Defining Profile VPN Settings

IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they're protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of security associations (SA) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is used for each IPSec peer; for remote VPN deployments, however, one crypto map is used for all the remote IPSec peers.

Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time-consuming manual preconfiguration.

To define a profile's VPN settings:

  1. Select Configuration > Profiles > Manage Profiles from the web UI.
  2. Select Security > VPN Configuration.
    The Basic Settings tab displays by default. Refer to the Peer Settings table to add peer addresses and keys for VPN tunnel destinations. Use + Add Row as needed to add additional destinations and keys.
  3. Select either IKEv1 or IKEv2 to enforce VPN peer key exchanges using either IKEv1 or IKEv2.
    IKEv2 is recommended in most deployments. IKEv2 provides improvements from the original IKEv1 design – for example, improved cryptographic mechanisms, NAT and firewall traversal, and attack resistance.

    The appearance of the IKE Policy screens differs depending on whether IKEv1 or IKEv2 mode is selected.

  4. Refer to the following to determine whether an IKE Policy requires creation, modification, or removal:
    Name: The 32-character maximum name assigned to the IKE policy.
    DPD Keep Alive: Lists each policy's IKE keep alive message interval defined for IKE VPN tunnel dead peer detection.
    IKE LifeTime: Displays each policy's lifetime for an IKE SA. The lifetime defines how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration. Two peers need not exactly agree on the lifetime, though if they do not, there is some clutter for a superseded connection on the peer defining the lifetime as longer.
    DPD Retries: Lists each policy's maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer. This field only appears when IKEv1 is selected.
  5. Click Add to define a new IKE Policy configuration, Edit to modify an existing configuration, or Delete to remove an existing configuration.
    Name: If you are creating a new IKE policy, assign it a 32-character maximum name to help differentiate this IKE configuration from others with similar parameters.
    DPD Keep Alive: Configure the IKE keep alive message interval used for dead peer detection on the remote end of the IPSec VPN tunnel. Set this value in either seconds (10 - 3,600), minutes (1 - 60), or hours (1). The default setting is 30 seconds. This setting is required for both IKEv1 and IKEv2.
    Mode: If you are using IKEv1, define the IKE mode as either Main or Aggressive. IPSec has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages to be exchanged between the IPSec peers to set up the SA; Main requires 6 messages. The default setting is Main.
    DPD Retries: Set the maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead. The available range is from 1 - 100. The default setting is 5.
    IKE LifeTime: Set the lifetime defining how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration. Set this value in either seconds (600 - 86,400), minutes (10 - 1,440), hours (1 - 24), or days (1). This setting is required for both IKEv1 and IKEv2.
  6. Click + Add Row to define the network address of a target peer and its security settings.
    Name: If you are creating a new IKE policy, assign the target peer (tunnel destination) a 32-character maximum name to distinguish it from others with a similar configuration.
    DH Group: Define the Diffie-Hellman (DH) group identifier used by the VPN peers to derive a shared secret without having to transmit it. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14. The default setting is 5.
    Encryption: Select an encryption method used by the tunnelled peers to securely interoperate. Options include 3DES, AES, AES-192, and AES-256. The default setting is AES-256.
    Authentication: Select an authentication hash algorithm used by the peers to exchange credential information. Options include SHA, SHA256, AES-XCBC-HMAC-128, and MD5. The default setting is SHA.
  7. Click OK to save the changes made in the IKE Policy screen.
    Click Reset to revert to the last saved configuration. Click the Delete Row icon as needed to remove a peer configuration.
  8. Select the Peer Configuration tab to assign additional network address and IKE settings to the intended VPN tunnel peer destination.
  9. Select either IKEv1 or IKEv2 to enforce VPN key exchanges using either IKEv1 or IKEv2.
  10. Refer to the following to determine whether a new VPN Peer Configuration requires creation, an existing configuration requires modification, or a configuration requires removal:
    Name: Lists the 32-character maximum name assigned to each listed peer configuration at the time of its creation.
    IP/Hostname: The IP address (or host address FQDN) of the IPSec VPN peer targeted for secure tunnel connection and data transfer.
    Authentication Type: Whether the peer configuration has been defined to use pre-shared key (PSK) or RSA. Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It is the first algorithm known to be suitable for both signing and encryption. If you are using IKEv2, this screen displays both local and remote authentication, because both ends of the VPN connection require authentication.
    LocalID: The local identifier used within this peer configuration for an IKE exchange with the target VPN IPSec peer.
    RemoteID: The means by which the target remote peer is identified (for example, string or FQDN) within the VPN tunnel.
    IKE Policy Name: The IKEv1 or IKEv2 policy used with each listed peer configuration. If you need to create a new policy, click Create.
  11. Click Add to define a new peer configuration, Edit to modify an existing configuration, or Delete to remove an existing peer configuration.
    The parameters that can be defined for the peer configuration vary depending on whether IKEv1 or IKEv2 was selected.
    Name: If you are creating a new peer configuration (remote gateway) for a VPN tunnel connection, assign it a 32-character maximum name to distinguish it from others with similar attributes.
    IP Type or Select IP/Hostname: Enter either the IP address or the FQDN hostname of the IPSec VPN peer used in the tunnel setup. If IKEv1 is used, this value is titled IP Type. If IKEv2 is used, this parameter is titled Select IP/Hostname. A hostname cannot exceed 64 characters.
    Authentication Type: Select either pre-shared key (PSK) or RSA. Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It is the first algorithm known to be suitable for both signing and encryption. If using IKEv2, this screen displays both local and remote authentication options, because both ends of the VPN connection require authentication.

    RSA is the default value for both local and remote authentication, regardless of whether IKEv1 or IKEv2 is used.

    Authentication Value: Define the authentication string (shared secret) shared by both ends of the VPN tunnel connection. The string must be between 8 - 21 characters long. If using IKEv2, both a local and a remote string must be specified for handshake validation at both ends (local and remote) of the VPN connection.
    Local Identity: Select the local identifier used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email, and string. The default setting is string.
    Remote Identity: Select the remote identifier used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email, and string. The default setting is string.
    IKE Policy Name: Select the IKEv1 or IKEv2 policy name (and settings) to apply to this peer configuration. If you need to create a new policy, click the Create icon.
  12. Click OK to save the changes made in the peer configuration screen.
    Click Reset to revert to the last saved configuration.
  13. Select the Transform Set tab.
    Create or modify transform set configurations to specify how traffic is protected.
  14. Review the following attributes of existing Transform Set configurations:
    Name: The 32-character maximum name assigned to each listed transform set upon creation. A transform set is a combination of security protocols, algorithms, and other settings applied to IPSec protected traffic.
    Authentication Algorithm: Lists each transform set's authentication scheme used to validate identity credentials. The authentication scheme is either HMAC-SHA or HMAC-MD5.
    Encryption Algorithm: Displays each transform set's encryption method for protecting transmitted traffic.
    Mode: Displays either Tunnel or Transport as the IPSec tunnel type used with the transform set. Tunnel is used for site-to-site VPN and Transport should be used for remote VPN deployments.
  15. Click Add to define a new transform set configuration, Edit to modify an existing configuration, or Delete to remove an existing transform set.
  16. Define the following settings for the new or modified transform set configuration:
    Name: If you are creating a new transform set, define a 32-character maximum name to differentiate this configuration from others with similar attributes.
    Authentication Algorithm: Set the transform set's authentication scheme used to validate identity credentials. Use the drop-down menu to select either HMAC-SHA or HMAC-MD5. The default setting is HMAC-SHA.
    Encryption Algorithm: Set the transform set's encryption method for protecting transmitted traffic. Options include DES, 3DES, AES, AES-192, and AES-256. The default setting is AES-256.
    Mode: Select either Tunnel or Transport as the IPSec tunnel type used with the transform set. Tunnel is used for site-to-site VPN and Transport should be used for remote VPN deployments.
  17. Click OK to save the changes made in the Transform Set screen.
    Click Reset to revert to the last saved configuration.
  18. Select the Crypto Map tab.
    Use crypto maps (as applied to IPSec VPN) to combine the elements used to create IPSec SAs (including transform sets).
  19. Review the following Crypto Map configuration parameters to assess their relevance:
    Name: Lists the 32-character maximum name assigned to each crypto map upon creation. This name cannot be modified as part of the edit process.
    IP Firewall Rules: Lists the IP firewall rules defined for each displayed crypto map configuration. Each firewall policy contains a unique set of access/deny permissions applied to the VPN tunnel and its peer connection.
    IPSec Transform Set: Displays the transform set (encryption and hash algorithms) applied to each listed crypto map configuration. Thus, each crypto map can be customized with its own data protection and peer authentication schemes.
  20. If requiring a new crypto map configuration, select the Add button. If updating the configuration of an existing crypto map, select it from amongst those available and select the Edit button.
  21. If adding a new crypto map, assign it a name up to 32 characters as a unique identifier. Select the Continue button to proceed to the VPN Crypto Map screen.
  22. Review the following before determining whether to add or modify a crypto map configuration:
    Sequence: Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface, based on the sequence number (from 1 - 1,000).
    IP Firewall Rules: Lists the IP firewall rules defined for each displayed crypto map configuration. Each firewall policy contains a unique set of access/deny permissions applied to the VPN tunnel and its peer connection.
    IPSec Transform Set: Displays the transform set (encryption and hash algorithms) applied to each listed crypto map configuration. Thus, each crypto map can be customized with its own data protection and peer authentication schemes.
  23. If requiring a new crypto map configuration, select the Add button. If updating the configuration of an existing crypto map, select it from amongst those available and select the Edit button.
  24. Define the following parameters to set the crypto map configuration:
    Sequence: Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface, based on this selected sequence number (from 1 - 1,000).
    Type: Define the site-to-site-manual, site-to-site-auto or remote VPN configuration type for each listed crypto map configuration.
    IP Firewall Rules: Use the drop-down menu to select the access list (ACL) used to protect IPSec VPN traffic. New access/deny rules can be defined for the crypto map by selecting the Create icon, or an existing set of firewall rules can be modified by selecting the Edit icon.
    IPSec Transform Set: Select the transform set (encryption and hash algorithms) to apply to this crypto map configuration.
    Mode: Use the drop-down menu to define which mode (pull or push) is used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push.
    Local End Point: Select this option to define an IP address as a local tunnel end-point address. This setting represents an alternative to an interface IP address.
    Perfect Forward Secrecy (PFS): PFS is a property of the key-establishment protocol used to secure VPN communications. If one encryption key is compromised, only data encrypted by that specific key is compromised. For PFS to exist, the key used to protect data transmissions must not be used to derive any additional keys. Options include None, 2, 5 and 14. The default setting is None.
    Lifetime (KB): Select this option to define a connection volume lifetime (in kilobytes) for the duration of an IPSec VPN security association. Once the set volume is exceeded, the association is timed out. Use the spinner control to set the volume from 500 - 2,147,483,646 kilobytes.
    Lifetime (seconds): Select this option to define a lifetime (in seconds) for the duration of an IPSec VPN security association. Once the set value is exceeded, the association is timed out. The available range is from 120 - 86,400 seconds. The default setting is 120 seconds.
    Protocol: Select the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH. The default setting is ESP.
    Remote VPN Type: Define the remote VPN type as either None or XAuth. XAuth (extended authentication) provides additional authentication validation by permitting an edge device to request extended authentication information from an IPSec host. This forces the host to respond with additional authentication credentials. The edge device responds with a failed or passed message. The default setting is XAuth.
    Manual Peer IP: Select this option to define the IP address of an additional encryption/decryption peer.
    Time Out: Select this option to set the IPSec SA time out value. Use the textbox and the drop-down list to configure the time out duration.
    Enable NAT after IPSec: Select this option to enable NAT after IPSec. Enable this if there are NATted networks behind VPN tunnels.
  25. Select OK to save the updates made to the Crypto Map Entry screen. Selecting Reset reverts the screen to its last saved setting.
  26. Select Remote VPN Server.
    Use this screen to define the server resources used to secure (authenticate) a remote VPN connection with a target peer.
  27. Select either the IKEv1 or IKEv2 radio button to enforce peer key exchanges over the remote VPN server using either IKEv1 or IKEv2.
    IKEv2 provides improvements from the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments. The appearance of the screen differs depending on the selected IKE mode.
  28. Set the following IKEv1 or IKEv2 settings:
    Authentication Method: Use the drop-down menu to specify the authentication method used to validate the credentials of the remote VPN client. Options include Local (on-board RADIUS resource, if supported) and RADIUS (designated external RADIUS resource). If selecting Local, select the + Add Row button and specify a User Name and Password for authenticating remote VPN client connections with the local RADIUS resource. The default setting is Local. AP6511 and AP6521 model access points do not have a local RADIUS resource and must use an external RADIUS server resource.
    AAA Policy: Select the AAA policy used with the remote VPN client. AAA policies define RADIUS authentication and accounting parameters. The access point can optionally use AAA server resources (when using RADIUS as the authentication method) to provide user database information and user authentication data.
  29. Refer to the Username Password Settings field and specify the username and password for validating RADIUS authentication.
  30. Refer to the Wins Server Settings field and specify primary and secondary server resources for validating RADIUS authentication requests on behalf of a remote VPN client. These external WINS server resources are available to validate RADIUS resource requests.
  31. Refer to the Name Server Settings field and specify primary and secondary server resources for validating RADIUS authentication requests on behalf of a remote VPN client. These external name server resources are available to validate RADIUS resource requests.
  32. Select the IP Local Pool option to define an IP address and mask for a virtual IP pool used to assign IP addresses to remote VPN clients.
  33. If using IKEv2, specify the following additional settings (required for IKEv2 only):
    DHCP Server Type: Specify whether the Dynamic Host Configuration Protocol (DHCP) server is specified as an IP address, Hostname (FQDN) or None (a different classification will be defined). DHCP allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network where they reside.
    DHCP Server: Depending on the DHCP server type selected, enter either the numerical IP address, hostname or other (if None is selected as the server type).
    IP Local Pool: Select this option to define an IP address and mask for a virtual IP pool used to assign IP addresses to remote VPN clients.
    Relay Agent IP Address: Select this option to define the DHCP relay agent IP address.
  34. Select OK to save the updates made to the Remote VPN Server screen. Selecting Reset reverts the screen to its last saved configuration.
  35. Select the Remote VPN Client tab.
    The Remote VPN Client screen provides options for configuring the remote VPN client.
  36. Refer to the following fields to define Remote VPN Client Configuration settings:
    Shutdown: Select this option to disable the remote VPN client. The default is disabled.
    Transform Set: Configure the transform set used to specify how traffic is protected within the crypto ACL defining the traffic that needs to be protected. Select the appropriate transform set from the drop-down menu or click the icon next to the drop-down menu to create a new transform set.
  37. Refer to the following fields to define the Remote VPN Client Peer list:
    IKEv2 Peer: Use the drop-down menu to select the remote IKEv2 peer. Use the icon next to the drop-down to create a new peer.
    Priority: Use the spinner to set the priority in which a remote peer is connected. The lower the number, the higher the priority.
  38. Set the following DHCP Peer Authentication settings:
    Auth Type: Use the drop-down menu to specify the DHCP peer authentication type. Options include PSK and rsa. The default setting is rsa.
    Key: Provide an 8 - 21 character shared key password for DHCP peer authentication.
  39. Set the following DHCP Peer Localid settings:
    Type: Select the DHCP peer local ID type. Options include string and autogenuniqueid. The default setting is string.
    Value: Set the DHCP peer local ID. The ID cannot exceed 128 characters.
  40. Select OK to save the updates made to the Remote VPN Client screen. Selecting Reset reverts the screen to its last saved configuration.
  41. Select the Global Settings tab.
    The Global Settings screen provides options for Dead Peer Detection (DPD). DPD represents the actions taken upon the detection of a dead peer within the IPSec VPN tunnel connection.
  42. Refer to the following fields to define IPSec security, lifetime and authentication settings:
    df bit: Select the DF bit handling technique used for the ESP encapsulating header. Options include clear, set and copy. The default setting is copy.
    IPsec Lifetime (kb): Set a connection volume lifetime (in kilobytes) for the duration of an IPSec VPN security association. Once the set volume is exceeded, the association is timed out. Use the spinner control to set the volume from 500 - 2,147,483,646 kilobytes. The default setting is 4,608,000 kilobytes.
    IPsec Lifetime (seconds): Set a lifetime (in seconds) for the duration of an IPSec VPN security association. Once the set value is exceeded, the association is timed out. Options include Seconds (120 - 86,400), Minutes (2 - 1,440), Hours (1 - 24) or Days (1). The default setting is 3,600 seconds.
    Plain Text Deny: Select global or interface to set the scope of the ACL. The default setting is global, expanding the rules of the ACL beyond just the interface.
    Enable IKE UniqueIds: Select this option to initiate a unique ID check. This is disabled by default.
  43. Define the following IKE Dead Peer Detection settings:
    DPD Keep Alive: Define the interval (or frequency) of IKE keep alive messages for dead peer detection. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 30 seconds.
    DPD Retries: Use the spinner control to define the number of keep alive messages sent to an IPSec VPN client before the tunnel connection is defined as dead. The available range is from 1 - 100. The default number of messages is 5.
    NAT Keep Alive: Define the interval (or frequency) of NAT keep alive messages for dead peer detection. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 20 seconds.
    Cookie Challenge Threshold: Use the spinner control to define the threshold (1 - 100) that, when exceeded, enables the cookie challenge mechanism.
    Crypto NAT Pool: Use the drop-down menu to select the NAT pool for internal source NAT for IPSec tunnels.
  44. Select OK to save the updates made to the Global Settings screen. Selecting Reset reverts the screen to its last saved configuration.
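The value ranges and algorithm choices given above for the IKE Policy, Peer Configuration, Transform Set and Crypto Map screens, checked by an added example that is not part of the product or this guide: it audits a profile description before the settings are committed and reports out-of-range values and weak selections. The profile dictionary layout, its key names, the WEAK table and the DPD timing estimate are assumptions made for illustration.

```python
"""Audit an IPSec VPN profile against the ranges and choices this section lists.
Added example, not the product's code; layout, key names and WEAK are assumptions."""

# Numeric ranges quoted in the parameter descriptions above.
RANGES = {
    "dpd_keep_alive_s": (10, 3600),    # DPD Keep Alive, in seconds
    "dpd_retries": (1, 100),           # DPD Retries
    "ike_lifetime_s": (600, 86400),    # IKE LifeTime, in seconds
    "sequence": (1, 1000),             # crypto map Sequence
    "lifetime_kb": (500, 2147483646),  # Lifetime (KB)
    "lifetime_s": (120, 86400),        # Lifetime (seconds)
}
PSK_LEN = (8, 21)  # Authentication Value length stated for pre-shared keys

# Selections the screens still offer that a hardened profile should avoid
# (assumption: general hardening guidance, not a recommendation of the guide).
WEAK = {
    "mode": {"Aggressive"},
    "dh_group": {2},
    "encryption": {"DES", "3DES"},
    "authentication": {"MD5", "HMAC-MD5"},
    "pfs": {"None"},
}

def dpd_dead_time_s(keep_alive_s, retries):
    """Approximate worst case (one keep alive per interval, 'retries' messages
    sent) before a silent peer is declared dead; assumption, not a guide figure."""
    return keep_alive_s * retries

def audit_profile(profile):
    """Return a list of findings for a profile dict; an empty list means clean."""
    findings = []
    for section in ("ike_policy", "ike_peer", "transform_set", "crypto_map"):
        values = profile.get(section, {})
        for key, (lo, hi) in RANGES.items():
            if key in values and not lo <= values[key] <= hi:
                findings.append(f"{section}.{key}={values[key]} outside {lo}-{hi}")
        for key, bad in WEAK.items():
            if key in values and values[key] in bad:
                findings.append(f"{section}.{key}={values[key]} is a weak choice")
    peer = profile.get("peer", {})
    if peer.get("authentication_type") == "PSK":
        n = len(peer.get("authentication_value", ""))
        if not PSK_LEN[0] <= n <= PSK_LEN[1]:
            findings.append(f"peer.authentication_value length {n} outside 8-21")
    # Tunnel mode is for site-to-site and Transport for remote VPN (step 16).
    ts_mode = profile.get("transform_set", {}).get("mode")
    cm_type = profile.get("crypto_map", {}).get("type", "")
    if cm_type.startswith("site-to-site") and ts_mode == "Transport":
        findings.append("crypto_map.type site-to-site with Transport transform set")
    return findings

# Constructed sample: the weakest selections the screens allow.
WEAK_PROFILE = {
    "ike_policy": {"mode": "Aggressive", "dpd_keep_alive_s": 30,
                   "dpd_retries": 5, "ike_lifetime_s": 86400},
    "ike_peer": {"dh_group": 2, "encryption": "3DES", "authentication": "MD5"},
    "peer": {"authentication_type": "PSK", "authentication_value": "short"},
    "transform_set": {"authentication": "HMAC-MD5", "encryption": "DES",
                      "mode": "Transport"},
    "crypto_map": {"type": "site-to-site-auto", "sequence": 10, "pfs": "None",
                   "lifetime_kb": 4608000, "lifetime_s": 3600},
}
# The same profile with the stronger options offered on the same screens.
HARDENED_PROFILE = {
    "ike_policy": {"mode": "Main", "dpd_keep_alive_s": 30,
                   "dpd_retries": 5, "ike_lifetime_s": 28800},
    "ike_peer": {"dh_group": 14, "encryption": "AES-256",
                 "authentication": "SHA256"},
    "peer": {"authentication_type": "RSA"},
    "transform_set": {"authentication": "HMAC-SHA", "encryption": "AES-256",
                      "mode": "Tunnel"},
    "crypto_map": {"type": "site-to-site-auto", "sequence": 10, "pfs": 14,
                   "lifetime_kb": 4608000, "lifetime_s": 3600},
}
```

Running audit_profile(WEAK_PROFILE) reports nine findings (Aggressive mode, DH group 2, 3DES/MD5, DES/HMAC-MD5, PFS None, a 5-character PSK, and a Transport transform set on a site-to-site map), while the hardened profile returns an empty list.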