The following IKEv1 IPsec tunnel settings can be configured:
General
Setting | Description |
---|---|
Name | The tunnel name. You can enter a maximum of 26 characters. |
Disabled | To manually disable the tunnel, select this check box. |
IPv6 | Enable to use IPv6 addresses for the VPN tunnel envelope. |
Basics
In this tab, you can edit the following Phase 1 and Phase 2 settings.
Setting | Description |
---|---|
Encryption | The data encryption algorithm. |
Hash Meth. | The hash algorithm. |
DH-Group | The Diffie-Hellman Group that specifies the type of key exchange. The Barracuda CloudGen Firewall supports Group1 to Group18. |
Lifetime [sec] | The re-keying time in seconds that the server offers to the partner. |
Min. Lifetime [sec] | The minimum re-keying time in seconds that the server accepts from its partner. |
Max. Lifetime [sec] | The maximum re-keying time in seconds that the server accepts from its partner. |
Enable Perfect Forward Secrecy | Toggle to enable or disable PFS. The remote gateway must also support PFS. |
SD-WAN - VPN Envelope Policy
Setting | Description |
---|---|
TOS Policy | This policy setting specifies how Type of Service (ToS) information contained within a packet's IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options: For more information about precedence values, see http://www.bogpeople.com/networking/dscp.shtml and http://www.tucny.com/Home/dscp-tos. |
Band Policy | The Band Policy settings rely on connection objects that are assigned to bands in the firewall rulesets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface. You can select one of the following options: |
Replay Window Size | If, because of ToS policies assigned to VPN tunnels or transports, packets are not forwarded immediately in the order of their sequence numbers, you can configure the replay window size to assure sequence integrity and to prevent IP packet "replaying." The window size specifies the maximum number of IP packets that can be held until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding any global policy settings. Set to |
Advanced
Setting | Description |
---|---|
DPD intervals [s] | Enter the interval in seconds between the IKE notify messages that check whether the peer is still available. Default: 5 sec. |
Interface Index | By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field. Before using this option, you must first create the indexed VPN interface in the VPN Settings. |
VPN Next Hop Routing | Enter the IP address of the remote VPN tunnel interface that is reachable via the vpnr interface using the index entered as the Interface Index. |
Phase 2 Lifetime Adjust [s] | This setting ensures that the firewall initiates rekeying. On CloudGen Firewall devices with firmware 8.0.1 or higher, you can leave this field blank. |
NAT-T Autodetect | Attempt to detect the UDP NAT-T type supported by the remote VPN gateway. |
RAW IPSec
In this section, you can add optional parameters for establishing IPsec tunnels. When appending a parameter, first specify the section that the parameter is assigned to. Then, specify the new parameter itself in the next line. Enter one single value per line. For example:
```ini
[Section]
key=value
```
To set the IPSec ID for Phase 1, use the following format:
```ini
[IPSEC-<tunnelname>-ID]
ID-Type= IPV4_ADDR
Address= <IP address>
[IPSEC-<tunnelname>]
ID= IPSEC-<tunnelname>-ID
```
Example:
```ini
[IPSEC-TestTunnel-ID]
ID-Type= IPV4_ADDR
Address= 198.51.100.30
[IPSEC-TestTunnel]
ID= IPSEC-TestTunnel-ID
```
New sections are added to the end of the isakmpd.conf file. New parameters are added to the top of the specified section. For more information on the syntax to be used in this field, see the isakmpd.conf man page at www.openbsd.org/cgi-bin/man.cgi.
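The following added example (not Barracuda's own code) merges the contents of the RAW IPSec field into an isakmpd.conf-style text according to the two placement rules stated above, and then checks that every `ID=` reference names a section that actually exists, so that a mistyped `[IPSEC-<tunnelname>-ID]` header is caught before the tunnel is activated with a broken Phase 1 identity. The base configuration and its keys are constructed sample data.

```python
# Added example: applies RAW IPSec entries to an isakmpd.conf-style text using
# the rules from this page (new sections go to the end of the file, new
# parameters go to the top of their section) and validates ID= references.
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_sections(text):
    """Return an ordered list of (name, [lines]); lines before the first
    header are kept under the name None."""
    blocks, name, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            blocks.append((name, lines))
            name, lines = m.group(1), []
        elif line:
            lines.append(line)
    blocks.append((name, lines))
    return blocks


def apply_raw_ipsec(base_conf, raw_ipsec):
    """Merge the RAW IPSec field (a [Section] header followed by one key=value
    per line) into base_conf and return the resulting text."""
    blocks = parse_sections(base_conf)
    index = {n: l for n, l in blocks}          # shares the line lists with blocks
    for name, lines in parse_sections(raw_ipsec):
        if name is None:
            if lines:                           # a parameter must follow a header
                raise ValueError("parameter without a [Section]: %r" % lines[0])
            continue
        if name in index:
            index[name][0:0] = lines            # top of the existing section
        else:
            blocks.append((name, list(lines)))  # end of the file
            index[name] = blocks[-1][1]
    out = []
    for name, lines in blocks:
        if name is not None:
            out.append("[%s]" % name)
        out.extend(lines)
    return "\n".join(out) + "\n"


def dangling_id_refs(conf):
    """Section names used in ID= lines that have no matching [Section]."""
    blocks = parse_sections(conf)
    names = {n for n, _ in blocks if n}
    refs = {l.split("=", 1)[1].strip() for _, ls in blocks for l in ls
            if l.split("=", 1)[0].strip() == "ID"}
    return sorted(refs - names)
```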
Local Networks
Setting | Description |
---|---|
Initiates Tunnel | Specifies whether the tunnel is active or passive. You can select one of the following options: Active also implies that incoming VPN connection attempts are accepted. |
Local IKE Gateway | The IP address of the local IKE gateway. If you are using dynamic IP addresses, enter 0.0.0.0/0. |
ID-type | |
Identify
Setting | Description |
---|---|
Identification Type | |
Mode | |
Remote Networks
Setting | Description |
---|---|
Remote IKE Gateway | The IP address of the remote IKE gateway. If the remote IPsec gateway is connected to the Internet with a dynamic IP address, enter the DDNS (Dynamic Domain Name System) hostname of the gateway. |
Network Address | To add the network address of the VPN partner, enter it in this field and then click Add. |
Peer Identification
Depending on which identification type is selected, different fields are unlocked in the Peer Identification section.
Setting | Description |
---|---|
Shared Secret | Enter the shared passphrase used to authenticate. Passphrases using the hash (#) character are not accepted. |
CA Root | Select the root certificate used to validate the certificate. |
X509 Condition | Enter the certificate key patterns the certificate is required to match when X.509 certificate authentication is used. |
Explicit X509 | Import an explicit certificate for X.509 certificate authentication. |