Secure Sockets Layer (SSL) VPN is an emerging technology that provides Site-to-Site VPN capability. SSL VPN has some unique features when compared with other existing VPN technologies. Most noticeably, SSL VPN uses SSL protocol and its successor, Transport Layer Security (TLS), to provide a secure connection between remote users and internal network resources.
We will have to create four VPN rules for establishing VPN in either interzone or custom rule.
1. LAN -VPN
Select services as per your requirement or you can select any services and click on OK
Configuring SSL VPN Server Settings
Before establishing SSL VPN connections you need to configure the SSL VPN server on Seqrite UTM. The client will send request to this server and the server will authenticate the client as per the authentication settings. After a successful authentication the connection for communication will be established.
1. Navigate to VPN > SSL > Server Settings. The following screen appears.
2. Select a Certificate Authority for SSL VPN and set it as default using the Set Default button. If there is no Certificate Authority, you can also create a certificate using the ADD(+) button.
- Enter Nickname and Common name
- Select the created certificate
- Select the Country and enter State
- Enter validity of certificate.
3. By default the SSL VPN Server is disabled. Select the Enable option to enable the server.
4. The following points explains the fields on page, configure as required:
- Interface:- Select the Interface from the drop-down list. This is the WAN interface on which the SSL VPN will accept connections.
- Port:- Select only one of the port from the following:
- SSLVPN-TCP:- Select this protocol if remote SSL VPN server is running on TCP.Default port for TCP is 1194. Customer can add customized port for SSL VPN, and configure firewall rules accordingly.
- SSLVPN-UDP:- Select this protocol if remote SSL VPN server is running on UDP.
- Virtual IP Pool:- Enter the Network address of the Virtual IP Pool, these addresses will be assigned to the SSL VPN clients. Select its Subnet.
- Advanced Options (Click on + to expand option)
- Cipher:- A cipher (or cypher) is an algorithm for performing encryption or decryption. Select the type of Cipher you want to use for your network.(cypher algorithms are 3DES,AES128,AES192,AES256 and BLOWFISH)
- Hash Algorithm:-Select the data hash algorithm for your network.(Hash algorithms are MD5,SHA1)
- Diffie–Hellman Key size:-The Diffie–Hellman key exchange parameter allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. You can select the length of the DH parameter.
- Maximum Clients:-The maximum number of clients that can connect to the VPN network.(By default 75)
- VPN Compression:- Select this parameter if you want to compress the data on your SSL VPN.
- Duplicate CN:-Select this option if you want concurrent connections for each user.
- Client to Client:- Select this option to allow connectivity between any pair of remote systems.
- Dead Peer Detection:- Select this option if you want Seqrite UTM to detect offline remote systems.(By default HELLO=30 sec and HOLD=120 sec)
- Type of Service (ToS):-Select this option to preserve the ToS bit for SSL VPN traffic.
5. After entering all the required information, click Apply.
6. Go to Site-to-site option to configure the SSL Server and Client.
7. Click on Add(+) option to add the SSL server.
- Enter the Type.
- Enter Connection Name.
8. Select Local Network and Click on Add(+) to add the Remote network.
9. Enter Additional Commands if any and then Click on Apply.
10. Enable the current status of the server and download the package. We will require this package to upload it while configuring SSL Client.
11. To configure SSL client on another site (Site B), Go to Site-to-site option.
12. Click on Add(+) option to add the SSL Client.
Upload the SSL server package we have downloaded.
- Enter the Type.
- Browse the package downloaded from SSL Server in step 10.
- Apply the changes.
13. Now after successful configuration of both SSL server and client, status will be enabled automatically and SSL site-to-site VPN got connected and you are able to access all the local services of remote network.
We have done verification by following two ways.
1. Remote Desktop : Open the remote desktop application and take the RDP of remote side network. If you are able to take remote access then it’s indicates that RDP service is working properly via VPN.
2. CMD Prompt : Once VPN is successfully established, open the command prompt and ping the remote side local network. You will successful ping response from remote network.