Product Documentation

Configuring Virtual WAN IPsec for FIPS Compliant Operation

Aug 09, 2017

In release 9.2, IPSec security setting enhancements are introduced with addition of DH groups and random number generator functionality for compliance with Federal Standards.

To configure Virtual Path IPsec Settings:

  • Enable Virtual Path IPsec Tunnels for all Virtual Paths where FIPS compliance is required. IPsec settings for Virtual Paths are controlled via Default Sets.
  • Configure message authentication by changing the IPsec Mode to AH or ESP+Auth and use a FIPS approved hashing function. SHA1 is currently accepted by FIPS, but SHA256 is highly recommended.
  • IPsec lifetime should be configured for no more than 8 hours (28800 seconds).

The Virtual WAN uses IKE version 2 with pre-shared-keys to negotiate IPsec tunnels through the Virtual Path using the following settings:

  • DH Group Group 19: ECP256 (256-bit Elliptic Curve) for key negotiation
  • 256-bit AES-CBC Encryption
  • SHA256 hashing for message authentication
  • SHA256 hashing for message integrity
  • DH Group 2: MODP-1024 for Perfect Forward Secrecy

To configure IPsec Tunnel for a third party, use the following settings:

          a)    Configure FIPS approved DH Group. Groups 2 and 5 are permissible under FIPS, however groups 14 and above are highly recommended.     

          b)    Configure FIPS approved hash function. SHA1 is currently accepted by FIPS, however SHA256 is highly recommended.

          c)     If using IKEv2, configure a FIPS approved integrity function. SHA1 is currently accepted by FIPS, however SHA256 is highly recommended.

          d)    Configure an IKE lifetime, and max lifetime, of no more than 24 hours (86400 seconds).

          e)    Configure IPsec message authentication by changing the IPsec Mode to AH or ESP+Auth and use a FIPS approved hashing function. SHA1 is currently accepted by FIPS, but SHA256 is highly recommended.

          f)     Configure an IPsec lifetime, and max lifetime, of no more than 8 hours (28800 seconds).

To configure IPSec tunnels:

     1.    On the MCN appliance, go to Configuration -> Virtual WAN -> Configuration Editor. Open an existing configuration package. Click the Advanced tab. Go to Connections > IPSec Tunnels.

localized image

     2.  Expand IKE Settings. Configure groups in DH Group drop-down list.

localized image

     3. Expand IPsec Settings. Configure groups in the PFS Group drop-down list.

localized image