Versa Networks

Configure IPsec VPN Profiles

For supported software information, see the Supported Software Information section at the end of this article.

For staging and post-staging servers, you configure IPsec VPN profiles to define the properties of the IPsec and IKE tunnels between tenants (organizations) and SD-WAN network devices. For IKE, these properties include how often to regenerate the IKE key (rekey timer), the encryption transformations, and authentication and certificate information. For IPsec, these properties include the anti-replay detection, how often to regenerate the IPsec key (rekey timer), and the encryption transformations.

For a provider tenant, you configure a staging IPsec VPN profile for the IPsec/IKE tunnel that the tenant uses to communicate with the staging server. In a multitenant topology, the staging server IPsec VPN profile is associated with the parent organization.

For a provider or customer tenant, you configure a post-staging IPsec VPN profile for the IPsec/IKE tunnel that the tenant branch uses to connect, through a Controller node, with a Director node. The Director node uses this connection to deploy templates to the branch.

This article describes how to configure the IPsec VPN profiles used for staging and post-staging, to enable communication with the staging and post-staging servers.

In the configuration of IKE tunnels, you can configure preshared key (PSK) authentication for the tunnel. The PSK can contain letters, numbers, and some special characters. The following table lists the special characters that are and are not allowed in the PSK.

Special Character Description Allowed in PSK
" Quotation mark No
> Close angle bracket (greater-than sign) No
< Open angle bracket (less-than sign) No
# Hash (pound) sign (octothorpe) No
\ Backslash No
{ Open brace No
} Close brace No
~ Tilde Yes
! Exclamation point (bang) Yes
$ Dollar sign Yes
% Percent sign Yes
^ Circumflex (caret) Yes

& Ampersand (and sign) Yes
* Asterisk (star) Yes
( Open parenthesis Yes
) Close parenthesis Yes
_ Underscore Yes
+ Plus sign Yes
[ Open bracket Yes
] Close bracket Yes
| Vertical bar (pipe) Yes
: Colon Yes
; Semicolon Yes
? Question mark Yes
` Accent grave (backward tick) Yes
' Apostrophe (single quotation mark) Yes
- Hyphen (dash) Yes
= Equal sign Yes
, Comma Yes
. Period Yes
/ Forward slash Yes
@ At sign Yes

When you change the IKE or IPsec configuration parameters, or when you renew or change a certificate, the changes take effect immediately, and as a result the affected IPsec/IKE tunnel is torn down (that is, the tunnel flaps). For Releases 22.1.3 and later, when you renew or change certificates or when you change certain IKE and IPsec parameters, the change is deferred. For the following parameters, the changes take effect only after the IPsec/IKE security association (SA) negotiation or rekeying completes:

  • IKE rekey time
  • IKE dead-peer detection (DPD) timeout
  • IKE fragmentation
  • IPsec anti-replay
  • IPsec fragmentation
  • IPsec rekey time
  • IPsec rekey volume
  • IPsec keepalive timeout

To configure an IPsec VPN profile:

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
    4. Select an organization (tenant).
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > IPsec > VPN Profiles in the left menu bar. The main pane displays the organizations associated with the Controller node.

  4. Click the Add icon. The Add IPsec VPN popup window displays. Select the upper General tab, and then enter information for the following field.

    Field Description
    VPN Profile Name Enter a name for the VPN profile.
  5. Select the General tab below the VPN Profile Name field, and enter information for the following fields.
     
    Field Description
    VPN Type

    Select a VPN type:

    • Branch SD-WAN—Select for a post-staging IPsec VPN profile for a branch.
    • Branch Staging SD-WAN—Select for a staging IPsec VPN profile for a branch.
    • Controller SD-WAN—Select for a post-staging IPsec VPN profile for a Controller node.
    • Controller Staging SD-WAN—Select for a staging IPsec VPN profile for a Controller node.
    • Remote Access Client
    • Remote Access Server—Currently, this option is not supported.
    • Site to Site
    Tunnel Initiate

    Select how to initiate creation of the child SA:

    • Automatic—Initiate automatically.
    • Responder Only—(For Releases 21.2.1 and later.) Initiate for responder.
    • Traffic—Initiate when traffic is seen.
    Alarms (Group of Fields)
    • IKE Authentication Failure
    Click to generate an alarm when IKE authentication fails.
    • IKE State Change
    Click to generate an alarm when the IKE state changes.
    • IPsec State Change
    Click to generate an alarm when the IPsec state changes.
    Hardware Accelerator

    Select the hardware accelerator to use:

    • Any
    • Nitrox
    • None
    • QAT
    Branch SD-WAN Profile For a Branch SD-WAN VPN type, select the branch SD-WAN profile to associate with the VPN. For more information, see Configure a Branch SD-WAN Profile.
    Route Based

    Click to select a VPN through which traffic is tunneled by performing a route lookup for a route that points to a tunnel interface.

    • LEF Profile
    Select a LEF profile to use for logging. Note that this field is not displayed if you select Remote Access Type in the VPN Type field.
    • Default Profile
    Click to use the default LEF profile for logging. Note that this field is disabled if you select a profile in the LEF Profile field.
    • RAS ID
    For the VPN type Remote Access Server, enter the name identifier of the remote access server to associate with the VPN profile. Currently, this option is not supported.
    • Tunnel Routing Instance
    Select the tunnel routing instance to use to reach the staging server.
    • Tunnel Interface
    Select the tunnel interface to use to reach the staging server.
    • Tunnel Payload Family

    (For Releases 22.1.1 and later.) Select the tunnel payload family:

    • IPv4 family
    • IPv6 family
    • IPv4 and IPv6 family
    Policy Based Click to select a VPN through which traffic is tunneled based on rules or policies negotiated with the peer.
  6. Select the Local and Peer tab, and enter information for the following fields.

    Field Description
    Routing Instance Select the routing instance through which the IPsec peer is reachable.
    Peer (Group of Fields) Select one of the options to specify peer FQDN, IP address, or hostname.
    • Peer FQDN
    Click to enter the peer FQDN by clicking the Add icon.
    • Peer IP
    Click to enter the peer IP address by clicking the Add icon.
    • Peer Hostname
    Click to enter the peer hostname.
    Local (Group of Fields) Select one of the options to specify local IP address, interface, or hostname.
    • Local IP
    Click to enter the local IP address.
    • Local Interface
    Click to select a local interface from the drop-down list.
    • Hostname
    Click to enter the local hostname.
    • Interface List
    Currently, this option is not supported.
  7. Select the Address Pool tab, and enter information for the following fields.

    Field Description
    Address From Enter the lowest IPv4 or IPv6 address in the address pool.
    Address To Enter the highest IPv4 or IPv6 address in the address pool.
    Mask Enter the subnet mask for the tunnel IP address range, for example, 255.255.255.0.
    IPAM Address (For Releases 22.1.3 and later.) Select the IP address of an IP address management (IPAM) service.
    Accessible Subnets Click the Add icon, and enter the IPv4 or IPv6 addresses and subnet masks for the accessible subnets. Authenticated remote users can access the subnets specified in this address range.
    DNS (Group of Fields) (For Releases 22.1.3 and later.)
    • Server Name
    Enter the name of the DNS server.
    • Name Server IPv4/IPv6 Addresses
    Click the Add icon, and then enter the IPv4 or IPv6 addresses of the DNS name servers. You can configure up to two DNS server IP addresses. These addresses are sent to remote access clients (RACs) during IKE negotiation for address resolution of the domain names.
    • Domain Names
    Click the Add icon, and enter the domain name of the DNS name server.
  8. Select the IKE tab, and enter information for the following fields.

    Field Description
    Version Select v2.
    Fragment Size

    (For Releases 22.1.1 and later.) Enter the maximum frame size for an IKE packet. Packets larger than this size are fragmented, and as a result they might be dropped.
    Range: 576 through 1280 bytes
    Default: 576 bytes

    DPD Timeout

    Enter how long to wait for traffic from the destination peer on the tunnel before sending a dead-peer-detection (DPD) request packet.

    Range: 10 through 180 seconds
    Default: 30 seconds

    Authentication Domain Enter the name of the authentication domain.
    Revocation Check

    Select the method to use to check for revoked certificates:

    • None—Do not check for revoked certificates.
    • OCSP—Use the Online Certificate Status Protocol.
    Rekey Time

    Enter how often to regenerate the IKE key.

    Range: 3600 through 28800 seconds (1 through 8 hours)
    Default: 28800 seconds

    Transform & DH Group (Group of Fields)

     
    • Multiple Transforms
    Click to specify hash algorithms, encryption algorithms, and Diffie-Hellman groups.
    • Hash Algorithm

    Click the Add icon, and select the hash algorithms to use:

    • MD5—MD5 Message Digest Algorithm
    • SHA-1—Secure Hash Algorithm 1 with 160-bit digest. This is the default.
    • SHA-256—Secure Hash Algorithm 2 with 256-bit digest
    • SHA-384—Secure Hash Algorithm 2 with 384-bit digest
    • SHA-512—Secure Hash Algorithm 2 with 512-bit digest

    Default: SHA-1

    • Encryption Algorithm
    Click the Add icon, and select the encryption algorithms to use:
    • 3DES—Triple DES encryption algorithm
    • AES 128—AES CBC encryption algorithm with 128-bit key. This is the default.
    • AES 128-GCM—(For Releases 22.1.1 and later.) AES Encryption Algorithm with 128-bit key. This algorithm is supported for IKEv2 only.
    • AES 256—AES CBC Encryption Algorithm with 256-bit key
    • AES 256-GCM—(For Releases 22.1.1 and later.) AES Encryption Algorithm with 256-bit key. This algorithm is supported for IKEv2 only.

    Default: AES 128

    • DH Group

    Click the Add icon, and select the Diffie-Hellman groups to use:

    • Diffie-Hellman Group 1—768-bit modulus
    • Diffie-Hellman Group 2—1024-bit modulus. This is the default.
    • Diffie-Hellman Group 5—1536-bit modulus
    • Diffie-Hellman Group 14—2048-bit modulus
    • Diffie-Hellman Group 15—3072-bit modulus
    • Diffie-Hellman Group 16—4096-bit modulus
    • Diffie-Hellman Group 19—256-bit elliptic curve
    • Diffie-Hellman Group 20—384-bit elliptic curve
    • Diffie-Hellman Group 21—521-bit elliptic curve
    • Diffie-Hellman Group 25—192-bit elliptic curve
    • Diffie-Hellman Group 26—224-bit elliptic curve
    • No PFS

    Default: Diffie-Hellman Group 2—1024-bit modulus

    • Single Transform
    Click to specify the transform and Diffie-Hellman group.
    • Transform

    Select the transform type to use:

    • 3DES encryption and MD5 hashing
    • 3DES encryption and SHA-1 hashing
    • AES 128-bit encryption and MD5 hashing
    • AES 128-bit encryption and SHA-1 hashing
    • AES 128-bit encryption and SHA-256 hashing
    • AES 128-bit encryption and SHA-384 hashing
    • AES 128-bit encryption and SHA-512 hashing
    • AES 256-bit encryption and MD5 hashing
    • AES 256-bit encryption and SHA-1 hashing
    • AES 256-bit encryption and SHA-256 hashing
    • AES 256-bit encryption and SHA-384 hashing
    • AES 256-bit encryption and SHA-512 hashing
    • DH Group

    Select the Diffie-Hellman group to use:

    • Diffie-Hellman Group 1—768-bit modulus
    • Diffie-Hellman Group 2—1024-bit modulus
    • Diffie-Hellman Group 5—1536-bit modulus
    • Diffie-Hellman Group 14—2048-bit modulus
    • Diffie-Hellman Group 15—3072-bit modulus
    • Diffie-Hellman Group 16—4096-bit modulus
    • Diffie-Hellman Group 19—256-bit elliptic curve
    • Diffie-Hellman Group 20—384-bit elliptic curve
    • Diffie-Hellman Group 21—521-bit elliptic curve
    • Diffie-Hellman Group 25—192-bit elliptic curve
    • Diffie-Hellman Group 26—224-bit elliptic curve
    • No PFS

    Local Authentication (Group of Fields)

    Select the local authentication type.
    • Certificate

    Use certificate authentication. This is the default authentication type. Enter information for the following fields:

    • Certificate Domain—Select the domain to which the certificate applies:
      • System
      • Tenant
    • Certificate Name (Required)—Select the certificate name.
    • CA Chain (Required)—Select the CA chain.
    • Provider Organization—Select the name of the provider organization.
    • Identity Type—Select the type of identity to use for authentication:
      • Email
      • FQDN (default)
      • IP
    • Identity—If you select a value in the Identity Type field, enter the email address, FQDN, or IP address.
    • PSK

    Use a preshared key for authentication. Enter information for the following fields:

    • Shared Key—Enter the preshared key (PSK) to use to create a tunnel. The PSK cannot include any of the following five special characters: " < > # /.
    • Identity Type—Select the type of identity to use for authentication:
      • Email
      • FQDN (default)
      • IP
    • Identity—Enter the email address, FQDN, or IP address.

    Peer Authentication (Group of Fields)

    Select the authentication type for the peer.
    • Certificate

    Use certificate authentication. This is the default authentication type. Enter information for the following fields: 

    • Identity Type (Required)—Select the type of identity to use for authentication:
      • Email
      • FQDN (default)
      • IP
    • Identity (Required)—Enter the email address, FQDN, or IP address.
    • EAP

    Use the Extensible Authentication Protocol for authentication. Note that this option is available only when you select Remote Access Server in the VPN Type field in the General tab. Enter information for the following fields:

    • EAP Type (Required)—Select the EAP type:
      • MD5
      • MSCHAPv2
      • (For Releases 22.1.1 and later.) TLS
    • Authentication Profile—Select an authentication profile to associate with EAP.
    • PSK

    Use a preshared key for authentication. Enter information for the following fields:

    • Identity Type (Required)—Select the type of identity to use for authentication:
      • Email
      • FQDN (default)
      • IP
    • Identity (Required)—Enter the email address, FQDN, or IP address.
    • Key (Required)—Enter the preshared key (PSK) to use to create a tunnel. The PSK cannot include any of the following five special characters: " < > # /.
  9. Select the IPsec tab and enter information for the following fields.

    Field Description
    Mode Select Tunnel.
    Anti-replay

    Select Enable to use anti-replay detection.

    Select Disable to not use anti-replay detection.

    Fragmentation

    Select the fragmentation type:

    • Prefragmentation
    • Post-fragmentation
    Force-NAT-T Configuration

    Select Enable to force the tunnel to use NAT traversal (NAT-T).

    Select Disable to not use NAT traversal.

    Hello Interval

    (For Releases 22.1.1 and later.) Enter the hello interval timeout. Note that in previous releases, this field was called Keepalive Timeout.

    Range: 3 through 30 seconds

    IPsec Rekey Time

    Select the time units for how often to regenerate the IPsec key, and then enter the time interval:

    • Hours
    • Minutes
    • Seconds
    IPsec Rekey Volume

    Select the IPsec rekey volume units, in MB, GB, or TB, and then enter a value for how much data can be transmitted using a given IPsec key.

    Transform (Group of Fields)
    • Multiple Transforms
    Click to configure multiple transforms.
    • Hash Algorithm

    Click the Add icon, and select the hash algorithms to use:

    • MD5—MD5 Message Digest Algorithm
    • SHA-1—Secure Hash Algorithm 1 with 160-bit digest. This is the default.
    • SHA-256—Secure Hash Algorithm 2 with 256-bit digest
    • SHA-384—Secure Hash Algorithm 2 with 384-bit digest
    • SHA-512—Secure Hash Algorithm 2 with 512-bit digest
    • XCBC—Extended Cipher Block Chaining

    Default: SHA-1

    • Encryption Algorithm

    Click the Add icon, and select the encryption algorithms to use:

    • 3DES—Triple DES encryption algorithm
    • AES128—AES CBC encryption algorithm with 128-bit key
    • AES128-CTR—AES counter mode encryption algorithm with 128-bit key
    • AES128-GCM—AES GCM encryption algorithm with 128-bit key
    • AES256—AES CBC encryption algorithm with 256-bit key
    • AES256-GCM—AES GCM encryption algorithm with 256-bit key
    • Null
    • Perfect Forward Secrecy Group

    Click the Add icon, and select the Diffie-Hellman groups to use for PFS:

    • Diffie-Hellman Group 1—768-bit modulus
    • Diffie-Hellman Group 2—1024-bit modulus
    • Diffie-Hellman Group 5—1536-bit modulus
    • Diffie-Hellman Group 14—2048-bit modulus
    • Diffie-Hellman Group 15—3072-bit modulus
    • Diffie-Hellman Group 16—4096-bit modulus
    • Diffie-Hellman Group 19—256-bit elliptic curve
    • Diffie-Hellman Group 20—384-bit elliptic curve
    • Diffie-Hellman Group 21—521-bit elliptic curve
    • No PFS. This is the default.

    Default: No PFS

    • Single Transform
    Click to configure a single transform.
    • Transform

    Select the transform type to use:

    • ESP-3DES-MD5
    • ESP-3DES-SHA1
    • ESP-AES128-CTR-SHA1
    • ESP-AES128-CTR-XCBC
    • ESP-AES128-GCM
    • ESP-AES128-MD5
    • ESP-AES128-SHA1
    • ESP-AES128-SHA256
    • ESP-AES128-SHA384
    • ESP-AES128-SHA512
    • ESP-AES256-GCM
    • ESP-AES256-MD5
    • ESP-AES256-SHA256
    • ESP-AES256-SHA384
    • ESP-AES256-SHA512
    • ESP-NULL-MD5

    Default: ESP-AES128-SHA1

    • Perfect Forward Secrecy Group

    Select the Diffie-Hellman group to use for PFS:

    • Diffie-Hellman Group 1—768-bit modulus
    • Diffie-Hellman Group 2—1024-bit modulus
    • Diffie-Hellman Group 5—1536-bit modulus
    • Diffie-Hellman Group 14—2048-bit modulus
    • Diffie-Hellman Group 15—3072-bit modulus
    • Diffie-Hellman Group 16—4096-bit modulus
    • Diffie-Hellman Group 19—256-bit elliptic curve
    • Diffie-Hellman Group 20—384-bit elliptic curve
    • Diffie-Hellman Group 21—521-bit elliptic curve
    • Diffie-Hellman Group 25—192-bit elliptic curve
    • Diffie-Hellman Group 26—224-bit elliptic curve
    • No PFS. This is the default.

    Default: No PFS

  10. Click OK.
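
The IKE and IPsec tabs above give numeric ranges, a list of algorithms of very different strength, and (together with the PSK table near the top of this article) rules for what a preshared key may contain. Before pushing a profile, it is worth checking it mechanically. The following linter is an added example, not Versa's code, API, or configuration schema: the profile is a plain dict whose key names are this example's own, chosen to mirror the UI labels. The numeric ranges, the PSK special-character table, and the rule that the GCM ciphers are IKEv2 only are taken from this article; the set of primitives flagged as weak is an assumed hardening policy that the article does not state. Note that the PSK table and the Shared Key / Key field descriptions list slightly different disallowed characters; the validator uses the table's list, so adjust PSK_FORBIDDEN to match the release you run.

```python
"""Lint an IPsec VPN profile against the rules on this page.

Added example; not Versa's code, API, or configuration schema. Profile keys
are assumed names that mirror the UI labels. Ranges, the PSK character table
and the "GCM is IKEv2 only" rule come from the page; WEAK is an assumed
hardening policy the page does not state.
"""
from __future__ import annotations

# Special characters that the PSK table on this page marks as not allowed.
PSK_FORBIDDEN = frozenset('"><#\\{}')

# (low, high) limits from the IKE and IPsec tabs; seconds unless noted.
RANGES = {
    ("ike", "fragment_size"): (576, 1280),  # bytes, Releases 22.1.1 and later
    ("ike", "dpd_timeout"): (10, 180),
    ("ike", "rekey_time"): (3600, 28800),
    ("ipsec", "hello_interval"): (3, 30),   # Releases 22.1.1 and later
}

# Assumed hardening policy: options the page offers that a new profile
# should avoid. "dh_group" covers the IKE DH group and the IPsec PFS group.
WEAK = {
    "hash": {"MD5", "SHA-1"},
    "encryption": {"3DES", "Null"},
    "dh_group": {"Group 1", "Group 2", "Group 5", "Group 25", "Group 26", "No PFS"},
}


def check_psk(psk: str) -> list[str]:
    """Findings for a preshared key, per the page's disallowed-character table."""
    findings = []
    if not psk:
        findings.append("psk: empty")
    bad = sorted(set(psk) & PSK_FORBIDDEN)
    if bad:
        findings.append("psk: disallowed character(s) " + " ".join(bad))
    return findings


def check_ranges(profile: dict) -> list[str]:
    """Flag numeric fields outside the ranges the page documents."""
    findings = []
    for (tab, field), (lo, hi) in RANGES.items():
        value = profile.get(tab, {}).get(field)
        if value is not None and not lo <= value <= hi:
            findings.append(f"{tab}.{field}={value} outside {lo}..{hi}")
    return findings


def check_algorithms(profile: dict) -> list[str]:
    """Flag weak primitives, GCM without IKEv2, and disabled anti-replay."""
    findings = []
    for tab in ("ike", "ipsec"):
        section = profile.get(tab, {})
        for kind in ("hash", "encryption", "dh_group"):
            for choice in section.get(kind, []):
                if choice in WEAK[kind]:
                    findings.append(f"{tab}.{kind}: weak choice {choice}")
    ike = profile.get("ike", {})
    if ike.get("version") != "v2":
        for alg in ike.get("encryption", []):
            if "GCM" in alg:
                findings.append(f"ike.encryption: {alg} requires IKE v2")
    if profile.get("ipsec", {}).get("anti_replay") == "Disable":
        findings.append("ipsec.anti_replay: disabled")
    return findings


def lint_profile(profile: dict) -> list[str]:
    """Run every check; an empty list means the profile passed."""
    findings = check_ranges(profile) + check_algorithms(profile)
    for auth_field in ("local_auth", "peer_auth"):
        auth = profile.get("ike", {}).get(auth_field, {})
        if auth.get("type") == "PSK":
            findings += check_psk(auth.get("key", ""))
    return findings


# Constructed sample profiles (not taken from the page): one that keeps the
# UI defaults and one hardened variant. Keys are this example's own names.
DEFAULTS_PROFILE = {
    "name": "branch-poststaging-defaults",
    "ike": {"version": "v2", "fragment_size": 576, "dpd_timeout": 30,
            "rekey_time": 28800, "hash": ["SHA-1"], "encryption": ["AES 128"],
            "dh_group": ["Group 2"],
            "local_auth": {"type": "PSK", "key": "example#key{1}"}},
    "ipsec": {"anti_replay": "Enable", "hello_interval": 10, "hash": ["SHA-1"],
              "encryption": ["AES128"], "dh_group": ["No PFS"]},
}
HARDENED_PROFILE = {
    "name": "branch-poststaging-hardened",
    "ike": {"version": "v2", "fragment_size": 1280, "dpd_timeout": 30,
            "rekey_time": 3600, "hash": ["SHA-256"], "encryption": ["AES 256-GCM"],
            "dh_group": ["Group 14", "Group 19"],
            "local_auth": {"type": "PSK", "key": "Str0ng~Key!with_allowed-chars"}},
    "ipsec": {"anti_replay": "Enable", "hello_interval": 10, "hash": ["SHA-256"],
              "encryption": ["AES256-GCM"], "dh_group": ["Group 14"]},
}

if __name__ == "__main__":
    for profile in (DEFAULTS_PROFILE, HARDENED_PROFILE):
        print(profile["name"], lint_profile(profile) or "OK")
```

Run as a script, the defaults profile produces five findings (SHA-1 on both tabs, DH Group 2, No PFS, and three disallowed PSK characters) while the hardened profile passes. The checks are deliberately split so that a deployment pipeline can run only the range checks, which the product enforces anyway, separately from the policy checks, which it does not.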

Supported Software Information

Releases 20.2 and later support all content described in this article, except:

  • Release 22.1.1 adds support for the Fragment Size field for IKE and allows you to configure AES 128-GCM and AES 256-GCM encryption for IKE.
  • Release 22.1.3 does not tear down the affected IPsec/IKE tunnel when you change IPsec and IKE configuration parameters or when a certificate is renewed, and adds the IPAM Address and DNS fields for configuring address pools.