IPsec Server Setup

This is the setup for the AZTCO-FW side of the connection

Mobile Clients

  • Navigate to VPN > IPsec, Mobile Clients tab
  • Check Enable IPsec Mobile Client Support
  • Check Provide a virtual IP address to clients
  • Enter an unused subnet in the box, pick a subnet mask
  • Set any other desired options here
  • Click Save
  • Click Apply Changes
  • Click Create Phase1 (if it appears)

Phase 1 settings

  • Navigate to VPN > IPsec
  • Locate the Mobile Phase 1 in the list
  • Click the edit icon to edit the Mobile Phase 1
  • Enter the following settings:
    • Authentication method: Mutual PSK + Xauth
    • Negotiation mode: aggressive
    • My identifier: My IP address
    • Peer identifier: User Distinguished Name, [email protected]
    • Pre-Shared Key: aaabbbccc (Use something much longer and more random!)
    • Policy Generation: Unique
    • Proposal Checking: Strict
    • Encryption Algorithm: AES 128
    • Hash Algorithm: SHA1
    • DH Key Group: 2
    • Lifetime: 86400
    • NAT Traversal: Force
  • Click Save
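
The Pre-Shared Key above is only a placeholder; a real deployment should use a long random value. The following POSIX shell snippet is an added example (not part of the AZTCO-FW documentation) that generates a 32-byte random key, base64-encoded for pasting into the Pre-Shared Key field, and rejects short keys such as the placeholder. The 20-character minimum in `psk_ok` is an assumption chosen for this example, not a limit the documentation states.

```shell
#!/bin/sh
# Added example: generate a strong IPsec pre-shared key and sanity-check
# its length before pasting it into the mobile Phase 1 settings.

# Number of random bytes to draw; 32 bytes gives 256 bits of entropy,
# which base64 turns into a 44-character string.
PSK_BYTES=32

# Minimum acceptable key length in characters (assumed for this example).
MIN_LEN=20

# gen_psk: print one random base64 key with no trailing newline.
# Uses openssl when available, otherwise /dev/urandom + base64.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$PSK_BYTES"
    else
        head -c "$PSK_BYTES" /dev/urandom | base64
    fi | tr -d '\n'
}

# psk_ok KEY: return 0 if KEY is at least MIN_LEN characters, else 1.
# Short human-chosen keys like "aaabbbccc" fail this check.
psk_ok() {
    [ "${#1}" -ge "$MIN_LEN" ]
}

# Usage: generate a key, verify it, and print it for the Pre-Shared Key field.
main() {
    key=$(gen_psk)
    if psk_ok "$key"; then
        printf 'Pre-Shared Key: %s\n' "$key"
    else
        echo "generated key too short" >&2
        return 1
    fi
}

# Only run main when executed directly, not when sourced.
[ "${PSK_NO_MAIN:-}" = "1" ] || main
```

Run the script and copy the printed value into the Pre-Shared Key field; every mobile client then needs the same value, so store it in a password manager rather than a ticket or chat message.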

Phase 2 settings

  • Click the expand icon inside the Mobile Phase 1 to expand its Phase 2 list.
  • Click the add icon to add a new Phase 2
  • Enter the following settings:
    • Mode: Tunnel
    • Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
    • Protocol: ESP
    • Encryption Algorithms: AES 128 only
    • Hash Algorithms: SHA1 only
    • PFS key group: off
    • Lifetime: 28800
  • Add additional phase 2 entries for additional local networks if necessary
  • Click Save
  • Click Apply Changes

User Settings

  • Navigate to System > User Manager
  • Add a user, grant the user the User – VPN – IPsec xauth Dialin permission, or add them to a group with this permission.

Note that for xauth, the password used is the user's password from the User Manager, not the “IPsec Pre-Shared Key” field on the user. That field is only used for non-xauth IPsec.

Firewall Rules

Don’t forget to add firewall rules to pass traffic from clients.

  • Navigate to Firewall > Rules, IPsec tab
  • Add rules that match the traffic that should be allowed, or add a rule to pass any protocol/any source/any destination to allow everything.

IPsec SA Preference

  • System > Advanced, Miscellaneous tab.
  • Uncheck Prefer Old IPsec SA