Connectivity: VPN Pre-Shared Key with Static IP
This method configures a VPN tunnel to connect to the Web Security Service (WSS) using IKEv1 and a pre-shared key (PSK) for site-to-site authentication. The method requires that your organization have a static public IP address. That IP address is used to identify your site when it connects to the WSS.
Symantec uses industry standard strong encryption algorithms, including AES-256, to ensure all traffic is kept private as it passes to the WSS. During configuration, you specify a pre-shared key for the VPN tunnel. This enables more control of the security of the IPsec tunnel, as you can change the key as needed to fit any company or compliance requirement.
This section provides a high-level set of technical requirements for performing this configuration.
- Your organization has been provisioned with an account in the WSS.
  To confirm this, browse to https://portal.threatpulse.com and log in. If you are unable to log in, verify your account details with Symantec support.
- If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
- An understanding of how much user traffic will route to the Web Security Service.
  The WSS is limited to 500 Mbit/s of bandwidth per IPsec tunnel. If you expect traffic to exceed that, you must plan your architecture to use an additional tunnel from an additional public IP address for each 500 Mbit/s block of bandwidth you expect to consume. For example, if one of your sites consumes 900 Mbit/s of traffic, it must connect to the WSS using at least two IPsec tunnels, each connecting from a unique public IP address. If you are not sure how to configure your VPN device to split traffic in this way, contact Symantec support.
- The following information is required to ensure a successful configuration:
  - Your site's public IP address.
  - Your closest two data center addresses, configured for failover to your site.
    All VPN configurations must include a primary and a secondary tunnel to the WSS. If one data center connection becomes unavailable, your site's traffic can be routed through the secondary tunnel to another data center. See Reference: Web Security Service Data Center Ingress IPs for geographical IP address information.
  - A list of intranet destinations to exclude from the IPsec VPN tunnel(s).
- Ensure that your IPsec VPN device supports Dead Peer Detection (DPD).
  This feature ensures that if a connection fails, the failure is detected and the secondary tunnel is used.
  If your VPN device supports IPSLA (Internet Protocol service level agreement) as well as DPD, Symantec suggests that you configure both to ensure maximum up-time.
- Your network's edge firewall is configured to permit the necessary traffic outbound for IPsec connections: ports 80/443; UDP port 500; and UDP port 4500.
  For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.
- An understanding of how to define interesting traffic on your VPN device. Each vendor manages this differently, but the goal is to define which traffic on your internal network is encrypted and sent through the tunnel. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.
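The interesting-traffic ACL described above, as an added example that is not from the original page or from Symantec: a small Python policy evaluator in which the source must be a user subnet, the traffic must be TCP to port 80 or 443, and intranet exclusions are tested first so they win even when a match would otherwise succeed. The subnets, exclusions and sample flows are constructed values, not anything from the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (private ranges chosen for this example, not from
# the original page). Replace with your own user subnets and intranet exclusions.
USER_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]
INTRANET_EXCLUSIONS = [ipaddress.ip_network(n) for n in ("10.10.250.0/24", "192.168.100.0/24")]
DATA_PORTS = {80, 443}  # the typical web data ports the topic names


@dataclass(frozen=True)
class Flow:
    src: str    # client source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def is_interesting(flow: Flow) -> bool:
    """True when the flow matches the tunnel ACL: a user-subnet source, TCP to a
    data port, and a destination that is not an excluded intranet service.
    The exclusion is tested before the port match, so an intranet web server
    is bypassed even though it listens on port 80 or 443."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not any(src in net for net in USER_SUBNETS):
        return False
    if any(dst in net for net in INTRANET_EXCLUSIONS):
        return False
    return flow.proto == "tcp" and flow.dport in DATA_PORTS


def split_flows(flows):
    """Partition flows into (tunneled, bypassed) lists, as the device ACL would."""
    tunneled, bypassed = [], []
    for flow in flows:
        (tunneled if is_interesting(flow) else bypassed).append(flow)
    return tunneled, bypassed


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is a documentation range.
    sample = [
        Flow("10.10.4.7", "203.0.113.10", "tcp", 443),  # user to internet: tunnel
        Flow("10.10.4.7", "10.10.250.5", "tcp", 80),    # user to intranet server: bypass
        Flow("10.10.4.7", "203.0.113.10", "udp", 53),   # DNS: bypass
        Flow("172.16.9.9", "203.0.113.10", "tcp", 80),  # not a user subnet: bypass
    ]
    tunneled, bypassed = split_flows(sample)
    print(f"{len(tunneled)} tunneled, {len(bypassed)} bypassed")
```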
Procedure—Establish a VPN Connection
A complete VPN configuration requires configuration both in the portal and on your on-premises VPN device.
First, you create a fixed Location in the WSS portal. A Location instructs the WSS to accept incoming connections from the VPN device's IP address.
- Log in to your WSS portal. In Service Mode, select Network > Locations.
- Click Add Location.
- Enter the Location and security information:
  - The Name of the location. For example, the geo-physical location or office name.
  - Select Firewall/VPN as the Access Method.
  - Enter the Gateway IP address: the public IP address of your network.
  - Define the Authentication Key (pre-shared key) used to authenticate communication from the router.
- Enter resource and location information:
  - Select the Estimated User range that represents the number of users behind your VPN device accessing the internet through the WSS.
  - (Optional) Select a Time Zone, fill out location information, and enter comments.
  - (Optional) Complete location information.
- Click Save.
If the example configurations in the previous section do not closely match your VPN device, refer to the following required configurations.
Define interesting traffic.
Each VPN device vendor manages this differently, but the focus is to define what traffic on your internal network will be encrypted and sent through the tunnel. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.
Configure the IKE Phase 1 details.
The first phase of the Internet Key Exchange is to establish a connection through which your data will be tunneled. While Main and Aggressive mode options are present on most VPN devices, the WSS supports Main mode only. Aggressive mode is supported in certain circumstances, but only as directed by Symantec support personnel.
IKE Phase 1 includes the following parameters:
- VPN destination address. Set this to the closest WSS Data Center to your location. A list of Data Center addresses—
- Internet Key Exchange (IKE) ID. Set the public IP address (or FQDN, if your public IP address is not static) as the device's IKE ID.
- IPsec lifetime. This determines when the Phase 2 tunnel expires. It can be specified both in terms of time and in terms of bytes or packets transferred; WSS recommends using time only. VPN devices should be configured to establish a new tunnel with new encryption keys before an existing Phase 2 tunnel expires; this process is called rekeying.
  The time configured should be more than 1 hour (3600 seconds) and less than the Phase 1 lifetime. Symantec recommends a value of 4 hours.
  - IKEv1 allows negotiation of a lifetime between the two sides. WSS will not expire a tunnel before the other side (your VPN device) does.
  - IKEv2 does not allow negotiation of a lifetime, and each side is free to choose its own time for expiring a tunnel. Currently, WSS uses 1 hour for its Phase 2 (IPsec) IKEv2 tunnel. To ensure maximum up-time, Symantec requires that you configure your VPN device to use a value slightly less than 1 hour and allow rekeying of the tunnel before it expires.
- Pre-Shared Key (PSK). Define this as you did in the portal. If the two values do not match, the connection does not establish.
- Diffie-Hellman (DH) Exchange. This value is used by both ends to establish matching shared secret keys, used to secure the tunnel between your VPN device and the WSS for Phase 2. The following table lists the DH groups supported by the WSS.
- Encryption Algorithm. This is the type of encryption used to secure the data exchanged between your VPN device and the WSS. The following values are supported:
- Dead Peer Detection (DPD). Depending on your VPN device and network configuration, Symantec recommends that DPD is set to check every thirty seconds with five retries.
  The following is a known list of common vendor instructions for DPD:
  - Cisco routers: Cisco Routers DPD
  - Cisco Community article: Cisco DPD Info
  - Check Point: Checkpoint KB on DPD
  - Juniper: Juniper DPD Info
  - Palo Alto: Palo Alto DPD KB
  - Fortinet FortiGate: Fortigate DPD
  - If your manufacturer is not listed, consult their website or support team for assistance with this feature.
- Anti-replay window. This option helps prevent a man-in-the-middle attack by detecting whether any packets have already been sent or received. If they have, the connection is broken and re-established. Some amount of retransmitted traffic is expected; therefore, it is important to set this to a value that provides the best balance of security and flexibility. Symantec recommends setting the window to 32.
Configure the IKE Phase 2 details.
The second phase of the Internet Key Exchange is used to negotiate IPsec Security Associations (SAs) to set up the IPsec tunnel.
- For Phase 2, Symantec recommends a timeout of 4 hours or less to avoid split-protocol and other connection issues.
- Associate your interesting traffic ACL with this configuration.
- Enable Perfect Forward Secrecy (PFS).
Network Address Translation.
Disable this option. This ensures that all traffic from your users reaches the WSS with its original source IP address. Failing to do so can lead to users not being authenticated, or to policy rules not applying to traffic as expected.
- Save the VPN configuration, and repeat this process with the data center that is the next closest to your geographic location.
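As an added example, not part of the original page or of any Symantec tooling, the Python check below turns the Phase 1 and Phase 2 parameters above (Main mode, the IKEv1 and IKEv2 lifetime rules, PFS, NAT disabled, DPD every 30 s with 5 retries, a replay window of 32, a PSK matching the portal Location, and a secondary tunnel) into a pre-deployment lint for a VPN device configuration. The VpnConfig field names are assumptions for this example, not any vendor's settings.

```python
from dataclasses import dataclass

WSS_IKEV2_PHASE2_LIFETIME = 3600        # seconds; the WSS side's IKEv2 Phase 2 value from this topic
RECOMMENDED_PHASE2_LIFETIME = 4 * 3600  # seconds; Symantec's recommended Phase 2 lifetime

@dataclass
class VpnConfig:
    ike_version: int                # 1 or 2
    ike_mode: str                   # "main" or "aggressive"
    phase1_lifetime: int            # seconds
    phase2_lifetime: int            # seconds
    phase2_lifetime_bytes: int = 0  # 0 = time-based expiry only, as recommended
    pfs: bool = False
    nat_enabled: bool = True
    dpd_interval: int = 0           # seconds between DPD probes
    dpd_retries: int = 0
    replay_window: int = 0
    device_psk: str = ""
    portal_psk: str = ""            # the Authentication Key entered for the portal Location
    secondary_tunnel: bool = False

def check_vpn_config(cfg: VpnConfig) -> list:
    """Return deviations from the WSS parameters in this topic (empty list = compliant)."""
    issues = []
    if cfg.ike_mode != "main":
        issues.append("Phase 1 must use Main mode (Aggressive only as directed by Symantec support)")
    if cfg.phase2_lifetime_bytes:
        issues.append("express the Phase 2 lifetime in time only, not bytes or packets")
    if cfg.ike_version == 1:
        if not 3600 < cfg.phase2_lifetime < cfg.phase1_lifetime:
            issues.append("IKEv1 Phase 2 lifetime must exceed 3600 s and stay below the Phase 1 lifetime")
        if cfg.phase2_lifetime > RECOMMENDED_PHASE2_LIFETIME:
            issues.append("Phase 2 lifetime should be 4 hours or less")
    elif cfg.phase2_lifetime >= WSS_IKEV2_PHASE2_LIFETIME:
        # Only the upper bound is enforced; "slightly less" than 3600 s is a judgement call.
        issues.append("IKEv2 Phase 2 lifetime must be below the 3600 s the WSS uses, so your device rekeys first")
    if not cfg.pfs:
        issues.append("enable Perfect Forward Secrecy for Phase 2")
    if cfg.nat_enabled:
        issues.append("disable NAT so the WSS sees each user's original source IP")
    if (cfg.dpd_interval, cfg.dpd_retries) != (30, 5):
        issues.append("DPD recommended at a 30 s interval with 5 retries")
    if cfg.replay_window != 32:
        issues.append("anti-replay window recommended at 32")
    if cfg.device_psk != cfg.portal_psk:
        issues.append("pre-shared key does not match the portal Location's Authentication Key")
    if not cfg.secondary_tunnel:
        issues.append("configure a secondary tunnel to the next-closest data center")
    return issues
```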
The following knowledge base articles cover information that can be useful in troubleshooting issues once the VPN tunnel is established.
- Data to collect before opening a support case with Symantec support: https://knowledge.broadcom.com/external/article?legacyId=TECH203533
Data Center Egress IP Addresses. The following articles list the public IP addresses used to reach Internet resources from the Web Security Service worldwide.
The following links provide example vendor device configurations. Use these as guidelines only. Symantec cannot guarantee the validity of third-party products and procedures. If you encounter configuration discrepancies, you must default to the best practices and configuration parameters provided by Symantec in this topic. Per the SLA, Technical Support might not be able to provide guidance if you perform configurations outside of the requirements outlined in this guide.
Note: VPN device vendors routinely change user interfaces; however, the required VPN-to-VPN settings rarely change.