A tunnel is a mechanism that lets you combine two remote, physically unconnected networks into a single logical structure. Static tunnels are used to join multiple LANs into one, for example when several remote offices are joined into one local network so that users of one network can reach the resources of the others. The tunnels are configured on the border routers of these networks, and all traffic between them is carried over the Internet encapsulated in IP or GRE packets.
In ICS CUBE you can configure a static tunnel between servers over the IPIP or GRE protocol.
Typically the choice of tunnel type depends on the intermediate providers, which may for some reason block GRE or IPIP traffic and thereby make one or the other type of tunnel unusable. There is no fundamental difference between the two types of tunnels.
The tunnel settings do not differ either. You need to specify on which interface the tunnel will be configured and set the routing parameters: the external address of the remote server, the address of the local network and the address of the remote network. Matching settings must be made at the other end of the tunnel.
Important: for the tunnel to work correctly, GRE traffic must be allowed on the ICS CUBE firewall, and incoming connections from the IP address of the remote server must also be allowed.
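The following is an added example, not ICS CUBE's own code or commands. It models both ends of a static GRE/IPIP tunnel with the fields the text names (remote external address, local network, remote network), checks that the two ends mirror each other, checks that an inbound firewall rule set admits the tunnel protocol from the peer, and renders the equivalent iproute2 commands as they would look on a Linux router. All addresses, rule sets and the Linux command rendering are constructed assumptions for illustration.

```python
"""Added example, not ICS CUBE's own code: model both ends of a static GRE/IPIP
tunnel, check that they mirror each other, check that the firewall admits the
tunnel protocol from the peer, and render equivalent Linux iproute2 commands.
All addresses and rule sets below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

IP_PROTO = {"gre": 47, "ipip": 4}   # IANA protocol numbers carried in the outer IP header


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    mode: str            # "gre" or "ipip"
    local_public: str    # this router's external address
    remote_public: str   # the other router's external address ("external address of the remote server")
    local_net: str       # LAN behind this router
    remote_net: str      # LAN behind the other router


@dataclass(frozen=True)
class FirewallRule:
    action: str           # "allow" or "deny"
    proto: Optional[int]  # IP protocol number; None matches any protocol
    src: str              # source network in CIDR notation


def mirror_problems(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Mismatches between the two ends; an empty list means the configurations mirror each other."""
    problems = []
    if a.mode != b.mode:
        problems.append(f"mode mismatch: {a.name}={a.mode}, {b.name}={b.mode}")
    if a.remote_public != b.local_public or b.remote_public != a.local_public:
        problems.append("each end's remote address must be the other end's external address")
    if ipaddress.ip_network(a.remote_net) != ipaddress.ip_network(b.local_net):
        problems.append(f"{a.name} routes {a.remote_net} into the tunnel but {b.name} serves {b.local_net}")
    if ipaddress.ip_network(b.remote_net) != ipaddress.ip_network(a.local_net):
        problems.append(f"{b.name} routes {b.remote_net} into the tunnel but {a.name} serves {a.local_net}")
    if ipaddress.ip_network(a.local_net).overlaps(ipaddress.ip_network(a.remote_net)):
        problems.append("local and remote networks overlap; routing between them is ambiguous")
    return problems


def firewall_allows_tunnel(rules: List[FirewallRule], end: TunnelEnd) -> bool:
    """First-match evaluation of an inbound rule set; unmatched traffic is denied (assumption)."""
    proto = IP_PROTO[end.mode]
    peer = ipaddress.ip_address(end.remote_public)
    for rule in rules:
        if (rule.proto is None or rule.proto == proto) and peer in ipaddress.ip_network(rule.src):
            return rule.action == "allow"
    return False


def iproute2_commands(end: TunnelEnd) -> List[str]:
    """The same fields expressed for a Linux router (illustrative assumption,
    not the commands ICS CUBE runs internally)."""
    dev = f"{end.mode}-{end.name}"
    return [
        f"ip tunnel add {dev} mode {end.mode} local {end.local_public} remote {end.remote_public} ttl 64",
        f"ip link set {dev} up",
        f"ip route add {end.remote_net} dev {dev}",
    ]


# Constructed sample: two offices joined over documentation-range addresses.
OFFICE_A = TunnelEnd("office-a", "gre", "198.51.100.10", "203.0.113.20", "10.1.0.0/24", "10.2.0.0/24")
OFFICE_B = TunnelEnd("office-b", "gre", "203.0.113.20", "198.51.100.10", "10.2.0.0/24", "10.1.0.0/24")
# Same as OFFICE_B, but the administrator typed the wrong local network.
OFFICE_B_TYPO = TunnelEnd("office-b", "gre", "203.0.113.20", "198.51.100.10", "10.3.0.0/24", "10.1.0.0/24")

# Constructed inbound rule sets on office-a's firewall: one admits GRE from the peer, one only admits TCP.
FW_GOOD = [FirewallRule("allow", 47, "203.0.113.20/32"), FirewallRule("deny", None, "0.0.0.0/0")]
FW_NO_GRE = [FirewallRule("allow", 6, "203.0.113.20/32"), FirewallRule("deny", None, "0.0.0.0/0")]

if __name__ == "__main__":
    print("mirror check:", mirror_problems(OFFICE_A, OFFICE_B) or "ok")
    print("typo check:", mirror_problems(OFFICE_A, OFFICE_B_TYPO))
    print("GRE admitted:", firewall_allows_tunnel(FW_GOOD, OFFICE_A), firewall_allows_tunnel(FW_NO_GRE, OFFICE_A))
    for cmd in iproute2_commands(OFFICE_A):
        print(cmd)
```

The mirror check catches the most common cause of a tunnel that comes up but passes no traffic: the remote network entered on one end does not equal the local network entered on the other. The firewall check reflects the note above that a rule for the tunnel protocol itself (GRE is IP protocol 47, IPIP is protocol 4), not only a TCP/UDP rule, must admit the peer's address.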
IPsec (IP Security) is a set of protocols for protecting data transmitted over the Internet Protocol (IP); it provides authentication and/or encryption of IP packets.
Protecting data transmitted through tunnels avoids many problems associated with information leakage and the receipt of forged data. You can protect tunnel traffic by going to the “Encryption settings” tab and selecting the “Use encryption” checkbox. After that you can make the necessary settings.
Attention! This procedure must be performed at both ends of the tunnel, otherwise the data transfer will not work.
Attention! When using IPsec encryption in IPIP and GRE tunnels, traffic will pass through the enc0 interface. Statistics on this interface are not collected!
OpenVPN is a free, open-source VPN technology for creating encrypted point-to-point or server-to-client channels between computers. It allows connections to be established between computers located behind a NAT firewall without changing their settings.
The OpenVPN tunnel system is built so that one of the machines is designated as the server and all the others as clients. The address space inside the OpenVPN network is registered on the server (it is recommended to leave the default value) and the SSL certificates are placed there; the server's external IP address is specified on the clients. A data exchange port is also specified, which allows connecting to a server located behind a firewall or NAT using port forwarding.
To issue the necessary certificates from the server to the clients, do the following:
1. Create an OpenVPN network on the server.
2. Create a user for the connection and grant that user access in the OpenVPN module.
3. Download the certificate archive from the user's individual module.
4. Unzip the downloaded certificate archive and import the root and final (end-entity) certificates on the client side.
5. After that, the imported certificates can be selected on the “Encryption settings” tab when creating the OpenVPN tunnel.
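As an added example (not ICS CUBE's or OpenVPN's own code), the block below shows how the parameters named above are split between the two roles: the server owns the address space inside the OpenVPN network, the data exchange port and the certificates, while the client only needs the server's external address, the port and the imported root and client certificates. It renders both configuration files with standard OpenVPN directives, checks that the client file agrees with the server file, and inspects a downloaded certificate archive for the pieces the client must import. The addresses, file names, the in-memory archive and the PEM bodies are constructed placeholders; the directives themselves are real OpenVPN directives.

```python
"""Added example, not ICS CUBE's or OpenVPN's code: render the server-side and
client-side OpenVPN configuration from the parameters the text names, check
that the client file agrees with the server file, and check that a downloaded
certificate archive holds what the client must import. Addresses, file names
and certificate bodies are constructed placeholders."""
import io
import zipfile
from typing import Dict, List


def server_config(address_space: str = "10.8.0.0 255.255.255.0", port: int = 1194, proto: str = "udp") -> str:
    """Server side: it owns the internal address space and the certificates."""
    lines = [
        f"port {port}", f"proto {proto}", "dev tun",
        "ca ca.crt", "cert server.crt", "key server.key", "dh dh.pem",
        f"server {address_space}",      # address space handed out inside the OpenVPN network
        "keepalive 10 120", "persist-key", "persist-tun",
    ]
    return "\n".join(lines) + "\n"


def client_config(server_public_ip: str, port: int = 1194, proto: str = "udp") -> str:
    """Client side: the server's external address and port plus the imported certificates."""
    lines = [
        "client", "dev tun", f"proto {proto}",
        f"remote {server_public_ip} {port}",
        "nobind", "resolv-retry infinite",
        "ca ca.crt", "cert client.crt", "key client.key",
        "remote-cert-tls server",       # reject a peer that presents a non-server certificate
        "persist-key", "persist-tun",
    ]
    return "\n".join(lines) + "\n"


def parse_directives(cfg: str) -> Dict[str, str]:
    """Map each directive name to its argument string (first occurrence wins)."""
    out: Dict[str, str] = {}
    for line in cfg.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, _, args = line.partition(" ")
        out.setdefault(name, args.strip())
    return out


def configs_match(server_cfg: str, client_cfg: str) -> List[str]:
    """Problems that would stop the client from reaching the server; empty means consistent."""
    s, c = parse_directives(server_cfg), parse_directives(client_cfg)
    problems = []
    remote = c.get("remote", "").split()
    if len(remote) < 2 or remote[1] != s.get("port"):
        problems.append("client 'remote' port does not match the server 'port'")
    if s.get("proto") != c.get("proto"):
        problems.append("transport protocol differs between server and client")
    if "ca" not in s or "ca" not in c:
        problems.append("both sides must reference the root (CA) certificate")
    return problems


def build_archive(files: Dict[str, str]) -> bytes:
    """Constructed stand-in for the certificate archive downloaded from the user module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def archive_contents(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Classify archive members by PEM header: certificates (root and client) versus private keys."""
    found: Dict[str, List[str]] = {"certificates": [], "keys": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            body = zf.read(name).decode("ascii", "replace")
            if "-----BEGIN CERTIFICATE-----" in body:
                found["certificates"].append(name)
            elif "PRIVATE KEY-----" in body:
                found["keys"].append(name)
    return found


def archive_complete(zip_bytes: bytes) -> bool:
    """The client needs the root certificate, its own (final) certificate and the matching private key."""
    found = archive_contents(zip_bytes)
    return len(found["certificates"]) >= 2 and len(found["keys"]) >= 1


# Constructed placeholder PEM bodies (not real certificates or keys).
PEM_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
PEM_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
FULL_ARCHIVE = build_archive({"ca.crt": PEM_CERT, "client.crt": PEM_CERT, "client.key": PEM_KEY})
PARTIAL_ARCHIVE = build_archive({"ca.crt": PEM_CERT})   # root certificate only: cannot authenticate the client

if __name__ == "__main__":
    print(server_config())
    print(client_config("203.0.113.20"))
    print("match:", configs_match(server_config(), client_config("203.0.113.20")) or "ok")
    print("archive complete:", archive_complete(FULL_ARCHIVE), archive_complete(PARTIAL_ARCHIVE))
```

The archive check only classifies files by PEM header, so it can confirm that two certificates and a key are present but cannot tell the root from the final certificate; that distinction is what the import step on the client side establishes.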