VPN client settings in the Management Client
Several settings for Stonesoft VPN Client are available in the Management Client.
Location | Setting | Explanation |
---|---|---|
Engine Editor – VPN – Advanced | TCP Tunneling Port | This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later. |
Engine Editor – VPN – Advanced | Translate IP Addresses Using NAT Pool | When selected, the specified IP address range and port range are used for translating the IP addresses of incoming Stonesoft VPN Client connections to internal networks. |
Engine Editor – VPN – VPN Client | VPN Type | Defines the type of tunnels the mobile VPN supports. |
Engine Editor – VPN – VPN Client | SSL Port (SSL VPN types only) | The port for SSL VPN tunnels. |
Engine Editor – VPN – VPN Client | TLS Cryptography Suite Set (SSL VPN types only) | The cryptographic suite for SSL VPN tunnels. |
Engine Editor – VPN – VPN Client | Authentication Timeout (SSL VPN types only) | The timeout for Stonesoft VPN Client user authentication. |
Engine Editor – VPN – VPN Client | Local Security Checks | Defines whether Stonesoft VPN Client checks for the presence of basic security software to stop connections from risky computers. |
Engine Editor – VPN – VPN Client | Virtual IP address (Using Virtual Adapter) | Options for assigning virtual IP addresses from a DHCP server to Stonesoft VPN Client connections inside the VPN. |
Engine Editor – VPN – VPN Client | Secondary IPsec VPN Gateways | IPsec VPN gateways to contact, in the order listed, in case there is a disruption at the IPsec VPN gateway end. |
IKE SA tab | Versions | IKE versions used in IKE SA negotiations. |
IKE SA tab | Cipher Algorithms, Message Digest Algorithms | The algorithms supported by the current version of Stonesoft VPN Client. |
IKE SA tab | Diffie-Hellman Groups | Diffie-Hellman groups used in IKE SA negotiations. |
IKE SA tab | Authentication Method, SA Lifetime in Minutes, IKEv1 Negotiation Mode | These settings have no effect on Stonesoft VPN Client connections. See the IPsec Client tab instead. |
IPsec SA tab | IPsec Type | Only ESP is supported. |
IPsec SA tab | Cipher Algorithms, Message Digest Algorithms | The algorithms supported by the current version of Stonesoft VPN Client. |
IPsec SA tab | Compression Algorithm | Deflate. |
IPsec SA tab | Use PFS with Diffie-Hellman Group | Diffie-Hellman group used in IKE SA negotiations when PFS can be used. |
IPsec Client tab | Authentication Method | The selected authentication method used with Stonesoft VPN Client. |
IPsec Client tab | Allow Hybrid/EAP Authentication | Stonesoft VPN Client users authenticate by user name and password (or another type of passcode), and the gateway authenticates itself to the client with a certificate. |
IPsec Client tab | Allow CN authentication | Allows authentication using the common name (CN) in the client certificate as the user name. The CN is checked against the value entered in the User element. |
IPsec Client tab | Allow Pre-Shared Key Authentication with IKEv1 | This setting has no effect on Stonesoft VPN Client connections, as pre-shared key authentication is not supported. |
IPsec Client tab | IPsec Security Association Granularity | Defines whether SAs are negotiated per network or per connecting IP address. Stonesoft VPN Client only supports the SA Per Net setting. |
tab | Pre-shared Key fields | This setting has no effect on Stonesoft VPN Client connections. Pre-shared keys for Stonesoft VPN Client connections are defined per user account in the User elements. |
VPN Client - Properties dialog box
Use this dialog box to view the VPN Client settings that are configured in the Engine Editor.
Option | Definition |
---|---|
General tab | |
Name | Specifies the unique name of the element. |
Gateway Profile | Shows the selected gateway profile. |
Select | Opens the Select Element dialog box. |
Comment | An optional comment for your own reference. |
Option | Definition |
---|---|
Endpoints tab | |
Search | Opens a search field for the selected element list. |
New | This option is not available in this dialog box. |
Tools | |
Option | Definition |
---|---|
Sites tab | |
Search | Opens a search field for the selected element list. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
New | This option is not available in this dialog box. |
Tools | |
Option | Definition |
---|---|
Trusted CAs tab | |
Trust All | Shows the value of the Trust All option. |
Trust only selected | Shows the value of the Trust only selected option. |
Engine Editor – VPN – VPN Client
Use this branch to change settings that are used when the engine acts as a VPN Gateway in a mobile VPN.
Option | Definition |
---|---|
Gateway Display Name | If you want to display a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element. |
VPN Type | Defines the type of tunnels the mobile VPN supports. |
SSL Port (SSL VPN only) | The port for SSL VPN tunnels. |
TLS Cryptography Suite Set (SSL VPN only) | The cryptographic suite for SSL VPN tunnels. Click Select to select an element. Note: Do not change the default setting unless you have a specific reason to do so. |
Authentication Timeout (SSL VPN only) | The timeout for Stonesoft VPN Client user authentication. |
Option | Definition |
---|---|
Local Security Checks section | Defines whether the Stonesoft VPN Client checks for the presence of basic security software to stop connections from risky computers. |
Option | Definition |
---|---|
Virtual Address section | Options for configuring the Stonesoft VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN. |
DHCP Mode | Specifies how DHCP requests from VPN clients are sent. Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only the Direct and DHCP Relay modes are shown. |
Interface (Direct DHCP mode only) | The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
Interface for DHCP Relay (Relay DHCP mode only) | The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
DHCP Server (NGFW < 5.9) (Direct DHCP mode only) | The DHCP server that assigns IP addresses for the VPN clients. Note: This option is intended for backward compatibility with Forcepoint NGFW versions earlier than version 5.9. |
DHCP Servers (Relay DHCP mode only) | The DHCP servers that assign IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element. |
Add Information (Optional) | Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets. |
Restrict Virtual Address Ranges | When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right. |
Proxy ARP | When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right. |
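As an added illustration of the Virtual Address options (not Forcepoint NGFW code, and not a description of the engine's actual implementation), the following Python models two of them: a relayed DHCP request in which the VPN user information chosen with Add Information is carried in the Remote ID sub-option of the Relay Agent Information option (DHCP option 82), and a gateway-side check that models Restrict Virtual Address Ranges by refusing a lease whose address falls outside the configured range. The user name in the Remote ID, the relay address and the address range are constructed sample values; the assumption that an out-of-range lease is simply rejected is a modelling choice for this example.

```python
# Added example: DHCP option 82 Remote ID for the VPN user, and a range check that
# models "Restrict Virtual Address Ranges". Simplified model for this page, not NGFW code.
import ipaddress
import struct

OPT_MSG_TYPE = 53        # DHCP message type
OPT_REQUESTED_IP = 50    # Requested IP address
OPT_RELAY_AGENT = 82     # Relay Agent Information (RFC 3046)
SUBOPT_REMOTE_ID = 2     # Remote ID sub-option of option 82
OPT_END = 255
DHCP_DISCOVER = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_relay_request(client_mac: bytes, giaddr: str, remote_id: str, requested_ip: str = "") -> bytes:
    """Build a DHCPDISCOVER as a relay agent forwards it: giaddr is the relay
    interface toward the DHCP server, remote_id is the VPN user information
    selected with 'Add Information' (assumed here to be the user name)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        1, 1, 6, 1,                          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1 (relayed once)
        0x1A2B3C4D, 0, 0x8000,               # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
    )
    header += client_mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCP_DISCOVER])
    if requested_ip:
        options += bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested_ip).packed
    rid = remote_id.encode("utf-8")
    sub = bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid
    options += bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])
    return header + DHCP_MAGIC + options


def parse_options(packet: bytes) -> dict:
    """Return DHCP options as {code: bytes}; option 82 is split into {sub-code: bytes}."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                        # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated DHCP option")
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    if OPT_RELAY_AGENT in options:
        raw, subs, j = options[OPT_RELAY_AGENT], {}, 0
        while j + 1 < len(raw):
            sub_code, sub_len = raw[j], raw[j + 1]
            subs[sub_code] = raw[j + 2:j + 2 + sub_len]
            j += 2 + sub_len
        options[OPT_RELAY_AGENT] = subs
    return options


def accept_lease(offered_ip: str, restricted_range: str) -> bool:
    """Model of 'Restrict Virtual Address Ranges': accept a lease only if the
    address lies in the configured range ('first-last'), whatever the server offered."""
    first, last = (ipaddress.IPv4Address(x.strip()) for x in restricted_range.split("-"))
    return first <= ipaddress.IPv4Address(offered_ip) <= last


if __name__ == "__main__":
    # Constructed sample values: a VPN user, the relay interface and the virtual range.
    pkt = build_relay_request(bytes.fromhex("001122334455"), "10.0.0.1", "alice", "10.99.0.10")
    opts = parse_options(pkt)
    print("Remote ID:", opts[OPT_RELAY_AGENT][SUBOPT_REMOTE_ID].decode())
    for offered in ("10.99.0.10", "10.99.1.5"):
        print(offered, "accepted" if accept_lease(offered, "10.99.0.10-10.99.0.250") else "rejected")
```

Because the Remote ID identifies the VPN user to the DHCP server, a server that trusts it for address assignment or logging should only accept it from the relay interface the gateway actually uses; the range check is what keeps a misconfigured or compromised DHCP server from handing a VPN client an address outside the intended virtual range.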
Option | Definition |
---|---|
Secondary IPsec VPN Gateways section (Optional) (IPsec VPN type only) | Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |
Engine Editor – VPN – Advanced
Use this branch to change advanced VPN settings.
Option | Definition |
---|---|
Gateway Settings | The Gateway Settings element that defines performance-related VPN options. |
TCP Tunneling Port | Port used for tunneling Stonesoft VPN Client connections inside TCP connections to bypass intermediary traffic filters and NAT devices. |
Translate IP Addresses Using NAT Pool | When selected, the specified IP address range and port range are used for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks. |
IP Address Range | IP address range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks. |
Port Range | Port range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks. |
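As an added example of what the IP Address Range and Port Range of the NAT pool mean in practice (written for this page; it is not Forcepoint NGFW code and the engine's own allocation strategy is not documented here), the following Python models a source NAT pool in which every translated VPN client flow consumes one (address, port) pair from the configured ranges. The pool ranges and client addresses are constructed sample values; the per-flow allocation order is an assumption of this model.

```python
# Added example: a per-flow source NAT pool built from an IP address range and a
# port range, as configured under "Translate IP Addresses Using NAT Pool".
# Illustrative model for this page, not Forcepoint NGFW code.
import ipaddress
from collections import deque


class NatPool:
    """Each translated flow holds one (pool_ip, pool_port) pair, so the pool supports
    at most len(ips) * len(ports) concurrent flows; further flows cannot be translated."""

    def __init__(self, ip_range: str, port_range: str):
        first, last = (ipaddress.IPv4Address(x.strip()) for x in ip_range.split("-"))
        lo, hi = (int(x) for x in port_range.split("-"))
        if last < first or hi < lo or lo < 1 or hi > 65535:
            raise ValueError("invalid NAT pool definition")
        self.ips = [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]
        self.ports = list(range(lo, hi + 1))
        self._free = deque((ip, p) for ip in self.ips for p in self.ports)
        self._flows = {}   # (virtual_ip, src_port, dst_ip, dst_port) -> (pool_ip, pool_port)

    @property
    def capacity(self) -> int:
        return len(self.ips) * len(self.ports)

    @property
    def in_use(self) -> int:
        return len(self._flows)

    def translate(self, virtual_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Return the (pool_ip, pool_port) the flow is translated to, or None when
        the pool is exhausted (the connection cannot be translated)."""
        key = (virtual_ip, src_port, dst_ip, dst_port)
        if key not in self._flows:
            if not self._free:
                return None
            self._flows[key] = self._free.popleft()
        return self._flows[key]

    def release(self, virtual_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Return a finished flow's pair to the pool."""
        pair = self._flows.pop((virtual_ip, src_port, dst_ip, dst_port), None)
        if pair is not None:
            self._free.append(pair)


if __name__ == "__main__":
    # Constructed sample pool: two addresses and two ports, so four concurrent flows.
    pool = NatPool("10.1.1.1-10.1.1.2", "40000-40001")
    print("capacity:", pool.capacity)
    for n in range(5):
        print(f"client 10.99.0.{10 + n} ->", pool.translate(f"10.99.0.{10 + n}", 51000, "192.168.1.20", 443))
```

The point for sizing is that the pool's capacity is the product of the two ranges, not the number of addresses: a pool of one address with a 1,000-port range supports at most 1,000 concurrent translated flows. Internal servers and logs see the pool address rather than the client's virtual address, so the gateway's own connection records are the only place the translation can be traced back to a VPN user.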