VPN IKEv2 with Pre-Shared Key and Dynamic IP/FQDN

This method establishes a VPN tunnel to the Web Security Service (WSS) using IKEv2 with a fully qualified domain name (FQDN) as the IKE identity and a pre-shared key (PSK) for site-to-site authentication. It is appropriate if your network does not have a static public IP address, or if your VPN device sits behind a device that performs Network Address Translation (NAT). Symantec uses industry-standard strong encryption algorithms, including AES-256, to keep all traffic private as it passes to WSS. During configuration you specify an FQDN to identify your site and a pre-shared key for authentication; choose a pre-shared key that satisfies your company's compliance requirements. Both the FQDN and the pre-shared key can be changed from the WSS portal later, but a change causes the tunnel to re-establish. WSS does not resolve the FQDN: it is compared as an IKE identity string to match the incoming connection to your Location, not looked up in DNS.

Technical Requirements

This section provides a high-level set of technical requirements for this configuration.
  • Your organization has been provisioned with a WSS account. To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
  • If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
  • An understanding of how much user traffic routes to WSS. WSS is limited to 1 GBit/s of bandwidth per IPsec tunnel. This limit is global, except for the South Africa and China data centers, which are limited to 500 MBit/s. If you expect traffic to exceed the limit, plan your architecture to use an additional tunnel from an additional public IP address for each 1 GBit/s block of bandwidth. For example, a site that consumes 1800 MBit/s must use at least two IPsec tunnels, each connecting to WSS from a unique public IP address. If you are not sure how to configure your VPN device to split traffic in this way, contact support.
  • The following information is required to ensure a successful configuration:
    • The fully qualified domain name (FQDN) that identifies your site. Your VPN device sends it as its IKE Local Identifier, and it must match the FQDN Address entered for the Location in the portal.
    • The two closest data center IP addresses. All VPN configurations must include a primary and a secondary tunnel to WSS. If one data center connection becomes unavailable, your site traffic can be routed through the secondary tunnel to another data center. See Reference: WSS Data Center Ingress IPs for geographical IP address information.
    • A list of intranet destinations to exclude from the IPsec VPN tunnel(s). As a best practice, do not send intranet resources, such as email and internal web services, through the tunnel. Additionally, exclude the server where the Auth Connector is installed, because it makes a direct connection to WSS on TCP port 443. See Forward Specific User and Group Names to the Service.
    • Ensure that your IPsec VPN device supports Dead Peer Detection (DPD). DPD ensures that a failed connection is detected and the secondary tunnel is used.
      • If your VPN device supports IP SLA (Internet Protocol Service Level Agreement) as well as DPD, the best practice is to configure both to ensure maximum uptime.
    • Your network edge firewall is configured to permit the necessary traffic outbound for IPsec connections: TCP ports 80 and 443; UDP port 500 (IKE); and UDP port 4500 (IKE and ESP encapsulated in UDP for NAT traversal). For additional ports and URLs used in connections between your network and WSS, see Reference: Required Locations, Ports, and Protocols.

Procedure—Establish a VPN Connection

Create a Location in the Portal
First, create a Location in the WSS portal. A Location instructs WSS to accept incoming IKE connections that present your VPN device's FQDN as their identity.
  1. In the WSS portal, navigate to Connectivity > Locations.
  2. Click Add Location.
  3. Enter the Location and security information (Add Firewall/VPN FQDN Location dialog):
    1. The Name of the location. For example, the geo-physical location or office name.
    2. Select FQDN IKEv2 Firewall as the Access Method.
    3. Enter the FQDN Address that your VPN device will present as its IKE identity.
    4. Define the Pre-Shared Key used to authenticate the VPN tunnel from the router. The same value must be configured on the VPN device.
  4. Enter resource and location information (Firewall/VPN Location Information):
    1. Select the Estimated User range that will be sending web requests through this gateway interface. Symantec uses this information to ensure proper resources.
    2. (Optional) Select a Time Zone, fill out location information, and enter comments.
    3. (Optional) Complete the remaining Location information.
  5. Click Save.

Blueprint—Configure a VPN Connection to the WSS

If the vendor reference configurations linked later in this topic do not closely match your VPN device, use the following required configuration as the blueprint.
  1. Decide the version of IKE (IKEv1 or IKEv2) to use.
    Not all VPN devices support IKEv2. Verify that your device version supports IKEv2; the FQDN access method described in this topic requires it.
  2. IPsec VPN tunnel establishment has two phases, so the configuration is usually made up of two sets of settings.
    The terminology used for the two phases differs from vendor to vendor and by IKE version. Phase 1, ISAKMP, IKEv1, IKEv2, or IKE are common terms for the configuration of the IKE tunnel (the control connection). The IKE tunnel is then used to set up the IPsec tunnel through which the actual data is transferred; Phase 2, IPsec, or child SA are common terms for this second class of configuration.
  3. Define interesting traffic.
    Specify the traffic on your internal network to be encrypted and sent through the tunnel. In most cases, this is done with an access control list (ACL) that includes the data ports (typically TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.
  4. Configure the IKE Phase 1 details.
    The first phase of IKE establishes a secure connection over which further IKE exchanges happen. This phase authenticates the two endpoint devices to each other and is also used to negotiate the Phase 2 tunnel parameters. IKEv1 supports two modes for Phase 1, Main Mode and Aggressive Mode. WSS supports Main Mode only; Aggressive Mode is supported in certain circumstances, but only as directed by Symantec support personnel. IKEv2 has only one mode.
    IKE Phase 1 configuration includes the following parameters:
    • If using IKEv1, select Main Mode for configuration. IKEv2 has only one mode.
    • When asked to select Tunnel or Transport type/mode of connection, select Tunnel Mode.
    • Destination address.
      Set the VPN destination address to the WSS data center closest to your location. See Reference: WSS Data Center Ingress IPs for the list of data center addresses.
    • Internet Key Exchange (IKE) ID.
      IKE IDs are used by each VPN tunnel peer to identify itself to the other side. The Local Identifier is the identifier for your device, and the Remote Identifier is the identifier for the other side of the connection (the data center in this case). The names vary by device vendor.
      For the Local Identifier, select the FQDN identity type (ID_FQDN; some vendors label it hostname or domain name, which is distinct from the user FQDN or e-mail address type) and enter the FQDN Address you configured for the Location in the WSS portal, exactly as entered there. Do not use your public IP address: with this access method WSS matches the incoming connection to the Location by the FQDN identity, and a device behind NAT or on a dynamic address has no stable public IP to send.
      Set the Remote Identifier to the IP address of the connecting data center.
    • IKE Lifetime.
      This lifetime determines when the Phase 1 tunnel is renegotiated. The best practice is a value in hours; commonly used values are 12 and 24 hours. Many VPN devices expect the IKE lifetime in minutes or seconds, so consult your documentation to confirm the unit.
    • Pre-Shared Key (PSK).
      Define this as you did in the portal. If these values fail to match, the connection fails.
    • Encryption Algorithm Proposals
      A proposal specifies the encryption algorithm, the data integrity algorithm, and the strength of the Diffie-Hellman (DH) exchange (defined by the DH group). The Phase 1 initiator (your VPN device) sends a list of one or more such proposals during the IKE handshake, and WSS selects one that it supports from this list. The two sides thereby negotiate an encryption algorithm, an integrity algorithm, and a DH group that both support. After the handshake completes successfully, a Security Association (SA) that uses the agreed proposal is set up between the two sides.
      The following table lists the encryption algorithms, the data authentication mechanisms, and the DH groups supported by WSS.
    • Encryption Algorithm—This algorithm secures the data exchanged between your VPN device and WSS. The following values are supported.
    • Integrity Algorithms—These algorithms are used to enforce the integrity of the exchanged data.
    • Diffie-Hellman (DH) Exchange—Both ends use this exchange to derive matching shared secret keys that secure the tunnel between your VPN device and WSS. The following table provides the DH groups supported by WSS:
    • Dead Peer Detection (DPD)—Ensure this option is enabled. Set it to check every ten seconds with three retries. The following is a list of common vendor instructions to set DPD:
      Each VPN device vendor provides details specific to site-to-site VPN connections for its own devices. In some cases, the values provided here might not provide the best experience. If you experience issues with DPD on your tunnel connections with WSS, contact Symantec support.
    • IPsec Anti-Replay
      Anti-replay protects against an attacker capturing ESP packets and re-injecting them: each packet carries a sequence number, and the receiver keeps a sliding window of recently seen numbers and discards any packet that is a duplicate or falls outside the window. Legitimately reordered packets can also fall outside a small window, so some dropped and retransmitted traffic is expected. Set the window to a value that balances security against tolerance of reordering; the best practice is a window of 32.
  5. Configure the IKE Phase 2 Details
    • Phase 2 or IPsec Encryption Algorithm Proposals
      Similar to Phase 1 proposals, a Phase 2 proposal specifies the encryption algorithm, the data integrity algorithm, and the strength of the Diffie-Hellman (DH) exchange (defined by the DH group) for the IPsec tunnel through which the actual data protected by WSS is exchanged.
      For Phase 2, the protocol used for the IPsec encapsulation might need to be configured. The standard defines two protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH). WSS uses only ESP.
      The initiator of the Phase 2 handshake (your VPN device) sends a list of one or more such proposals during the handshake, and WSS selects one that it supports from this list. The two sides thus negotiate an encryption algorithm, a data integrity algorithm, and a DH group that both sides support. After the handshake completes successfully, an IPsec Security Association that uses this proposal is set up.
      The following table lists the encryption algorithms, the data authentication mechanisms, and the DH groups supported by WSS.
      Selecting a DH group for Phase 2 also enables Perfect Forward Secrecy (PFS) on many VPN devices.
    • Perfect Forward Secrecy
      PFS derives each Phase 2 key from a fresh DH exchange, so the compromise of one key (or of the Phase 1 keys) does not expose traffic protected by other keys. The best practice is to use PFS.
    • IPsec Lifetime
      The IPsec lifetime determines when the Phase 2 tunnel expires. The lifetime can be specified in terms of time and in terms of bytes or packets transferred; the best practice is to use time only. Configure the VPN device to establish a new tunnel with new encryption keys before the existing Phase 2 tunnel expires. This process is called re-keying.
      IKEv1 allows the lifetime to be negotiated between the two sides, and WSS will not expire a tunnel before the other side (your VPN device) does. For IKEv1, the configured time should be more than 1 hour (3600 seconds) and less than the Phase 1 lifetime; the best practice value is 4 hours.
      IKEv2 does not negotiate a lifetime; each side is free to select its own time to expire a tunnel. Currently, WSS uses 1 hour for its Phase 2 (IPsec) IKEv2 child SAs. For the IKEv2 FQDN method described in this topic, the best practice is therefore to configure your VPN device to re-key at 55 minutes, which ensures that the new child SA is in place before WSS expires the old one. Do not apply the 4-hour IKEv1 value here.
    • IPsec Anti-Replay
      Anti-replay is a property of the Phase 2 (ESP) SA: the receiver tracks ESP sequence numbers in a sliding window and drops duplicates and packets that fall outside the window, which defeats replay of captured packets. Legitimately reordered packets can also be dropped, so some retransmitted traffic is expected. The best practice is a window of 32; if your device reports replay-check drops under heavy reordering (for example, QoS queuing), review the window size before changing anything else.
    • Network Address Translation
      Do not apply source NAT to traffic entering the tunnel. Disabling NAT ensures that all traffic from your users reaches WSS with its original source IP address. If NAT is applied, users might not be authenticated, and policy rules keyed on internal addresses or subnets might not apply to traffic as expected.
    • NAT Traversal (NAT-T)
      If your VPN device is behind a NAT (the public IP address is not on the device but on an upstream router), enable NAT-T on the device so that IKE and ESP are carried over UDP port 4500, and keep the Local Identifier set to the FQDN configured in the portal rather than any IP address. Because the FQDN identity is independent of the source address, this access method also works when the upstream public IP address is dynamic. The restriction that only one VPN device can connect to WSS from behind a given public IP address applies only to the VPN PSK Static IP access method.
  6. Save the VPN configuration, and repeat this process to configure a secondary tunnel to the data center that is the next closest to your site.
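The blueprint above, together with the IKEv2 child SA expiry described under Known Issue later in this topic, expressed as a strongSwan swanctl.conf for a gateway that sits behind a NAT router. This is an added example written for this page, not Symantec's or strongSwan's reference configuration. The FQDN vpn-nyc.example.com, the addresses 192.0.2.10, 203.0.113.1 and 203.0.113.2, the subnets 10.0.0.0/16 and 10.0.100.0/24, the Auth Connector host 10.0.100.5, and the connection and child names are assumptions using documentation address ranges; the real data center ingress IPs come from Reference: WSS Data Center Ingress IPs and the PSK from the Location you created in the portal.

```conf
# swanctl.conf (strongSwan 5.9) -- added illustration of the blueprint; not
# Symantec's or strongSwan's reference configuration. Assumed values to replace:
#   vpn-nyc.example.com  FQDN entered as the Location's "FQDN Address" in the portal
#   192.0.2.10           this gateway; the public IP lives on the NAT router upstream
#   203.0.113.1 / .2     primary / secondary WSS data center ingress IPs (placeholders)
#   10.0.0.0/16          user subnet; 10.0.100.0/24 holds intranet servers and the
#                        Auth Connector host 10.0.100.5
connections {
    wss-primary {
        version = 2                         # IKEv2: a single mode, no Main/Aggressive
        local_addrs  = 192.0.2.10
        remote_addrs = 203.0.113.1
        encap = yes                         # force UDP 4500 encapsulation (NAT-T)
        proposals = aes256-sha256-modp2048  # Phase 1: AES-256, SHA-256, DH group 14
        rekey_time = 12h                    # IKE SA lifetime in hours, per the blueprint
        dpd_delay = 10s                     # DPD probe every 10 s; the retry count is
                                            # charon.retransmit_tries in strongswan.conf
        local {
            auth = psk
            id = @vpn-nyc.example.com       # "@" forces ID_FQDN: send the portal FQDN,
        }                                   # never the NAT router's public IP
        remote {
            auth = psk
            id = 203.0.113.1                # Remote Identifier = data center address
        }
        children {
            web {
                # Interesting traffic: user web ports only, not the whole subnet
                local_ts  = 10.0.0.0/16[tcp/80],10.0.0.0/16[tcp/443]
                remote_ts = 0.0.0.0/0[tcp/80],0.0.0.0/0[tcp/443]
                esp_proposals = aes256-sha256-modp2048   # ESP only; DH group gives PFS
                rekey_time = 55m            # WSS expires IKEv2 child SAs at 60 m (DP-310)
                life_time  = 60m            # rekey first, then let the old SA lapse
                replay_window = 32
                dpd_action = restart
                start_action = start
            }
        }
    }
    wss-secondary {
        # Same settings, second-closest data center. Kept down (start_action = none) so
        # its kernel policies do not shadow the primary's; failover logic brings it up
        # with `swanctl --initiate --child web-backup` when the primary's DPD fails.
        version = 2
        local_addrs  = 192.0.2.10
        remote_addrs = 203.0.113.2
        encap = yes
        proposals = aes256-sha256-modp2048
        rekey_time = 12h
        dpd_delay = 10s
        local {
            auth = psk
            id = @vpn-nyc.example.com
        }
        remote {
            auth = psk
            id = 203.0.113.2
        }
        children {
            web-backup {
                local_ts  = 10.0.0.0/16[tcp/80],10.0.0.0/16[tcp/443]
                remote_ts = 0.0.0.0/0[tcp/80],0.0.0.0/0[tcp/443]
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 55m
                life_time  = 60m
                replay_window = 32
                dpd_action = restart
                start_action = none
            }
        }
    }
    bypass {
        # Exclusions from the tunnel: "pass" policies installed as traps take precedence
        # over the tunnel policies above and involve no IKE peer.
        children {
            intranet {                      # users -> internal servers stay in the clear
                local_ts  = 10.0.0.0/16
                remote_ts = 10.0.100.0/24
                mode = pass
                start_action = trap
            }
            auth-connector {                # the Auth Connector host talks to WSS on 443
                local_ts  = 10.0.100.5/32   # directly and must never enter the tunnel
                remote_ts = 0.0.0.0/0
                mode = pass
                start_action = trap
            }
        }
    }
}
secrets {
    ike-wss {
        id-1 = @vpn-nyc.example.com
        secret = "REPLACE-WITH-THE-PORTAL-PRE-SHARED-KEY"  # must equal the portal value
    }
}
```

Load it with `swanctl --load-all`; `swanctl --list-sas` then shows the negotiated proposal and confirms that the local identity was sent as the FQDN. The three DPD retries the blueprint asks for are a global charon setting (`charon.retransmit_tries = 3` in strongswan.conf), not a per-connection one. If you would rather have charon fail over on its own, a single connection with `remote_addrs = 203.0.113.1,203.0.113.2` tries each address in turn on (re)initiation, at the cost of leaving the Remote Identifier unpinned (`remote.id` must then be omitted so either data center's identity is accepted).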

Helpful Tips

The following knowledge base articles cover information that can be useful in troubleshooting issues once the VPN is established.

VPN Device Reference Configurations

The following links provide example vendor device configurations. Use these as guidelines only. Symantec cannot guarantee the validity of third-party products and procedures. If you encounter configuration discrepancies, default to the best practices and configuration parameters provided by Symantec (in this topic). Per the SLA, Technical Support might not be able to provide guidance if you perform configurations outside of these recommendations.
VPN device vendors routinely change user interfaces. However, the required VPN-to-VPN settings rarely change.

Known Issue

  • IKEv2 tunnels.
    ISSUE:
    Child SAs (Phase 2 tunnels) from IKEv2 FQDN sites expire one hour after the time of creation.
    WORKAROUND:
    To ensure no loss of connectivity, configure firewalls to have child SA (or Phase 2) lifetime of less than an hour. This ensures that a new SA is in place before the old SA expires.
    (DP-310)
Vendor VPN Setup Instructions
Symantec cannot maintain testing of all vendor devices and versions. The Blueprint section earlier in this topic provides a configuration that is not specific to any device. If you require additional assistance, refer to the vendor's documentation for steps to configure and enable a VPN connection. The following links refer to the most prominent VPN vendor help pages.
