Step 7. Create a VPN device.

A VPN device is a virtual network interface for connecting VPN clients. This interface type is a cluster interface: it exists virtually on all cluster nodes, so if a high-availability cluster is configured, VPN clients are automatically switched to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

  • Name - name of the interface in the form tunnelN, where N is the number of the virtual device.

  • Description - description of the interface.

  • Zone - zone of the interface. VPN clients will belong to this zone when connected. Assign the zone created in step 3.

  • Netflow profile - optional Netflow profile to be used for this interface.

  • Mode - IP address assignment mode: Dynamic (via DHCP), Static, or No address. Use Static mode when serving VPN clients.

  • MTU - MTU for the interface.

The VPN interface tunnel2 is preconfigured for use on the server side of a Site-to-Site VPN.

Step 8. Create a VPN network.

A VPN network defines the network settings that are applied when a client connects to the server. These settings include the IP addresses assigned to a client within the tunnel, DNS settings, and optional routes that are sent to the client (provided that the client supports such routes). You can create multiple VPN networks with different settings for different clients.

To create a VPN network, go to VPN-->VPN networks, click Add and fill out the following fields:

  • Name - name of the network.

  • Description - description of the network.

  • IP range that will be used by clients. Do not include the network or broadcast address here.

  • DNS servers that will be provided to clients; alternatively, enable the Use system DNS checkbox to assign the DNS servers used by UserGate itself to clients.

  • Routes that will be sent to a client, in classless inter-domain routing (CIDR) notation.

UserGate already provides a VPN network called Site-to-Site VPN network with the recommended settings. To use this network, make sure to add the routes that are to be sent to the client server.
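The three checks an administrator makes by hand in steps 6 and 8 (the preshared key must be changed from the shipped default and must match on both sides; the server's ordered list of authentication/encryption pairs decides which pair is used; the client IP range must not include the network or broadcast address and routes must be valid CIDR prefixes) can be written down as a small plan validator. The following is an added example, not UserGate code and not part of the original documentation; the default-key placeholder, the algorithm pair names and the addresses are constructed sample values, and the function names are assumptions. The negotiation function is general: it picks the first server pair that the client also supports, which is the top-to-bottom rule the text describes.

```python
import ipaddress

# Constructed placeholder standing in for whatever key a shipped default profile
# carries. The real default is not known here; this is an assumption for the example.
DEFAULT_PSK_PLACEHOLDER = "CHANGE_ME"


def check_preshared_key(psk, min_length=16):
    """Return a list of problems with a preshared key (empty list = acceptable).

    The key must be changed from the shipped default and must be the same
    string on the server and on the client, so it is worth rejecting an empty
    key, the placeholder, and anything trivially short.
    """
    problems = []
    if not psk or psk == DEFAULT_PSK_PLACEHOLDER:
        problems.append("preshared key is empty or still the default")
    elif len(psk) < min_length:
        problems.append(f"preshared key is shorter than {min_length} characters")
    return problems


def select_encryption_pair(server_pairs, client_pairs):
    """Return the first (authentication, encryption) pair in the server's
    ordered list that the client also supports, or None if they share none.
    The server's order decides; the client's list only filters."""
    supported = set(client_pairs)
    for pair in server_pairs:
        if pair in supported:
            return pair
    return None


def check_vpn_network(tunnel_subnet, first_ip, last_ip, routes):
    """Validate a planned VPN network.

    tunnel_subnet: the subnet of the tunnel interface (static mode).
    first_ip/last_ip: the client IP range handed out inside the tunnel.
    routes: the CIDR prefixes that will be sent to the client.
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    net = ipaddress.ip_network(tunnel_subnet, strict=True)
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)

    if first not in net or last not in net:
        problems.append("client IP range is outside the tunnel subnet")
    elif first > last:
        problems.append("client IP range start is after its end")
    # The network and broadcast addresses are not assignable to clients.
    if first == net.network_address or last == net.broadcast_address:
        problems.append("client IP range includes the network or broadcast address")

    for route in routes:
        try:
            # strict=True rejects prefixes with host bits set, e.g. 192.168.1.5/24
            prefix = ipaddress.ip_network(route, strict=True)
        except ValueError:
            problems.append(f"route {route!r} is not a valid CIDR prefix")
            continue
        # A route covering the tunnel itself would send tunnel traffic back into the tunnel.
        if prefix.overlaps(net):
            problems.append(f"route {route} overlaps the tunnel subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan for one remote office.
    plan_problems = check_preshared_key("CHANGE_ME") + check_vpn_network(
        "10.10.10.0/24", "10.10.10.2", "10.10.10.254",
        ["192.168.1.0/24", "192.168.2.0/24"])
    for problem in plan_problems:
        print("problem:", problem)
    print("negotiated:", select_encryption_pair(
        [("sha256", "aes256"), ("sha1", "aes128")],
        [("sha1", "aes128"), ("sha256", "aes256")]))
```

Run it before touching the UI: an empty problem list for the planned key, range and routes means the values can be entered as-is; each reported problem corresponds to one of the caveats in steps 6 and 8.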

Step 9. Create a VPN server rule.

Create a VPN server rule based on the previously created VPN interface and VPN security profile. To create a rule, go to VPN-->Server rules, click Add and fill out the following fields:

  • Name - name of the rule.

  • Description - description of the rule.

  • Server profile - server profile that you have previously created.

  • VPN tunnel - VPN tunnel that you have previously created.

  • Authentication profile - authentication profile that you have previously created.

  • Source - zones and addresses from which incoming VPN connections are accepted. Since most clients connect from the Internet, it is recommended that you select the Untrusted zone.

  • Interface - the previously created VPN device.

  • Users - a group of server accounts or individual server accounts that are allowed to connect via VPN.

By default, UserGate provides a server rule called Site-to-Site VPN rule that uses all the necessary settings for a Site-to-Site VPN and allows VPN access for all members of the local group called VPN servers.

To set up your server as a VPN client, perform the following steps:

Step 1. Create a zone where you are going to place the interfaces for VPN connections.

Go to Network-->Zones and create a zone where you are going to place the interfaces for VPN connections. You will be able to use this zone in the security policies.

It is recommended that you use the existing default zone VPN for Site-to-Site.

Step 2. Create a firewall rule to allow the traffic flow to the created zone.

Create an Allow firewall rule in Network policies-->Firewall.

By default, UserGate provides a firewall rule called VPN for Site-to-Site to Trusted and Untrusted that allows all the traffic among the VPN for Site-to-Site, Trusted and Untrusted zones. This rule is disabled by default.

Step 3. Create a VPN device.

A VPN device is a virtual network interface for VPN connections. This interface type is a cluster interface: it exists virtually on all cluster nodes, so if a high-availability cluster is configured, the VPN connection is automatically switched to a backup node without interruption. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

  • Name - name of the interface in the form tunnelN, where N is the number of the virtual device.

  • Description - description of the interface.

  • Zone - zone of the interface. The VPN connection will belong to this zone when established. Assign the zone you created for VPN connections in step 1 of this procedure.

  • Netflow profile - optional Netflow profile to be used for this interface.

  • Mode - IP address assignment mode: Dynamic (via DHCP), Static, or No address. Use Dynamic mode for the client side of a Site-to-Site VPN.

  • MTU - MTU for the interface.

The VPN interface tunnel3 is preconfigured for use on the client side of a Site-to-Site VPN.

Step 4. Create a VPN client rule.

Create a VPN client rule that will initiate connections to your VPN server. To create a rule, go to VPN-->Client rules, click Add and fill out the following fields:

  • Name - name of the rule.

  • Description - description of the rule.

  • Preshared key - a string that must be the same as the preshared key on the server.

  • Security-->Encryption methods - pairs of authentication and encryption methods. These algorithms are applied in the same order as they appear here (from top to bottom). When establishing a new connection, the system will apply the first pair that is supported by both the server and the client.

  • Server address - IP address of the VPN server to which this VPN client will connect. In most cases, it is the IP address of the interface in the Untrusted zone of the UserGate server that operates as the VPN server.

  • Interface - the previously created VPN interface.

  • Username and password - the user name and password of the user created in step 1 of the VPN server setup.

Once the VPN server and VPN client are up and running, the VPN client initiates a connection to the server and, on success, establishes the VPN tunnel. To bring a tunnel down, disable the VPN client rule (on the client side) or the VPN server rule (on the server side).