Connectivity: VPN IKEv2 with Pre-Shared Key and Dynamic IP/FQDN

This method configures a VPN tunnel to the Web Security Service (WSS) using IKEv2, with a fully qualified domain name (FQDN) to identify your site and a pre-shared key (PSK) for site-to-site authentication. It is appropriate if your network does not have a static IP address, or if your VPN tunnel is initiated behind a device that performs Network Address Translation (NAT).

Symantec uses industry-standard strong encryption algorithms, including AES-256, to keep all traffic private as it passes to the WSS. During configuration, you specify an FQDN to identify your site and a pre-shared key for authentication; choose a pre-shared key that meets your company's compliance requirements. Both the FQDN and the pre-shared key can be changed later from the WSS portal, but a change causes the tunnel to re-establish. Note that the WSS does not resolve the FQDN: it is used only as an identifier for your site.

Technical Requirements

This section provides a high-level set of technical requirements for this configuration.

  • Your organization has been provisioned with an account in the WSS.

    To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.

  • If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
  • An understanding of how much user traffic will route to the Web Security Service.

    The WSS is limited to 500 Mbit/s of bandwidth per IPsec tunnel. If you expect traffic to exceed that, plan your architecture to use an additional tunnel, from an additional public IP address, for each 500 Mbit/s block of bandwidth you expect to consume. For example, a site that consumes 900 Mbit/s of traffic must connect to the WSS using at least two IPsec tunnels, each connecting from a unique public IP address. If you are not sure how to configure your VPN device to split traffic between multiple connections, contact Symantec support for assistance.

  • The following information is required for a successful configuration.
    • Your network's fully qualified domain name (FQDN), used as the identity for authentication.

    • The two closest data center IP addresses.

      All VPN configurations must include a primary and secondary tunnel to the WSS. If one data center connection becomes unavailable, your site's traffic can be routed to a secondary tunnel to another data center. See Reference: Web Security Service Data Center Ingress IPs for geographical IP address information.

    • A list of intranet destinations to exclude from the IPsec VPN tunnel(s).

      For example, as a best practice do not send intranet resources, such as email and internal web services, through the tunnel. Additionally, exclude the server where the Auth Connector is installed from the tunnel as it makes a direct connection to the WSS through port 443. See Forward Specific User and Group Names to the Service.

    • Ensure that your IPsec VPN device supports Dead Peer Detection (DPD).

      This feature ensures that if a connection fails, the failure is detected and traffic fails over to the secondary tunnel.

      • If your VPN device supports both IPSLA (Internet Protocol Service Level Agreement) and DPD, Symantec suggests that you configure both to ensure maximum uptime.

    • Your network edge firewall is configured to permit the necessary outbound traffic for IPsec connections: ports 80/443, UDP port 500 (IKE), and UDP port 4500 (NAT-T).

      For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.
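The exclusion requirement above (intranet destinations plus the Auth Connector host) usually has to be expressed the other way round on the VPN device: most IPsec implementations accept only positive traffic selectors, so "do not send X through the tunnel" becomes "send the complement of X through the tunnel". The following Python script, added here as an example and not Symantec's or the WSS's own tooling, computes that complement from an exclusion list, verifies that no excluded prefix still overlaps a selector, and checks individual addresses against the result. The intranet ranges and the Auth Connector address are constructed sample values.

```python
"""Compute positive IPsec traffic selectors from an exclusion list.

Added example; not Symantec's or the WSS's own tooling. Most IPsec devices
accept only positive traffic selectors (prefixes that ARE sent through the
tunnel), so "exclude intranet X from the tunnel" has to be expressed as the
complement of X. All prefixes and addresses below are constructed samples.
"""
import ipaddress


def exclude_prefixes(base, excludes):
    """Return the prefixes of `base` that are not covered by any of `excludes`.

    `base` and `excludes` are CIDR strings; the result is a sorted list of
    CIDR strings, merged where adjacent prefixes can be combined.
    """
    selectors = [ipaddress.ip_network(base)]
    for raw in excludes:
        hole = ipaddress.ip_network(raw, strict=False)
        remaining = []
        for sel in selectors:
            if hole.subnet_of(sel):
                # Carve the hole out; address_exclude yields the pieces that are
                # left over (nothing at all when hole == sel).
                remaining.extend(sel.address_exclude(hole))
            elif sel.subnet_of(hole):
                # The whole selector sits inside an exclusion: drop it.
                continue
            else:
                remaining.append(sel)
        selectors = remaining
    return [str(n) for n in ipaddress.collapse_addresses(selectors)]


def is_tunneled(selectors, address):
    """True if `address` falls inside one of the (string) selectors."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(sel) for sel in selectors)


def check_exclusions(selectors, excludes):
    """Return the exclusions that still overlap a selector (should be empty)."""
    nets = [ipaddress.ip_network(s) for s in selectors]
    leaks = []
    for raw in excludes:
        hole = ipaddress.ip_network(raw, strict=False)
        if any(hole.overlaps(n) for n in nets):
            leaks.append(str(hole))
    return leaks


if __name__ == "__main__":
    # Constructed sample site: two RFC 1918 intranet ranges plus the Auth
    # Connector host, which must reach the WSS directly on port 443 rather
    # than through the tunnel.
    INTRANET = ["10.0.0.0/8", "192.168.0.0/16"]
    AUTH_CONNECTOR = "203.0.113.10/32"  # constructed address
    excluded = INTRANET + [AUTH_CONNECTOR]
    sels = exclude_prefixes("0.0.0.0/0", excluded)
    print("remote traffic selectors to configure on each tunnel:")
    for s in sels:
        print("  ", s)
    print("exclusions still overlapping a selector:", check_exclusions(sels, excluded))
    print("203.0.113.11 tunneled:", is_tunneled(sels, "203.0.113.11"))
    print("10.1.2.3 tunneled:", is_tunneled(sels, "10.1.2.3"))
```

Configure the same selector list on both the primary and the secondary tunnel so that a DPD-triggered failover does not change which destinations bypass the WSS; re-run the script whenever an intranet range or the Auth Connector address changes, since a stale selector list is the usual way an "excluded" host ends up inside the tunnel.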

Procedure—Establish a VPN Connection

Known Issue