IPsec Tunnel Types
TNSR is capable of using multiple IPsec tunnel types and multiple peer authentication methods.
Routed Site-To-Site
TNSR is capable of using routed site-to-site IPsec VPNs with either IKEv2 or IKEv1. These allow for full LAN-to-LAN style connectivity between routers and are compatible with dynamic routing protocols.
Note
Some third party equipment may only implement policy-based IPsec VPNs and not route-based IPsec.
Certificate Authentication
The most secure method of IPsec authentication is to use certificates instead of Pre-Shared Keys. This is more complex than using PSKs, but offers much stronger security. Using this method, each side uses a CA certificate to validate the certificate offered by its peer. Validity under the CA alone is not sufficient: the certificate must also contain the expected peer identifier string, and the peer must be checked against its expected address.
The CA certificates must be exchanged between the peers so that each end can validate the other, along with the identifiers each end expects to match.
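The acceptance rule described above, as an added illustration that is not TNSR's own code: the CA chain check is assumed to have already passed (as the IKE daemon would do it), and this hypothetical `check_peer` helper then enforces the two remaining conditions, identifier match and peer address match. The `PeerCert` structure and its sample SAN values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, hypothetical view of a peer certificate that the IKE daemon has
# ALREADY chained to the configured CA. Only the SAN entries are modelled.
@dataclass
class PeerCert:
    dns_names: list = field(default_factory=list)
    ip_addrs: list = field(default_factory=list)
    emails: list = field(default_factory=list)

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def check_peer(cert, expected_id, peer_addr, expected_addr=None):
    """Decide whether a CA-valid certificate may be accepted for this peer.

    expected_id:   identifier configured for the peer (FQDN, e-mail, or IP).
    peer_addr:     address the IKE packets actually came from.
    expected_addr: configured peer address; defaults to expected_id when that
                   is an IP literal. Returns (accepted, reason).
    """
    expected_ip = _as_ip(expected_id)
    if expected_ip is not None:
        # IP identifier: the certificate must carry it as an IP SAN
        if expected_ip not in [ipaddress.ip_address(a) for a in cert.ip_addrs]:
            return False, "no IP SAN matches the expected identifier"
        expected_addr = expected_addr or expected_id
    elif "@" in expected_id:
        # e-mail identifier: local part exact, domain case-insensitive
        local, _, domain = expected_id.partition("@")
        hits = [e for e in cert.emails
                if e.partition("@")[0] == local
                and e.partition("@")[2].lower() == domain.lower()]
        if not hits:
            return False, "no e-mail SAN matches the expected identifier"
    else:
        # FQDN identifier: DNS names compare case-insensitively, no wildcards
        if expected_id.lower() not in [d.lower() for d in cert.dns_names]:
            return False, "no DNS SAN matches the expected identifier"
    # Identifier alone is not enough: the peer must also come from its address
    if expected_addr is not None and _as_ip(peer_addr) != _as_ip(expected_addr):
        return False, "peer address does not match the configured address"
    return True, "ok"
```

A certificate that chains correctly to the CA but carries a different identifier, or arrives from an unexpected address, is rejected even though it is cryptographically valid.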
Remote Access / Mobile IPsec
TNSR can also offer remote access IPsec, also known as “Mobile” IPsec. TNSR is compatible with IKEv2 clients authenticated via EAP-TLS, EAP-RADIUS, or Pre-Shared Keys.
TNSR can use multiple remote access tunnels on different IPv4 and/or IPv6 endpoint addresses, such as for tunnels which accept outer traffic from different address families or tunnels which have different encryption or authentication requirements.
Warning
When using multiple remote access tunnels for the same address family, each tunnel must use a unique local endpoint address.
Each remote access tunnel configuration requires a unique and non-overlapping address pool configuration.
EAP-TLS
EAP-TLS authenticates clients using a set of certificates both on the server and client side. This is the most secure method of authenticating clients, but also the most complex.
This is compatible with a wide variety of clients on Linux, Windows, macOS, iOS, Android, and more.
EAP-RADIUS
EAP-RADIUS authentication uses a certificate on the server side and clients authenticate using a username and password validated against a RADIUS server.
This is compatible with a wide variety of clients on Linux, Windows, macOS, iOS, Android, and more.
Pre-Shared Key
TNSR can also authenticate IKEv2 clients using Pre-Shared Keys, but this is not as secure as EAP-based methods, and it is not implemented by most clients.