Connectivity: VPN IKEv2 with Pre-Shared Key and Dynamic IP/FQDN
This method configures a VPN tunnel to the Web Security Service using IKEv2, with a fully qualified domain name (FQDN) as the IKE identity and a pre-shared key (PSK) for site-to-site authentication. It is appropriate if your network does not have a static public IP address, or if your VPN tunnel is initiated from behind a device that performs Network Address Translation (NAT).
Symantec uses industry-standard strong encryption algorithms, including AES-256, to keep all traffic private as it passes to the WSS. During configuration you specify an FQDN to identify your site and a pre-shared key for authentication. Choose a pre-shared key that meets your company's compliance requirements; a long, randomly generated value is preferable to a word or phrase. The FQDN and pre-shared key can be changed in the WSS portal if needed, but a change causes the tunnel to re-establish. Note that the WSS does not resolve the FQDN: it is compared as an identifier string, not looked up in DNS.
This section provides a high-level set of technical requirements for this configuration.
Your organization has been provisioned with an account in the WSS.
To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
- If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
An understanding of how much user traffic will route to the Web Security Service.
The WSS is limited to 500 Mbit/s of bandwidth per IPsec tunnel. If you expect traffic to exceed that, plan your architecture to use an additional tunnel from an additional public IP address for each 500 Mbit/s block of bandwidth you expect to consume. For example, a site that consumes 900 Mbit/s must connect to the WSS using at least two IPsec tunnels, each from a unique public IP address. If you are not sure how to configure your VPN device to split traffic between multiple connections, contact Symantec support for assistance.
- The following information is required to ensure a successful configuration.
Your network's fully qualified domain name (FQDN) for authentication.
The two closest data center IP addresses.
All VPN configurations must include a primary and secondary tunnel to the WSS. If one data center connection becomes unavailable, your site's traffic can be routed to a secondary tunnel to another data center. See Reference: Web Security Service Data Center Ingress IPs for geographical IP address information.
A list of intranet destinations to exclude from the IPsec VPN tunnel(s).
For example, as a best practice, do not send intranet resources such as email and internal web services through the tunnel. Also exclude the server where the Auth Connector is installed, because it makes a direct connection to the WSS over TCP port 443 and must not be routed back into the tunnel. See Forward Specific User and Group Names to the Service.
- Ensure that your IPsec VPN device supports Dead Peer Detection.
This feature ensures that if a tunnel fails, the failure is detected and traffic is moved to the secondary tunnel instead of being silently dropped.
- If your VPN device supports IPSLA (Internet protocol service level agreement) and DPD, Symantec suggests that you configure both to ensure maximum uptime.
Your network edge firewall is configured to permit the necessary outbound traffic for IPsec connections: TCP ports 80 and 443; UDP port 500 (IKE); and UDP port 4500 (IKE and UDP-encapsulated ESP when NAT traversal is in use, which is the usual case for a device behind NAT). If the device has the public IP address itself and NAT traversal is not used, ESP (IP protocol 50) must also be permitted.
For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.
Procedure—Establish a VPN Connection
First, you create a Location in the WSS portal. A Location instructs the WSS to accept incoming connections from your VPN device's FQDN.
- Log in to your WSS portal.
- In Service Mode, select Network > Locations.
- Click Add Location.
Enter the Location and security information.
- The Name of the location. For example, the geo-physical location or office name.
- Select FQDN IKEv2 Firewall as the Access Method.
- Enter the FQDN Address that you will use for authentication. This must exactly match the Local Identifier that your VPN device presents.
- Define the Pre-Shared Key used to authenticate the VPN tunnel from the router.
Enter resource and location information.
- Select the Estimated User range that will be sending web requests through this gateway interface. Symantec uses this information to provision adequate resources.
- (Optional) Select a Time Zone, complete the location information, and enter comments.
- Click Save.
If the vendor example configurations linked at the end of this topic do not closely match your VPN device, use the following required configuration values.
Decide the version of IKE. The FQDN IKEv2 Firewall access method requires IKEv2.
Not all VPN devices, or all software versions of a device, support IKEv2. Verify that yours does before proceeding.
IPsec VPN tunnel establishment has two phases, so the configuration is usually made up of two sets of settings.
The terminology used for the two phases differs from vendor to vendor and also with the IKE version. Phase 1, ISAKMP, IKEv1, IKEv2 or IKE are common names for the configuration of the IKE tunnel (the IKE SA, in IKEv2 terms), which authenticates the peers and protects the rest of the negotiation. That IKE tunnel is then used to set up the IPsec tunnel over which the actual data is transferred; Phase 2, IPsec or Child SA (IKEv2) are common names for this second class of configuration.
Define interesting traffic.
Each VPN device vendor manages this differently, but the goal is to define which traffic on your internal network is encrypted and sent through the tunnel. In most cases this is done with an access control list (ACL) or traffic selector that matches your user subnets as the source and the data ports (typically TCP ports 80 and 443) as the destination ports, and that excludes intranet servers and services as destinations.
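Defining interesting traffic is the step most often worked out by hand, so here is an added example (not code from this page or from any vendor) that computes the selectors for a site: it subtracts the intranet exclusions and the Auth Connector host from 0.0.0.0/0 to produce the positive destination-prefix list that devices without "everything except" selectors require, and provides a classifier to check whether a given flow would enter the tunnel. The subnets, the Auth Connector address 172.20.5.5, and the class and function names are assumptions made for the example.

```python
"""Derive the 'interesting traffic' selectors for a WSS IPsec tunnel.

Added example; this is not configuration from the Symantec page or from any
vendor. It takes the user subnets that should send web traffic through the
tunnel, subtracts the intranet destinations that must stay local (internal
web and mail servers and the Auth Connector host), and produces a positive
list of destination prefixes plus a classifier for sanity-checking a flow.
All addresses and subnets below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPNet = ipaddress.IPv4Network

# TCP ports the page says are carried through the tunnel
WSS_DATA_PORTS = frozenset({80, 443})


def exclude_prefixes(base: str, exclusions: Iterable[str]) -> List[IPNet]:
    """Return `base` minus every prefix in `exclusions` as a collapsed prefix list."""
    remaining: List[IPNet] = [ipaddress.ip_network(base)]
    for ex in (ipaddress.ip_network(e) for e in exclusions):
        nxt: List[IPNet] = []
        for net in remaining:
            if ex.subnet_of(net):
                # carve the hole out of this prefix (yields nothing when ex == net)
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                # the whole prefix lies inside the exclusion: drop it
                continue
            else:
                # disjoint: keep unchanged
                nxt.append(net)
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


def contains(nets: Iterable[IPNet], addr: str) -> bool:
    """True if `addr` falls inside any prefix in `nets`."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


class TunnelPolicy:
    """Source subnets, destination prefixes and ports that define interesting traffic."""

    def __init__(self, user_subnets: Iterable[str], intranet_excluded: Iterable[str],
                 auth_connector_host: str):
        self.sources = [ipaddress.ip_network(s) for s in user_subnets]
        # The Auth Connector reaches the WSS directly on TCP 443, so its host is
        # excluded as a destination too, even if it sits outside the listed intranet ranges.
        holes = list(intranet_excluded) + [auth_connector_host + "/32"]
        self.destinations = exclude_prefixes("0.0.0.0/0", holes)

    def is_tunneled(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """Apply the rule from the page: user subnet -> non-intranet destination, TCP 80/443."""
        return (proto == "tcp" and dport in WSS_DATA_PORTS
                and contains(self.sources, src)
                and contains(self.destinations, dst))

    def selectors(self) -> List[Tuple[str, str, int]]:
        """(source, destination, port) triples, the shape most vendor ACLs or
        traffic selectors accept as positive entries."""
        return [(str(s), str(d), p)
                for s in self.sources
                for d in self.destinations
                for p in sorted(WSS_DATA_PORTS)]


if __name__ == "__main__":
    # Constructed sample site: two user subnets, RFC 1918 intranet stays local,
    # Auth Connector on 172.20.5.5.
    policy = TunnelPolicy(["10.1.0.0/16", "10.2.0.0/16"],
                          ["10.0.0.0/8", "192.168.0.0/16"], "172.20.5.5")
    for entry in policy.selectors():
        print("permit tcp %s -> %s port %d" % entry)
    print(policy.is_tunneled("10.1.4.4", "93.184.216.34", "tcp", 443))  # True
    print(policy.is_tunneled("10.1.4.4", "10.2.0.10", "tcp", 443))      # False: intranet
```

Removing a single /8 from 0.0.0.0/0 already yields eight prefixes, and each further exclusion adds more, which is why a route-based tunnel (policy route 0.0.0.0/0 to the tunnel interface, static routes for intranet destinations) is usually easier to maintain on devices that support it than a long positive selector list.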
Configure the IKE Phase 1 details.
The first phase of IKE is to establish a secure connection over which further IKE exchanges happen. This phase authenticates each of the endpoint devices in the tunnel to each other. Phase 1 is also used to negotiate phase 2 tunnel parameters. IKEv1 supports two different modes for phase 1 - Main Mode and Aggressive mode. The WSS supports Main mode only. Aggressive mode is supported in certain circumstances, but only as directed by Symantec support personnel. IKEv2 has only one mode.
IKE Phase 1 configuration includes the following parameters:
- If using IKEv1, select Main Mode for configuration. There is only one mode for IKEv2.
- When asked to select Tunnel or Transport type/mode of connection, select Tunnel mode.
- Destination address.
- Internet Key Exchange (IKE) ID.
- IKE Lifetime.
Set the VPN destination address to the WSS Data Center closest to your location; the secondary tunnel uses the next closest. A list of Data Center addresses is provided in Reference: Web Security Service Data Center Ingress IPs.
IKE IDs are how each peer in the VPN tunnel identifies itself to the other side. There is a Local Identifier, which identifies your device, and a Remote Identifier, which identifies the other side of the connection (the Data Center in this case). The names vary by device vendor.
Set the Local Identifier to the FQDN that you entered when creating the location in the WSS portal, sent as an FQDN-type identity rather than as an IP address. The WSS matches this string exactly against the location, which is what allows the tunnel to come up from a dynamic or NAT-translated public IP address.
Set the Remote Identifier to the IP address of the Data Center you are connecting to.
This lifetime determines when the Phase 1 (IKE) SA is renegotiated. Symantec recommends a value in hours; commonly used values are 12 and 24 hours.
Tip: Many VPN devices expect the IKE lifetime in seconds or minutes rather than hours (24 hours is 86400 seconds, or 1440 minutes). Consult your device documentation to confirm the unit before entering the value.
Pre-Shared Key (PSK).
Define this exactly as you did in the portal. If the two values do not match, the connection does not establish.
Encryption Algorithm Proposals
A proposal specifies the encryption algorithm, the data integrity algorithm and the strength of the Diffie-Hellman (DH) exchange (given by the DH group number). The initiator of phase 1 (your VPN device) sends a list of one or more such proposals during the IKE handshake, and the WSS chooses one that it supports. A proposal is accepted or rejected as a whole: the encryption algorithm, integrity algorithm and DH group that the two sides end up using all come from the single proposal that was chosen, not from a mix of several.
After the handshake completes successfully, a Security Association (SA) is established between the two sides using the agreed proposal.
The following text lists the different encryption algorithms, the data authentication mechanism and the DH groups supported by WSS.
Encryption Algorithm—This is the cipher used to protect the data exchanged between your VPN device and the Web Security Service. The following values are supported:
These algorithms are used to enforce the integrity of the data exchanged.
Diffie-Hellman (DH) Exchange.
This value is used by both ends to exchange matching shared secret keys that are used to secure the tunnel between your VPN device and WSS.
The following table provides the DH groups supported by the WSS:
Dead Peer Detection (DPD)—Ensure this option is enabled, and set it to check every ten seconds with three retries. The following is a list of known vendor instructions for DPD.
- Cisco Router info for DPD- Cisco Routers DPD
- Cisco Community DPD Article- Cisco DPD Info
- Checkpoint DPD Info - Checkpoint KB on DPD
- Juniper DPD - Juniper DPD Info
- Palo Alto DPD - Palo Alto DPD KB
- Fortinet Fortigate DPD - Fortigate DPD
- If your manufacturer is not listed, consult their website or support team for assistance with this feature.
Note: Each VPN device vendor provides details specific to site-to-site VPN connections with their own devices only. In some cases, the values provided here may not provide the best experience. If you experience issues with dead peer detection on your tunnel connections with the WSS, contact Symantec support.
Configure the IKE Phase 2 details.
- Phase 2 or IPsec Encryption Algorithm Proposals (detailed after the NAT Traversal notes below).
PFS (Perfect Forward Secrecy)
Use of PFS increases security by ensuring that a compromise of the phase 1 (IKE) keys does not expose the session keys of the data tunnel: each phase 2 SA derives fresh keys through its own DH exchange. Symantec recommends use of PFS.
The IPsec lifetime determines when the phase 2 tunnel expires. It can be specified in terms of time and in terms of bytes or packets transferred. Symantec recommends using time only. Your VPN device should be configured to establish a new tunnel with new encryption keys before an existing phase 2 tunnel expires; this process is called re-keying.
For IKEv1, the configured time should be more than 1 hour (3600 seconds) and less than the Phase 1 lifetime. Symantec recommends 4 hours.
Note: IKEv1 negotiates the lifetime between the two sides. The WSS will not expire a tunnel before the other side (your VPN device) does.
Note: IKEv2 does not negotiate lifetimes; each side is free to choose its own time for expiring a tunnel. Currently, the WSS uses 1 hour for its Phase 2 (IPsec) IKEv2 Child SA. Because this access method uses IKEv2, Symantec recommends that you configure your VPN device to use a value of 55 minutes so that the device re-keys before the WSS expires the SA. If your device applies a re-key margin or jitter to its lifetime, confirm that the re-key still starts before the 1-hour mark.
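To make the lifetime rules above checkable, here is an added example (not code from this page) that flags the common mistakes: a phase 2 lifetime that is not shorter than phase 1, a byte or packet limit, an IKEv1 phase 2 lifetime of an hour or less, and, for IKEv2, a device re-key point that falls at or after the WSS side's fixed 3600-second expiry. The function names, the rekey_margin_s parameter and the DPD failover estimate are assumptions made for the example; the constants come from the recommendations in this section.

```python
"""Check IKE/IPsec lifetimes and DPD timers against the WSS guidance.

Added example, not from the Symantec page. It encodes the rules stated in
this section: the IKE (phase 1) lifetime is set in hours; the IPsec (phase 2)
lifetime is time-based and shorter than the IKE lifetime; with IKEv1 it is
longer than 3600 s (4 h recommended); with IKEv2 the WSS expires its Child SA
after 3600 s whatever the device asks for, so the device must re-key earlier
(55 min recommended). The sample settings at the bottom are constructed.
"""
from typing import List, Optional

WSS_IKEV2_CHILD_HARD_LIFETIME_S = 3600   # from the page: WSS uses 1 hour for IKEv2 Child SAs
RECOMMENDED_IKEV2_CHILD_S = 55 * 60      # from the page
RECOMMENDED_IKEV1_CHILD_S = 4 * 3600     # from the page


def check_lifetimes(ike_version: int, ike_lifetime_s: int, ipsec_lifetime_s: int,
                    ipsec_volume_limit: Optional[int] = None,
                    rekey_margin_s: int = 0) -> List[str]:
    """Return a list of problems; empty when the settings follow the guidance.

    rekey_margin_s (assumption, vendor-specific): how long before its own
    lifetime the device starts re-keying; 0 means it re-keys only at expiry.
    """
    problems: List[str] = []
    if ike_version not in (1, 2):
        return [f"unknown IKE version {ike_version}"]
    if ike_lifetime_s < 3600:
        problems.append("IKE lifetime should be expressed in hours (12 h or 24 h are common); "
                        "check which unit your device expects")
    if ipsec_lifetime_s >= ike_lifetime_s:
        problems.append("IPsec lifetime must be shorter than the IKE lifetime")
    if ipsec_volume_limit is not None:
        problems.append("use a time-based IPsec lifetime only; remove the byte/packet limit")
    if ike_version == 1:
        if ipsec_lifetime_s <= 3600:
            problems.append(f"IKEv1: IPsec lifetime should be more than 3600 s "
                            f"({RECOMMENDED_IKEV1_CHILD_S} s recommended)")
    else:
        # IKEv2 lifetimes are not negotiated: the WSS drops the Child SA at 3600 s
        # regardless, so the device must have started re-keying before that point.
        rekey_at = ipsec_lifetime_s - rekey_margin_s
        if rekey_at >= WSS_IKEV2_CHILD_HARD_LIFETIME_S:
            problems.append(f"IKEv2: device re-keys at {rekey_at} s but the WSS expires the "
                            f"Child SA at {WSS_IKEV2_CHILD_HARD_LIFETIME_S} s; "
                            f"use about {RECOMMENDED_IKEV2_CHILD_S} s")
    return problems


def dpd_failover_estimate_s(interval_s: int = 10, retries: int = 3) -> int:
    """Worst-case seconds of silence before DPD declares the peer dead and the
    secondary tunnel takes over. Approximation: vendors differ in whether the
    first probe counts as a retry."""
    return interval_s * (retries + 1)


if __name__ == "__main__":
    # Constructed settings: a device that copied the IKEv1 4 h value into an IKEv2 tunnel
    for p in check_lifetimes(2, ike_lifetime_s=86400, ipsec_lifetime_s=4 * 3600):
        print("problem:", p)
    print("ok" if not check_lifetimes(2, 86400, RECOMMENDED_IKEV2_CHILD_S) else "not ok")
    print("DPD failover within about", dpd_failover_estimate_s(), "s")
```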
Anti-Replay Window. IPsec anti-replay uses the ESP sequence number and a sliding window to detect packets that have already been received (replayed or duplicated) and discards them, protecting the tunnel against replay attacks. Some amount of reordered or retransmitted traffic is normal, so the window must be large enough to tolerate it while still rejecting stale packets; it is therefore important to set it to a value that balances security and tolerance. Symantec recommends setting the window to 32.
Network Address Translation.
Disable this option; do not apply source NAT to traffic entering the tunnel. This ensures that all traffic from your users reaches the WSS with its original internal source IP address. Failing to observe this can lead to users not being authenticated, or to policy rules not applying to traffic as expected, because the WSS relies on the source address to map traffic to users and locations.
NAT Traversal (NAT-T).
If your VPN device is behind NAT (the public IP address is not on the device but on an upstream router), one of the following changes is needed for the tunnel to work:
- Leave NAT-T enabled on the device. IKEv2 detects the NAT automatically during the IKE_SA_INIT exchange and moves IKE and ESP onto UDP port 4500. Because this access method identifies your site by its FQDN, set the Local Identifier to the FQDN configured in the portal rather than to the device's private address.
- Disable NAT-T on the device (if this is supported). This works only if the upstream NAT device forwards ESP (IP protocol 50) unchanged.
Note: The restriction that only one VPN device can connect to the WSS from behind a given public IP address applies to the VPN PSK Static IP access method, not to the FQDN method described in this topic.
Similar to the Phase 1 proposals, a phase 2 proposal specifies the encryption algorithm, the data integrity algorithm and the strength of the Diffie-Hellman (DH) exchange (given by the DH group number) for the IPsec tunnel on which the actual data (the traffic to be protected by the WSS) is exchanged.
For phase 2, an additional parameter may need to be configured: the protocol used for the IPsec encapsulation. The standard defines two, Encapsulating Security Payload (ESP) and Authentication Header (AH). The WSS uses only ESP.
The initiator of the Phase 2 handshake (your VPN device) sends a list of one or more such proposals, and the WSS selects one that it supports. As in phase 1, a proposal is accepted as a whole; the negotiated encryption algorithm, integrity algorithm and DH group all come from the single proposal that was chosen.
After the handshake completes successfully, an IPsec Security Association (SA) is established between the two sides using the agreed proposal.
The following text lists the encryption algorithms, data authentication mechanisms and DH groups supported by the WSS:
Note: Selecting a DH group for phase 2 also enables Perfect Forward Secrecy (PFS, described above) on many VPN devices.
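The proposal negotiation described for phase 1 earlier and for phase 2 here is easy to misread as per-component bargaining. The following added example (not Symantec's or any vendor's code) models the responder's choice for both the IKE SA and the Child SA, and explains why each rejected proposal failed, which is what you need when a device logs NO_PROPOSAL_CHOSEN. Because the supported-algorithm tables are not reproduced on this page, RESPONDER_POLICY is a hypothetical policy constructed for illustration; the rule that the responder takes the first acceptable proposal in the initiator's order, the requirement of PFS, and the class and function names are assumptions made for the example.

```python
"""IKE proposal selection for the IKE SA (phase 1) and the Child SA (phase 2).

Added example, not from the Symantec page. RESPONDER_POLICY is a hypothetical
responder policy constructed for illustration (the WSS tables are not on the
page). What the code demonstrates: a responder takes or rejects each proposal
as a unit, so the encryption, integrity and DH transforms that end up in the
SA always come from the same proposal, and a list whose acceptable transforms
are spread over different proposals fails with NO_PROPOSAL_CHOSEN.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Proposal:
    encr: str              # e.g. "aes256-cbc", "aes256-gcm16"
    integ: Optional[str]   # None for AEAD ciphers (GCM), which provide integrity themselves
    dh: Optional[str]      # e.g. "modp2048" (group 14); None in a Child SA proposal means no PFS
    proto: str = "ike"     # "ike" for phase 1; "esp" or "ah" for phase 2


# Hypothetical responder policy (constructed; NOT the WSS table)
RESPONDER_POLICY = {
    "encr": {"aes256-cbc", "aes128-cbc", "aes256-gcm16"},
    "integ": {"sha256", "sha384"},
    "dh": {"modp2048", "ecp256"},
    "proto": {"ike", "esp"},   # the page states the WSS uses ESP only, never AH
    "require_pfs": True,       # the page recommends PFS; modelled here as the responder insisting on it
}


def reject_reason(p: Proposal, policy=RESPONDER_POLICY) -> Optional[str]:
    """Return None if the responder accepts p, otherwise a short reason."""
    if p.proto not in policy["proto"]:
        return f"protocol {p.proto} not supported"
    if p.encr not in policy["encr"]:
        return f"encryption {p.encr} not supported"
    aead = "gcm" in p.encr
    if aead and p.integ is not None:
        # RFC 5282: an AEAD cipher is not combined with a separate integrity transform
        return "AEAD cipher must not be combined with a separate integrity transform"
    if not aead and p.integ not in policy["integ"]:
        return f"integrity {p.integ} not supported"
    if p.dh is None:
        if p.proto == "ike":
            return "IKE SA proposal requires a DH group"
        if policy["require_pfs"]:
            return "no DH group in Child SA proposal (PFS required)"
        return None
    if p.dh not in policy["dh"]:
        return f"DH group {p.dh} not supported"
    return None


def negotiate(proposals: Sequence[Proposal],
              policy=RESPONDER_POLICY) -> Tuple[Optional[Proposal], List[str]]:
    """Pick the first acceptable proposal in the initiator's order (assumption:
    the responder honours initiator preference). Returns (chosen, diagnostics)."""
    diags: List[str] = []
    for i, p in enumerate(proposals, 1):
        why = reject_reason(p, policy)
        if why is None:
            diags.append(f"proposal {i}: accepted")
            return p, diags
        diags.append(f"proposal {i}: rejected ({why})")
    diags.append("NO_PROPOSAL_CHOSEN")
    return None, diags


if __name__ == "__main__":
    # Constructed initiator lists. The second list contains every acceptable
    # transform somewhere, yet no single proposal is acceptable.
    ok_list = [Proposal("3des", "sha1", "modp1024"), Proposal("aes256-cbc", "sha256", "modp2048")]
    bad_list = [Proposal("aes256-cbc", "md5", "modp2048"), Proposal("3des", "sha256", "modp2048")]
    for name, lst in (("ok", ok_list), ("bad", bad_list)):
        chosen, diags = negotiate(lst)
        print(name, "->", chosen, *diags, sep="\n  ")
```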
- Save the VPN configuration, and repeat this process to configure a secondary tunnel to a data center that is the next closest to your site.
The following knowledge base articles cover information that can be useful in troubleshooting issues once the VPN is established.
- Data to collect before opening a support case with Symantec support: https://knowledge.broadcom.com/external/article?legacyId=TECH245852
Data Center Egress IP Addresses. The following articles provide the public IP addresses used to reach internet resources from WSS Data Centers worldwide:
The following links provide example vendor device configuration examples. Use these as guidelines only. Symantec cannot guarantee the validity of third-party products and procedures. If you encounter configuration discrepancies, you must default to the best practices and configuration parameters provided by Symantec in this topic. Per the SLA, Technical Support might not be able to provide guidance if you perform configurations outside of the recommendations.
Note: VPN device vendors routinely change user interfaces; however, the required VPN-to-VPN settings rarely change.
ISSUE: Child SAs (phase 2 tunnels) from IKEv2 FQDN sites expire one hour after the time of creation.
WORKAROUND: To avoid loss of connectivity, configure the firewall with a child SA (phase 2) lifetime of less than an hour (55 minutes, as recommended above) so that a new SA is in place before the old one expires.