VPN Pre-Shared Key with Static IP

This method establishes a VPN tunnel to connect to the Web Security Service using IKEv1 and a pre-shared key (PSK) for site-to-site authentication. The method requires that your organization have a static public IP address. This IP address is used to identify your site when it connects to WSS.
Symantec uses industry standard strong encryption algorithms, including AES-256, to ensure all traffic is kept private as it passes to WSS. During configuration, you specify a pre-shared key for the VPN tunnel. This gives you more control over the security of the IPsec tunnel, as you can change the key as needed to fit any company or compliance requirement.

Technical Requirements

This section provides a high-level set of technical requirements for performing this configuration.
  • Your organization has been provisioned with a WSS account. To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
  • If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
  • An understanding of how much user traffic routes to WSS. WSS is limited to 1 GBit/s of bandwidth per IPsec tunnel. This limit is global, with the exception of the South Africa and China data centers, which are limited to 500 MBit/s. If you expect traffic to exceed that, you must plan your network architecture to use an additional tunnel from an additional public IP address for each 1 GBit/s block of bandwidth consumption. For example, if one of your sites consumes 1800 MBit/s of traffic, it must use at least two IPsec tunnels, each connecting to WSS from a unique public IP address. If you are not sure how to configure your VPN device to split traffic in this way, contact support.
  • The following information is required to ensure a successful configuration:
    • Your site's public IP address.
    • Your closest two data center addresses, configured for failover to your site. All VPN configurations must include a primary and a secondary tunnel to WSS. If one data center connection becomes unavailable, your site traffic can be routed to a secondary tunnel in another data center. See Reference: WSS Data Center Ingress IPs for geographical IP address information.
    • A list of intranet destinations to exclude from the IPsec VPN tunnel(s).
    • Ensure that your IPsec VPN device supports Dead Peer Detection (DPD). This feature ensures that if a connection fails, the failure is detected and the secondary tunnel is used.
      • If your VPN device supports both Internet Protocol Service Level Agreement (IPSLA) and DPD, the best practice is to configure both to ensure maximum uptime.
    • Your network's edge firewall is configured to permit the necessary outbound traffic for IPsec connections: ports 80/443, UDP port 500, and UDP port 4500. For additional ports and URLs used in a connection between your network and WSS, see Reference: Required Locations, Ports, and Protocols.
    • The traffic on your internal network to be encrypted and sent through the tunnel. Each VPN device vendor manages this differently. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.

Procedure—Establish a VPN Connection

A complete VPN configuration requires configuration both in the portal and on your on-premises VPN device.
Create a Location in the Portal
First, you create a fixed Location in the WSS portal. A Location instructs WSS to accept incoming connections from the VPN device's IP address.
  1. In the WSS portal, navigate to Connectivity > Locations.
  2. Click Add Location.
  3. Enter the Location and security information.
    Add Firewall/VPN Location 1
    1. The Name of the location. For example, the geo-physical location or office name.
    2. Select Firewall/VPN as the Access Method.
    3. Enter the Gateway IP address; this is the public IP address of your network.
    4. Define the Authentication Key (pre-shared key) used to authenticate router communication.
  4. Enter resource and location information.
    Firewall/VPN Location Information
    1. Select the Estimated User range that represents the number of users behind your VPN device accessing the internet through WSS.
    2. (Optional) Select a Time Zone, fill out location information, and enter comments.
    3. (Optional) Complete location information.
  5. Click Save.

Blueprint—Create a Connection in the VPN Device

If the example configurations in the previous section do not closely match your VPN device, refer to the following required configurations:
  1. Define Interesting Traffic
    The focus is to specify the traffic on your internal network to be encrypted and sent through the tunnel. Each VPN device vendor manages this differently. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets. It excludes intranet servers and services.
  2. Configure the IKE Phase 1 details
    The first phase of the Internet Key Exchange establishes a connection through which your data will be tunneled. While Main and Aggressive mode options are present on most VPN devices, WSS supports Main Mode only. Aggressive Mode is supported in certain circumstances, but only as directed by Symantec support personnel.
    IKE Phase 1 includes the following parameters:
    • Destination Address
      Set the VPN destination address to the WSS data center closest to your location. A list of data center addresses is provided in Reference: WSS Data Center Ingress IPs.
    • Internet Key Exchange (IKE) ID
      Set the public IP address (or FQDN if your public IP address is not static) as the IKE ID.
    • IPsec Lifetime
      The IPsec lifetime determines when the Phase 2 tunnel expires. It can be specified both in terms of time and in terms of bytes or packets transferred. The best practice is to use time only. Configure VPN devices to establish a new tunnel with new encryption keys before an existing Phase 2 tunnel expires; this process is called rekeying.
      The time configured should be more than 1 hour (3600 seconds) and less than the Phase 1 lifetime. The best practice value is 4 hours.
      Notes:
      • IKEv1 allows negotiating a lifetime between the two sides. WSS will not expire a tunnel before the other side (your VPN device).
      • IKEv2 does not allow a lifetime to be negotiated, and each side is free to choose its own time for expiring a tunnel. Currently, WSS uses one hour for its Phase 2 (IPsec) IKEv2 tunnel. To ensure maximum uptime, Symantec requires that you configure your VPN device to use a value slightly less than one hour and allow rekeying of the tunnel before it expires.
    • Pre-Shared Key (PSK)
      Define this as you did in the portal. If these values fail to match, the connection fails.
    • Diffie-Hellman (DH) Exchange
      This value is used by both ends of the VPN connection to agree on matching shared secret keys. It secures the tunnel between your VPN device and WSS for Phase 2. The following table provides the DH groups supported by WSS.
    • Encryption Algorithm
      This is the type of encryption used to secure the data exchanged between your VPN device and WSS. The following table provides the values.
    • Dead Peer Detection (DPD)
      Depending on your VPN device and network configuration, the best practice is to set DPD to check every 30 seconds with 5 retries. The following is a known list of common vendor instructions for setting DPD:
    • IPsec Anti-Replay
      This option protects against man-in-the-middle replay attacks by detecting whether any packets have been sent or received more than once. If this occurs, the connection is broken and re-established. Some amount of retransmitted traffic is expected. Set this to a value that provides the best balance of security and flexibility. The best practice is to set the window to 32.
  3. Configure the IKE Phase 2 details.
    The second phase of the Internet Key Exchange is used to negotiate IPsec Security Associations (SAs) to set up the IPsec tunnel.
    • For Phase 2, the best practice lifetime is four hours or less, to avoid split-protocol and other connection issues.
    • Associate your traffic ACL with this configuration.
    • Enable Perfect Forward Secrecy (PFS).
    • Network Address Translation.
      Disabling this option ensures that all traffic from your users reaches WSS with its original source IP address. Failing to disable NAT can lead to users not being authenticated or to policy rules not applying to traffic as expected.
  4. Save the VPN configuration, and repeat this process with the data center that is the next closest to your geographic location.
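The Phase 1 and Phase 2 blueprint above expressed as a strongSwan swanctl.conf for the primary tunnel; this is an added example, not Symantec's or any vendor's own configuration. It assumes constructed values (site public IP 203.0.113.10, user subnet 10.10.0.0/16, intranet subnet 10.20.0.0/16), the placeholder <WSS_DC1_IP> for the closest data center ingress IP, and DH group modp2048 with SHA-256 integrity, which must be checked against the supported-groups table this topic refers to.

```conf
# Added example (not Symantec's or a vendor's config): strongSwan swanctl.conf for
# the primary WSS tunnel. IPs/subnets are constructed; modp2048/sha256 are assumed.
connections {
    wss-primary {
        # IKEv1 Main Mode only; the IKE ID is the site's static public IP
        version = 1
        aggressive = no
        local_addrs = 203.0.113.10
        remote_addrs = <WSS_DC1_IP>
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
        }
        # AES-256; Phase 1 lifetime (8 h) must exceed the Phase 2 lifetime
        proposals = aes256-sha256-modp2048
        rekey_time = 8h
        # DPD every 30 s, 5 retries (IKEv1 timeout = 5 x 30 s)
        dpd_delay = 30s
        dpd_timeout = 150s
        children {
            # Interesting traffic: user subnet, TCP 443 to anywhere (IKEv1 carries one
            # selector pair per SA, so add a sibling child with [tcp/80] for HTTP).
            # DH group in esp_proposals gives PFS; rekey at 4 h; anti-replay window 32.
            wss-https {
                local_ts = 10.10.0.0/16[tcp/443]
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 4h
                replay_window = 32
                dpd_action = restart
                start_action = start
            }
            # Intranet exclusion: passthrough policy, this traffic never enters the tunnel
            intranet-bypass {
                local_ts = 10.10.0.0/16
                remote_ts = 10.20.0.0/16
                mode = pass
                start_action = trap
            }
        }
    }
}
secrets {
    ike-wss {
        id = <WSS_DC1_IP>
        secret = "<Authentication Key entered in the portal>"
    }
}
```

The secondary tunnel is a copy of wss-primary pointed at the next-closest data center's ingress IP. On a Linux gateway, also make sure no NAT rule rewrites 10.10.0.0/16 before it enters the tunnel, so WSS sees the original source addresses.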
Helpful Tips
The following knowledge base articles cover information that can be useful in troubleshooting issues once the VPN tunnel is established.
VPN Device Reference Configurations
The following links provide example vendor device configurations. Use these as guidelines only. Symantec cannot guarantee the validity of third-party products and procedures. If you encounter configuration discrepancies, you must default to the best practices and configuration parameters provided by Symantec in this topic. Per the SLA, Technical Support might not be able to provide guidance if you perform configurations outside of the requirements outlined in this guide.
VPN device vendors routinely change user interfaces. However, the required VPN-to-VPN settings rarely change.
Vendor VPN Setup Instructions
Symantec cannot maintain testing of all vendor devices and versions. In the next section, Symantec provides a configuration blueprint that is not specific to any particular device. If you require additional assistance, refer to the vendor's documentation for steps to configure and enable a VPN connection. The following links refer to the most prominent VPN vendor help pages.

Notes

  • IKEv1 allows negotiation of a lifetime between the two sides. WSS will not expire a tunnel before the other side (your VPN device).
  • IKEv2 does not allow negotiation of a lifetime, and each side is free to choose its own time for expiring a tunnel. Currently, WSS uses 1 hour for its Phase 2 (IPsec) IKEv2 tunnel. To ensure maximum uptime, Symantec requires that you configure your VPN device to use a value slightly less than 1 hour and allow rekeying of the tunnel before it expires.
