IPsec Tunnel Types
TNSR supports multiple types of IPsec tunnels and multiple methods of authenticating peers.
Routed Site-To-Site
TNSR supports routed site-to-site IPsec VPNs using IKEv2 and IKEv1. These allow for full LAN-to-LAN style connectivity between routers and can even support dynamic routing protocols.
Note
Some third-party equipment may only support policy-based IPsec VPNs and not route-based IPsec.
Certificate Authentication
The most secure method of IPsec authentication is to use certificates instead of Pre-Shared Keys. This is more complex than using PSKs, but offers much stronger security. Using this method, each side uses a CA certificate to validate the certificate offered by its peer. It is not enough for the peer's certificate to validate against the CA: the certificate must also contain the expected peer identifier string, and it is also checked against the peer's address.
Each peer must therefore hold the other's CA certificate, along with the identifier it expects the other peer to present, so that each end can validate the other.
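A minimal model of the three checks just described, as an added example and not TNSR's own code: a constructed CA issues a peer certificate whose SANs carry the peer identifier and the tunnel endpoint address, and authenticatePeer rejects the peer unless the certificate chains to the trusted CA, carries the expected identifier, and carries the address the peer connects from. The CA name, the identifier tnsr-peer.example.net and the address 192.0.2.10 used in the test are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mint generates a fresh P-256 key and issues a certificate for tmpl, signed by
// parent with signer; with parent nil the certificate is self-signed (demo: errors panic).
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, signer = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// newPKI builds a constructed CA plus a peer certificate whose SANs carry the
// peer identifier (DNS name) and its tunnel endpoint (IP address).
func newPKI(caName, peerID string, peerAddr net.IP) (*x509.CertPool, *x509.Certificate) {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := mint(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	peer, _ := mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: peerID},
		NotBefore: notBefore, NotAfter: notAfter, DNSNames: []string{peerID}, IPAddresses: []net.IP{peerAddr}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, peer
}

// authenticatePeer applies the three checks from the text in order; any single
// failure rejects the peer. ExtKeyUsageAny is used because IKE peer certificates need not carry a TLS EKU.
func authenticatePeer(peer *x509.Certificate, roots *x509.CertPool, expectedID string, peerAddr net.IP) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // CA check: the certificate does not chain to a trusted CA
	}
	if err := peer.VerifyHostname(expectedID); err != nil {
		return err // identifier check: the expected peer ID is not in the certificate's SANs
	}
	return peer.VerifyHostname(peerAddr.String()) // address check: an IP SAN must equal the peer address
}
```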
Remote Access / Mobile IPsec
TNSR also supports remote access IPsec, also known as “Mobile” IPsec. TNSR supports IKEv2 clients authenticated via EAP-TLS, EAP-RADIUS, or Pre-Shared Keys.
TNSR supports multiple remote access tunnels on different IPv4 and/or IPv6 endpoint addresses, for example tunnels that accept outer traffic from different address families, or tunnels that have different encryption or authentication requirements.
Warning
When using multiple remote access tunnels for the same address family, each tunnel must use a unique local endpoint address.
Each remote access tunnel configuration requires a unique and non-overlapping address pool configuration.
EAP-TLS
EAP-TLS authenticates clients using certificates on both the server and the client side. This is the most secure method of authenticating clients, but also the most complex.
This is supported by a wide variety of clients on Linux, Windows, macOS, iOS, Android, and more.
EAP-RADIUS
EAP-RADIUS authentication uses a certificate on the server side, and clients authenticate using a username and password validated against a RADIUS server.
This is supported by a wide variety of clients on Linux, Windows, macOS, iOS, Android, and more.
Pre-Shared Key
TNSR can also authenticate IKEv2 clients using Pre-Shared Keys, but this is not as secure as EAP-based methods and it is not supported by most clients.