Creating IPsec VPN Tunnels (IKEv1/IKEv2):


In this article we cover the creation of a traditional, vendor-independent IPsec VPN tunnel between a Ray Edge device and a 3rd-party vendor security gateway or router.

 

IPsec (Internet Protocol Security):

IPsec is a security method used to protect data as it travels over the Internet or a private network. It keeps the data confidential and unaltered by encrypting it and checking its authenticity.


Uses of IPsec:


IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).


IPsec is currently mostly used to securely establish connections for data flows between networks in geographically disparate locations over the public network such as the Internet.


IPsec is a network protocol suite that ensures both packet encryption and source authentication.



IPsec VPN underlying protocols:

IPsec uses a group of underlying authentication and encryption protocols to perform specific tasks such as authentication, data integrity checks, confidentiality and encryption, in order to establish a secure data channel between a pair of security gateways.


The three (3) main protocols used by IPsec are:

  1. ) The Authentication Header (AH), which uses IP protocol ID 51
  2. ) Encapsulating Security Payload (ESP), which uses IP protocol ID 50
  3. ) Internet Key Exchange (IKE)


IKE:

IKE is a hybrid protocol based on two underlying security protocols, the Internet Security Association and Key Management Protocol (ISAKMP) and the OAKLEY Key Determination Protocol (OAKLEY).


The IKE protocol defines several Exchange Types to be used during negotiation. An exchange type describes a particular packet sequence and the payload requirements for each packet. Some exchanges are similar in purpose, but each is unique in its own way.


For instance, the Identity Protect Mode (or Main Mode) and Aggressive Mode exchange types are used during Phase 1 to negotiate ISAKMP SAs. While both exchanges serve the same purpose, Aggressive Mode completes in three packets whereas Main Mode requires six. However, Aggressive Mode does not offer peer identity protection. Quick Mode is used during Phase 2 to negotiate IPsec SAs.


ISAKMP provides a framework for authentication and key exchange but does not define them.

OAKLEY describes a series of key exchanges, called 'modes', and details the services provided by each.



Basic Operation of IPsec IKE:


The basic operation of IKE can be broken down into two phases.


Phase 1:


This phase is used to negotiate the parameters and key material required to establish an ISAKMP SA. Peer identities and credentials are also verified. The ISAKMP SA is then used to protect future IKE exchanges.


Phase 2:


This phase is used to negotiate the parameters and key material required to establish any number of IPsec SAs. The IPsec SAs are then used to protect any network traffic that requires security processing.
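The exchange types and phases described above can be read directly from the fixed 28-byte ISAKMP header that starts every IKE message, which is useful when checking from a capture on UDP/500 whether a peer is negotiating with Aggressive Mode (no identity protection) or which phase a message belongs to. This parser is an added example, not code from the Ray product or from this article; the sample header built by build_header() is constructed for the demonstration.

```python
import struct

# IKE exchange-type codes carried in the fixed ISAKMP header (RFC 2408 for IKEv1, RFC 7296 for IKEv2).
EXCHANGE_TYPES = {
    2: "Main Mode (Identity Protection)",  # IKEv1 Phase 1, six packets
    4: "Aggressive Mode",                  # IKEv1 Phase 1, three packets, peer IDs sent in the clear
    5: "Informational",
    32: "Quick Mode",                      # IKEv1 Phase 2, negotiates the IPsec SAs
    34: "IKE_SA_INIT",                     # IKEv2
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}
# initiator SPI(8) responder SPI(8) next payload(1) version(1) exchange(1) flags(1) message ID(4) length(4)
HEADER_LEN = 28


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the ISAKMP header at the start of an IKE message (on UDP/4500 skip the 4-byte non-ESP marker first)."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated IKE header: %d bytes, need %d" % (len(data), HEADER_LEN))
    _i_spi, r_spi, _next, version, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    if length < HEADER_LEN:
        raise ValueError("length field %d is smaller than the header itself" % length)
    major = version >> 4                                  # 1 for IKEv1 (0x10), 2 for IKEv2 (0x20)
    return {
        "ike_version": major,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, "unknown (%d)" % exch),
        "phase": 1 if exch in (2, 4) else 2 if exch == 32 else None,   # IKEv1 phases only
        "peer_identity_protected": exch != 4,             # only Aggressive Mode exposes the peer IDs
        "encrypted": major == 1 and bool(flags & 0x01),   # IKEv1 E bit; IKEv2 encrypts via the SK payload
        "responder_spi_set": r_spi != bytes(8),           # all zero in the very first initiator packet
        "message_id": msg_id,
        "length": length,
    }


def build_header(exch: int, version: int = 0x10, flags: int = 0, payload_len: int = 0) -> bytes:
    """Constructed sample header for testing; not a capture from a real device."""
    return struct.pack("!8s8sBBBBII", b"\x01" * 8, bytes(8), 1, version, exch, flags, 0, HEADER_LEN + payload_len)


if __name__ == "__main__":
    for exch, ver in ((4, 0x10), (2, 0x10), (32, 0x10), (34, 0x20)):
        print(parse_isakmp_header(build_header(exch, ver)))
```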



Ray IPsec VPN Configuration:


Ray Edge devices support the creation of IPsec VPN tunnels between a Ray Edge appliance and either another Ray Edge device or a 3rd-party vendor device (firewall/router), using an IPsec tunnel with IKEv1 or IKEv2.


The following steps are followed to create an IPsec tunnel with IKEv1/IKEv2:

  • Go to Profiles ---> click on Tunnel
  • Click on +Create Tunnel



  • On clicking Create Tunnel, a pop-up window showing the tunnel profile settings appears:

            Give the tunnel profile a Name.
            Under Definitions, select IPsec VPN (Ikev1/Ikev2)




After selecting the tunnel definition as IPsec VPN (Ikev1/Ikev2):

  • Select the interfaces and subnets to be matched in the tunnel for the local network and the remote network, as indicated below.



After defining the local and remote subnets for the IPsec tunnel traffic, the next step is to define the encryption and ESP settings of the IPsec tunnel SA for Phase 1 and Phase 2.

Note:
The Security Association and ESP settings for Phase 1 and Phase 2, and the pre-shared key, must match between the Ray Edge device and the remote 3rd-party vendor firewall or router for the IPsec tunnel to be established successfully.


The encryption settings and pre-shared key for Phase 1 and Phase 2 of the IPsec tunnel are configured in the next option, as shown in the images below.


 

In the above image, under Authentication:


The parameters below must match at both ends of the IPsec VPN configuration:


  • The pre-shared key defined here must match the tunnel configuration of the remote device (firewall/router) for the IPsec VPN tunnel to be established.


  • The ISAKMP (Phase 1) encryption, hash, DH group and lifetime must match at both ends, including on the remote device (firewall/router).


  • The ESP (Phase 2) configuration must also be identical between the Ray Edge device and the 3rd-party (firewall/router) tunnel endpoint.
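A quick way to catch the mismatches listed above before bringing the tunnel up is to write down both ends' settings and diff them the way the negotiation would. This checker is an added example, not a Ray or vendor tool; the RAY_EDGE and PEER_FIREWALL values are constructed for the demonstration (with a deliberate Phase 1 lifetime mismatch), and the subnet check also verifies that the local and remote networks are mirrored between the two ends.

```python
import hmac
import ipaddress

# Constructed sample settings for both tunnel endpoints; not values from a real Ray or vendor device.
RAY_EDGE = {
    "psk": "example-psk-replace-me",
    "phase1": {"encryption": "AES-256", "hash": "SHA-256", "dh_group": 14, "lifetime": 28800},
    "phase2": {"encryption": "AES-256", "hash": "SHA-256", "pfs_group": 14, "lifetime": 3600},
    "local_subnet": "192.168.10.0/24",
    "remote_subnet": "10.20.0.0/16",
}
PEER_FIREWALL = {
    "psk": "example-psk-replace-me",
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime": 86400},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs_group": 14, "lifetime": 3600},
    "local_subnet": "10.20.0.0/16",
    "remote_subnet": "192.168.10.0/24",
}


def _norm(value) -> str:
    """Flatten vendor spelling differences such as AES-256 vs aes256 or SHA-256 vs sha256."""
    return str(value).lower().replace("-", "").replace("_", "")


def find_mismatches(local: dict, peer: dict) -> list:
    """Return a readable list of every setting that would stop Phase 1 or Phase 2 from completing."""
    problems = []
    if not hmac.compare_digest(local["psk"].encode(), peer["psk"].encode()):
        problems.append("pre-shared key differs")   # report the fact, never the key material
    for phase in ("phase1", "phase2"):
        for key, ours in local[phase].items():
            theirs = peer[phase].get(key)
            if _norm(ours) != _norm(theirs):
                problems.append("%s %s: %s vs %s" % (phase, key, ours, theirs))
    # Traffic selectors are mirrored: our local network is the peer's remote network, and vice versa.
    for ours, theirs, what in ((local["local_subnet"], peer["remote_subnet"], "local"),
                               (local["remote_subnet"], peer["local_subnet"], "remote")):
        if ipaddress.ip_network(ours) != ipaddress.ip_network(theirs):
            problems.append("%s subnet %s is not mirrored by the peer (%s)" % (what, ours, theirs))
    return problems


if __name__ == "__main__":
    for line in find_mismatches(RAY_EDGE, PEER_FIREWALL) or ["all Phase 1 / Phase 2 settings match"]:
        print(line)
```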


On completing the above configuration steps on the Ray Edge device, and the equivalent IPsec VPN configuration on the remote endpoint (firewall/router), your IPsec VPN tunnel should come up and you should have site-to-site connectivity.


Note: On some 3rd-party vendor firewalls, you may also need to create a firewall policy that permits traffic on the VPN interface.


You can test your IPsec VPN tunnel by pinging a destination IP address in the remote subnet from an IP address in your local LAN.




Thank you,

Ray support Team
