Configure IPsec VPN Profiles
For supported software information, see the Supported Software Information section at the end of this article.
For staging and post-staging servers, you configure IPsec VPN profiles to define the properties of the IPsec and IKE tunnels between tenants (organizations) and SD-WAN network devices. For IKE, these properties include how often to regenerate the IKE key (rekey timer), the encryption transformations, and authentication and certificate information. For IPsec, these properties include the anti-replay detection, how often to regenerate the IPsec key (rekey timer), and the encryption transformations.
For a provider tenant, you configure a staging IPsec VPN profile for the IPsec/IKE tunnel that the tenant uses to communicate with the staging server. In a multitenant topology, the staging server IPsec VPN profile is associated with the parent organization.
For a provider or customer tenant, you configure a post-staging IPsec VPN profile for the IPsec/IKE tunnel that the tenant branch uses to connect, through a Controller node, with a Director node. The Director node uses this connection to deploy templates to the branch.
This article describes how to configure IPsec VPN profiles for staging and post-staging, to enable communication with the staging and post-staging servers.
In the configuration of IKE tunnels, you can configure preshared key (PSK) authentication for the tunnel. The PSK can contain letters, numbers, and some special characters. The following table lists the special characters that are and are not allowed in the PSK.
Special Character | Description | Allowed in PSK |
---|---|---|
" | Quotation mark | No |
> | Close angle bracket (greater-than sign) | No |
< | Open angle bracket (less-than sign) | No |
# | Hash (pound) sign (octothorpe) | No |
\ | Backslash | No |
{ | Open brace | No |
} | Close brace | No |
~ | Tilde | Yes |
! | Exclamation point (bang) | Yes |
$ | Dollar sign | Yes |
% | Percent sign | Yes |
^ | Circumflex (caret) | Yes |
& | Ampersand (and sign) | Yes |
* | Asterisk (star) | Yes |
( | Open parenthesis | Yes |
) | Close parenthesis | Yes |
_ | Underscore | Yes |
+ | Plus sign | Yes |
[ | Open bracket | Yes |
] | Close bracket | Yes |
\| | Vertical bar (pipe) | Yes |
: | Colon | Yes |
; | Semicolon | Yes |
? | Question mark | Yes |
` | Accent grave (backtick) | Yes |
' | Apostrophe (single quotation mark) | Yes |
- | Hyphen (dash) | Yes |
= | Equal sign | Yes |
, | Comma | Yes |
. | Period | Yes |
/ | Forward slash | Yes |
@ | At sign | Yes |
When you change IKE or IPsec configuration parameters, or when you renew or change a certificate, the change takes effect immediately, and the affected IPsec/IKE tunnel is torn down and re-established (that is, the tunnel flaps). For Releases 22.1.3 and later, certificate renewals or changes and changes to the following IKE and IPsec parameters are deferred instead, so the tunnel does not flap: the change takes effect only after the next IPsec/IKE security association (SA) negotiation or rekeying completes:
- IKE rekey time
- IKE dead-peer detection (DPD) timeout
- IKE fragmentation
- IPsec anti-replay
- IPsec fragmentation
- IPsec rekey time
- IPsec rekey volume
- IPsec keepalive timeout
To configure an IPsec VPN profile:
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Appliances in the left menu bar.
- Select a device name in the main panel. The view changes to Appliance view.
- Select an organization (tenant).
- Select the Configuration tab in the top menu bar.
- Select Services > IPsec > VPN Profiles in the left menu bar. The main pane displays the organizations associated with the Controller node.
- Click the Add icon. The Add IPsec VPN popup window displays. Select the upper General tab, and then enter information for the following field.
- VPN Profile Name
Enter a name for the VPN profile.
- Select the General tab below the VPN Profile Name field, and enter information for the following fields.
- VPN Type
Select a VPN type:
- Branch SD-WAN—Select for a post-staging IPsec VPN profile for a branch.
- Branch Staging SD-WAN—Select for a staging IPsec VPN profile for a branch.
- Controller SD-WAN—Select for a post-staging IPsec VPN profile for a Controller node.
- Controller Staging SD-WAN—Select for a staging IPsec VPN profile for a Controller node.
- Remote Access Client
- Remote Access Server—Currently, this option is not supported.
- Site to Site
- Tunnel Initiate
Select how creation of the child SA is initiated:
- Automatic—Initiate automatically.
- Responder Only—(For Releases 21.2.1 and later.) Do not initiate; respond only when the peer initiates.
- Traffic—Initiate when traffic is seen.
- Alarms (Group of Fields)
- IKE Authentication Failure
Click to generate an alarm when IKE authentication fails.
- IKE State Change
Click to generate an alarm when the IKE state changes.
- IPsec State Change
Click to generate an alarm when the IPsec state changes.
- Hardware Accelerator
Select the hardware accelerator to use:
- Any
- Nitrox
- None
- QAT
- Branch SD-WAN Profile
For a Branch SD-WAN VPN type, select the branch SD-WAN profile to associate with the VPN. For more information, see Configure a Branch SD-WAN Profile.
- Route Based
Click to select a VPN through which traffic is tunneled by performing a route lookup for a route that points to a tunnel interface. Enter information for the following fields:
- LEF Profile
Select a LEF profile to use for logging. Note that this field is not displayed if you select a Remote Access VPN type in the VPN Type field.
- Default Profile
Click to use the default LEF profile for logging. Note that this field is disabled if you select a profile in the LEF Profile field.
- RAS ID
For the VPN type Remote Access Server, enter the name identifier of the remote access server to associate with the VPN profile. Currently, this option is not supported.
- Tunnel Routing Instance
Select the tunnel routing instance to use to reach the staging server.
- Tunnel Interface
Select the tunnel interface to use to reach the staging server.
- Tunnel Payload Family
(For Releases 22.1.1 and later.) Select the tunnel payload family:
- IPv4 family
- IPv6 family
- IPv4 and IPv6 family
- Policy Based
Click to select a VPN through which traffic is tunneled based on rules or policies negotiated with the peer.
- Select the Local and Peer tab, and enter information for the following fields.
- Routing Instance
Select the routing instance through which the IPsec peer is reachable.
- Peer (Group of Fields)
Select one of the options to specify the peer FQDN, IP address, or hostname.
- Peer FQDN
Click to enter the peer FQDN by clicking the Add icon.
- Peer IP
Click to enter the peer IP address by clicking the Add icon.
- Peer Hostname
Click to enter the peer hostname.
- Local (Group of Fields)
Select one of the options to specify the local IP address, interface, or hostname.
- Local IP
Click to enter the local IP address.
- Local Interface
Click to select a local interface from the drop-down list.
- Hostname
Click to enter the local hostname.
- Interface List
Currently, this option is not supported.
- Select the Address Pool tab, and enter information for the following fields.
- Address From
Enter the lowest IPv4 or IPv6 address in the address pool.
- Address To
Enter the highest IPv4 or IPv6 address in the address pool.
- Mask
Enter the subnet mask for the tunnel IP address range, for example, 255.255.255.0.
- IPAM Address
(For Releases 22.1.3 and later.) Select the IP address of an IP address management (IPAM) service.
- Accessible Subnets
Click the Add icon, and enter the IPv4 or IPv6 addresses and subnet masks for the accessible subnets. Authenticated remote users can access the subnets specified in this address range.
- DNS (Group of Fields)
(For Releases 22.1.3 and later.)
- Server Name
Enter the name of the DNS server.
- Name Server IPv4/IPv6 Addresses
Click the Add icon, and then enter the IPv4 or IPv6 addresses of the DNS name servers. You can configure up to two DNS server IP addresses. These addresses are sent to remote access clients (RACs) during IKE negotiation for resolution of domain names.
- Domain Names
Click the Add icon, and enter the domain name for the DNS name server.
- Select the IKE tab, and enter information for the following fields.
- Version
Select v2.
- Fragment Size
(For Releases 22.1.1 and later.) Enter the maximum size of an IKE packet. IKE packets larger than this size are fragmented, and fragmented packets might be dropped by intermediate devices.
Range: 576 through 1280 bytes
Default: 576 bytes
- DPD Timeout
Enter how long to wait for traffic from the destination peer on the tunnel before sending a dead-peer-detection (DPD) request packet.
Range: 10 through 180 seconds
Default: 30 seconds
- Authentication Domain
Enter the name of the authentication domain.
- Revocation Check
Select the method to use to check for revoked certificates:
- None—Do not check for revoked certificates.
- OCSP—Use the Online Certificate Status Protocol.
- Rekey Time
Enter how often to regenerate the IKE key.
Range: 3600 through 28800 seconds (1 through 8 hours)
Default: 28800 seconds
- Transform & DH Group (Group of Fields)
- Multiple Transforms
Click to specify hash algorithms, encryption algorithms, and Diffie-Hellman groups. Every algorithm and group you list is offered to the peer and can be negotiated, so do not list a weak one alongside a strong one.
- Hash Algorithm
Click the Add icon, and select the hash algorithms to use:
- MD5—MD5 Message Digest Algorithm
- SHA-1—Secure Hash Algorithm 1 with 160-bit digest. This is the default.
- SHA-256—Secure Hash Algorithm 2 with 256-bit digest
- SHA-384—Secure Hash Algorithm 2 with 384-bit digest
- SHA-512—Secure Hash Algorithm 2 with 512-bit digest
Default: SHA-1
- Encryption Algorithm
Click the Add icon, and select the encryption algorithms to use:
- 3DES—Triple DES encryption algorithm
- AES 128—AES CBC encryption algorithm with 128-bit key. This is the default.
- AES 128-GCM—(For Releases 22.1.1 and later.) AES GCM encryption algorithm with 128-bit key. This algorithm is supported for IKEv2 only.
- AES 256—AES CBC encryption algorithm with 256-bit key
- AES 256-GCM—(For Releases 22.1.1 and later.) AES GCM encryption algorithm with 256-bit key. This algorithm is supported for IKEv2 only.
Default: AES 128
- DH Group
Click the Add icon, and select the Diffie-Hellman groups to use:
- Diffie-Hellman Group 1—768-bit modulus
- Diffie-Hellman Group 2—1024-bit modulus. This is the default.
- Diffie-Hellman Group 5—1536-bit modulus
- Diffie-Hellman Group 14—2048-bit modulus
- Diffie-Hellman Group 15—3072-bit modulus
- Diffie-Hellman Group 16—4096-bit modulus
- Diffie-Hellman Group 19—256-bit elliptic curve
- Diffie-Hellman Group 20—384-bit elliptic curve
- Diffie-Hellman Group 21—521-bit elliptic curve
- Diffie-Hellman Group 25—192-bit elliptic curve
- Diffie-Hellman Group 26—224-bit elliptic curve
- No PFS
Default: Diffie-Hellman Group 2—1024-bit modulus. Groups 1 and 2 (768-bit and 1024-bit modulus) are no longer considered strong enough for IKE; prefer Group 14 or larger, or Groups 19 through 21.
- Single Transform
Click to specify a single transform and Diffie-Hellman group.
- Transform
Select the transform type to use:
- 3DES encryption and MD5 hashing
- 3DES encryption and SHA-1 hashing
- AES 128-bit encryption and MD5 hashing
- AES 128-bit encryption and SHA-1 hashing
- AES 128-bit encryption and SHA-256 hashing
- AES 128-bit encryption and SHA-384 hashing
- AES 128-bit encryption and SHA-512 hashing
- AES 256-bit encryption and MD5 hashing
- AES 256-bit encryption and SHA-1 hashing
- AES 256-bit encryption and SHA-256 hashing
- AES 256-bit encryption and SHA-384 hashing
- AES 256-bit encryption and SHA-512 hashing
- DH Group
Select the Diffie-Hellman group to use:
- Diffie-Hellman Group 1—768-bit modulus
- Diffie-Hellman Group 2—1024-bit modulus
- Diffie-Hellman Group 5—1536-bit modulus
- Diffie-Hellman Group 14—2048-bit modulus
- Diffie-Hellman Group 15—3072-bit modulus
- Diffie-Hellman Group 16—4096-bit modulus
- Diffie-Hellman Group 19—256-bit elliptic curve
- Diffie-Hellman Group 20—384-bit elliptic curve
- Diffie-Hellman Group 21—521-bit elliptic curve
- Diffie-Hellman Group 25—192-bit elliptic curve
- Diffie-Hellman Group 26—224-bit elliptic curve
- No PFS
- Local Authentication (Group of Fields)
Select the local authentication type.
- Certificate
Use certificate authentication. This is the default authentication type. Enter information for the following fields:
- Certificate Domain—Select the domain to which the certificate applies:
- System
- Tenant
- Certificate Name (Required)—Select the certificate name.
- CA Chain (Required)—Select the CA chain.
- Provider Organization—Select the name of the provider organization.
- Identity Type—Select the type of identity to use for authentication:
- FQDN (default)
- IP
- Identity—If you select a value in the Identity Type field, enter the email address, FQDN, or IP address.
- PSK
Use a preshared key for authentication. Enter information for the following fields:
- Shared Key—Enter the preshared key (PSK) to use to create a tunnel. The PSK cannot include any of the special characters that the table earlier in this article lists as not allowed: " > < # \ { }.
- Identity Type—Select the type of identity to use for authentication:
- FQDN (default)
- IP
- Identity—Enter the email address, FQDN, or IP address.
- Peer Authentication (Group of Fields)
Select the authentication type for the peer.
- Certificate
Use certificate authentication. This is the default authentication type. Enter information for the following fields:
- Identity Type (Required)—Select the type of identity to use for authentication:
- FQDN (default)
- IP
- Identity (Required)—Enter the email address, FQDN, or IP address.
- EAP
Use the Extensible Authentication Protocol for authentication. Note that this option is available only when you select Remote Access Server in the VPN Type field in the General tab. Enter information for the following fields:
- EAP Type (Required)—Select the EAP type:
- MD5
- MSCHAPv2
- (For Releases 22.1.1 and later.) TLS
- Authentication Profile—Select an authentication profile to associate with EAP.
- PSK
Use a preshared key for authentication. Enter information for the following fields:
- Identity Type (Required)—Select the type of identity to use for authentication:
- FQDN (default)
- IP
- Identity (Required)—Enter the email address, FQDN, or IP address.
- Key (Required)—Enter the preshared key (PSK) to use to create a tunnel. The PSK cannot include any of the special characters that the table earlier in this article lists as not allowed: " > < # \ { }.
- Select the IPsec tab, and enter information for the following fields.
- Mode
Select Tunnel.
- Anti-replay
Select Enable to use anti-replay detection, which rejects ESP packets whose sequence numbers have already been received. Select Disable to not use anti-replay detection. Leave it enabled unless a peer cannot support it.
- Fragmentation
Select the fragmentation type:
- Prefragmentation
- Post-fragmentation
- Force-NAT-T Configuration
Select Enable to force the tunnel to use NAT traversal (NAT-T). Select Disable to not use NAT traversal.
- Hello Interval
(For Releases 22.1.1 and later.) Enter the hello interval timeout. Note that in previous releases, this field was called Keepalive Timeout.
Range: 3 through 30 seconds
- IPsec Rekey Time
Select the time units for how often to regenerate the IPsec key, and then enter the time interval:
- Hours
- Minutes
- Seconds
- IPsec Rekey Volume
Select the IPsec rekey volume units, in MB, GB, or TB, and then enter the amount of data that can be transmitted using a given IPsec key before the key is regenerated.
- Transform (Group of Fields)
- Multiple Transforms
Click to configure multiple transforms. Every hash algorithm, encryption algorithm, and PFS group you list is offered to the peer and can be negotiated.
- Hash Algorithm
Click the Add icon, and select the hash algorithms to use:
- MD5—MD5 Message Digest Algorithm
- SHA-1—Secure Hash Algorithm 1 with 160-bit digest. This is the default.
- SHA-256—Secure Hash Algorithm 2 with 256-bit digest
- SHA-384—Secure Hash Algorithm 2 with 384-bit digest
- SHA-512—Secure Hash Algorithm 2 with 512-bit digest
- XCBC—AES-XCBC-MAC (extended cipher block chaining MAC)
Default: SHA-1
- Encryption Algorithm
Click the Add icon, and select the encryption algorithms to use:
- 3DES—Triple DES encryption algorithm
- AES128—AES CBC encryption algorithm with 128-bit key
- AES128-CTR—AES counter mode encryption algorithm with 128-bit key
- AES128-GCM—AES GCM encryption algorithm with 128-bit key
- AES256—AES CBC encryption algorithm with 256-bit key
- AES256-GCM—AES GCM encryption algorithm with 256-bit key
- Null—No encryption (ESP provides integrity protection only)
- Perfect Forward Secrecy Group
Click the Add icon, and select the Diffie-Hellman groups to use for PFS:
- Diffie-Hellman Group 1—768-bit modulus
- Diffie-Hellman Group 2—1024-bit modulus
- Diffie-Hellman Group 5—1536-bit modulus
- Diffie-Hellman Group 14—2048-bit modulus
- Diffie-Hellman Group 15—3072-bit modulus
- Diffie-Hellman Group 16—4096-bit modulus
- Diffie-Hellman Group 19—256-bit elliptic curve
- Diffie-Hellman Group 20—384-bit elliptic curve
- Diffie-Hellman Group 21—521-bit elliptic curve
- No PFS. This is the default.
Default: No PFS
- Single Transform
Click to configure a single transform.
- Transform
Select the transform type to use:
- ESP-3DES-MD5
- ESP-3DES-SHA1
- ESP-AES128-CTR-SHA1
- ESP-AES128-CTR-XCBC
- ESP-AES128-GCM
- ESP-AES128-MD5
- ESP-AES128-SHA1
- ESP-AES128-SHA256
- ESP-AES128-SHA384
- ESP-AES128-SHA512
- ESP-AES256-GCM
- ESP-AES256-MD5
- ESP-AES256-SHA256
- ESP-AES256-SHA384
- ESP-AES256-SHA512
- ESP-NULL-MD5
Default: ESP-AES128-SHA1
- Perfect Forward Secrecy Group
Select the Diffie-Hellman group to use for PFS:
- Diffie-Hellman Group 1—768-bit modulus
- Diffie-Hellman Group 2—1024-bit modulus
- Diffie-Hellman Group 5—1536-bit modulus
- Diffie-Hellman Group 14—2048-bit modulus
- Diffie-Hellman Group 15—3072-bit modulus
- Diffie-Hellman Group 16—4096-bit modulus
- Diffie-Hellman Group 19—256-bit elliptic curve
- Diffie-Hellman Group 20—384-bit elliptic curve
- Diffie-Hellman Group 21—521-bit elliptic curve
- Diffie-Hellman Group 25—192-bit elliptic curve
- Diffie-Hellman Group 26—224-bit elliptic curve
- No PFS. This is the default.
Default: No PFS
- Click OK.
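The defaults documented on the IKE and IPsec tabs (SHA-1, DH group 2, No PFS) are among the weakest options offered. As an added example that is not part of the article or the product, the following Python lint expresses a profile as a dict of the tab fields and flags the choices that RFC 8247 (IKEv2) and RFC 8221 (ESP) deprecate. The two sample profiles are constructed from the article's own option lists; the weak/strong classification is the editor's.

```python
# Weak choices among the options the IKE and IPsec tabs offer. Classification
# follows RFC 8247 (IKEv2) and RFC 8221 (ESP); it is the editor's, not the product's.
WEAK_HASH = {"MD5", "SHA-1"}
WEAK_ENCRYPTION = {"3DES", "Null"}
WEAK_DH_GROUPS = {1, 2, 5, 25, 26}   # 768/1024/1536-bit MODP, 192/224-bit EC

# Constructed profile: the article's documented defaults written out as fields.
DEFAULT_PROFILE = {
    "name": "branch-staging-default",
    "ike": {"version": "v2", "hash": ["SHA-1"], "encryption": ["AES 128"],
            "dh_groups": [2], "rekey_seconds": 28800},
    "ipsec": {"hash": ["SHA-1"], "encryption": ["AES128"],
              "pfs_groups": [], "anti_replay": True},   # [] means No PFS
}

# Constructed profile: a hardened choice built only from options the tabs offer.
HARDENED_PROFILE = {
    "name": "branch-staging-hardened",
    "ike": {"version": "v2", "hash": ["SHA-256"], "encryption": ["AES 256-GCM"],
            "dh_groups": [14, 19], "rekey_seconds": 3600},
    "ipsec": {"hash": ["SHA-256"], "encryption": ["AES256-GCM"],
              "pfs_groups": [14, 19], "anti_replay": True},
}


def lint_profile(profile: dict) -> list[str]:
    """Return the weak settings found in one profile; an empty list means clean.

    With Multiple Transforms every listed algorithm stays negotiable, so a weak
    entry is a finding even when a strong one is listed beside it.
    """
    name, ike, ipsec = profile["name"], profile["ike"], profile["ipsec"]
    findings = []
    if ike.get("version") != "v2":
        findings.append(f"{name}: IKE version must be v2")
    for alg in sorted(set(ike["hash"]) & WEAK_HASH):
        findings.append(f"{name}: IKE hash {alg} is deprecated")
    for alg in sorted(set(ike["encryption"]) & WEAK_ENCRYPTION):
        findings.append(f"{name}: IKE encryption {alg} is deprecated")
    for grp in sorted(set(ike["dh_groups"]) & WEAK_DH_GROUPS):
        findings.append(f"{name}: IKE DH group {grp} is too weak")
    if not ipsec.get("anti_replay", True):
        findings.append(f"{name}: IPsec anti-replay is disabled")
    for alg in sorted(set(ipsec["hash"]) & WEAK_HASH):
        findings.append(f"{name}: IPsec hash {alg} is deprecated")
    for alg in sorted(set(ipsec["encryption"]) & WEAK_ENCRYPTION):
        findings.append(f"{name}: IPsec encryption {alg} is deprecated")
    if not ipsec["pfs_groups"]:
        # Without PFS the child SA keys are derived from the IKE SA keying
        # material alone, so compromise of the IKE SA exposes every child SA.
        findings.append(f"{name}: No PFS selected; child SA keys derive from the IKE SA only")
    for grp in sorted(set(ipsec["pfs_groups"]) & WEAK_DH_GROUPS):
        findings.append(f"{name}: IPsec PFS group {grp} is too weak")
    return findings


def lint_many(profiles) -> dict[str, list[str]]:
    """Lint several profiles and key the findings by profile name."""
    return {p["name"]: lint_profile(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in lint_many([DEFAULT_PROFILE, HARDENED_PROFILE]).items():
        print(name, "clean" if not findings else "")
        for item in findings:
            print("  -", item)
```

Running the lint on an exported set of profiles (for example, one dict per profile read from JSON) turns the option lists on the tabs into a repeatable review step rather than a manual read-through.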
Supported Software Information
Releases 20.2 and later support all content described in this article, except:
- Release 22.1.1 adds support for the Fragment Size field for IKE, the Tunnel Payload Family field, the Hello Interval field (previously Keepalive Timeout), and TLS as an EAP type; allows you to configure AES 128-GCM and AES 256-GCM encryption for IKE.
- In Release 22.1.3, when you change certain IPsec and IKE configuration parameters (listed earlier in this article) or when a certificate is renewed, the affected IPsec/IKE tunnel is not torn down; adds the IPAM Address and DNS fields when configuring address pools.