Chapter 12 VPN
NG-UTM can use VPNs to establish secure network connections, consolidating the remote network connections of an enterprise’s sites and the remote computers of field personnel worldwide. This gives enterprises and remote users a secure and convenient way to encrypt their traffic, for optimal performance and confidentiality when transferring data over the Internet.
NG-UTM supports 4 types of VPN protocol, namely IPSec, PPTP, L2TP and SSL VPN, each with different attributes and positioning.
IPSec emphasizes the site-to-site tunnel, while PPTP, L2TP and SSL VPN primarily allow external users to connect securely to the internal network over the Internet.
Broadly speaking, IP Tunnel, like the encrypted mode of IPSec, is also a VPN connection mode in network configurations, but it is categorized as a virtual interface based on the Tunnel.
Description of types of VPN:
1. IPSec VPN Tunnel: System administrators can use the IPSec protocol to establish a site-to-site VPN tunnel. The communication data on both sides of the tunnel is encrypted with DES, 3DES or AES, so that even if someone intercepts the tunnel’s packets, they cannot decrypt the transmission.
2. PPTP Server / L2TP: The administrator can create PPTP or L2TP dial-in accounts here, so that external users can use the resources inside NG-UTM.
3. SSL VPN Server: Administrators can set up SSL VPN dial-in accounts here so that external users can use NG-UTM internal resources.
To establish a Virtual Private Network (VPN), it is necessary to create a tunnel in the IPSec VPN or an account on the PPTP/L2TP/SSL VPN server.
To control the traffic that passes through these connections, IPSec VPN rules are managed in 4-2. IPSec Policy.
PPTP, L2TP and SSL VPN rules are managed in 4-1. Security Policy.
12-1. IPSec Tunnel
Tip
Refer to video | ShareTech NU series UTM Teaching: IPSec VPN introduction and example
12-1-1. IPSec Tunnel
• IPSec Tunnel List
Once an IPSec VPN tunnel has been built, it appears in the list, as below:
【Local Interface】: The physical interface currently used by this IPSec VPN.
【Switch】: Indicates whether this VPN entry is the master or the backup.
• Build an IPSec VPN tunnel
To establish an IPSec VPN tunnel, the same settings are required on both ends for a successful connection. The information required for each connection is described below:
Under the IPSec VPN tunnel list, select the :
【Enable】: Whether to activate this IPSec VPN tunnel.
【Tunnel name】: Any Chinese or English words that the administrator can easily recognize.
【Local IP】: Which IP address or domain accepts the packets of this IPSec VPN tunnel, usually an IP address on the external network.
【Remote IP】: The IP address or domain name of the remote IPSec VPN tunnel endpoint.
If the remote endpoint’s address is unknown, use a dynamic IP address. Additionally, when multiple IPSec VPN tunnels have dynamic external IP addresses, ensure that their Preshare Keys are the same.
【Enable Redundant】: Whether to enable the backup service. When this IPSec VPN tunnel is disconnected, the system automatically switches to the backup one.
【How long disconnect, switch to the redundant】: How long the primary IPSec VPN tunnel must be disconnected before switching to the backup route. The default value is 5 minutes.
【Redundant Local IP】: Which WAN IP address or domain is used by the backup route to accept the packets of the IPSec VPN tunnel.
【Redundant Remote IP】: The IP address or domain name of the remote IPSec VPN tunnel endpoint for the backup route. If this information is not known, use a dynamic IP address.
【Define Redundant Preshare Key】: The Preshare Key used for the backup route.
Since the backup route establishes a new IPSec tunnel to replace the original one, this key must match the setting on the remote device as well.
【Enable Routing】: Check this box to enable routing.
【Multiple Tunnel Mode】: Distributes data among 2 or more IPSec VPN tunnels to achieve a mechanism similar to load balancing. The settings for the disabled and the enabled state are described below.
· 【Multiple Tunnels Mode】: Disabled. Specify the network segments that interconnect through the IPSec VPN.
In general, the two ends of an IPSec VPN tunnel are in different internal network segments, for example 192.168.1.0/24 to 192.168.2.0/24. If either end has non-contiguous segments to interconnect, press the button to add the interconnected segments. For example, Point A has 192.168.1.0/24 and 172.16.1.0/24 and connects to Point B’s 192.168.2.0 and 172.16.2.0/24. Both ends need to use the same IPSec VPN tunnel to reach each other’s segments.
· 【Multiple Tunnels Mode】: Enabled. Enter the tunnel ID of both sides to enable Multiple Tunnel Mode. The general tunnel ID format is the external network IP address prefixed with “@”, for instance “@1.1.1.1” or “@vpn.dyndns.org”. Its operational scenario therefore mostly involves both ends having fixed IPv4 addresses or using dynamic domain names, so that the remote IP address or domain name can be identified.
【Local IP】: The external network IP address of the local end of the IPSec VPN tunnel, prefixed with the “@” symbol, for instance “@1.1.1.1”.
【Remote IP】: The external network IP address of the remote end of the IPSec VPN tunnel, prefixed with the “@” symbol, for instance “@1.1.1.1”.
• The encryption information for the IPSec tunnel
There are two areas: the IKE setting (Phase 1) and the IPSec setting (Phase 2).
1. IKE Setting (Phase 1)
【IKE】: Choose V1 or V2; IKE V2 is the newer protocol. Before setting it, make sure both sides of the tunnel use the same IKE version.
【Connection Type】: Choose main mode or aggressive mode; main mode is usually chosen.
In aggressive mode, all VPN tunnels share one Preshare Key.
【Preshare Key】: The key used for IPSec encryption while establishing the connection between both sides of the IPSec VPN tunnel.
【ISAKMP】: The Internet Security Association and Key Management Protocol (ISAKMP) provides the logical framework for two devices to establish a Security Association (SA).
A Security Association (SA) is used to encrypt connections between two computers, specifying which algorithms and key lengths, or actual encryption keys, to use.
There is more than one way to establish an SA: starting from the ISAKMP SA between the two computers, it is essential to specify which encryption algorithm to use (DES, Triple DES, AES) and which packet authentication method (MD5 or SHA1).
· DES/3DES: Triple Data Encryption Standard (3DES) provides a more secure encryption key method than DES (a 56-bit encryption key). The encryption key used in 3DES is 168 bits.
· AES: Advanced Encryption Standard (AES) is a more rigorous encryption standard than DES. The DES encryption key length is 56 bits, while AES encryption key lengths are 128, 192 or 256 bits. Most current Intel CPUs support AES hardware encryption and decryption, so under equivalent CPU conditions AES is faster than 3DES.
· MD5: A one-way hashing algorithm that takes a string of any length and computes a 128-bit hash.
· SHA: An algorithm used for generating message digests or hashes. The original SHA algorithm has been replaced by the improved SHA1 algorithm, which computes a 160-bit hash.
【DH Group】: Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
【Local ID】: The input field for this ID is not displayed if “multiple tunnels mode” is enabled. By default, the local IP address is used as the ID, but administrators can also enter a domain name as the local ID.
The system automatically prepends “@” before sending it to the remote end, for example “@1.1.1.1” or “@ghi.com”.
When configuring, make sure that the data on both sides matches symmetrically.
【Remote ID】: The input field for this ID is not displayed if “multiple tunnels mode” is enabled. By default, the remote IP address is used as the ID, but the administrator can also enter a domain name as the remote ID. The system automatically prepends “@” to it, treating it as the ID the remote side presents to the local side, for example “@2.2.2.2” or “@def.com”.
When configuring, make sure that the data on both sides matches symmetrically.
【IKE SA Lifetime】: The expiry time of the ISAKMP SA. When the set time is reached, the system automatically creates another SA to replace the previous one.
The default time is 3 hours, with a setting range of 1 to 24 hours.
2. IPSec Setting (Phase 2)
【IPSec Algorithm】: Specify which encryption algorithm to use (DES, Triple DES, AES) and which packet authentication method (MD5 or SHA1).
【Perfect Forward Secrecy (PFS)】: Ensures that even if the private key is compromised, historical communications remain secure. This feature provides forward secrecy, keeping past sessions secure even in the event of an active attack on the system.
【Lifetime of IPSec SA】: The expiry time of the IPSec SA. When the set time is reached, the system automatically creates another SA to replace the previous one.
The default time is 3 hours, with a setting range of 1 to 24 hours.
• IPSec Other Setting
【Dead Peer Detection】: DPD is a standard protocol for automatically detecting VPN disconnection. It can automatically determine whether the IPSec tunnel at the other end of the VPN is operating normally.
When an issue is detected with the IPSec tunnel, a Hold, Clear or Restart action can be executed for that VPN tunnel.
Hold means to keep waiting for the tunnel to resume normal operation, Clear means to clear the related information and wait for reconnection, and Restart means to initiate a direct reconnection of the VPN tunnel.
【Closing the Network Neighborhood】: Establishing an IPSec VPN tunnel lets both sides use the Network Neighborhood protocol to look up computer names. The default is enabled, meaning Network Neighborhood packets are permitted to pass from one end of the VPN tunnel to the other.
For example: two NG-UTM establish IPSec VPN connection to access specific internet resources.
Company A: WAN IP is 61.11.11.11, LAN IP is 192.168.188.0/24
Company B: WAN IP is 211.22.22.22, LAN IP is 192.168.200.0/24
In this situation, the IPSec VPN tunnel connection environment is structured as follows:
1. Setting of Company A: Enter Company A’s NG-UTM IPSec VPN tunnel settings; by default, no tunnel is listed.
【Enabled】: Choosing to enable
【Name of VPN Tunnel】: connecting to Company B
【Local IP Address】: 61.11.11.11
【Remote IP Address】: 211.22.22.22
【Local Internet】: 192.168.188.0/24
【Remote Internet】: 192.168.200.0/24
【Enabling back-up】: Do not enable back-up service
IPSec Phase 1 Setting
【Connection Mode】: Main mode
【Preshare Key】: 123456789
【ISAKMP Algorithm】: AES / SHA-1, DH Group2
IPSec Phase 2 Setting
【IPSec Algorithm】: AES / SHA-1, DH Group2
IPSec Other Setting
【Dead Peer Detection】: Restart
2. Setting of Company B: Enter Company B’s NG-UTM IPSec VPN tunnel settings; by default, no tunnel is listed.
【Enabled】: Choosing to enable
【Name of VPN Tunnel】: connecting to Company A
【Local IP Address】: 211.22.22.22
【Remote IP Address】: 61.11.11.11
【Local Internet】: 192.168.200.0/24
【Remote Internet】: 192.168.188.0/24
【Enabling back-up】: Do not enable back-up service
IPSec Phase 1 Setting
【Connection Mode】: Main mode
【Preshare Key】: 123456789
【ISAKMP Algorithm】: AES / SHA-1, DH Group2
IPSec Phase 2 Setting
【IPSec Algorithm】: AES / SHA-1, DH Group2
IPSec Other Setting
【Dead Peer Detection】: Restart
➤ The values that differ between the two sides of the network are marked in red and must be confirmed and entered correctly. If a network segment or external IP address is set incorrectly, the VPN connection will fail.
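As an added example (not ShareTech’s code), the following Python script cross-checks the two tunnel forms above, Company A’s and Company B’s, for exactly the mismatches the note warns about: mirrored Local/Remote IPs and networks, identical Preshare Key and Phase 1/Phase 2 settings, and the “@” ID rule from 12-1-1. The IpsecSide class and the "dynamic" placeholder for an unknown peer address are assumptions made here, not NG-UTM field names.

```python
# Added example (not ShareTech's code): cross-check the two NG-UTM sides of an
# IPSec VPN tunnel before either box is configured, so that the values the
# manual says must mirror each other are consistent.
import ipaddress
from dataclasses import dataclass


@dataclass
class IpsecSide:
    """One end's tunnel form. Field names paraphrase the manual; the class and
    the "dynamic" placeholder for an unknown peer address are assumptions here."""
    name: str
    local_ip: str           # Local IP: WAN IP or domain accepting the tunnel
    remote_ip: str          # Remote IP of the peer, or "dynamic" if unknown
    local_net: str          # Local Internet, e.g. 192.168.188.0/24
    remote_net: str         # Remote Internet
    preshare_key: str
    ike_version: int = 1
    connection_type: str = "main"              # main or aggressive
    isakmp_algorithm: str = "AES/SHA-1/DH2"    # Phase 1
    ipsec_algorithm: str = "AES/SHA-1/DH2"     # Phase 2
    local_id: str = ""      # blank: system uses the local IP, prefixed with "@"
    remote_id: str = ""     # blank: system uses the remote IP, prefixed with "@"


def tunnel_id(explicit, fallback_ip):
    """The manual's ID rule: default to the IP address, always carry the "@" prefix.
    Returns None when no usable ID exists yet (peer address still unknown)."""
    ident = explicit or fallback_ip
    if ident == "dynamic":
        return None
    return ident if ident.startswith("@") else "@" + ident


def check_peer_pair(a, b):
    """Return a list of mismatches between the two forms; empty means they mirror."""
    problems = []

    def mirrored(label, left, right):
        # Skip the comparison when one side cannot know the value yet (dynamic peer).
        if left is None or right is None or left == "dynamic" or right == "dynamic":
            return
        if left != right:
            problems.append(f"{label}: {a.name} has {left!r}, {b.name} has {right!r}")

    # A's Local values must appear as B's Remote values, and vice versa.
    mirrored("Local IP / Remote IP", a.local_ip, b.remote_ip)
    mirrored("Remote IP / Local IP", a.remote_ip, b.local_ip)
    mirrored("Local network / Remote network", a.local_net, b.remote_net)
    mirrored("Remote network / Local network", a.remote_net, b.local_net)
    mirrored("Local ID / Remote ID",
             tunnel_id(a.local_id, a.local_ip), tunnel_id(b.remote_id, b.remote_ip))
    mirrored("Remote ID / Local ID",
             tunnel_id(a.remote_id, a.remote_ip), tunnel_id(b.local_id, b.local_ip))

    # These values must be identical on both sides.
    for label, left, right in (
        ("Preshare Key", a.preshare_key, b.preshare_key),
        ("IKE version", a.ike_version, b.ike_version),
        ("Connection type", a.connection_type, b.connection_type),
        ("ISAKMP algorithm (Phase 1)", a.isakmp_algorithm, b.isakmp_algorithm),
        ("IPSec algorithm (Phase 2)", a.ipsec_algorithm, b.ipsec_algorithm),
    ):
        if left != right:
            problems.append(f"{label} differs: {left!r} vs {right!r}")

    # The two ends must sit in different internal segments (manual, 12-1-1).
    local = ipaddress.ip_network(a.local_net, strict=False)
    remote = ipaddress.ip_network(a.remote_net, strict=False)
    if local.overlaps(remote):
        problems.append(f"Local and remote networks overlap: {local} vs {remote}")
    return problems


# Constructed from the manual's Company A / Company B example above.
COMPANY_A = IpsecSide("Company A", "61.11.11.11", "211.22.22.22",
                      "192.168.188.0/24", "192.168.200.0/24", "123456789")
COMPANY_B = IpsecSide("Company B", "211.22.22.22", "61.11.11.11",
                      "192.168.200.0/24", "192.168.188.0/24", "123456789")

if __name__ == "__main__":
    for line in check_peer_pair(COMPANY_A, COMPANY_B) or ["both tunnel forms mirror each other"]:
        print(line)
```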
The process of setting up a new IPSec VPN tunnel is fairly involved: the IDs, the networks in use and the other values on the two sides must correspond.
As the number of IPSec VPN tunnels increases, they become harder to tell apart and the chance of confusion grows; in particular, most remote IPs are dynamic IP addresses, so the stability of the IPSec VPN is a challenge.
ShareTech therefore introduced the Auto VPN structure, which is built on the foundation of IPSec VPN. Its setup logic is simplified to 2 basic components, making VPN deployment convenient and fast.
Auto VPN Server: Holds the IPSec VPN settings and produces an identification code for the Client to use.
Auto VPN Client: Receives the identifier from the Auto VPN Server; enter the IP address of the Auto VPN Server and the Client setting is finished.
12-1-2. Auto VPN Server
When creating a new Auto VPN Server tunnel, all settings except the identifier are the same as for a traditional IPSec VPN tunnel.
Clicking :
【Identifier】: For each VPN tunnel, the system automatically generates a unique identifier, which is copied and transmitted to the Auto VPN Client.
12-1-3. Auto VPN Client
Once you have the 【Identifier】 of the Auto VPN Server, you can proceed to the Auto VPN Client settings on the remote side; the Client setting is much less fussy than an IPSec VPN tunnel.
【Enabled】: Whether to enable this VPN setting.
【Tunnel Name】: A name that is easy to recognize.
【Server IP】: The external IP address of the Auto VPN Server.
【Identifier】: Enter the identifier received from the Auto VPN Server.
【Local IP】: Which local IP to use for establishing the VPN tunnel.
The VPN tunnels created in the Auto VPN Client are displayed in the list below:
12-2. PPTP Server
Off-the-shelf PPTP dial-up software is available in each operating system, such as Windows and Linux.
By entering the account and password that the administrator provided in advance, you can reach the internal network of NG-UTM through a PPTP VPN connection.
To use the PPTP function of NG-UTM, proceed as follows:
1. Enable the PPTP server
2. Create an account
3. Go to Control Rules in Control Regulations to determine which network resources PPTP users can access
Tip
Refer to the video | ShareTech NU series UTM Teaching: PPTP introduction and Server Setting, Setting of PPTP on Windows and Android
12-2-1. PPTP Server
The first step in establishing a PPTP server is to enable the PPTP server,
so that remote users can use PPTP dial-up software to establish an encrypted VPN connection with the PPTP server of NG-UTM. Proceed as follows:
【Enable】: Whether to enable the PPTP Server.
【Compression & Encryption】: Enable compression in the PPTP channel.
【Client IP Address (Start-End)】: IP addresses and ranges to be assigned to dial-in clients.
【DNS1/2】: DNS server addresses assigned to remote clients.
【WINS1/2】: WINS server addresses assigned to remote clients. WINS is usually used for finding network neighbors.
12-2-2. Add Account
Create a dial-in account for the client in the 【Add Account】 tab.
【Enable】: Whether to enable this account.
【Account】: The account the PPTP client uses to dial in.
【Password】: The password the PPTP client uses to dial in.
【Account Expiration Date】: Limits the period during which the newly created account can be used.
【Client IP Address】: How the client obtains its IP address after dialing into PPTP. Besides 【Assigned by PPTP Server】, which assigns an address from the configured range, the admin can select 【Use Defined IP Address】 to assign a specific IP address or range to a specific account.
12-2-3. PPTP Account List
Completed PPTP accounts are displayed in the 【PPTP Account list】 tab, where the administrator can activate and deactivate each PPTP account.
【Account】: The PPTP client’s dial-in user account.
【Account Expiration Date】: The period during which the PPTP account can be used.
【Edit/Delete】: Allows editing, such as changing the password, adjusting the account expiration period or customizing IP assignments, or deleting the account.
12-2-4. PPTP Server Record
【Time】: The time the PPTP client dialed in.
【Account】: The username used for dial-in.
【IP resource】: The original (source) IP address of the PPTP client.
【Local allocation IP】: The IP address the PPTP server assigned to the client for this connection, or the fixed IP address if 【Enter IP address】 is used.
【Event】: The start or end event of the PPTP client dial-in.
For the end event, the system automatically calculates the total usage time in hours:minutes; any duration below 1 minute is recorded as 00:00.
12-3. SSL VPN Server
SSL VPN is a secure, encrypted virtual private network technology that allows users to use their computers in the field as if they were on the LAN.
This lets users reach resources that are only available within the LAN, such as ERP, inventory or library query systems that restrict the source IP address.
Because the data is encrypted, it cannot be read while crossing the Internet, ensuring the security of the data transmitted between the two parties.
With the control function, there are two modes for remote clients: one enters the intranet only, the other also reaches the Internet through the VPN Server.
Both modes can control the bandwidth, traffic and time used by remote clients.
To use SSL VPN, the software and certificate must be downloaded from the VPN Server. SSL VPN clients need no installation; the software runs directly.
So users can put the software and certificate on any mobile storage device, such as a USB drive, and then run them on any computer.
Clients log in to the SSL VPN server to get the SSL VPN client software and certificate; because the NG-UTM client software and certificate are bundled together, users can run them directly after downloading and unzipping.
The default URL is https://(network interface IP address or domain):(System Settings > Basic Settings > Management Interface Access Settings > HTTPS Port)/sslvpn.php
Example: If the management IP address and port of the interface are https://211.2.2.2:8443, the URL is https://211.2.2.2:8443/sslvpn.php
For client usage instructions, see: Use for SSL VPN Client
Tip
Refer to video | ShareTech NU Series UTM Teaching: SSL VPN server and POP3 explanation and examples, SSL VPN client installation file
12-3-1. SSL VPN Setting
SSL VPN is disabled by default; click 【Modify Server Settings】 to open the setting interface.
After the setting is completed, the system generates an SSL VPN certificate, which users use to log in to the SSL VPN server.
If the server settings are changed later, all certificates must be downloaded again, so take care with the initial setup; otherwise users will need to change their certificate frequently.
• SSL VPN Server Setting
【Service Status】: Start or stop.
【Local Interface】: Select the interface and IP address that provide the SSL VPN service; click to view the available interfaces and IP addresses.
Multiple interfaces and IP addresses can be selected here; for example, IP address 11.12.13.14 in zone 1 and IP address 23.24.25.26 in zone 2 can both provide SSL VPN dial-in service.
【Client Linking Setting】: (to be completed)
【Local Port】: The administrator can set a port or a range of ports for SSL VPN clients to dial into.
For example, 387-387 means that only port 387 accepts SSL VPN connections, while 387-400 means that every port in this range accepts SSL VPN dial-in.
The port the client uses to communicate with the server must differ from the port used by the WAN management interface.
【Max concurrent connections】: The number of people allowed to use SSL VPN at the same time; the default is 20.
【VPN IP Range】: The range of IP addresses assigned to SSL VPN clients. This range must not be the same as an internal network segment.
【DNS Server】: The DNS server assigned to the SSL VPN user after a successful connection.
【WINS Server】: The WINS server assigned to the SSL VPN user after a successful connection.
【Two-step verification validity extension】: After a successful login with two-step verification, the same verification code can be reused for login within the set period from the same source IP.
• Client Route setup
When SSL VPN clients dial in, NG-UTM allocates which intranets the user may reach, which means that a successful SSL VPN dial-in does not by itself grant access to every internal network segment.
【Push Route】: Click 【switch】 to open a new tab where the administrator can choose.
• Certificate Setting
The certificates used by SSL VPN clients are issued by the SSL Server. Some information must be filled in when issuing certificates, which the certificate mechanism uses to create certificates for users.
Each field must contain at least one character and cannot be empty. If any character in these fields is changed, each user’s certificate will need to be re
12-3-2. Client SSL VPN List
Before adding an SSL VPN client, it is necessary to add an authentication group and select the group members for online authentication; refer to 5-9-4. User Groups.
Adding an authentication group
Select under the Client SSL VPN to add an authentication group:
【Annotation】: Any words describing the SSL VPN client, such as SSLVPN-TEST.
【Authentication Group】: Shows the groups that have been added and verified but not yet applied.
【URL on Successful Connection】: After the SSL VPN connection succeeds, the browser is automatically redirected to this web page. If it is not set, the default URL of the user’s browser is used.
• Client SSL VPN List:
The Client SSL VPN List shows all SSL VPN users.
Whenever the administrator changes any text in the certificate server settings, all certificates of the established SSL VPN users need to be regenerated.
Click the 【Retrieve All Certificates】 button and NG-UTM updates all certificates at once; users can use them after downloading again.
【User’s Account】: The accounts of the members of this group.
【Unsubscribe certificate】: The user cannot dial in once their certificate is cancelled; to use it again, the certificate must be retrieved.
【Retrieve Certificates】: The user should retrieve a new certificate if their certificate has been cancelled or the certificate content has been reset.
【Download Software】: The user can download the client software in either the 32-bit or the 64-bit version.
【Download Certificate】: Download the user certificate (ovpn configuration file).
【Set User’s Fixed IP Address】: The server assigns this fixed IP address to the SSL VPN client each time it dials in successfully.
【Out of Use】: Temporarily suspends the user’s certificate; it stays valid but without the privilege of dialing in. There is no need to obtain the certificate again when re-enabling it.
【Setting the user’s Fixed MAC Address】: The administrator can fill in the MAC address of the user’s SSL VPN computer in this field, so that a stolen account, password or certificate cannot be used from another machine.
This ensures the user’s computer is one approved by the administrator; leaving it blank means the MAC address is not checked when dialing in.
Use for SSL VPN Client
Users can log in to the SSL VPN user portal of NG-UTM to download the SSL VPN software.
The download URL is https://(network interface IP address or domain):(System Settings > Basic Settings > Management Interface Access Settings > HTTPS Port)/sslvpn.php
1. Use https://SSL SERVER/sslvpn.php to download the files.
2. Download the SSL VPN client and certificate files and save them. After downloading, unzip the files anywhere.
3. Run the SSL VPN client software from the extracted location:
openvpn-gui-1.0.3-en.exe
5. Choose EDIT Config to select the language, change the SSL VPN Server and port number, and choose whether to connect to the Internet through the remote side.
If Internet from Remote is unchecked, all traffic goes out locally except for the remote LAN and DMZ addresses, which pass through the SSL VPN tunnel.
6. For the SSL VPN connection, enter the account and password the administrator provided; these are the same account and password used to download the software and certificate.
7. When the SSL VPN connection is complete, the small icon changes from red to green, indicating that the SSL VPN connection is established.
12-3-3. SSL VPN Log
Each SSL VPN connection has a detailed log in NG-UTM.
【Refuse Connection Log】: Whether to record connections rejected by the SSL VPN Server.
Each account that can dial in with SSL VPN appears in the user list.
【Online】: The total number of SSL VPN users online.
【Kick】: The administrator can force users connected through SSL VPN offline; click the kick link to disconnect them.
12-4. L2TP
NG-UTM supports L2TP, which uses the Preshare Key encryption of IPSec VPN and is more robust than PPTP.
Tip
Refer to video | ShareTech NU Series UTM Teaching: L2TP Introduction and Server Setting, L2TP Setting on Windows, Android and iOS
12-4-1. Account List
The list shows the established L2TP accounts; the administrator can check the status of each account, activate or deactivate it, and edit, delete or view its usage logs.
Click this button below the account list to add an account:
【Enable】: Whether to enable this account.
【Account】: The account used to dial in with L2TP.
【Password】: The password used to dial in with L2TP.
【Account Expiration Date】: Limits the period during which the newly created account can be used.
【User’s IP Address】: Two options: use the assigned IP address, or enter your own IP address.
12-4-2. Basic Setting
L2TP is built on IPSec encryption technology, so the Preshare Key and the range of IP addresses to allocate must be configured in advance.
【Enable】: Whether to enable the L2TP Server.
【Client IP Address】: IP addresses and ranges assigned to dial-in clients.
【The First DNS Server】: The DNS server address assigned to remote clients.
【The Second DNS Server】: The second DNS server address assigned to remote clients.
【Interface IP】: Which external interface IP serves as the L2TP dial-in address.
Click and the system lists all the external interfaces that can be provided; multiple interfaces can be checked to let L2TP VPN users dial in.
【Preshare Key】: The encryption password used for L2TP.
12-4-3. L2TP Log
【Time】: The start time of the L2TP client dial-in.
【Account】: The username used for dial-in.
【Source IP】: The original IP address of the L2TP client.
【Local Assigned IP】: The IP address assigned by the L2TP server to the client during this connection. If “Enter IP address manually” is used, the fixed IP is assigned.
【Event】: The start or end event of the L2TP client dial-in.
For the end event, the system automatically calculates the total usage time in 「hours: minutes」. Any duration less than 1 minute is recorded as 00:00.
12-5. SD-WAN
NG-UTM supports SD-WAN. SD-WAN can bind any combination of egress lines or VPN tunnels into a channel control mechanism:
as long as each channel can individually reach the remote side, any combination of them can be bundled, and traffic is then prorated across the gateways according to their settings.
Tip
Refer to video | ShareTech NU Series UTM Teaching: SD-WAN function introduction, SD-WAN setting examples
Click this button below the SD-WAN list to add an SD-WAN:
【Group Name】: The name of this SD-WAN.
【Proportion】: The load distribution ratio of the lines.
If you use 3 lines as load lines and set them to A:1, B:2 and C:3,
then the 1st packet is sent to A, the 2nd and 3rd packets to B, the 4th, 5th and 6th packets to C, the 7th packet to A, and so on.
【VPN Tunnel】: Tunnels built using IPSec VPN.
【Gateway】: Physical lines connected to the NG-UTM.
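As an added example (not ShareTech’s code), the following Python model reproduces the 【Proportion】 rule above so the per-line share of a bundle can be checked before the policy is applied. Treating a line as "down" and skipping it is an assumption made here to illustrate a tunnel dropping out of the bundle; the manual does not describe SD-WAN failover.

```python
# Added example (not ShareTech's code): a small model of the SD-WAN
# "Proportion" rule described in the manual, where lines A:1, B:2, C:3
# carry packets 1 | 2,3 | 4,5,6 | 7 ... in turn.
from itertools import islice


def sdwan_schedule(proportions):
    """Yield line names forever in the manual's order: a line receives its full
    proportion of consecutive packets before the next line takes over.

    proportions: ordered mapping of line name -> positive integer weight.
    """
    if not proportions or any(w <= 0 for w in proportions.values()):
        raise ValueError("every SD-WAN line needs a positive proportion")
    while True:
        for line, weight in proportions.items():
            for _ in range(weight):
                yield line


def assign_packets(proportions, count, down=()):
    """Return the line chosen for each of the first `count` packets.

    `down` is an assumption added here, not a documented NG-UTM option: lines
    listed in it (say an IPSec tunnel that DPD reported dead) are skipped and
    the remaining lines keep their relative proportions.
    """
    live = {line: w for line, w in proportions.items() if line not in down}
    if not live:
        raise ValueError("no SD-WAN line available")
    return list(islice(sdwan_schedule(live), count))


def share_per_line(proportions, count, down=()):
    """Fraction of the first `count` packets each live line carried; over whole
    cycles this equals the line's proportion divided by the sum of proportions."""
    assigned = assign_packets(proportions, count, down)
    return {line: assigned.count(line) / count
            for line in proportions if line not in down}


# Constructed sample: the manual's three load lines.
LINES = {"A": 1, "B": 2, "C": 3}

if __name__ == "__main__":
    for n, line in enumerate(assign_packets(LINES, 7), start=1):
        print(f"packet {n} -> line {line}")
    print(share_per_line(LINES, 60))
```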
After the SD-WAN is built, it shows up in the list, but only its lines are defined so far. To configure which protocols may run over these lines, go to 4-3. SD-WAN Policy.