Product Documentation

How To Configure IPsec Tunnel Between SD-WAN and Third-Party Devices

Aug 09, 2017

To configure IPsec Tunnel for Intranet or LAN service:

1. In the Configuration Editor, navigate to Connections > [Site Name] > IPsec Tunnels. Choose a Service Type (LAN or Intranet).

2. Enter a Name for the service type. For the Intranet service type, the configured Intranet Server determines which Local IP addresses are available.

3. Select the available Local IP address and enter the Peer IP address for the virtual path to peer with.

 

Note

If the Service Type is Intranet, the Local IP address is pre-determined by the chosen Intranet Service.


4. Configure IPsec settings by applying the criteria described in the following tables. When finished, click Apply to save your settings.

Field / Description / Value(s)

Service Type

Choose a service type from the drop-down menu.

  • Intranet
  • LAN

Name

If the service type is Intranet, choose from the list of configured intranet services in the drop-down menu. If the service type is LAN, enter a unique name.  

  • Text string

Local IP

Choose the local IP address of the IPsec Tunnel from the drop-down menu of available virtual IP addresses configured at this Site.  

  • IP address

Peer IP

Enter the peer IP address of the IPsec Tunnel.  

  • IP address

MTU

Enter the MTU used to fragment IKE and IPsec packets.

  • Default: 1500

IKEv1 Settings

Version: Choose an IKE version from the drop-down menu.

  • IKEv1
  • IKEv2

Mode: Choose a mode from the drop-down menu.

  • Main
  • Aggressive

Identity: Choose an Identity from the drop-down menu.

  • Auto
  • IP Address

Authentication: Choose the authentication type from the drop-down menu. 

Pre-Shared Key

  • If you are using a pre-shared key, copy and paste it into this field. Click the eyeball icon to view the Pre-Shared Key.

Certificate

  • If you are using an identity certificate, choose it from the drop-down menu.  

Validate Peer Identity: Select this checkbox to validate the IKE peer's identity. If the peer's ID type is not supported, do not enable this feature.

  • None

DH Group: Choose the Diffie–Hellman group to use for IKE key generation from the drop-down menu.

  • Group 1
  • Group 2
  • Group 5

Hash Algorithm: Choose an algorithm from the drop-down menu to authenticate IKE messages.

  • MD5
  • SHA1
  • SHA-256

Encryption Mode: Choose the Encryption Mode for IKE messages from the drop-down menu. 

  • AES 128-bit
  • AES 192-bit
  • AES 256-bit

Lifetime (s): Enter the preferred duration, in seconds, for an IKE security association to exist. 

  • 3600 seconds (default)

Lifetime Max (s): Enter the maximum preferred duration, in seconds, to allow an IKE security association to exist.

  • 86400 seconds (default)

DPD Timeout (s): Enter the Dead Peer Detection timeout, in seconds, for VPN connections. 

  • 300 seconds (default)

IKEv2

Peer Authentication: Choose Peer Authentication from the drop-down menu.

  • Mirrored
  • Pre-Shared Key
  • Certificate

Peer Pre-Shared Key: Paste the IKEv2 Peer Pre-Shared Key into this field for authentication. Click the eyeball icon to view the Pre-Shared Key.

  • Text string

Integrity Algorithm: Choose the hashing algorithm to use for HMAC verification from the drop-down menu.

  • MD5
  • SHA
  • SHA-256

IPsec and IPsec Protected Network Settings

Field / Description / Value(s)

Tunnel Type

Choose the Tunnel Type from the drop-down menu.

  • ESP
  • ESP+Auth
  • ESP + NULL
  • AH

PFS Group

Choose the Diffie–Hellman group to use for perfect forward secrecy key generation from the drop-down menu.

  • Group 1
  • Group 2
  • Group 5

Encryption Mode

Choose the Encryption Mode for IPsec messages from the drop-down menu. 

If you chose ESP or ESP+Auth, select one of the following:

  • AES 128-bit
  • AES 192-bit
  • AES 256-bit

Lifetime (s)

Enter the amount of time, in seconds, to allow an IPsec security association to exist.

  • 28800 seconds (default)

Lifetime Max (s)

Enter the maximum amount of time, in seconds, to allow an IPsec security association to exist.

  • 86400 seconds (default)

Lifetime (KB)

Enter the amount of data, in kilobytes, to allow an IPsec security association to exist.

  • Kilobytes

Lifetime (KB) Max

Enter the maximum amount of data, in kilobytes, to allow an IPsec security association to exist.

  • Kilobytes
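The IKE settings table and the IPsec settings above share a handful of constraints that are easy to get wrong in a form: each Lifetime must not exceed its Lifetime Max, the DH Group and PFS Group choices range from 768-bit to 1536-bit MODP, and several offered options (MD5, SHA1, IKEv1 Aggressive mode with a pre-shared key, ESP + NULL, AH, Send Unencrypted) weaken or remove protection. The following lint is an added example, not code from the SD-WAN product or this documentation; it uses the field names and option strings exactly as the tables list them, while the dict layout, the two sample configurations and the wording of the findings are constructed for this example (the reading of "SHA" in the IKEv2 Integrity Algorithm list as SHA-1 is an assumption).

```python
"""Added example, not part of the SD-WAN documentation: a pre-deployment lint
for the IKE and IPsec parameters listed in the configuration tables.

Keys are the field names from the tables and option strings are the values
the tables offer.  The dict layout, sample configurations and findings text
are constructed for this example.
"""
from __future__ import annotations

# Diffie-Hellman MODP group sizes in bits (RFC 2409 groups 1, 2 and 5).
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536}
# 768- and 1024-bit MODP are too weak for new deployments; Group 5 is the
# strongest option the tables offer.
WEAK_DH_GROUPS = {"Group 1", "Group 2"}
# "SHA" in the IKEv2 Integrity Algorithm list is taken to mean SHA-1 (assumption).
WEAK_HASHES = {"MD5", "SHA1", "SHA"}
AES_MODES = {"AES 128-bit", "AES 192-bit", "AES 256-bit"}


def _check_lifetimes(phase: str, cfg: dict, pairs: list[tuple[str, str]]) -> list[str]:
    """Flag any Lifetime field that exceeds its Lifetime Max counterpart."""
    out = []
    for lifetime, maximum in pairs:
        if lifetime in cfg and maximum in cfg and cfg[lifetime] > cfg[maximum]:
            out.append(f"{phase}: {lifetime} ({cfg[lifetime]}) exceeds {maximum} ({cfg[maximum]})")
    return out


def lint_ike(ike: dict) -> list[str]:
    """Checks for the IKEv1 / IKEv2 settings table."""
    f = _check_lifetimes("IKE", ike, [("Lifetime (s)", "Lifetime Max (s)")])
    if ike.get("DPD Timeout (s)", 0) <= 0:
        f.append("IKE: DPD Timeout (s) must be positive, otherwise dead peers are never detected")
    if ike["DH Group"] in WEAK_DH_GROUPS:
        f.append(f"IKE: DH {ike['DH Group']} is {DH_GROUP_BITS[ike['DH Group']]}-bit MODP; use Group 5")
    if ike["Hash Algorithm"] in WEAK_HASHES:
        f.append(f"IKE: Hash Algorithm {ike['Hash Algorithm']} is deprecated; use SHA-256")
    if ike["Encryption Mode"] not in AES_MODES:
        f.append(f"IKE: unexpected Encryption Mode {ike['Encryption Mode']!r}")
    # IKEv1 Aggressive mode sends the identity in the clear and exposes a
    # PSK-derived hash on the wire, so Main mode is the safe choice with a PSK.
    if (ike["Version"] == "IKEv1" and ike.get("Mode") == "Aggressive"
            and ike.get("Authentication") == "Pre-Shared Key"):
        f.append("IKE: IKEv1 Aggressive mode with a pre-shared key; use Main mode")
    if ike["Version"] == "IKEv2" and ike.get("Integrity Algorithm") in WEAK_HASHES:
        f.append(f"IKE: IKEv2 Integrity Algorithm {ike['Integrity Algorithm']} is deprecated; use SHA-256")
    return f


def lint_ipsec(ipsec: dict) -> list[str]:
    """Checks for the IPsec settings table."""
    f = _check_lifetimes("IPsec", ipsec, [("Lifetime (s)", "Lifetime Max (s)"),
                                          ("Lifetime (KB)", "Lifetime (KB) Max")])
    tunnel = ipsec["Tunnel Type"]
    if tunnel in ("ESP + NULL", "AH"):
        f.append(f"IPsec: Tunnel Type {tunnel} authenticates but does not encrypt payloads")
    elif ipsec.get("Encryption Mode") not in AES_MODES:
        f.append(f"IPsec: Encryption Mode {ipsec.get('Encryption Mode')!r} is not one of the AES options")
    if ipsec["PFS Group"] in WEAK_DH_GROUPS:
        f.append(f"IPsec: PFS {ipsec['PFS Group']} is {DH_GROUP_BITS[ipsec['PFS Group']]}-bit MODP; use Group 5")
    if ipsec["Network Mismatch Behavior"] == "Send Unencrypted":
        f.append("IPsec: Network Mismatch Behavior 'Send Unencrypted' forwards non-matching "
                 "traffic in cleartext; prefer Drop or Use Non-IPsec Route")
    return f


def lint_tunnel(cfg: dict) -> list[str]:
    """Return all findings for one tunnel; an empty list means no issues."""
    return lint_ike(cfg["ike"]) + lint_ipsec(cfg["ipsec"])


# Constructed sample: a tunnel with several legacy choices and a lifetime typo.
LEGACY_TUNNEL = {
    "ike": {"Version": "IKEv1", "Mode": "Aggressive", "Authentication": "Pre-Shared Key",
            "DH Group": "Group 2", "Hash Algorithm": "MD5", "Encryption Mode": "AES 128-bit",
            "Lifetime (s)": 3600, "Lifetime Max (s)": 86400, "DPD Timeout (s)": 300},
    "ipsec": {"Tunnel Type": "ESP+Auth", "PFS Group": "Group 2", "Encryption Mode": "AES 256-bit",
              "Lifetime (s)": 86400, "Lifetime Max (s)": 28800,
              "Lifetime (KB)": 4_000_000, "Lifetime (KB) Max": 8_000_000,
              "Network Mismatch Behavior": "Send Unencrypted"},
}

# Constructed sample: the same tunnel using the table defaults and strongest options.
HARDENED_TUNNEL = {
    "ike": {"Version": "IKEv2", "Peer Authentication": "Pre-Shared Key",
            "DH Group": "Group 5", "Hash Algorithm": "SHA-256", "Integrity Algorithm": "SHA-256",
            "Encryption Mode": "AES 256-bit",
            "Lifetime (s)": 3600, "Lifetime Max (s)": 86400, "DPD Timeout (s)": 300},
    "ipsec": {"Tunnel Type": "ESP+Auth", "PFS Group": "Group 5", "Encryption Mode": "AES 256-bit",
              "Lifetime (s)": 28800, "Lifetime Max (s)": 86400,
              "Lifetime (KB)": 4_000_000, "Lifetime (KB) Max": 8_000_000,
              "Network Mismatch Behavior": "Drop"},
}

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_TUNNEL), ("hardened", HARDENED_TUNNEL)):
        print(name, lint_tunnel(cfg) or ["ok"])
```

Run as a script it prints six findings for the legacy sample and "ok" for the hardened one. The checks stay within the option set the form offers, which is why the DH check recommends Group 5 rather than a group the drop-down does not contain.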

Network Mismatch Behavior

Choose the action to take if a packet does not match the IPsec Tunnel’s Protected Networks from the drop-down menu.  

  • Drop
  • Send Unencrypted
  • Use Non-IPsec Route 

IPsec Protected Networks

Source IP/Prefix: After clicking the Add (+ Add) button, enter the Source IP and Prefix of the network traffic the IPsec Tunnel will protect.  

  • IP address

Destination IP/Prefix: Enter the Destination IP and Prefix of the network traffic the IPsec Tunnel will protect.

  • IP address
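The Protected Networks entries and the Network Mismatch Behavior field together decide what happens to each packet: traffic whose source falls inside a Source IP/Prefix and whose destination falls inside the paired Destination IP/Prefix goes through the tunnel, and anything else is handled by the mismatch behavior. The model below is an added example, not code from the SD-WAN product or this documentation; the three behavior names are the options from the table, while the packet model, the `protected_network` helper, the sample prefixes and the `audit_cleartext_risk` function are constructed for this example.

```python
"""Added example, not part of the SD-WAN documentation: a model of how the
IPsec Protected Networks select traffic for the tunnel and how the configured
Network Mismatch Behavior handles the rest.

The behaviour names come from the configuration table; the classes, helper
functions, sample prefixes and sample flows are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network

# The three options offered by the Network Mismatch Behavior drop-down.
DROP = "Drop"
SEND_UNENCRYPTED = "Send Unencrypted"
USE_NON_IPSEC_ROUTE = "Use Non-IPsec Route"
MISMATCH_BEHAVIORS = (DROP, SEND_UNENCRYPTED, USE_NON_IPSEC_ROUTE)


@dataclass(frozen=True)
class ProtectedNetwork:
    """One row of the IPsec Protected Networks table."""
    source: IPv4Network | IPv6Network       # Source IP/Prefix
    destination: IPv4Network | IPv6Network  # Destination IP/Prefix

    def matches(self, src: str, dst: str) -> bool:
        # ipaddress returns False for an address/network version mismatch,
        # so mixed IPv4/IPv6 input simply fails to match rather than raising.
        return ip_address(src) in self.source and ip_address(dst) in self.destination


@dataclass
class IPsecTunnel:
    name: str
    protected: list[ProtectedNetwork]
    mismatch_behavior: str = DROP

    def decide(self, src: str, dst: str) -> str:
        """'encrypt' when the packet matches a protected network, otherwise
        the configured Network Mismatch Behavior."""
        if any(p.matches(src, dst) for p in self.protected):
            return "encrypt"
        if self.mismatch_behavior not in MISMATCH_BEHAVIORS:
            raise ValueError(f"unknown Network Mismatch Behavior {self.mismatch_behavior!r}")
        return self.mismatch_behavior


def protected_network(src_prefix: str, dst_prefix: str) -> ProtectedNetwork:
    """Build a row from the two prefix strings the form asks for.
    strict=False accepts a host address with a prefix, e.g. 10.1.2.3/24."""
    return ProtectedNetwork(ip_network(src_prefix, strict=False),
                            ip_network(dst_prefix, strict=False))


def audit_cleartext_risk(tunnel: IPsecTunnel,
                         flows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the flows that would leave in cleartext; only possible when the
    tunnel is configured with 'Send Unencrypted'."""
    return [flow for flow in flows if tunnel.decide(*flow) == SEND_UNENCRYPTED]


# Constructed sample: branch LAN 10.1.0.0/16 to data-centre 172.16.0.0/12.
BRANCH_TUNNEL = IPsecTunnel(
    name="branch-to-dc",
    protected=[protected_network("10.1.0.0/16", "172.16.0.0/12")],
    mismatch_behavior=SEND_UNENCRYPTED,
)

# Constructed sample flows: (source, destination).
SAMPLE_FLOWS = [
    ("10.1.20.5", "172.20.1.10"),  # inside both prefixes -> encrypted
    ("10.1.20.5", "192.0.2.10"),   # destination outside -> mismatch
    ("10.2.0.9", "172.20.1.10"),   # source outside -> mismatch
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {BRANCH_TUNNEL.decide(src, dst)}")
    print("would leave in cleartext:", audit_cleartext_risk(BRANCH_TUNNEL, SAMPLE_FLOWS))
```

Changing `mismatch_behavior` to `DROP` (or `USE_NON_IPSEC_ROUTE`) empties the audit list, which is the practical difference between the three options: with Send Unencrypted, a prefix left out of the Protected Networks table silently becomes cleartext traffic rather than a visible failure.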