The IPsec protocol suite sets up direct, encrypted connections between supported devices by providing a framework for securing data traffic between two endpoints.
By creating an IPsec tunnel via Timus, you can transfer data securely between the two peers of the connection. To create a site-to-site IPsec VPN gateway connection between your on-premises network and a virtual network (VNet), follow the steps below. They cover the two phases of Internet Key Exchange (IKE) required to set up an IPsec connection with Timus.
IKE PHASE 1
General Settings
- Go to Timus Manager > Sites page.
- Click Create New in the upper right corner of the page.
- Select Connector.
- In the General tab, enter a Name of up to 30 characters.
- Select IPsec as the Tunnel Type.
- Set the Status to Enabled.
Parameters
As shown in the sample image of the Parameters tab below, the following settings must be configured for the IPsec tunnel you are about to create to function correctly:
- Click the Parameters tab on the Connector page.
- Local Peer is the originating gateway. Choose Network > Primary WAN here.
- Enter the PUBLIC WAN IP of your Timus Manager in the Local Peer Identifier box to the right of Local Peer.
- To find this IP address, go to Timus Manager -> Sites, locate the relevant Site's line and click the ellipsis icon, then select View. On the page that opens, the Gateway's IP address is shown in the Site information field. Copy this PUBLIC WAN IP into the Peer Identifier box.
- Remote Peer is the WAN IP of the remote device. Enter the WAN IP of the device (e.g. a firewall) at the other end of the tunnel.
- The Peer Identifier is the value each side uses to identify itself to the other during IKE negotiation. If your network topology does not include the local WAN IP, you may leave the Peer Identifier box to the right of Local Peer blank.
- However, your device may also require a Remote Peer Identifier. So even if the IPsec tunnel you are establishing terminates on the PUBLIC WAN IP, you may need to enter the same IP address as the Remote Peer in the Peer Identifier (Optional) box, without a prefix length such as /32.
- For example:
- Remote Peer: 8.8.8.8/32
- Remote Identifier: 8.8.8.8
To find your Local Primary WAN IP address:
- Go to Timus Manager -> Sites, locate the relevant Site's line and click the ellipsis icon.
- Then select View.
- On the page that opens, the Local Primary WAN IP address is shown in the Networks field at the bottom of the screen. You can use this Local Primary WAN IP address for the Remote Peer Identifier field.
- For some devices, an IPsec connection can only be created when the Local Peer Identifier (optional) is set to your Local Primary WAN IP address, as shown in the image below.
- In the Authentication and Encryption section, you specify the Phase 1 authentication and encryption settings, completing the security association that both parties must agree on.
- IKEv2 is recommended as the Key Exchange Type; it is more efficient and flexible.
- Enter an IPsec password as the Preshared Key. Do not use simple passwords or weak algorithms. Timus accepts a Preshared Key of up to 50 characters; however, some devices restrict the key to 18 characters, so verify whether such a limit applies to the remote peer.
- Select the Mode for negotiation, either Main or Aggressive.
- Main Mode is the default and more secure. Aggressive Mode is faster but less secure; it is useful where one or both devices are behind a NAT device, as NAT can interfere with the Main Mode negotiation. The choice depends on your specific needs and the level of security required; always weigh the trade-off between security and speed when making this decision.
- For the Authentication Algorithm, choose either sha1 or sha256.
- For the Encryption Algorithm, the widely used and supported AES128 algorithm is available for establishing a secure connection.
- modp1024 (2), or Group 2, is the minimum acceptable DH Group. For higher security needs, consult a network security professional and choose a higher group from the list, such as modp2048 (14) or modp3072 (15).
- Note that for the tunnel to be established, the values in the Authentication and Encryption section must be exactly the same as on the peer device at the other end of the tunnel.
Miscellaneous
- You can configure the retry methods for the IPsec tunnel connection in the Miscellaneous tab.
- The recommended/default settings in this tab are displayed in the image below.
- Ensure that the same values are entered on both devices in this tab as well; otherwise the connection will not be established.
- Enable NAT Traversal to ensure the IPsec connection functions properly. This option must be enabled on both Timus and your IPsec device. If the on-prem IPsec device or firewall has no option to enable it, keep it disabled on Timus as well.
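The article repeats one rule for every Phase 1 setting: both peers must agree exactly, and the Preshared Key has to fit the stricter of the two devices' limits. The following Python script is an added example, not Timus code, that compares two peers' Phase 1 settings field by field and flags the choices the article warns about (IKEv1, Aggressive Mode, sha1, a DH group below 14, an over-long or simple PSK). The field names, the Phase1 dataclass and the 16-character "simple PSK" threshold are assumptions made for this illustration; the 50- and 18-character limits and the 8.8.8.8/32 identifier example come from the article.

```python
"""Compare the IKE Phase 1 settings of two peers before bringing a tunnel up.

Added example, not Timus code. The field names, the Phase1 dataclass and the
MIN_PSK_LEN threshold are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass

# Settings the article says must be identical on both ends of the tunnel.
MUST_MATCH = ("key_exchange", "mode", "auth_alg", "enc_alg",
              "dh_group", "psk", "nat_traversal")

TIMUS_PSK_MAX = 50    # maximum Preshared Key length accepted by Timus (from the article)
LEGACY_PSK_MAX = 18   # limit imposed by some remote devices (from the article)
MIN_PSK_LEN = 16      # assumed threshold below which a PSK is treated as "simple"


@dataclass
class Phase1:
    key_exchange: str   # "ikev1" or "ikev2"
    mode: str           # "main" or "aggressive"; only meaningful for IKEv1
    auth_alg: str       # "sha1" or "sha256"
    enc_alg: str        # e.g. "aes128"
    dh_group: int       # 2 = modp1024, 14 = modp2048, 15 = modp3072
    psk: str
    nat_traversal: bool


def identifier_from_peer(peer: str) -> str:
    """Derive the Peer Identifier from a Remote Peer entry: '8.8.8.8/32' -> '8.8.8.8'.

    The article says the identifier is entered without a prefix length such as /32.
    """
    return str(ipaddress.ip_interface(peer).ip)


def mismatches(local: Phase1, remote: Phase1) -> list:
    """Names of the settings that differ between the two peers (empty = consistent)."""
    return [name for name in MUST_MATCH
            if getattr(local, name) != getattr(remote, name)]


def hygiene_warnings(p: Phase1, remote_psk_limit: int = TIMUS_PSK_MAX) -> list:
    """Advice for one peer's proposal, following the article's recommendations."""
    w = []
    if p.key_exchange != "ikev2":
        w.append("IKEv1 in use; IKEv2 is recommended")
    if p.key_exchange == "ikev1" and p.mode == "aggressive":
        w.append("aggressive mode is faster but less secure than main mode")
    if p.auth_alg == "sha1":
        w.append("sha1 authentication; prefer sha256")
    if p.dh_group < 2:
        w.append("DH group below modp1024 (group 2) is not acceptable")
    elif p.dh_group < 14:
        w.append("DH group 2 is the minimum; modp2048 (14) or modp3072 (15) is recommended")
    if len(p.psk) > TIMUS_PSK_MAX:
        w.append(f"PSK longer than {TIMUS_PSK_MAX} characters will be rejected by Timus")
    if len(p.psk) > remote_psk_limit:
        w.append(f"PSK longer than the remote peer's {remote_psk_limit}-character limit")
    if len(p.psk) < MIN_PSK_LEN or p.psk.isalpha() or p.psk.isdigit():
        w.append("PSK looks simple; use a long random value")
    return w


def check_pair(local: Phase1, remote: Phase1,
               remote_psk_limit: int = TIMUS_PSK_MAX) -> dict:
    """Full report: mismatching fields plus warnings for the local side."""
    return {
        "mismatches": mismatches(local, remote),
        "warnings": hygiene_warnings(local, remote_psk_limit),
    }


# Constructed sample: the Timus side and a remote firewall whose admin left the
# default DH group in place and whose firmware only accepts an 18-character PSK.
TIMUS_SIDE = Phase1("ikev2", "main", "sha256", "aes128", 14,
                    "Q7v!pR2#kL9m@Xz4Wn8$", True)
REMOTE_SIDE = Phase1("ikev2", "main", "sha256", "aes128", 2,
                     "Q7v!pR2#kL9m@Xz4Wn8$", True)

if __name__ == "__main__":
    print("Remote Identifier:", identifier_from_peer("8.8.8.8/32"))
    report = check_pair(TIMUS_SIDE, REMOTE_SIDE, remote_psk_limit=LEGACY_PSK_MAX)
    for name in report["mismatches"]:
        print(f"MISMATCH: {name} differs between peers")
    for msg in report["warnings"]:
        print(f"WARNING: {msg}")
```

Run it before saving the Connector: a non-empty mismatch list means the tunnel will not come up, and a PSK warning means the key must be shortened on both sides at once, since a change on only one peer is itself a mismatch.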
IKE PHASE 2
- Create a tunnel to define the traffic that will pass through the Connector you created in the Phase 1 section.
- As in Phase 1, all values must be identical on both devices for the IPsec tunnel to stay healthy.
- Here are the steps to create a tunnel:
- Go to Timus Manager -> Sites page.
- The Connector you created in Phase 1 appears in the drop-down list under the selected gateway. Use the right and down expand icons to reveal the connector's line.
- Click the icon at the end of the Connector's line, then click View.
- The page that opens is the IPsec Phase 2 table. In the Site section on the right side of the page, you can review the Phase 1 settings you configured.
- Click Create Tunnel on this page.
- Enter a Name for the IPsec tunnel.
- Set the Status to Enabled.
- Select Authentication and Encryption Algorithms.
- If you want the IPsec tunnel to carry only a particular protocol, choose it from the list.
- In Phase 2, select multiple algorithms to increase security.
- To find the IP to enter in the Local Network section, go to Sites -> relevant Gateway -> View -> Networks.
- Copy the desired IP address from under the Network heading.
- For instance, in the picture below the WireGuard tunnel network for IPsec is 192.168.249.0/24 and the OpenVPN tunnel network for IPsec is 192.168.255.0/24.
- You can control the traffic that passes through the tunnel by enabling NAT Status for the LAN.
- NAT Status: making the traffic originate from a different IP block prevents loss of network connectivity even if the local networks conflict.
- In the Remote Network section, select the local subnet of the remote device.
- Enable or disable the PFS feature.
- Enable Perfect Forward Secrecy (PFS) only if you are sure that PFS can be enabled on the peer device. If the peer device is old, disabling PFS may be a viable option.
- After configuring Phase 2, click Save.
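The Local Network / Remote Network selectors above are where site-to-site tunnels most often break: if a subnet exists on both sides, traffic is not routable unless NAT Status rewrites the local side, and PFS, like every Phase 2 value, must match the peer. The following Python script is an added example, not Timus code, that checks a planned Phase 2 configuration for overlapping selectors, whether NAT is therefore needed, whether the chosen NAT block itself is clear of the remote networks, and whether the PFS settings agree. The subnets are constructed for the illustration; only 192.168.249.0/24 (the WireGuard network above) comes from the article, and the plan_phase2 function and its field names are assumptions.

```python
"""Sanity-check IKE Phase 2 traffic selectors for a site-to-site tunnel.

Added example, not Timus code. Sample networks are constructed; the
plan_phase2() function and its result keys are assumptions for this illustration.
"""
import ipaddress


def overlapping_pairs(local_nets, remote_nets):
    """Pairs of (local, remote) subnets that overlap, i.e. conflict without NAT."""
    pairs = []
    for local in local_nets:
        ln = ipaddress.ip_network(local, strict=False)
        for remote in remote_nets:
            rn = ipaddress.ip_network(remote, strict=False)
            if ln.overlaps(rn):
                pairs.append((str(ln), str(rn)))
    return pairs


def plan_phase2(local_nets, remote_nets, local_pfs, remote_pfs, nat_pool=None):
    """Summarise what the Phase 2 form needs: NAT for LAN, a clear NAT pool, matching PFS."""
    conflicts = overlapping_pairs(local_nets, remote_nets)
    plan = {
        "conflicts": conflicts,
        # Per the article, NAT Status on the LAN keeps connectivity when local
        # networks conflict with the remote side.
        "nat_recommended": bool(conflicts),
        # PFS, like every Phase 2 value, must be identical on both devices.
        "pfs_consistent": local_pfs == remote_pfs,
    }
    if nat_pool is not None:
        # The translated address block must itself be free of overlap with the remote side.
        plan["nat_pool_clear"] = not overlapping_pairs([nat_pool], remote_nets)
    return plan


# Constructed sample input: the local LAN 192.168.1.0/24 also exists behind the
# remote firewall, so it cannot be carried as-is.
LOCAL = ["192.168.249.0/24", "192.168.1.0/24"]
REMOTE = ["192.168.1.0/24", "10.20.0.0/16"]

if __name__ == "__main__":
    plan = plan_phase2(LOCAL, REMOTE, local_pfs=True, remote_pfs=True,
                       nat_pool="172.16.50.0/24")
    for local, remote in plan["conflicts"]:
        print(f"CONFLICT: local {local} overlaps remote {remote}")
    if plan["nat_recommended"]:
        print("Enable NAT Status for the LAN; NAT pool clear:", plan["nat_pool_clear"])
    if not plan["pfs_consistent"]:
        print("PFS setting differs between peers")
```

A conflict pair means the Local Network entry must be translated (NAT Status enabled) before the tunnel will pass traffic, and the translated block is only usable if nat_pool_clear is true.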