Enable IPsec Site-to-Site VPN

Learn how to configure an IPsec site-to-site VPN on a Verkada Cellular Gateway


Cellular gateways can act as site-to-site IPsec IKEv2 VPN clients. This allows the gateway to connect to an IPsec VPN server and route encrypted traffic. The gateway routes traffic through the VPN only for devices connected to it. Appropriate egress and NAT rules must be set up on the VPN server to allow connected device traffic to be routed through the internet and within the VPN tunnel.

Configure IPsec VPN on a cellular gateway

  1. In Verkada Command, go to All Products > Gateways.

  2. Select the gateway you want to configure.

  3. In the top right, click Settings.

  4. Under Network > IPsec VPN, toggle on Enable IPSec VPN.

  5. In the Server field, enter the VPN server IP or domain name.

  6. The gateway supports two authentication types:

    1. (See step 7) Certificate: Requires Certificate Authority cert, client cert, and key.

    2. (See step 8) Pre-Shared Key: Requires a shared key.

  7. On the Authentication drop-down, select Certificate.

    1. On Remote ID, enter the remote certificate subjectAltName or subject DN.

    2. On Local ID, enter the local certificate subjectAltName or subject DN.

    3. Upload the Client Key, Client Certificate, and Certificate Authority certificate in the .pem format.

      Note: Instructions to generate the client key and certificate and to set up a certificate authority are found here.

    4. Skip to step 9.

  8. On the Authentication drop-down, select Pre-Shared Key.

    1. On Remote ID, enter the remote ID of the pre-shared key.

    2. On Local ID, enter the local ID of the pre-shared key.

    3. On Password, enter the password of the pre-shared key.

  9. Hit Apply, then Confirm to save. Your gateway should now have a VPN badge next to the name, indicating that the connection was successful.

Configure your VPN server

When configuring your VPN server, you must set specific details to establish the VPN tunnel and enable data transfer between the server and client.

Supported VPN routing type

  • Policy Based routing

Supported Key Exchange Version

  • IKEv2

Note: Perfect Forward Secrecy (PFS) is not supported on gateways as a VPN client.

Supported cipher suites for IKE Phase 1 and Phase 2

  • Encryption

    • AES 128

    • AES 256

  • Hash

    • SHA 256

    • SHA 384

    • SHA 512

  • DH Group

    • Group 14

Note: Set up DDNS using a supported free DDNS provider to ensure your VPN is always connected to the client using its dynamic public IP address. This way, the provided ‘hostname’ always resolves to the active public IP address on the VPN client.
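
A server-side configuration that matches the requirements listed above, given as an added example that is not part of Verkada's documentation. It assumes the VPN server runs strongSwan and is configured through swanctl.conf, which this page does not specify; every address, subnet, identity and file name is a placeholder.

```conf
# /etc/swanctl/swanctl.conf on the VPN server (assumed strongSwan; placeholders throughout)
connections {
    cellular-gw {
        version = 2                        # IKEv2 is the only supported version
        local_addrs = 203.0.113.10         # placeholder server public IP
        # remote_addrs is left at its default (%any); the gateway initiates.

        # IKE (Phase 1): AES-256, SHA-256, DH Group 14 (modp2048)
        proposals = aes256-sha256-modp2048

        local {
            auth = pubkey
            certs = server-cert.pem        # placeholder, in /etc/swanctl/x509/
            id = vpn.example.com           # what the gateway enters as Remote ID
        }
        remote {
            auth = pubkey
            cacerts = ca-cert.pem          # placeholder, in /etc/swanctl/x509ca/
            id = gateway.example.com       # what the gateway enters as Local ID
        }

        children {
            gw-lan {
                # Policy-based: traffic selectors decide what enters the tunnel.
                local_ts = 10.10.0.0/16        # placeholder server-side subnet
                remote_ts = 192.168.50.0/24    # placeholder subnet behind the gateway

                # ESP (Phase 2): AES-256, SHA-256. No DH group is listed because
                # the page states PFS is not supported (assumed interpretation).
                esp_proposals = aes256-sha256
            }
        }
    }
}
```

Each `id` value must match a subjectAltName or the subject DN of the corresponding certificate, and the server's `local` and `remote` identities are the mirror image of the gateway's Remote ID and Local ID fields.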


Need more help? Contact Verkada Support.
