Creating IPsec VPN Tunnels (Ikev1/Ikev2):
Hello Everyone,
In this article, we are going to be covering the creation of the traditional vendor-independent IPsec VPN tunnels between a Ray edge Device and a 3rd Party vendor Security gateway or router.
IPsec VPN:
Before we can start the configuration of IPsec VPNs, It's important to briefly talk about and understand what IPsec is its purpose, and the protocols it uses.
What is IPsec?
IPsec ( Internet Protocol Security ) is a secure network protocol suite that enables the establishment of secure communications between a pair of secure gateways or routers over IP networks.
Where can be IPsec used?
IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
IPsec is currently mostly used to securely establish connections for data flows between networks in geographically disparate locations over the public network such as the Internet.
IPsec is a network protocol suite that ensures both packet encryption and source authentication.
IPsec VPN underlying Protocols:
It is important to understand that IPsec is not a single protocol.
IPsec uses a group of underlying authentication and encryption protocols to perform specific tasks such as authentication, data integrity checks, confidentiality, encryption..etc. to be able to establish a secure data channel between a pair of security gateways.
The Three (3) main protocols used by IPsec include;
- ) The Security Authentication Header (AH) Uses the IP protocol ID 51
- ) Encapsulating Security Payload (ESP) Uses the IP protocol ID 50
- ) Internet Key Exchange (IKE)
IKE:
Among the above 3 main protocols used by IPsec, I am going to briefly discuss IKE and what it's used for.
What is IKE?
IKE is a hybrid protocol based on two underlying security protocols, the Internet Security Association and Key Management Protocol ( or ISAKMP ) and the OAKLEY Key Determination Protocol ( or OAKLEY ).
The IKE protocol defines several Exchange Types to be used during negotiation. Exchange types are used to describe a particular packet sequence and the payload requirements for each packet. Some exchanges are similar in purpose but each is unique in their way.
For instance, the Identity Protect Mode ( or Main Mode ) and Aggressive Mode Exchange types are used during Phase 1 to negotiate ISAKMP SA's. While both exchanges are used for the same purpose, Aggressive Mode completes using three packets whereas Main Mode requires six. However, the Aggressive mode does not offer Peer Identity Protection. Quick Mode is used during Phase 2 to negotiate IPSEC SA's
ISAKMP provides a framework for authentication and key exchange but does not define them.
OAKLEY describes a series of key exchanges, called 'modes', and details the services provided by each.
Basic Operation of IPsec IKE:
The basic operation of IKE can be broken down into two phases.
Phase 1:
This phase is used to negotiate the parameters and key material required to establish an ISAKMP SA. Peer identities and credentials are also verified. The ISAKMP SA is then used to protect future IKE exchanges.
Phase 2:
This phase is used to negotiate the parameters and key material required to establish any number of IPSEC SAs. The IPSEC SA's are then used to protect any network traffic that may require security processing.
Ray IPsec VPN Configuration:
Ray Edge Devices support the creation of IPsec VPN tunnels between Ray Edge appliances and another Ray Edge device or 3rd party vendor (Firewall/Router) using an IPsec Tunnel IKev1/Ikev2.
The following steps are followed in the creation of an IPsec Tunnel of IKev1/Ikev2:
Click on the Profiles menu
Click on the tunnel Submenu
Click on +Create Tunnel
The above steps are depicted in the image below;
On clicking the Create Tunnel tab, pop up window showing tunnel profile settings pop comes up,
we shall Give our tunnel profile a name, under definitions, we select IPsec VPN (Ikev1/Ikev2)
as shown below.
After Selecting the tunnel Definition as IPsec Vpn(Ikev1/Ikev2).
We shall now select the interfaces and subnets to be matched in the tunnel for the local network and Remote Network. as indicated below.
After defining the Local and remote subnets for IPsec tunnel traffic. the next step is to define the encryption and ESP for the IPsec Tunnel SA for Phase 1 and Phase 2.
Note: The Security Association and ESP for Phase 1 and Phase 2 and the Preshared keys Must match between the Ray Edge Device and Remote 3rd Party vendor Firewall or router for the IPsec tunnel to be successfully Established.
The encryption and preshared key for the IPsec tunnel for Phase 1 and Phase 2 are configured in the next option as shown in the images below.
In the Above image Under authentication:
The below parameters must match both ends of the IPsec VPN Configuration:
- The Preshared keys defined here must match the remote device (Firewall/Router) tunnel configuration to successfully establish the IPsec VPN tunnel.
- The ISAKMP (Phase 1) Encryption, Hash, DH Group, and lifetime must match at both ends including at the remote device (Firewall/Router).
- The ESP (Phase 2) configuration must also be identical between Ray Edge and the 3rd party (Firewall/Router) tunnel endpoint.
On completing the above configuration steps on the Ray Edge device and equivalent IPsec VPN configuration on the remote endpoint (Firewall/Router) your IPsec VPN tunnel should come up and you should have site-to-site connectivity.
Note: In some 3rd party vendor firewalls, you may be required to create a firewall policy to permit traffic for the VPN interface.
You can test your IPsec VPN tunnel by pinging a destination IP address in the Remote Local subnet from an IP address in your LAN.
Thank you,
Ray support Team