IPSec Profiles
The IPSec Profiles page lists all the preconfigured and custom IPSec profiles.
A policy describes the security parameters used in negotiations to establish and maintain a secure tunnel between two peers.
Before you set up your secure tunnels, you can create VPN policies that work at a global level to make tunnel configuration faster and easier. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and later apply them to your secure tunnels.
Authentication mode
To ensure secure communication, every IKE (Internet Key Exchange) negotiation has two phases: Phase 1 (Authentication) and Phase 2 (Key exchange).
The Phase 1 negotiation establishes a secure channel between the peers and determines a specific set of cryptographic protocols, exchanges shared secret keys, and selects the encryption and authentication algorithms that will be used for generating keys.
The Phase 2 negotiation establishes a secure channel between the peers to protect data. During Phase 2, the security association for the tunnel is established. Either peer can initiate Phase 1 or Phase 2 renegotiation at any time, and both can specify intervals after which to renegotiate.
Key life
The lifetime of a key is specified as the key life.
Once the connection is established after exchanging authenticated and encrypted keys, the connection is not dropped until the key life expires. If the key lives of the two peers are not the same, renegotiation takes place whenever the key life of either peer expires. This means an intruder has to decrypt only one key to break into your system.
Key generation and key rotation are important because the longer the life of a key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis.
Perfect Forward Secrecy (PFS)
It becomes difficult for a network intruder to get the big picture if keys keep changing and a new key has to be cracked for every negotiation. This is achieved by implementing PFS. When PFS is selected, a new key is generated for every negotiation and a new DH key exchange is included, so each time the intruder has to break yet another key even if the previous key is already known. This enhances security.
Diffie-Hellman (DH) Group (IKE group)
Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communications channel. The Diffie-Hellman key exchange uses a complex algorithm with public and private keys to encrypt and then decrypt the data.
The Diffie-Hellman group describes the key length used in encryption. The group number is also referred to as the group identifier.
DH Group    Key length (bits)
1           768
2           1024
5           1536
14          2048
15          3072
16          4096
If mismatched groups are specified on the two peers, negotiation fails. The group cannot be switched during the negotiation.
Re-key Margin
The time before the next key is exchanged. It is calculated by subtracting the time elapsed since the last key exchange from the key life. By setting Re-keying to ‘Yes’, the negotiation process starts automatically before key expiry without interrupting service.
Dead Peer Detection settings
Used to check whether the device is able to reach the peer's IP address. Set the time interval after which the status of the peer is checked, and the action to take if the peer is not alive.
Tunnel Negotiation
The negotiation process starts to establish the connection when the local or remote peer wants to communicate with the other. Depending on the connection parameters defined, a key is generated and used for the negotiation. The lifetime of the key is specified as the key life. Once the connection is established, it is alive/active and data can be transferred up to the specified key life. The connection is closed/deactivated once the key expires.
If the connection is to be activated again, the entire negotiation process has to be started all over again. The negotiation process can be started again automatically by either the local or the remote peer only if Allow Re-keying is set to ‘Yes’. Set the re-keying time in terms of the remaining key life at which negotiation is to start automatically, so that communication is not interrupted before key expiry. For example, if the key life is 8 hours and the re-key margin is 10 minutes, the negotiation process starts automatically after 7 hours 50 minutes of key usage.
The negotiation process generates a new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’. PFS generates a new key from scratch, so there is no dependency between the old and the new key.
Re-keying   Result
Yes         Both the local and the remote peer can initiate a connection request. Depending on PFS, the negotiation process uses the same key or generates a new key.
No          Only the remote peer can initiate a connection request. Depending on PFS, the negotiation process uses the same key or generates a new key.
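As an added illustration (not the product's own code or CLI), the following Python models the negotiation behaviour described above: a DH group mismatch fails the negotiation, the shorter of the two peers' key lives drives renegotiation, the re-key margin fixes when automatic re-keying starts, and the re-keying setting decides which peers may initiate. PeerProfile, plan_tunnel and seconds_until_rekey are assumed names.

```python
from dataclasses import dataclass
from typing import Optional

# DH group -> modulus length in bits (the groups listed on this page)
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


@dataclass
class PeerProfile:
    """Hypothetical stand-in for one peer's IPSec profile settings."""
    dh_group: int
    key_life_s: int        # Key life, in seconds
    rekey_margin_s: int    # Re-key margin, in seconds
    rekeying: bool         # Allow Re-keying: Yes/No
    pfs: bool              # Perfect Forward Secrecy: Yes/No


def plan_tunnel(local: PeerProfile, remote: PeerProfile) -> dict:
    """Work out what the negotiation will do for this pair of profiles."""
    # Mismatched groups fail, and the group cannot change mid-negotiation.
    if local.dh_group != remote.dh_group:
        raise ValueError(
            f"DH group mismatch: local {local.dh_group}, remote {remote.dh_group}")
    if local.dh_group not in DH_GROUP_BITS:
        raise ValueError(f"unknown DH group {local.dh_group}")
    if local.rekey_margin_s >= local.key_life_s:
        raise ValueError("re-key margin must be shorter than the key life")
    # Whichever peer's key life is shorter forces the renegotiation.
    effective_life = min(local.key_life_s, remote.key_life_s)
    rekey_at: Optional[int] = None
    if local.rekeying:
        # Automatic re-keying starts 'margin' seconds before the key expires.
        rekey_at = effective_life - local.rekey_margin_s
    return {
        "dh_bits": DH_GROUP_BITS[local.dh_group],
        "effective_key_life_s": effective_life,
        "rekey_at_s": rekey_at,                    # None: tunnel drops at expiry
        "can_initiate": ("local", "remote") if local.rekeying else ("remote",),
        "fresh_dh_exchange_on_rekey": local.pfs,   # PFS: no link to the old key
    }


def seconds_until_rekey(plan: dict, elapsed_s: int) -> Optional[int]:
    """Remaining time to the automatic re-key, given time since the last exchange."""
    if plan["rekey_at_s"] is None:
        return None
    return max(plan["rekey_at_s"] - elapsed_s, 0)
```

With an 8-hour key life and a 10-minute margin the plan reports a re-key at 28200 seconds (7 hours 50 minutes), matching the page's example.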
The device provides 5 default policies, and you can also create a custom policy to meet your organization’s requirements.
To make VPN connection configuration easy, the following five preconfigured VPN policies are included for frequently used VPN deployment scenarios:
Road warrior
L2TP
Head office connectivity
Branch office connectivity
Default
You can also add a new policy, update the parameters of an existing policy, or delete a policy. Instead of creating a policy from scratch, you can create a new policy based on an existing one by duplicating its parameters.
Duplicate - Click the duplicate icon in the Manage column against the VPN policy to be duplicated. The Add VPN Policy window is displayed with the same parameter values as the existing policy. Modify the values as required and click OK to add the new policy.
* The Default policy can be updated but cannot be deleted.