Creating IPsec VPN Tunnels (Ikev1/Ikev2):
Hello Everyone,
In this Article we are going to be covering the creation of the traditional vendor independent IPsec VPN tunnels between a Ray edge Device and a 3rd Party vendor Security gateway or router.
IPsec VPN:
Before we can start the configuration of IPsec VPNs, It's important to briefly talk about and understand what IPsec is and its purpose and protocols it uses.
What is IPsec?
IPsec ( Internet Protocol Security ) is a secure network protocol suite that enables the establishment of secure communications between a pair of secure gateways or routers over IP networks.
Where can be IPsec used?
IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
IPsec is currently mostly used to securely establish connections for data flows between networks in geographically disparate locations over the public network such as the internet.
IPsec is a network protocol suite that ensures both packet encryption and source authentication.
IPsec VPN underlying Protocols:
It is important to understand that IPsec is not a single protocol.
IPsec uses a group of underlying authentication and encryption protocols to perform specific tasks such as authentication, data integrity checks, confidentiality and encryption..etc. in order to be able to establish a secure data channel between a pair of security gateways.
The Three (3) main protocols used by IPsec include;
- ) The Security Authentication Header (AH) Uses the IP protocol ID 51
- ) Encapsulating Security Payload (ESP) Uses the IP protocol ID 50
- ) Internet Key Exchange (IKE)
IKE:
Among the above 3 main protocols used by IPsec, I am going to briefly discuss IKE and what its used for.
What is IKE?
IKE is a hybrid protocol based on two underlying security protocols, the Internet Security Association and Key Management Protocol ( or ISAKMP ) and the OKLEY Key Determination Protocol ( or OAKLEY ).
The IKE protocol defines several Exchange Types to be used during negotiation. Exchange types are used to describe a particular packet sequence and the payload requirements for each packet. Some exchanges are similar in purpose but each is unique in their own way.
For instance, the Identity Protect Mode ( or Main Mode ) and Aggressive Mode Exchange types are used during Phase 1 to negotiate ISAKMP SA's. While both exchanges are used for the same purpose, Aggressive Mode completes using three packets where Main Mode requires six. However, Aggressive mode does not offer the Peer Identity Protection. Quick Mode is used during Phase 2 to negotiate IPSEC SA's
ISAKMP provides a framework for authentication and key exchange but does not define them.
OAKLEY describes a series of key exchanges, called 'modes', and details the services provided by each.
Basic Operation of IPsec IKE:
The basic operation of IKE can be broken down into two phases.
Phase 1:
This phase is used to negotiate the parameters and key material required to establish an ISAKMP SA. Peer identities and credentials are also verified. The ISAKMP SA is then used to protect future IKE exchanges.
Phase 2:
This phase is used to negotiate the parameters and key material required to establish any number of IPSEC SA's. The IPSEC SA's are then used to protect any network traffic that may require security processing.
Ray IPsec VPN Configuration:
Ray Edge Devices support creation of IPsec VPN tunnels between Ray Edge appliances and another Ray Edge device or 3rd party vendor (Firewall/Router) using an IPsec Tunnel IKev1/Ikev2.
The following steps are followed in creation of an IPsec Tunnel of IKev1/Ikev2:
Click on Profiles menu
Click on Available Profiles
Click on tunnel Submenu
Click on create Tunnel:
The above steps are depicted in image below;
On clicking the create tunnel tab, pop up window showing tunnel profile settings pop comes up,
we shall Give our tunnel profile a name, under definitions, we select IPsec VPN (Ikev1/Ikev2)
as shown below.
After Selecting the tunnel Definition as IPsec Vpn(Ikev1/Ikev2).
We shall now select the interfaces and subnets to be matched in the tunnel for the local network and Remote Network. as indicated below.
After defining the Local and remote subnets for IPsec tunnel traffic. the next step is to define the encryption and ESP for the IPsec Tunnel SA for phase 1 and Phase 2.
Note: The Security Association and ESP for phase 1 and Phase 2 and the Preshared keys Must match between the Ray Edge Device and Remote 3rd Party vendor Firewall or router for the IPsec tunnel to be successfully Established.
The encryption and preshared key for the ipsec tunnel for phase 1 and Phase 2 are configured in next option as shown in images below.
In the Above image Under authentication:
The below parameters must match in both ends of the IPsec VPN Configuration:
- The Preshared keys defined here must match at the remote device (Firewall/Router) tunnel configuration in order to successfully establish the IPsec VPN tunnel.
- The ISAKMP (Phase 1) Encryption, Hash, DH Group and lifetime must match at both ends including at the remote device (Firewall/Router).
- The ESP (Phase 2) configuration must also be identical between Ray edge and the 3rd party (Firewall/Router) tunnel endpoint.
On completing the above configuration steps on the Ray Edge device and equivalent IPsec VPN configuration on the remote end point (Firewall/Router) your IPsec VPN tunnel should come up and you should have site-to-site connectivity.
Note: In some 3rd party vendor firewalls, you may be required to create a firewall policy to permit traffic for the VPN interface.
You can test your IPsec VPN tunnel by pinging a destination IP address in the Remote Local subnet from an IP address in your LAN.
we hope this Article was Useful.
Kind Regards,
Ray Support
ray.life