VPN Pre-Shared Key with Static IP
This method establishes a VPN tunnel to connect to the Web Security Service (WSS) using IKEv1 and a pre-shared key (PSK) for site-to-site authentication. The method requires that your organization have a static public IP address. This IP address is used to identify your site when it connects to WSS.
Symantec uses industry-standard strong encryption algorithms, including AES-256, to ensure all traffic is kept private as it passes to WSS. During configuration, you specify a pre-shared key for the VPN tunnel. This gives you more control over the security of the IPsec tunnel, as you can change the key as needed to fit any company or compliance requirement.
This section provides a high-level set of technical requirements for performing this configuration.
- Your organization has been provisioned with a WSS account. To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
- If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
- An understanding of how much user traffic routes to WSS. WSS is limited to 1 GBit/s of bandwidth per IPsec tunnel. This limit is global, with the exception of the South Africa and China data centers, which are limited to 500 MBit/s. If you expect traffic to exceed that, you must plan your network architecture to use an additional tunnel from an additional public IP address for each 1 GBit/s block of bandwidth consumption. For example, if one of your sites consumes 1800 MBit/s of traffic, it must use at least two IPsec tunnels, each connecting to WSS from a unique public IP address. If you are not sure how to configure your VPN device to split traffic in this way, contact support.
- The following information is required to ensure a successful configuration:
- Your site's public IP address.
- Your closest two data center addresses, configured for failover to your site. All VPN configurations must include a primary and secondary tunnel to WSS. If one data center connection becomes unavailable, your site traffic can be routed to a secondary tunnel in another data center. See Reference: WSS Data Center Ingress IPs for geographical IP address information.
- A list of intranet destinations to exclude from the IPsec VPN tunnel(s).
- Ensure that your IPsec VPN device supports Dead Peer Detection (DPD). This feature ensures that if a connection fails, the failure is detected and the secondary tunnel is used.
- In the event that your VPN device supports Internet Protocol Service Level Agreement (IPSLA) and DPD, the best practice is to configure both to ensure maximum uptime.
- Your network's edge firewall is configured to permit the necessary traffic outbound for IPsec connections: ports 80/443; UDP port 500; and UDP port 4500. For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.
- The focus is to specify the traffic on your internal network to be encrypted and sent through the tunnel. Each VPN device vendor manages this differently. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.
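Two of the requirements above are easy to get wrong during planning: how many tunnels (and therefore how many unique public IP addresses) a site needs for its bandwidth, and which flows the interesting-traffic ACL should actually send into the tunnel. The following script is an added example that models both rules; it is not Symantec's code and does not call the WSS API. The per-tunnel limits come from the text above, while the sample subnets, the destination address and the function names are constructed for illustration.

```python
"""Pre-flight helpers for a WSS IPsec site design: tunnel sizing and
interesting-traffic selection. Example code added to illustrate the
requirements above; it is not Symantec's code or the WSS API."""
import math
from ipaddress import ip_address, ip_network
from typing import Iterable

# Per-tunnel ceilings stated in the requirements: 1 GBit/s per IPsec tunnel,
# except the South Africa and China data centers, which are limited to 500 MBit/s.
DEFAULT_TUNNEL_MBPS = 1000
REDUCED_TUNNEL_MBPS = 500
REDUCED_REGIONS = {"south africa", "china"}

# Typical web data ports that the interesting-traffic ACL includes.
DATA_PORTS = {80, 443}


def tunnels_required(peak_mbps: float, datacenter_region: str) -> int:
    """Return how many IPsec tunnels the site needs for its peak throughput.

    Each tunnel must originate from a unique public IP address, so this is
    also the number of public IPs the site has to dedicate to WSS.
    """
    if peak_mbps <= 0:
        raise ValueError("peak bandwidth must be positive")
    per_tunnel = (REDUCED_TUNNEL_MBPS
                  if datacenter_region.strip().lower() in REDUCED_REGIONS
                  else DEFAULT_TUNNEL_MBPS)
    # Ceiling division: 1800 MBit/s over 1000 MBit/s tunnels -> 2 tunnels.
    return math.ceil(peak_mbps / per_tunnel)


def is_interesting_traffic(src_ip: str, dst_ip: str, dst_port: int,
                           user_subnets: Iterable[str],
                           intranet_excludes: Iterable[str]) -> bool:
    """Decide whether a flow belongs in the tunnel, mirroring the ACL logic:
    include user subnets on the data ports, exclude intranet destinations."""
    src = ip_address(src_ip)
    dst = ip_address(dst_ip)
    # Only traffic originating from a user subnet is a candidate.
    if not any(src in ip_network(net, strict=False) for net in user_subnets):
        return False
    # Intranet servers and services stay off the tunnel (checked before the
    # port test so an internal HTTPS server is never tunnelled by mistake).
    if any(dst in ip_network(net, strict=False) for net in intranet_excludes):
        return False
    return dst_port in DATA_PORTS


if __name__ == "__main__":
    # Constructed sample site: two user subnets and the intranet ranges to exclude.
    users = ["10.1.0.0/16", "10.2.0.0/16"]
    intranet = ["10.0.0.0/8", "192.168.0.0/16"]
    print("tunnels for 1800 MBit/s (Europe):", tunnels_required(1800, "Europe"))
    print("tunnels for 1800 MBit/s (South Africa):", tunnels_required(1800, "South Africa"))
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for a web server.
    print("user -> web:443 tunnelled:", is_interesting_traffic("10.1.2.3", "203.0.113.10", 443, users, intranet))
    print("user -> intranet:443 tunnelled:", is_interesting_traffic("10.1.2.3", "10.0.0.5", 443, users, intranet))
```

Note that the exclusion list is checked before the port test: an intranet HTTPS server is matched by the exclude rule first, which is the ordering most vendors' ACLs need (deny intranet, then permit user subnets on the data ports).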
Procedure—Establish a VPN Connection
A complete VPN configuration requires some configuration both in the portal and on your on-premises VPN device.
Create a Location in the Portal
First, you create a fixed Location in the WSS portal. A Location instructs the WSS to accept incoming connections from the VPN device's IP address.
- In the WSS portal, navigate to Connectivity > Locations.
- Click Add Location.
- Enter the Location and security information.
- The Name of the location. For example, the geo-physical location or office name.
- Select Firewall/VPN as the Access Method.
- Enter the Gateway IP address; the public IP address of your network.
- Define the Authentication Key (pre-shared key) used to authenticate router communication.
- Enter resource and location information.
- Select the Estimated User range that represents the number of users behind your VPN device accessing the internet through WSS.
- (Optional) Select a Time Zone, fill out location information, and enter comments.
- (Optional) Complete location information.
Blueprint—Create a Connection in the VPN Device
If the example configurations in the previous section do not closely match your VPN device, refer to the following required configurations:
- Define Interesting Traffic. The focus is to specify the traffic on your internal network to be encrypted and sent through the tunnel. Each VPN device vendor manages this differently. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets. It excludes intranet servers and services.
- Configure the IKE Phase 1 details. The first phase of the Internet Key Exchange establishes a connection through which your data will be tunneled. While Main and Aggressive mode options are present on most VPN devices, WSS supports Main Mode only. Aggressive Mode is supported in certain circumstances, but only as directed by Symantec support personnel. IKE Phase 1 includes the following parameters:
- Destination Address. Set the VPN destination address to the WSS Data Center closest to your location. See Reference: WSS Data Center Ingress IPs for a list of data center addresses.
- Internet Key Exchange (IKE) ID. Set the public IP address (or FQDN if your public IP address is not static) as the IKE ID.
- IPsec Lifetime. The IPsec lifetime determines when the Phase 2 tunnel expires. It can be specified both in terms of time and in terms of bytes or packets transferred. The best practice is to use time only. Configure VPN devices to establish a new tunnel with new encryption keys before an existing Phase 2 tunnel expires; this process is called rekeying. The time configured should be more than 1 hour (3600 seconds) and less than the Phase 1 lifetime. The best practice value is 4 hours. Notes:
- IKEv1 allows negotiating a lifetime between the two sides. WSS will not expire a tunnel before the other side (your VPN device) does.
- IKEv2 does not allow a lifetime to be negotiated, and each side is free to choose its own time for expiring a tunnel. Currently, WSS uses one hour for its Phase 2 (IPsec) IKEv2 tunnel. To ensure maximum uptime, Symantec requires that you configure your VPN device to use a value slightly less than one hour and allow rekeying of the tunnel before it expires.
- Pre-Shared Key (PSK). Define this as you did in the portal. If these values do not match, the connection fails.
- Diffie-Hellman (DH) Exchange. This value is used by both ends of the VPN connection to agree on a matching shared secret. It secures the tunnel between your VPN device and WSS for Phase 2. The following table provides the DH groups supported by WSS.
- Encryption Algorithm. This is the type of encryption used to secure the data exchanged between your VPN device and WSS. The following table provides the values.
- Dead Peer Detection (DPD). Depending on your VPN device and network configuration, the best practice is to set DPD to check every 30 seconds with 5 retries. The following is a known list of common vendor instructions for setting DPD:
- Cisco Router info for DPD—Cisco Routers DPD
- Cisco Community DPD Article—Cisco DPD Info
- Checkpoint DPD Info—Checkpoint KB on DPD
- Juniper DPD—Juniper DPD Info
- Palo Alto DPD—Palo Alto DPD KB
- Fortinet Fortigate DPD—Fortigate DPD
- If your manufacturer is not listed, consult their website or support team for assistance with this feature.
- IPsec Anti-Replay. This option protects against a man-in-the-middle replay attack by detecting whether packets have been re-sent or received more than once. If this occurs, the connection is broken and re-established. Some amount of retransmitted traffic is expected, so set the window to a value that balances security and flexibility. The best practice is to set the window to 32.
- Configure the IKE Phase 2 details. The second phase of the Internet Key Exchange is used to negotiate IPsec Security Associations (SAs) that set up the IPsec tunnel.
- For Phase 2, the best practice is a lifetime of four hours or less to avoid split-protocol and other connection issues.
- Associate your traffic ACL with this configuration.
- Enable Perfect Forward Secrecy (PFS).
- Network Address Translation. Disabling this option ensures that all traffic from your users reaches WSS with its original source IP address. Failing to disable NAT can lead to users not being authenticated or to policy rules not applying to traffic as expected.
- Save the VPN configuration, and repeat this process with the data center that is the next closest to your geographic location.
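The blueprint above spreads a dozen constraints across Phase 1 and Phase 2 (Main Mode only, matching PSK, lifetime ordering, the IKEv2 one-hour rule, DPD timing, the anti-replay window, PFS, NAT disabled, a secondary data center). Before touching the device it is worth checking a proposed configuration against all of them at once. The following checker is an added example written for that purpose; it is not a Symantec tool, the `TunnelProposal` field names are hypothetical, and every threshold is taken from the blueprint text rather than from any WSS API.

```python
"""Check a proposed WSS tunnel configuration against the blueprint above.
Example code added for illustration; it is not Symantec's tool. Field names
are hypothetical; thresholds come from the blueprint text, not a WSS API."""
import hmac
from dataclasses import dataclass
from typing import List

ONE_HOUR_S = 3600
FOUR_HOURS_S = 4 * ONE_HOUR_S


@dataclass
class TunnelProposal:
    ike_version: int            # 1 or 2
    ike_mode: str               # "main" or "aggressive" (relevant to IKEv1 only)
    phase1_lifetime_s: int      # IKE SA lifetime
    phase2_lifetime_s: int      # IPsec SA lifetime, time-based only
    device_psk: str             # PSK configured on the VPN device
    portal_psk: str             # Authentication Key entered in the portal Location
    dpd_interval_s: int
    dpd_retries: int
    replay_window: int
    pfs_enabled: bool
    nat_enabled: bool
    primary_dc: str
    secondary_dc: str
    rekey_before_expiry: bool


def check_tunnel(p: TunnelProposal) -> List[str]:
    """Return a list of findings; an empty list means the proposal follows the blueprint."""
    findings: List[str] = []

    if p.ike_version == 1 and p.ike_mode.lower() != "main":
        findings.append("IKEv1 must use Main Mode; Aggressive Mode only as directed by Symantec support")

    # Constant-time comparison so the check itself does not leak PSK bytes via timing.
    if not hmac.compare_digest(p.device_psk.encode(), p.portal_psk.encode()):
        findings.append("device PSK does not match the portal Authentication Key; the tunnel will not come up")

    if p.ike_version == 1:
        # Phase 2 must be more than 1 hour, shorter than Phase 1, and (best practice) 4 hours or less.
        in_range = ONE_HOUR_S < p.phase2_lifetime_s <= FOUR_HOURS_S
        if not (in_range and p.phase2_lifetime_s < p.phase1_lifetime_s):
            findings.append("IKEv1 Phase 2 lifetime must be >3600 s, <=14400 s and shorter than the Phase 1 lifetime")
    else:
        # WSS uses one hour for IKEv2 Phase 2 and does not negotiate it; the device must expire first.
        if p.phase2_lifetime_s >= ONE_HOUR_S:
            findings.append("IKEv2 Phase 2 lifetime must be slightly less than the 3600 s WSS uses")

    if not p.rekey_before_expiry:
        findings.append("enable rekeying so a fresh SA exists before the current one expires")
    if (p.dpd_interval_s, p.dpd_retries) != (30, 5):
        findings.append("DPD best practice is a 30 s interval with 5 retries")
    if p.replay_window != 32:
        findings.append("anti-replay window best practice is 32")
    if not p.pfs_enabled:
        findings.append("Perfect Forward Secrecy must be enabled for Phase 2")
    if p.nat_enabled:
        findings.append("NAT must be disabled so WSS sees original source IPs (authentication and policy depend on it)")
    if not p.secondary_dc or p.secondary_dc == p.primary_dc:
        findings.append("configure a secondary tunnel to a different data center for failover")
    return findings


if __name__ == "__main__":
    # Constructed proposal that follows the blueprint: 8 h Phase 1, 4 h Phase 2, DPD 30 s x5.
    good = TunnelProposal(1, "main", 28800, 14400, "example-psk", "example-psk",
                          30, 5, 32, True, False, "dc-primary", "dc-secondary", True)
    for finding in check_tunnel(good) or ["no findings"]:
        print("-", finding)
```

Run it against the device's intended settings and the portal's Authentication Key; any finding maps directly to a bullet in the blueprint, which makes it a convenient checklist to attach to the change request.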
The following knowledge base articles cover information that can be useful in troubleshooting issues once the VPN tunnel is established.
- Data to collect before opening a support case withSymantecsupport: https://knowledge.broadcom.com/external/article?legacyId=TECH203533
- Troubleshoot latency and performance issues: https://knowledge.broadcom.com/external/article?articleId=169051
- Enable SSL Interception in the WSS: Create SSL Policy
- Browser Error on IPsec VPN if First Request is HTTPS: https://knowledge.broadcom.com/external/article?legacyId=TECH246221
VPN Device Reference Configurations
The following links provide example vendor device configurations. Use these as a reference. Symantec cannot guarantee the validity of third-party products and procedures. If you encounter configuration discrepancies, you must default to the best practices and configuration parameters provided by Symantec in this topic. Per the SLA, Technical Support might not be able to provide guidance if you perform configurations outside of the requirements outlined in this guide.
VPN device vendors routinely change user interfaces. However, the required VPN-to-VPN settings rarely change.
Vendor VPN Setup Instructions
Symantec cannot maintain testing of all vendor devices and versions. In the next section, Symantec provides a configuration blueprint that is not specific to any particular device. If you require additional assistance, refer to the vendor's documentation for steps to configure and enable a VPN connection. The following links refer to the most prominent VPN vendor help pages.
- Fortinet Fortigate: https://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-two-fortigates-60/