Defining Profile VPN Settings

IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators define which packets are sent within the tunnel and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through that tunnel to its remote peer destination.

Tunnels are sets of SAs (security associations) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional, so one exists in each direction (inbound and outbound). SAs are established per the rules and conditions of the defined security protocol (AH or ESP).

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs, including transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec-protected traffic. One crypto map is used for each IPSec peer; for remote VPN deployments, however, a single crypto map is used for all the remote IPSec peers.

IKE (Internet Key Exchange) is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, enabling secure communications without time-consuming manual preconfiguration.

To define a profile's VPN settings:

  1. Select Configuration → Devices → System Profile.

    A list of profiles displays in the right-hand UI.

  2. Select a profile from the list.
    The profile configuration menu displays.
  3. Expand the Security menu and select VPN.
    The VPN configuration's IKE Policy screen displays by default.
    Figure: Profile Security - VPN IKE Policy Screen
  4. Select either IKEv1 or IKEv2 to set the key exchange version VPN peers must use.
    IKEv2 is recommended in most deployments. IKEv2 improves on the original IKEv1 design with, for example, improved cryptographic mechanisms, NAT and firewall traversal, and attack resistance.

    The appearance of the IKE Policy screens differs depending on whether IKEv1 or IKEv2 mode is selected.

  5. Refer to the following to determine whether an IKE Policy requires creation, modification, or removal:

    Name

    The 32-character maximum name assigned to the IKE policy.

    DPD Keep Alive

    Lists each policy's IKE keep alive message interval defined for IKE VPN tunnel dead peer detection.

    IKE LifeTime

    Displays each policy's lifetime for an IKE SA. The lifetime defines how long a connection (its encryption/authentication keys) lasts, from successful key negotiation to expiration. The two peers need not agree exactly on the lifetime; if they do not, the peer that defines the longer lifetime retains some clutter from the superseded connection.

    DPD Retries

    Lists each policy's maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer.

    Note:

    This option only appears when IKEv1 is selected.
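The DPD Keep Alive, DPD Retries and IKE LifeTime fields above interact in ways that are easier to see in a small model than in a table. The following is an added example written for this page, not controller or WiNG code: it simulates dead peer detection over a constructed response trace and models what happens to the SA table on each side when two peers are configured with different IKE lifetimes. The policy field names, the 32-character name limit check and all sample values are assumptions for illustration only.

```python
"""Model of three IKE policy fields: DPD Keep Alive, DPD Retries and IKE LifeTime.
Constructed illustration, not controller code; field names and sample values are
assumptions for this example."""
from dataclasses import dataclass
from typing import List, Optional

MAX_POLICY_NAME = 32  # the 32-character maximum stated for the Name field


@dataclass
class IkePolicy:
    name: str
    dpd_keepalive: int  # seconds between DPD keep-alive messages
    dpd_retries: int    # unanswered keep-alives before the peer is declared dead
    ike_lifetime: int   # seconds an IKE SA lives after successful negotiation


def validate(policy: IkePolicy) -> List[str]:
    """Return human-readable problems with a policy (empty list if none)."""
    problems = []
    if not policy.name or len(policy.name) > MAX_POLICY_NAME:
        problems.append(f"name must be 1..{MAX_POLICY_NAME} characters")
    for field_name in ("dpd_keepalive", "dpd_retries", "ike_lifetime"):
        if getattr(policy, field_name) < 1:
            problems.append(f"{field_name} must be positive")
    return problems


def worst_case_dpd_detection(policy: IkePolicy) -> int:
    """Seconds from the last answered probe until a silent peer is declared dead."""
    return policy.dpd_keepalive * policy.dpd_retries


def dpd_dead_at(policy: IkePolicy, answered: List[bool]) -> Optional[int]:
    """Simulate dead peer detection over a constructed trace.

    answered[i] is True if the peer responded to probe i. Probes are sent every
    dpd_keepalive seconds; a response resets the miss counter. Returns the time
    offset (seconds) at which the tunnel is declared dead, or None if the peer
    stayed alive for the whole trace.
    """
    missed = 0
    for i, ok in enumerate(answered):
        sent_at = (i + 1) * policy.dpd_keepalive
        if ok:
            missed = 0
            continue
        missed += 1
        if missed >= policy.dpd_retries:
            return sent_at
    return None


def live_sas(own_lifetime: int, rekey_interval: int, t: int) -> int:
    """SAs a peer still holds at time t when a fresh SA is negotiated every
    rekey_interval seconds and this peer drops an SA only when its own lifetime
    expires. Simplified model: no delete notifications between peers."""
    count = 0
    created = 0
    while created <= t:
        if t < created + own_lifetime:
            count += 1
        created += rekey_interval
    return count


def superseded_sas(lifetime_a: int, lifetime_b: int, t: int) -> dict:
    """Stale (superseded) SAs each peer holds at time t when the two peers are
    configured with different IKE lifetimes. The peer with the shorter lifetime
    drives rekeying; the other keeps old SAs until its own timer runs out."""
    rekey_interval = min(lifetime_a, lifetime_b)
    return {
        "peer_a": max(0, live_sas(lifetime_a, rekey_interval, t) - 1),
        "peer_b": max(0, live_sas(lifetime_b, rekey_interval, t) - 1),
    }


if __name__ == "__main__":
    policy = IkePolicy("branch-ikev2", dpd_keepalive=10, dpd_retries=3, ike_lifetime=3600)
    print(validate(policy))                                        # []
    print(worst_case_dpd_detection(policy))                        # 30
    print(dpd_dead_at(policy, [True, True, False, False, False]))  # 50
    print(dpd_dead_at(policy, [True, False, False, True, False]))  # None
    print(superseded_sas(3600, 86400, 7200))  # peer_b holds 2 stale SAs
    print(superseded_sas(3600, 3600, 7200))   # matching lifetimes: none
```

The last two calls show the "clutter" the IKE LifeTime description refers to: with lifetimes of one hour on one peer and one day on the other, the one-day peer has accumulated two superseded SAs after only two rekeys, while matching lifetimes leave neither side with stale state.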