VPN IKEv2 with Pre-Shared Key and Dynamic IP/FQDN
This method establishes a VPN tunnel to connect to the Web Security Service using IKEv2 with a fully qualified domain name (FQDN) and a pre-shared key (PSK) for site-to-site authentication. This method is appropriate if your network does not have a static IP address or if your VPN tunnel is initiated behind a device that performs Network Address Translation (NAT).
Symantec uses industry-standard strong encryption algorithms, including AES-256, to ensure all traffic is kept private as it passes to WSS. During configuration, you specify an FQDN to identify your site and a pre-shared key for authentication. You can choose a pre-shared key that fits your company's compliance requirement. The FQDN and pre-shared key can be changed from the WSS portal if needed; however, a change results in the tunnel re-establishing.
WSS does not resolve the FQDN.
This section provides a high-level set of technical requirements for this configuration.
- Your organization has been provisioned with a WSS account. To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
- If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
- An understanding of how much user traffic routes to WSS. WSS is limited to 1 GBit/s of bandwidth per IPSec tunnel. This is global with the exception of the South Africa and China datacenters, which are limited to 500 MBit/s. If you expect traffic to exceed that, you must plan your architecture to use an additional tunnel from an additional public IP address for each 1 GBit/s block of bandwidth consumption. For example, if one of your sites consumes 1800 MBit/s of traffic, it must use at least two IPSec tunnels, each connecting to WSS from a unique public IP address. If you are not sure about how to configure your VPN device to split traffic in this way, contact support.
- The following information is required to ensure a successful configuration:
- Your network's fully qualified domain name (FQDN) for authentication.
- The two closest data center IP addresses. All VPN configurations must include a primary and secondary tunnel to WSS. If one data center connection becomes unavailable, your site traffic can be routed to a secondary tunnel to another data center. See Reference: WSS Data Center Ingress IPs for geographical IP address information.
- A list of intranet destinations to exclude from the IPsec VPN tunnel(s). For example, as a best practice do not send intranet resources, such as email and internal web services, through the tunnel. Additionally, exclude the server where the Auth Connector is installed from the tunnel, as it makes a direct connection to WSS through port 443. See Forward Specific User and Group Names to the Service.
- Ensure that your IPsec VPN device supports Dead Peer Detection (DPD). This feature ensures that if a connection fails, that failure is detected and the secondary tunnel is used.
- If your VPN device supports IPSLA (Internet Protocol Service Level Agreement) and DPD, the best practice is to configure both to ensure maximum uptime.
- Your network edge firewall is configured to permit the necessary traffic outbound for IPsec connections: ports 80/443; UDP port 500; and UDP port 4500. For additional ports and URLs used in connections between your network and WSS, see Reference: Required Locations, Ports, and Protocols.
Procedure—Establish a VPN Connection
Create a Location in the Portal
First, create a Location in the WSS portal. A Location instructs WSS to accept incoming connections from your VPN device's FQDN.
- In the WSS portal, navigate to Connectivity > Locations.
- Click Add Location.
- Enter the Location and security information.
- The Name of the location. For example, the geo-physical location or office name.
- Select FQDN IKEv2 Firewall as the Access Method.
- Enter the FQDN Address that you will use for authentication.
- Define the Pre-Shared Key used to authenticate the VPN tunnel from the router.
- Enter resource and location information.
- Select the Estimated User range that will be sending web requests through this gateway interface. Symantec uses this information to ensure proper resources.
- (Optional) Select a Time Zone, fill out location information, and enter comments.
- (Optional) Complete Location information.
Blueprint—Configure a VPN Connection to the WSS
If the example configurations in the previous section do not closely match your VPN device, refer to the following required configurations.
- Decide the version of IKE (IKEv1 or IKEv2) to use. Not all VPN devices support IKEv2. Verify that your device version supports IKEv2.
- IPSec VPN tunnel establishment has two phases, so the configuration is usually made up of two sets of settings. The terminology used for the two phases differs from vendor to vendor and also by IKE version. Phase 1, ISAKMP, IKEv1, IKEv2 or IKE are some of the common terms used for the configuration of the IKE tunnel (connection). The IKE tunnel is then used to set up the IPSec tunnel through which the actual data is transferred. Phase 2 and IPSec are some of the common terms used for that class of configuration.
- Define interesting traffic. The focus is to specify the traffic on your internal network to be encrypted and sent through the tunnel. In most cases, this is done with an access control list (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.
- Configure the IKE Phase 1 details. The first phase of IKE establishes a secure connection over which further IKE exchanges happen. This phase authenticates the endpoint devices of the tunnel to each other. Phase 1 is also used to negotiate Phase 2 tunnel parameters. IKEv1 supports two different modes for Phase 1—Main Mode and Aggressive Mode. WSS supports Main Mode only. Aggressive Mode is supported in certain circumstances, but only as directed by Symantec support personnel. IKEv2 has only one mode. IKE Phase 1 configuration includes the following parameters:
- If using IKEv1, select Main Mode for configuration. IKEv2 has only one mode.
- When asked to select Tunnel or Transport type/mode of connection, select Tunnel Mode.
- Destination address. Set the VPN destination address as the closest WSS Data Center to your location. The following article provides a list of data center addresses:
- Internet Key Exchange (IKE) ID. IKE IDs are used by each VPN tunnel peer to identify itself to the other side. There is a Local Identifier, which is the identifier for your device, and a Remote Identifier, which is the identifier for the other side of the connection (the Data Center in this case). The names might vary depending on your device vendor. In Local Identifier, enter the public IP address of your device. This is the IP address that is used to create the Location in the WSS portal. Set the Remote Identifier as the IP address of the connecting Data Center.
- IKE Lifetime. This lifetime determines when the Phase 1 tunnel is renegotiated. The best practice is to use hours. Commonly used values are 12 and 24 hours.
- Many VPN devices expect the IKE lifetime value to be specified in minutes. Consult your documentation to confirm.
- Pre-Shared Key (PSK). Define this as you did in the portal. If these values fail to match, the connection fails.
- Encryption Algorithm Proposals. A proposal specifies the encryption algorithm, the data integrity algorithm, and the strength of the Diffie-Hellman (DH) exchange (defined by the DH group). The Phase 1 initiator (your VPN device) sends a list of one or more such proposals during the IKE handshake, and WSS selects one that it supports from this list. The two sides thus negotiate an encryption algorithm, a data integrity algorithm, and a DH group that both support. After the handshake completes successfully, a Security Association (SA) is set up between the two sides using the agreed proposal. The following table lists the encryption algorithms, data authentication mechanisms, and DH groups supported by WSS.
- Encryption Algorithm—This encryption secures the data exchanged between your VPN device and WSS. The following values are supported.
- Integrity Algorithms. These algorithms are used to enforce the integrity of the exchanged data.
- Diffie-Hellman (DH) Exchange. This value is used by both ends to establish a matching shared secret that is used to secure the tunnel between your VPN device and WSS. The following table provides the DH groups supported by WSS:
- Dead Peer Detection (DPD)—Ensure this option is enabled. Set it to check every ten seconds with three retries. The following is a list of common vendor instructions to set DPD:
Each VPN device vendor provides details specific to site-to-site VPN connections pertinent only to their own devices. In some cases, the values provided here may not provide the best experience. If you experience issues with DPD on your tunnel connections with WSS, contact Symantec support.
- Cisco Router info for DPD—Cisco Routers DPD
- Cisco Community DPD Article—Cisco DPD Info
- Checkpoint DPD Info—Checkpoint KB on DPD
- Juniper DPD—Juniper DPD Info
- Palo Alto DPD—Palo Alto DPD KB
- Fortinet Fortigate DPD—Fortigate DPD
- If your manufacturer is not listed, consult their website or support team for assistance with this feature.
- IPsec Anti-Replay. This option protects against a man-in-the-middle attack by detecting packets that have been replayed (received more than once). If this occurs, the connection is broken and re-established. Some amount of re-transmitted traffic is expected, so it is important to set a value that balances security and flexibility. The best practice is to set the window to 32.
- Configure the IKE Phase 2 Details.
- Phase 2 or IPSec Encryption Algorithm Proposals. Similar to Phase 1 proposals, a Phase 2 proposal specifies the encryption algorithm, the data integrity algorithm and the strength of the Diffie-Hellman (DH) exchange (defined by the DH group) for the IPSec tunnel through which the actual data requiring protection by WSS is exchanged. For Phase 2, the protocol used for the IPSec encapsulation might need to be configured. The standard defines two protocols—Encapsulating Security Payload (ESP) and Authentication Header (AH). WSS uses only ESP. The initiator of the Phase 2 handshake (your VPN device) sends a list of one or more such proposals during the handshake, and WSS selects one that it supports from this list. The two sides thus negotiate an encryption algorithm, a data integrity algorithm, and a DH group that both support. After the handshake completes successfully, an IPSec Security Association that uses this proposal is set up. The following table lists the encryption algorithms, data authentication mechanisms, and DH groups supported by WSS. Selecting a DH group also enables Perfect Forward Secrecy (PFS) in many VPN devices.
- Perfect Forward Secrecy. Use of PFS increases security by limiting the impact of a compromised encryption key. The best practice is to use PFS.
- IPSec Lifetime. The IPSec lifetime determines when the Phase 2 tunnel expires. The lifetime can be specified both in terms of time and in terms of bytes or packets transferred. The best practice is to use time only. Configure the VPN devices to establish a new tunnel with new encryption keys before an existing Phase 2 tunnel expires. This process is called re-keying. The time configured should be more than 1 hour (3600 seconds) and less than the Phase 1 lifetime. The best practice value is 4 hours. IKEv1 allows the negotiation of a lifetime between the two sides; WSS will not expire a tunnel before the other side (your VPN device). IKEv2 does not allow negotiation of a lifetime, and each side is free to select its own time to expire a tunnel. Currently, WSS uses 1 hour for its Phase 2 (IPSec) IKEv2 tunnel. The best practice is to configure your VPN device to use a value of 55 minutes. This ensures that the tunnel re-keys before it expires.
- IPsec Anti-Replay. This option protects against a man-in-the-middle attack by detecting packets that have been replayed (received more than once). If this occurs, the connection is broken and re-established. Some amount of retransmitted traffic is expected. Set this to a value that balances security and flexibility. The best practice is to set the window to 32.
- Network Address Translation. Disabling this option ensures that all traffic from your users reaches WSS with its original source IP address. Failing to disable NAT can lead to users not being authenticated or to policy rules not applying to traffic as expected.
- NAT Traversal (NAT-T). If your VPN device is behind a NAT (the public IP address is not on the device, but on an upstream router), then one of the following configuration changes is required to make the tunnel work:
There can be only one VPN device behind this public IP connecting to WSS. This restriction applies only to this type of VPN connectivity (VPN PSK Static IP address).
- Enable NAT-T on the device, but configure the device to send the upstream public IP address as its Local Identifier.
- Disable NAT-T on the device (if this is supported).
- Save the VPN configuration, and repeat this process to configure a secondary tunnel to the data center that is the next closest to your site.
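The blueprint above, written out as a strongSwan swanctl.conf site-to-site definition so that every parameter the blueprint names (IKE version, tunnel mode, FQDN local identifier, PSK, Phase 1 and Phase 2 proposals, lifetimes, DPD, anti-replay window, interesting traffic, intranet exclusion, primary and secondary tunnel) can be seen in one place. This is an added example, not configuration from Symantec, the WSS documentation or any vendor; strongSwan is used only because it is a common open-source IKEv2 implementation that exposes each setting explicitly. Everything concrete in it is an assumption: the FQDN vpn.example.com, the data center addresses 203.0.113.10 and 203.0.113.20 (documentation-range placeholders, not WSS ingress IPs), the user subnet 10.10.0.0/16, the intranet subnet 10.20.0.0/16, and the cipher proposal aes256-sha256-modp2048. The WSS supported-algorithm tables are not reproduced on this page, so take the proposal and the data center addresses from the WSS portal and the referenced articles before deploying.

```conf
# Added example: strongSwan swanctl.conf for the IKEv2 FQDN/PSK blueprint.
# All addresses, subnets, names and the cipher proposal are assumptions.
connections {

    # Primary tunnel to the closest WSS data center.
    wss-primary {
        version = 2                        # IKEv2: no Main/Aggressive mode choice
        remote_addrs = 203.0.113.10        # assumed primary data center ingress IP
        proposals = aes256-sha256-modp2048 # Phase 1 proposal (assumed; confirm against WSS tables)
        rekey_time = 24h                   # IKE (Phase 1) lifetime; 12 or 24 hours per blueprint
        dpd_delay = 10s                    # Dead Peer Detection probe every ten seconds
        # For IKEv2 the DPD retry count is charon's retransmit setting, not a
        # per-connection key: set charon.retransmit_tries = 3 in strongswan.conf.
        local {
            auth = psk
            id = @vpn.example.com          # "@" forces an FQDN identity; it is never resolved
        }
        remote {
            auth = psk
            id = 203.0.113.10              # remote identifier = data center IP
        }
        children {
            web {
                mode = tunnel              # Tunnel mode; strongSwan uses ESP, never AH, by default
                # Interesting traffic: user subnet, web ports only
                local_ts  = 10.10.0.0/16
                remote_ts = 0.0.0.0/0[tcp/80], 0.0.0.0/0[tcp/443]
                esp_proposals = aes256-sha256-modp2048  # Phase 2 proposal; the DH group enables PFS
                rekey_time = 55m           # re-key before WSS's 1-hour IKEv2 child SA expiry
                replay_window = 32         # anti-replay window per blueprint
                dpd_action = restart       # re-establish when DPD declares the peer dead
                start_action = start
            }
        }
    }

    # Secondary tunnel: identical except for the next-closest data center.
    # Its traffic selectors overlap the primary's, so it is left idle here and
    # brought up by monitoring when the primary's DPD fails:
    #   swanctl --initiate --ike wss-secondary --child web
    wss-secondary {
        version = 2
        remote_addrs = 203.0.113.20        # assumed secondary data center ingress IP
        proposals = aes256-sha256-modp2048
        rekey_time = 24h
        dpd_delay = 10s
        local {
            auth = psk
            id = @vpn.example.com
        }
        remote {
            auth = psk
            id = 203.0.113.20
        }
        children {
            web {
                mode = tunnel
                local_ts  = 10.10.0.0/16
                remote_ts = 0.0.0.0/0[tcp/80], 0.0.0.0/0[tcp/443]
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 55m
                replay_window = 32
                dpd_action = restart
                start_action = none
            }
        }
    }

    # Intranet exclusion: a bypass policy keeps internal resources (mail,
    # internal web services, the Auth Connector host) out of the tunnel.
    intranet-bypass {
        children {
            intranet {
                mode = pass
                local_ts  = 10.10.0.0/16
                remote_ts = 10.20.0.0/16   # assumed intranet subnet
                start_action = trap
            }
        }
    }
}

secrets {
    ike-wss {
        id-1 = @vpn.example.com
        id-2 = 203.0.113.10
        id-3 = 203.0.113.20
        secret = "REPLACE-WITH-THE-PSK-DEFINED-IN-THE-WSS-PORTAL"   # placeholder, not a key
    }
}
```

The two values worth checking after loading this are the identities and the child lifetime: `swanctl --list-sas` should show the local identity as the FQDN that was entered in the portal Location (if it appears as an IP address, the device is sending its NATed or public address as the Local Identifier and the PSK lookup on the WSS side will not match), and the child SA should report a rekey time under one hour, since for IKEv2 each side expires its own SA independently and WSS expires its child SA after one hour.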
The following knowledge base articles cover information that can be useful in troubleshooting issues once the VPN is established.
- Data to collect before opening a support case with Symantec support: https://knowledge.broadcom.com/external/article?legacyId=TECH245852
- Troubleshoot latency and performance issues: https://knowledge.broadcom.com/external/article?legacyId=TECH245852
- Enable SSL Interception in the WSS: Create SSL Policy
- Browser Error on IPsec VPN if First Request is HTTPS: https://knowledge.broadcom.com/external/article?legacyId=TECH246221
VPN Device Reference Configurations
The following links provide example vendor device configurations. Use these as guidelines only.
Symantec cannot guarantee the validity of third-party products and procedures. If you encounter configuration discrepancies, you must default to the best practices and configuration parameters provided by Symantec (in this topic). Per the SLA, Technical Support might not be able to provide guidance if you perform configurations outside of these recommendations.
VPN device vendors routinely change user interfaces. However, the required VPN-to-VPN settings rarely change.
- IKEv2 tunnels. ISSUE: Child SAs (Phase 2 tunnels) from IKEv2 FQDN sites expire one hour after the time of creation. WORKAROUND: To ensure no loss of connectivity, configure firewalls to have a child SA (or Phase 2) lifetime of less than an hour. This ensures that a new SA is in place before the old SA expires. (DP-310)
Vendor VPN Setup Instructions
Symantec cannot maintain testing of all vendor devices and versions. In the next section, Symantec provides a configuration blueprint that is not specific to any particular device. If you require additional assistance, refer to the vendor's documentation for steps to configure and enable a VPN connection. The following links refer to the most prominent VPN vendor help pages.
- Fortinet Fortigate: https://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-two-fortigates-60/