Feature Configuration

LAN and Intranet IPSec tunnel Configuration

IPsec is a common encryption protocol for IP communications. It has the capability to use multiple types of encryption for data confidentiality as well as multiple hash algorithms to ensure data integrity. However, generally speaking, IPsec is a statically configured protocol and relies on other systems to negotiate security parameters. The most common protocol used is Internet Key Exchange (IKE). IKE negotiates one set of security parameters to secure its own information exchange, then negotiates an independent set of security parameters for the IPsec tunnel.

Access the IPSec configuration elements by selecting Advanced and then Connections. Use the plus symbol to add a new element and use the pencil marker symbol to edit an existing record.

IPsec Tunnels

Select a value for the Service Type parameter.
  • Intranet
  • LAN
  • Palo Alto
  • Zscaler

The default value is Intranet.

Inserting values for IPsec Tunnels

Fill in the following parameters:
  • Name
    • If the service type is Intranet, select the auto-generated name, which has "Intranet_Service" appended.
    • If the service type is LAN, type a name in the Name box.
  • Firewall Zone—Select an entry from the drop-down list.
  • Local IP—Drop-down list of Virtual IPs.
  • Peer IP—The IP address of the remote end with which the IPsec tunnel is to be established.
  • MTU—The default value is 1500 bytes.
  • Keepalive—A check box; if enabled, the appliance triggers IKE and IPsec rekeying.

IKE Settings

Version
The IKE version used to initiate the ISAKMP. Values:
  • IKEv1 (default)
  • IKEv2
Mode
Phase 1 parameter exchange in Main mode or Aggressive mode. Values:
  • Main (default)
  • Aggressive
Identity
Identity of the IKE interface. Values:
  • Auto (default)—IP address for PSK authentication, certificate DN for certificate authentication
  • IP Address—IP address of the appliance from which IKE interacts
Authentication
The mode in which peer can authenticate the appliance. Values:
  • pre-shared key (default)
  • certificate
Pre-shared Key
This field appears only if the authentication method is pre-shared key; enter the secret key shared with the peer.
Certificate
This field appears only if the authentication method is certificate; select one of the pre-configured certificate names from the drop-down list. Values: select an entry from the drop-down list.
Validate Peer Identity
Validate the identity of the peer, which can be an IP address or an FQDN. Values: check box, not ticked (default).
DH Group
DH groups supported by the appliance; one MUST be selected from the drop-down list. Values:
  • Group 1 – (Modp768)
  • Group 2 – (Modp1024) (default)
  • Group 5 – (Modp1536)
Hash Algorithms
Hashing algorithms supported by the appliance; one MUST be selected from the drop-down list. Values:
  • SHA1 (default)
  • MD5
  • SHA256
Encryption Mode
Encryption algorithms used for encryption in phase 2 of ISAKMP. Values:
  • AES 128-bit (default)
  • AES 192-bit
  • AES 256-bit
Integrity Algorithm
This field is specific to IKEv2 version. Values:
  • SHA1 (default)
  • MD5
  • SHA256
Lifetime
Proposed IKE SA lifetime value in seconds for the IKE SA established during IKE phase 1 negotiation. Values:
  • Min: 0
  • Max: 86400
  • Default: 3600
Lifetime Max
Maximum IKE SA lifetime accepted for IKE SA lifetime during IKE phase 1 negotiation. Values:
  • Min: 0
  • Max: 86400
  • Default: 3600
DPD Timeout
Timer value in seconds after which a DPD message is sent to the peer. Values:
  • Min: 0
  • Max: 86400
  • Default: 300

IPSec Settings

Tunnel Type
Type of IPsec child SAs that can be established in phase 2. Values:
  • ESP (Encapsulating Security Payload) (default)
  • ESP + Auth
  • AH (Authentication Header)
  • ESP - NULL
PFS Group
DH group exchange used for Perfect Forward Secrecy. Values:
  • <None> (default)
  • Group 1 (MODP768)
  • Group 2 (MODP1024)
  • Group 5 (MODP1536)
Encryption Mode
Encryption algorithms used in IPSec SAs. Values:
  • AES 128-bit (default)
  • AES 192-bit
  • AES 256-bit
Lifetime
Proposed IPSec SA lifetime value in seconds for the IPSec SA established during IKE phase 2 negotiation. Values:
  • Min: 0
  • Max: 86400
  • Default: 28800
Lifetime Max
Maximum IPSec SA lifetime accepted for IPSec SA lifetime during IKE phase 2 negotiation. Values:
  • Min: 0
  • Max: 86400
  • Default: 3600
Lifetime (KB)
Amount of data, in kilobytes, for which an IPSec SA may exist. Values:
  • Min: 0
  • Max: 4194303
  • Default: 0
Network Mismatch Behavior
Choose the action to take if a packet does not match the IPsec tunnel's protected network. Values:
  • Drop (default)
  • Send unencrypted
  • Use Non-IPSec Route
IPsec Protected Networks
The allowable set of IP addresses that may use the IPSec tunnel.

Source IP/Prefix
The source IP address or prefix that is allowed to use the IPSec tunnel.
Destination IP/Prefix
The destination IP address or prefix that is allowed to use the IPSec tunnel.
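As an added example (not from this product's documentation), the following Python lint pass checks one tunnel definition against the value ranges, defaults and option names listed in the IKE Settings and IPSec Settings sections above, and flags the weaker choices a reviewer would want to see before the tunnel goes live. The dictionary keys and the `lint_tunnel` function are this example's own assumptions, not appliance API names.

```python
import ipaddress

# Page defaults for the IKE and IPsec fields this example checks (constructed key names).
DEFAULTS = {
    "version": "IKEv1", "mode": "Main", "authentication": "pre-shared key",
    "dh_group": "Group 2", "hash": "SHA1", "integrity": "SHA1",
    "ike_lifetime": 3600, "dpd_timeout": 300, "tunnel_type": "ESP",
    "pfs_group": None, "ipsec_lifetime": 28800, "ipsec_lifetime_kb": 0,
    "network_mismatch": "Drop", "validate_peer_identity": False,
}
# Documented Min/Max for the numeric fields.
RANGES = {"ike_lifetime": (0, 86400), "dpd_timeout": (0, 86400),
          "ipsec_lifetime": (0, 86400), "ipsec_lifetime_kb": (0, 4194303)}


def lint_tunnel(cfg):
    """Return (errors, warnings) for one tunnel dict; unset keys take the page defaults."""
    c = {**DEFAULTS, **cfg}
    errors, warnings = [], []
    for key, (lo, hi) in RANGES.items():
        if not lo <= c[key] <= hi:
            errors.append(f"{key}={c[key]} outside documented range {lo}-{hi}")
    try:
        ipaddress.ip_address(c.get("peer_ip", ""))
    except ValueError:
        errors.append("peer_ip missing or not a valid IP address")
    if c["authentication"] == "pre-shared key" and not c.get("pre_shared_key"):
        errors.append("pre-shared key authentication selected but no key set")
    if c["authentication"] == "certificate" and not c.get("certificate"):
        errors.append("certificate authentication selected but no certificate chosen")
    # Hardening checks: the appliance accepts these settings, but they are weak choices.
    if c["version"] == "IKEv1" and c["mode"] == "Aggressive":
        warnings.append("IKEv1 Aggressive mode sends the identity unprotected; prefer Main mode")
    if "MD5" in (c["hash"], c["integrity"]):
        warnings.append("MD5 selected for hashing; prefer SHA256")
    if c["dh_group"] in ("Group 1", "Group 2") or c["pfs_group"] in ("Group 1", "Group 2"):
        warnings.append("DH group of 1024 bits or less; prefer Group 5, the strongest listed")
    if c["pfs_group"] is None:
        warnings.append("PFS disabled; a compromised IKE key exposes every child SA")
    if c["tunnel_type"] == "ESP - NULL":
        warnings.append("ESP-NULL provides integrity only, no confidentiality")
    if c["network_mismatch"] == "Send unencrypted":
        warnings.append("traffic outside the protected networks would leave in cleartext")
    if not c["validate_peer_identity"]:
        warnings.append("Validate Peer Identity is off; the peer's IP or FQDN is not checked")
    return errors, warnings
```

Running it with only the page defaults plus a peer IP and a key yields no errors but several warnings, which is the point: the defaults are valid, not hardened.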

Certificate Configuration

To support IKE certificate authentication, the configuration editor provides the ability to define Identity and Trusted certificates. To add certificates, click Advanced, then Sites, and then Certificates. Use the plus symbol to add a new element and use the pencil marker symbol to edit an existing record.

Add certs

To create a new entry, click the plus symbol, enter a certificate name, and paste the public and private keys.

Add identity

Add the trusted certificates that signed the appliance's certificates.

Trusted

The trusted certificate name and public key should be entered here.

Add Trusted Certificate

IPSec protected Conduits

In the conduit scenario, the IPSec SAs can be statically configured between two appliances; again, the IKE protocol is used to establish the IPSec tunnels. This section allows users to configure the following information required for tunnel creation.

Secure Conduit

When the check box for securing conduit user data with IPSec is selected, options appear to select the encapsulation type, the encryption mode and the IPSec SA lifetime.

Secure Conduit User Data

Tunnel Mode
Type of IPSec child SAs that can be established in phase 2. Values:
  • ESP (default)
  • ESP + Auth
  • AH
Encryption Mode
Encryption algorithms used in IPSec SAs. Values:
  • AES 128-bit
  • AES 256-bit
Lifetime
Proposed IPSec SA lifetime in seconds for an IPSec SA established during IKE phase 2 negotiation. Values:
  • Min: 0
  • Max: 86400
  • Default: 28800

Dynamic Conduit IPSec

If there is no conduit configured between two sites CL1-E50 and CL2-E50, as shown in the diagram below, data can be transferred between these two sites via WAN-to-WAN forwarding. The intermediate site (NCN-E100) must have WAN-to-WAN forwarding enabled. Traffic has to go through two hops to reach the destination site. This puts a heavy burden on the intermediate site, and there may be delay if the sites are in different geographical locations. The dynamic conduit feature solves these problems: dynamic conduits are created on the fly when needed and removed when no longer needed. There is a limit on the maximum number of conduits that can be configured per site, depending on the hardware type.

On the NCN side, the Enable WAN-to-WAN Forwarding check box must be enabled, and Enable Site as Intermediate Node must also be enabled.

WAN-to-WAN forwarding

Dynamic IPSec has to be configured; it is under Global->Default Sets->Dynamic Conduit Default Sets.

Secure Conduit

The Enable Dynamic Conduits field in the Connections table should be enabled for each of the client nodes (APNAs) between which dynamic conduits need to be set up.

Enable Dynamic Conduit

There shouldn’t be any static conduits configured between the client nodes for which dynamic conduits

Set the "Autopath Group" to "default_group".

Conduits

Firewall

The Firewall applies a set of security policies during the route lookup processing phase. The Talari Firewall performs connection tracking, so that policies can block inbound traffic that is not the result of an outbound session initiation. The Firewall application is integrated so that it knows about the different services (Conduit, Intranet, Internet, Local vs WAN, Zones) that SDWAN provides. This allows Firewall policies to reference services, which an external firewall device would not be able to do. An external firewall has no ability to look inside SDWAN's encapsulated conduit traffic to apply policies, which the integrated SDWAN Firewall can do.

Firewall

Changing a Password

To change the local user password:

  1. Click Manage SD-WAN Edge and then Users/Authentication.
    Login panel
  2. Enter the current password.
  3. Enter a new password.
  4. Confirm the new password.
  5. Click Change Password.