top of page

IPSEC VPN. Basics Concepts III. Configuration Overview.

Everything is clear up to here? I hope yes, so go ahead with the configuration o fan IPSEC VPN.

What we need in order to set up an IPSEC VPN is the below:

  • NETWORK LEVEL (mandatory in dark black).

  • Remote Gateway: It could be an IP address of the remote peer (usually public IP) or a FQDN or a Dialup.

  • Interface: Interface facing remote peer IP/FQDN, usually WAN interface.

  • NAT-T: we will see details in further “advance setting” post.

  • Keepalive: we will see details in further “advance setting” post.

  • Mode Config: we will see details in further “advance setting” post.

  • Dead Peer Detection (DPD) : we will see details in further “advance setting” post.

  • AUTHENTICATION (mandatory).

  • Preshared Key (PSK) or digital signature (Certificate).

  • PHASE 1 (mandatory in dark black).

  • Encryption algorithm (DES, 3DES, AES128, AES192, AES256…).

  • Authentication algorithm (MD5, SHA1, SHA256, SHA384, SHA512...).

  • Diffie-Hellman Group. (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30…).

  • Lifetime. (lifetime for de session in seconds).

  • PHASE 2 (mandatory in dark black).

  • Encryption algorithm (DES, 3DES, AES128, AES192, AES256…).

  • Authentication algorithm (MD5, SHA1, SHA256, SHA384, SHA512...).

  • Replay Detection (enable/disable) : we will see details in further “advance setting” post.

  • Diffie-Hellman Perfect Forward Secrecy (PFS) : we will see details in further “advance setting” post.

  • Lifetime (lifetime for de session in seconds/kylobytes).

  • Encryption Domains. (well-known as proxy-IDs, quick mode selectors, etc.).

But that is not all. At this point I would like to explain that we can differentiate two kind of IPSEC VPN configuration route-based and policy-based.

The previos config is common to both of them, but since here there are diferences, let´s take a look on this:

Route-Based VPN as its name says, needs a specific route configuration in order to let firewall know what traffic it must send through VPN tunnel so in case we want to configure a route-based VPN in addiction to the previous config we have to ser:

  • Static route pointing to the remote encrytion domain through sub-interface tunnel interface.

  • Firewall policy rules, exactly two, one for each direction.

Policy-Based VPN as its name too says, use the firewall rules tol et firewall know what traffic it must send through the VPN tunnel, so you have to set:

  • Only one bi-directional firewall policy between the encryption domain but in the action field, instead of accept/deny you must set IPSEC/VPN and select VPN you want to use for that traffic Flow.

Well that is all the basics in order to set up an IPSEC VPN. We will see advance topics/settings in the following posts.

Just only one more thing sure you are asking yourself right now, what is better, route or policy-based VPNs? Well, here you are my opinion: none and both of them, in fact, there are several vendors which supports only route-based, other only policy-based and other both. In case you use a vendor which supports both, you can select the type you feel more confortable, there is not too much advantages one over the other… it is well-known that route-based should offers more control and flexibility (for example for redundant VPNs) but for the most of cases, both types should work fine.

Take a look to the preious posts clicking here or be patient for the following post for IPSEC VPN Advance concepts and settings.

Highlighted entries
Recent entries
Archive
Follow me
  • Icono social LinkedIn
bottom of page