Example VPN configuration 2: create a VPN Profile element

The VPN Profile must contain VPN settings that match the settings defined on the external VPN gateway.

Before you begin

You must have defined a site for the external VPN gateway in configuration 2.

Note: This configuration scenario does not explain all settings related to VPN Profiles. For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Other Elements > Profiles > VPN Profiles.
  3. Right-click VPN Profiles, then select New VPN Profile.
  4. In the Name field, enter a unique name.
  5. On the IKE SA tab, configure the IKE SA settings.
    1. Select the Version.
      You can select IKEv1, IKEv2, or both. If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is only used if the remote gateway does not support IKEv2.
    2. In the Cipher Algorithms section, select one or more encryption methods that match the settings of the external gateway device.
      We recommend that you limit the selection to as few choices as possible. Do not select DES unless you are required to do so. DES is no longer secure, since it is relatively easy to break DES encryption with modern computers. 3DES (Triple-DES) has a relatively high overhead compared to other protocols with a comparable level of security. For this reason, 3DES is not a good choice when high throughput is required.
      Note: The restricted (-R) product version has no strong encryption algorithms.
    3. Select the Message Digest Algorithm that matches the settings of the external gateway device.
      • In IKE, the message digest algorithm is used for integrity checking and key derivation.
      • If you select SHA-2, define the Minimum Length for the digest: 256, 384, or 512 bits. Set the length so that it is in line with the overall security strength.
    4. Select the Diffie-Hellman group or groups (used for key exchange) that can be used with the external gateway device.
      We recommend that you select from groups 14-21 according to the security requirements for the VPN. Groups 1, 2, and 5 are not sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
    5. Select the Authentication Method.
    6. If IKEv1 is selected as the Version, adjust the SA Lifetime in Minutes to match the settings of the external gateway device.
      In IKEv2, lifetime is set locally, so it does not have to match the lifetime settings of the external gateway.
    7. If one of the Gateways has a dynamic IP address, change the IKEv1 Negotiation Mode to Aggressive.
  6. On the IPsec SA tab, configure the IPsec SA settings.
    1. Select the IPsec Type:
      • The recommended setting is ESP (the communications are encrypted).
      • Usually, AH is not a valid option. The AH setting disables encryption for the VPN, fully exposing all traffic that uses the VPN to anyone who intercepts it in transit. You can use AH to authenticate and check the integrity of communications without encrypting them.
    2. In the Cipher Algorithms section, select one or more encryption methods that match the settings of the external gateway device.
      • Do not select Null. This option disables encryption and allows anyone to view the data in transit.
      • Do not select DES unless you are required to do so. DES is no longer secure, as it is relatively easy to break DES encryption with modern computers.
      • 3DES (Triple-DES) has a relatively high overhead compared to other protocols with a comparable level of security. It is not a good choice when high throughput is required.
      • AES-GCM-128 or AES-GCM-256 are recommended for high-speed networks.
    3. Select the Message Digest Algorithm that matches the settings of the external gateway device.
      • In IPsec, the message digest algorithm is used for integrity checking (except when authenticated encryption such as AES-GCM is used).
      • If you select SHA-2, define the Minimum Length for the digest: 256, 384, or 512 bits. Set the length so that it is in line with the overall security strength.
    4. Make sure that Compression Algorithm is set to None.
      The external gateway must not use compression.
    5. Adjust the IPsec Tunnel Lifetime to match the settings of the external gateway device.
    6. Select the Security Association Granularity for Tunnel Mode that matches the settings of the external gateway device.
    7. (Recommended) Select Use PFS with Diffie-Hellman Group if the external gateway device can use perfect forward secrecy (PFS), and select the Diffie-Hellman group to use with PFS.
      We recommend that you select from groups 14-21 according to the security requirements for the VPN. Groups 1, 2, and 5 are not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
  7. Click OK.
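The recommendations in the steps above can be turned into a repeatable check before a profile is saved. The following audit script is an added example, not part of the product documentation or the SMC API: the dictionary keys, the `audit_*` function names and both sample profiles are constructed here, and the peer's settings are assumed to be known from the external gateway's configuration.

```python
# Added example, not the product's own code: audits a VPN Profile against the
# recommendations in the procedure above. Dict keys and sample profiles are
# constructed for this example and do not mirror the SMC API or its labels.
WEAK_DH = {1, 2, 5}                  # not sufficiently secure; legacy interop only
RECOMMENDED_DH = set(range(14, 22))  # groups 14-21
SHA2_LENGTHS = {256, 384, 512}       # valid Minimum Length values for SHA-2
CIPHER_NOTES = {"Null": "disables encryption", "DES": "is no longer secure",
                "3DES": "has high overhead for its security level"}

def audit_ike(ike, remote):
    """IKE SA tab checks; 'remote' holds the external gateway's settings."""
    f = [f"IKE: {c} {CIPHER_NOTES[c]}" for c in ike["ciphers"] if c in CIPHER_NOTES]
    if ike["digest"] == "SHA-2" and ike.get("min_length") not in SHA2_LENGTHS:
        f.append("IKE: SHA-2 needs a Minimum Length of 256, 384 or 512")
    f += [f"IKE: DH group {g} is not sufficiently secure" for g in ike["dh_groups"] if g in WEAK_DH]
    # Lifetime has to match the peer only for IKEv1; IKEv2 sets it locally.
    if "IKEv1" in ike["versions"] and ike["sa_lifetime_min"] != remote["ike_sa_lifetime_min"]:
        f.append("IKE: IKEv1 SA lifetime does not match the external gateway")
    return f

def audit_ipsec(ipsec, remote):
    """IPsec SA tab checks."""
    f = []
    if ipsec["type"] == "AH":
        f.append("IPsec: AH leaves all VPN traffic unencrypted")
    f += [f"IPsec: {c} {CIPHER_NOTES[c]}" for c in ipsec["ciphers"] if c in CIPHER_NOTES]
    # AES-GCM authenticates on its own; otherwise the digest provides integrity.
    gcm_only = all(c.startswith("AES-GCM") for c in ipsec["ciphers"])
    if not gcm_only and ipsec["digest"] == "SHA-2" and ipsec.get("min_length") not in SHA2_LENGTHS:
        f.append("IPsec: SHA-2 needs a Minimum Length of 256, 384 or 512")
    if ipsec["compression"] != "None":
        f.append("IPsec: Compression Algorithm must be None")
    if ipsec["tunnel_lifetime_min"] != remote["ipsec_tunnel_lifetime_min"]:
        f.append("IPsec: tunnel lifetime does not match the external gateway")
    if ipsec.get("pfs_group") is None:
        f.append("IPsec: PFS is recommended when the peer supports it")
    elif ipsec["pfs_group"] not in RECOMMENDED_DH:
        f.append(f"IPsec: PFS group {ipsec['pfs_group']} is outside groups 14-21")
    return f

def audit_profile(profile, remote):
    return audit_ike(profile["ike"], remote) + audit_ipsec(profile["ipsec"], remote)

REMOTE = {"ike_sa_lifetime_min": 1440, "ipsec_tunnel_lifetime_min": 60}  # constructed peer settings
WEAK_PROFILE = {"ike": {"versions": ["IKEv1"], "ciphers": ["3DES", "DES"], "digest": "SHA-1",
                        "dh_groups": [2], "sa_lifetime_min": 480},
                "ipsec": {"type": "ESP", "ciphers": ["Null"], "digest": "SHA-1",
                          "compression": "Deflate", "tunnel_lifetime_min": 60, "pfs_group": None}}
HARDENED_PROFILE = {"ike": {"versions": ["IKEv2"], "ciphers": ["AES-256"], "digest": "SHA-2",
                            "min_length": 256, "dh_groups": [14, 19], "sa_lifetime_min": 480},
                    "ipsec": {"type": "ESP", "ciphers": ["AES-GCM-256"], "digest": "SHA-2",
                              "min_length": 256, "compression": "None",
                              "tunnel_lifetime_min": 60, "pfs_group": 14}}
```

`audit_profile(WEAK_PROFILE, REMOTE)` reports seven findings, while the hardened profile passes even though its IKE SA lifetime differs from the peer, because with IKEv2 that value is set locally.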

Next steps

Create a Policy-Based VPN element.