LAN and Intranet IPSec tunnel Configuration

IPsec is a common encryption protocol for IP communications. It has the capability to use multiple types of encryption for data confidentiality as well as multiple hash algorithms to ensure data integrity. However, generally speaking, IPsec is a statically configured protocol and relies on other systems to negotiate security parameters. The most common protocol used is Internet Key Exchange (IKE). IKE negotiates one set of security parameters to secure its own information exchange, then negotiates an independent set of security parameters for the IPsec tunnel.

Access the IPSec configuration elements by selecting Advanced and then Connections. Use the plus symbol to add a new element and use the pencil marker symbol to edit an existing record.

The default value is Intranet.

IKE Settings

Version

The IKE version used to initiate the ISAKMP. Values:

• IKEv1 (default)
• IKEv2

Mode

Phase 1 parameter exchange in Main mode or Aggressive mode. Values:

• Main (default)
• Aggressive

Identity

Identity of the IKE interface. Values:

• Auto (default)—IP address for PSK authentication, Certificate DN for certificate authentication
• IP Address— IP address of the appliance from which IKE interacts.

Authentication

The mode in which peer can authenticate the appliance. Values:

• pre-shared key (default)
• certificate

Pre-shared Key

This field appears only if the authentication method is pre-shared key, this field is for secret key of the peer.

Certificate

This field appears only if the authentication method is certificate, an entry should be selected from any of the the pre-configured certificate name which appears in the drop down list. Values: select an entry from the drop down list menu.

Validate Peer Identity

Validate the identity of the peer, which can come in the form of IP or FQDN. Values: Check box not ticked (default).

DH Group

Supported DH groups in the appliance MUST select one from the drop down list. Values:

• Group 1 – (Modp768)
• Group 2 – (Modp1024) (default)
• Group 5 – (Modp1536)

Hash Algorithms

Supported hashing algorithms in the appliance MUST select one from the drop down list. Values:

• SHA1 (default)
• MD5
• SHA256

Encryption Mode

Encryption algorithms used for encryption in phase2 of ISAMKP. Values:

• AES 128-bit (default)
• AES 192-bit
• AES 256-bit

Integrity Algorithm

This field is specific to IKEv2 version. Values:

• SHA1 (default)
• MD5
• SHA256

Lifetime

Proposed IKE SA lifetime value in seconds for the IKE SA established during IKE phase 1 negotiation. Values:

• Min: 0
• Max: 86400
• Default: 3600

Lifetime Max

Maximum IKE SA lifetime accepted for IKE SA lifetime during IKE phase 1 negotiation. Values:

• Min: 0
• Max: 86400
• Default: 3600

DPD Timeout

Timer value in seconds when to send DPD message to peer. Values:

• Min: 0
• Max: 86400
• Default: 300

IPSec Settings

Tunnel Type

Type of IPsec child SAs that can be established in phase 2. Values:

• ESP (Encapsulating Security Payload) (default)
• ESP + Auth
• AH (Authentication Header)
• ESP - NULL

PFS Group

DH group exchange used for Perfect Forward Secrecy. Values:

• <None> (default)
• Group 1 (MODP768)
• Group 2 (MODP1024)
• Group 5 (MODP1536)

Encryption Mode

Encryption algorithms used in IPSec SAs. Values:

• AES 128-bit (default)
• AES 192-bit
• AES 256-bit

Lifetime

Proposed IPSec SA lifetime value in seconds for the IPSec SA established during IKE phase 2 negotiation. Values:

• Min: 0
• Max: 86400
• Default: 28800

Lifetime Max

Maximum IPSec SA lifetime accepted for IPSec SA lifetime during IKE phase 2 negotiation. Values:

• Min: 0
• Max: 86400
• Default: 3600

Lifetime (KB)

Amount of data , in kilo bytes for an IPSec SA to exist. Values:

• Min: 0
• Max: 4194303
• Default: 0

Network Mismatch Behavior

Choose an action to take if a packet does not match the IP Sec tunnel’s protected network. Values:

• Drop (default)
• Send unencrypted
• Use Non-IPSec Route

IPsec Protected Networks

The allowable set of IP addresses to use IPSec tunnels.

Source IP/Prefix

The source IP address which is allowed to use IPSec tunnels

Destination IP/Prefix

The destination IP address which is allowed to use IPSec tunnels

Certificate Configuration

In order to support IKE certificate authentication, an ability to define Identity and Trusted certificates will be created in the configuration editor. To add certificates, click Advanced, and then Sites, and then Certificates. Use the plus symbol to add a new element and use the pencil marker symbol to edit the existing records.

To create a new entry click on the plus symbol, enter a certificate name, and paste the public and private keys.

Add trusted certificates who signed the certificates of the appliance.

The trusted certificate name and public key should be entered here.

IPSec protected Conduits

For conduit scenario the IPSec SAs can be statically configured between two appliances, again for the establishment of IPSec tunnels IKE protocol is used. This section will allow users to configure the following information required for tunnel creation.

On selecting the check box for secure conduit user data with IPSec, there will be an option to select encapsulation type, encryption mode and the IPSec SA lifetime.

Tunnel Mode

Type of IPSec child SAs that can be established in phase 2. Values:

• ESP (default)
• ESP + Auth
• AH

Encryption Mode

Encryption algorithms used in IPSec SAs. Values:

• AES 128-bit
• AES 256-bit

Lifetime

Proposed IPSec SA life time in seconds for and IPSec SA during IKE phase 2 negotiation. Values:

• Min: 0
• Max: 86400
• Default: 28800

Dynamic Conduit IPSec

If there is no conduit configured between two sites CL1-E50 and CL2-E50 as shown in the below diagram, the data can be transferred between these two sites via WAN-to-WAN forwarding. The intermediate site (NCN-E100) must have WAN-to-WAN forwarding enabled. Traffic has to go through two hops to get to the destination site. This puts lots of burden on the intermediate site and there might be delay if the sites are in different geographical locations. The dynamic conduit feature can solve these problems as the dynamic conduits can be created on the fly when it is needed, and removed when it's no longer needed. There is a limitation on the maximum conduits can be configured per site based on the hardware type.

On NCN side, the check box enable WAN-to-WAN Forwarding should be enabled and also the Enable Site as Intermediate Node should be enabled.

The Dynamic IPSec has to be configured, it is under Global->Default Sets->Dynamic Conduit Default Sets.

The field Enable Dynamic Conduits under connections table should be enabled for each of the client nodes (APNAs) between whom dynamic conduits needs to be setup.

There shouldn’t be any static conduits configured between the client nodes for which dynamic conduits

Set the “Autopath Group” to “default_group"

Firewall

The Firewall is a way of applying a set of security policies during the route lookup processing phase. The Talari Firewall does connection tracking so that policies can block inbound traffic that is not a result of an outbound session initiation. The Firewall application is integrated so that it knows about the different services (Conduit, Intranet, Internet, Local vs WAN, Zones) that SDWAN provides. This allows the Firewall policies to reference services, which an external firewall device would not be able to do. An external firewall has no ability to look inside SDWAN’s encapsulated conduit traffic to apply policies, which the integrated inbuilt SDWAN Firewall can do.