IPsec Tunnel Types

TNSR supports multiple types of IPsec tunnels and multiple methods of authenticating peers.

Routed Site-To-Site

TNSR supports routed site-to-site IPsec VPNs using IKEv2 and IKEv1. These allow for full LAN-to-LAN style connectivity between routers and can even support dynamic routing protocols.

Note

Some third party equipment may only support policy-based IPsec VPNs and not route-based IPsec.

Pre-Shared Key

TNSR can authenticate IPsec peers using Pre-Shared Keys (PSKs), which are similar to passwords. These are static keys and their values must be coordinated between both peers and set appropriately to match on both ends. PSKs are widely supported but are not considered a strong method of authentication.

See also

IPsec Example

Certificate Authentication

The most secure method of IPsec authentication is to use certificates instead of Pre-Shared Keys. This is more complex than using PSKs, but offers much stronger security. Using this method, each side uses a CA certificate to validate a certificate offered by their peer. The certificate must not only be valid as checked against the CA, but the certificate must also match expected peer identifier strings as well as being checked against the peer address.

The certificate authorities must be exchanged between peers to validate each end, as well as the expected identifiers to match.

Remote Access / Mobile IPsec

TNSR also supports remote access IPsec, also known as “Mobile” IPsec. TNSR supports IKEv2 clients authenticated via EAP-TLS, EAP-RADIUS, or Pre-Shared Keys.

TNSR supports multiple remote access tunnels on different IPv4 and/or IPv6 endpoint addresses, such as for tunnels which accept outer traffic from different address families or tunnels which have different encryption or authentication requirements.

Warning

When using multiple remote access tunnels for the same address family, each tunnel must use a unique local endpoint address.

Each remote access tunnel configuration requires a unique and non-overlapping address pool configuration.

EAP-TLS

EAP-TLS authenticates clients using a set of certificates both on the server and client side. This is the most secure method of authenticating clients, but also the most complex.

This is supported by a wide variety of clients on Linux, Windows, macOS, iOS, Android, and more.

EAP-RADIUS

EAP-RADIUS authentication uses a certificate on the server side and clients authenticate using a username and password validated against a RADIUS server.

This is supported by a wide variety of clients on Linux, Windows, macOS, iOS, Android, and more.

Pre-Shared Key

TNSR can also authenticate IKEv2 clients using Pre-Shared Keys, but this is not as secure as EAP-based methods and it is not supported by most clients.