The VPN Profile must contain VPN settings that match the settings defined on the external VPN gateway.
Before you begin
You must have defined a site for the external VPN gateway in configuration 2.
Note: This configuration scenario does not explain all settings related to VPN Profiles. For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration, then browse to SD-WAN.
- Browse to .
- Right-click VPN Profiles, then select New VPN Profile.
- In the Name field, enter a unique name.
- On the IKE SA tab, configure the IKE SA settings.
  - Select the Version. You can select IKEv1, IKEv2, or both. If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is only used if the remote gateway does not support IKEv2.
  - In the Cipher Algorithms section, select one or more encryption methods that match the settings of the external gateway device. We recommend that you limit the selection to as few choices as possible. Do not select DES unless you are required to do so. DES is no longer secure, since it is relatively easy to break DES encryption with modern computers. 3DES (Triple-DES) has a relatively high overhead compared to other algorithms with a comparable level of security. For this reason, 3DES is not a good choice when high throughput is required.
    Note: The restricted (-R) product version has no strong encryption algorithms.
  - Select the Message Digest Algorithm that matches the settings of the external gateway device.
    - In IKE, the message digest algorithm is used for integrity checking and key derivation.
    - If you select SHA-2, define the Minimum Length for the digest: 256, 384, or 512 bits. Set the length so that it is in line with the overall security strength.
  - Select the Diffie-Hellman group or groups (used for key exchange) that are allowed with the external gateway device. We recommend that you select from groups 14-21 according to the security requirements for the VPN. Groups 1, 2, and 5 are not sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
  - Select the Authentication Method.
  - If IKEv1 is selected as the Version, adjust the SA Lifetime in Minutes to match the settings of the external gateway device. In IKEv2, the lifetime is set locally, so it does not have to match the lifetime settings of the external gateway.
  - If one of the Gateways has a dynamic IP address, change the IKEv1 Negotiation Mode to Aggressive.
- On the IPsec SA tab, configure the IPsec SA settings.
  - Select the IPsec Type:
    - The recommended setting is ESP (the communications are encrypted).
    - Usually, AH is not a valid option. The AH setting disables encryption for the VPN, fully exposing all traffic that uses the VPN to anyone who intercepts it in transit. You can use AH to authenticate and check the integrity of communications without encrypting them.
  - In the Cipher Algorithms section, select one or more encryption methods that match the settings of the external gateway device.
    - Do not select Null. This option disables encryption and allows anyone to view the data in transit.
    - Do not select DES unless you are required to do so. DES is no longer secure, as it is relatively easy to break DES encryption with modern computers.
    - 3DES (Triple-DES) has a relatively high overhead compared to other algorithms with a comparable level of security. It is not a good choice when high throughput is required.
    - AES-GCM-128 or AES-GCM-256 are recommended for high-speed networks.
  - Select the Message Digest Algorithm that matches the settings of the external gateway device.
    - In IPsec, the message digest algorithm is used for integrity checking (except when authenticated encryption such as AES-GCM is used).
    - If you select SHA-2, define the Minimum Length for the digest: 256, 384, or 512 bits. Set the length so that it is in line with the overall security strength.
  - Make sure that Compression Algorithm is set to None. The external gateway must not use compression.
  - Adjust the IPsec Tunnel Lifetime to match the settings of the external gateway device.
  - Select the Security Association Granularity for Tunnel Mode that matches the settings of the external gateway device.
  - (Recommended) Select Use PFS with Diffie-Hellman Group if the external gateway device can use perfect forward secrecy (PFS), and select the Diffie-Hellman group to use with PFS. We recommend that you select from groups 14-21 according to the security requirements for the VPN. Groups 1, 2, and 5 are not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
- Click OK.
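The rules in the IKE SA and IPsec SA steps above (no DES or Null, 3DES only with a throughput caveat, DH groups 14-21, IKEv1 lifetime and Aggressive mode matched to the peer, compression set to None, PFS where the peer supports it) can be checked before the profile is committed. The script below is an added example and is not part of the product or its documentation; the dataclass layout, the option strings, the `PeerSettings` record and the two sample profiles are assumptions constructed for this illustration and do not mirror any real API.

```python
"""Pre-deployment sanity check of VPN Profile settings against the procedure's guidance.
Added example: dataclass layout, option strings and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rule tables derived from the procedure text.
INSECURE_CIPHERS = {"DES"}                  # breakable with modern computers
NULL_CIPHERS = {"Null"}                     # disables encryption entirely
HIGH_OVERHEAD_CIPHERS = {"3DES"}            # poor throughput for its strength
LEGACY_DH_GROUPS = {1, 2, 5}                # legacy interoperability only
RECOMMENDED_DH_GROUPS = set(range(14, 22))  # groups 14-21
SHA2_MIN_LENGTHS = {256, 384, 512}

@dataclass
class IkeSa:
    versions: List[str]                     # any of "IKEv1", "IKEv2"
    ciphers: List[str]
    digest: str                             # e.g. "SHA-2"
    sha2_min_length: int = 256
    dh_groups: List[int] = field(default_factory=list)
    lifetime_minutes: int = 1440
    negotiation_mode: str = "Main"          # IKEv1 only: "Main" or "Aggressive"

@dataclass
class IpsecSa:
    ipsec_type: str                         # "ESP" or "AH"
    ciphers: List[str]
    digest: str
    sha2_min_length: int = 256
    compression: str = "None"
    tunnel_lifetime_minutes: int = 60
    pfs_dh_group: Optional[int] = None      # None = PFS not used

@dataclass
class PeerSettings:
    """Values the administrator read off the external gateway (hypothetical record)."""
    ike_lifetime_minutes: int
    ipsec_lifetime_minutes: int
    dynamic_ip: bool = False
    supports_pfs: bool = True

def _dh_group_warnings(scope: str, groups: List[int]) -> List[str]:
    out = []
    for g in groups:
        if g in LEGACY_DH_GROUPS:
            out.append(f"{scope}: DH group {g} is not sufficiently secure in all cases")
        elif g not in RECOMMENDED_DH_GROUPS:
            out.append(f"{scope}: DH group {g} is outside the recommended range 14-21")
    return out

def check_profile(ike: IkeSa, ipsec: IpsecSa, peer: PeerSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors should block deployment, warnings are advisory."""
    errors: List[str] = []
    warnings: List[str] = []
    # IKE SA tab
    if INSECURE_CIPHERS & set(ike.ciphers):
        errors.append("IKE: DES selected; DES is no longer secure")
    if HIGH_OVERHEAD_CIPHERS & set(ike.ciphers):
        warnings.append("IKE: 3DES selected; high overhead for its security level")
    if len(ike.ciphers) > 2:
        warnings.append("IKE: limit the cipher selection to as few choices as possible")
    if ike.digest == "SHA-2" and ike.sha2_min_length not in SHA2_MIN_LENGTHS:
        errors.append("IKE: SHA-2 Minimum Length must be 256, 384 or 512 bits")
    warnings.extend(_dh_group_warnings("IKE", ike.dh_groups))
    if "IKEv1" in ike.versions:  # IKEv1 lifetime is negotiated; IKEv2 lifetime is local
        if ike.lifetime_minutes != peer.ike_lifetime_minutes:
            errors.append(f"IKE: IKEv1 SA Lifetime {ike.lifetime_minutes} min != peer {peer.ike_lifetime_minutes} min")
        if peer.dynamic_ip and ike.negotiation_mode != "Aggressive":
            errors.append("IKE: peer has a dynamic IP address; set IKEv1 Negotiation Mode to Aggressive")
    # IPsec SA tab
    if ipsec.ipsec_type == "AH":
        warnings.append("IPsec: AH disables encryption; traffic is exposed in transit")
    elif ipsec.ipsec_type != "ESP":
        errors.append(f"IPsec: unknown IPsec Type {ipsec.ipsec_type!r}")
    if NULL_CIPHERS & set(ipsec.ciphers):
        errors.append("IPsec: Null cipher selected; data would be readable in transit")
    if INSECURE_CIPHERS & set(ipsec.ciphers):
        errors.append("IPsec: DES selected; DES is no longer secure")
    if HIGH_OVERHEAD_CIPHERS & set(ipsec.ciphers):
        warnings.append("IPsec: 3DES selected; prefer AES-GCM on high-speed networks")
    if ipsec.digest == "SHA-2" and ipsec.sha2_min_length not in SHA2_MIN_LENGTHS:
        errors.append("IPsec: SHA-2 Minimum Length must be 256, 384 or 512 bits")
    if ipsec.compression != "None":
        errors.append("IPsec: Compression Algorithm must be None")
    if ipsec.tunnel_lifetime_minutes != peer.ipsec_lifetime_minutes:
        errors.append(f"IPsec: Tunnel Lifetime {ipsec.tunnel_lifetime_minutes} min != peer {peer.ipsec_lifetime_minutes} min")
    if ipsec.pfs_dh_group is None:
        if peer.supports_pfs:
            warnings.append("IPsec: peer supports PFS; enabling Use PFS with Diffie-Hellman Group is recommended")
    elif not peer.supports_pfs:
        errors.append("IPsec: PFS enabled but the peer cannot use it")
    else:
        warnings.extend(_dh_group_warnings("IPsec PFS", [ipsec.pfs_dh_group]))
    return errors, warnings

# Constructed sample inputs (not taken from any real gateway).
PEER = PeerSettings(ike_lifetime_minutes=480, ipsec_lifetime_minutes=60, dynamic_ip=True)
WEAK_IKE = IkeSa(versions=["IKEv1"], ciphers=["DES", "3DES", "AES-128"], digest="SHA-1",
                 dh_groups=[2], lifetime_minutes=1440, negotiation_mode="Main")
WEAK_IPSEC = IpsecSa(ipsec_type="ESP", ciphers=["Null", "AES-128"], digest="SHA-2",
                     sha2_min_length=160, compression="Deflate", tunnel_lifetime_minutes=30)
GOOD_IKE = IkeSa(versions=["IKEv2"], ciphers=["AES-256"], digest="SHA-2", dh_groups=[14, 19])
GOOD_IPSEC = IpsecSa(ipsec_type="ESP", ciphers=["AES-GCM-256"], digest="SHA-2",
                     compression="None", tunnel_lifetime_minutes=60, pfs_dh_group=19)

if __name__ == "__main__":
    for label, ike, ipsec in (("weak", WEAK_IKE, WEAK_IPSEC), ("hardened", GOOD_IKE, GOOD_IPSEC)):
        errs, warns = check_profile(ike, ipsec, PEER)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  " + line)
```

Run against the constructed inputs, the weak profile produces seven errors (DES, IKEv1 lifetime mismatch, Main mode with a dynamic-IP peer, Null cipher, an invalid SHA-2 length, compression enabled, tunnel lifetime mismatch) and four warnings, while the hardened IKEv2 profile passes cleanly. The split between errors and warnings mirrors the procedure's wording: "do not select" and "must match" become errors, "we recommend" and "not a good choice" become warnings.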
Next steps
Create a Policy-Based VPN element.