Connectivity: VPN Pre-Shared Key with Static IP

This method is configuring a VPN tunnel to connect to the Web Security Service using IKEv1 and a pre-shared key (PSK) for site-to-site authentication. The method requires that your organization have a static public IP address. That IP address is used to identify your site when it connects to the WSS.

Symantec uses industry standard strong encryption algorithms, including AES-256, to ensure all traffic is kept private as it passes to the WSS. During configuration, you specify a pre-shared key for the VPN tunnel. This enables more control of the security of the IPsec tunnel, as you can change the key as needed to fit any company or compliance requirement.

Technical Requirements

This section provides a high-level set of technical requirements for this perform this configuration.

  • Your organization has been provisioned with an account in the WSS.

    To confirm this, browse to and log in. If you are unable to log in, verify your account details with Symantec support.

  • If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
  • An understanding of how much user traffic will route to the Web Security Service.

    The WSS is limited to 500mbit/s of bandwidth per IPSec tunnel. If you expect traffic to exceed that, you must plan your architecture to use an additional tunnel from an additional public IP address for each 500mbit/s block of bandwidth you expect to consume. For example, if one of your sites consumes 900mbit/s of traffic, it must connect to the WSS using at least two IPSec tunnels, each connecting from a unique public IP address. If you are not sure how to configure your VPN device to split traffic in this way, please contact Symantec support.

  • The following information is required to ensure a successful configuration.
    • Your site's public IP address.

    • Your closest two data center addresses configured for failover to your site.

      All VPN configurations must include a primary and secondary tunnel to the WSS. If one data center connection becomes unavailable, your site's traffic can be routed to a secondary tunnel to another data center. See Reference: Web Security Service Data Center Ingress IPs for geographical IP address information.

    • A list of intranet destinations to exclude from the IPsec VPN tunnel(s).
    • Ensure that your IPsec VPN device supports Dead Peer Detection.
      This feature ensures that if a connection fails, that failure is detected and the secondary tunnel is used.
      • In the event that your VPN device supports IPSLA (Internet protocol service level agreement) and DPD, Symantec suggests that you configure both to ensure maximum up-time.
    • Your network's edge firewall is configured to permit the necessary traffic outbound for IPsec connections: ports 80/443; UDP port 500; and UDP port 4500.

      For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.

    • Each VPN device vendor manages this differently, but the focus is to define what traffic on your internal network will be encrypted and sent through the tunnel. In most cases, this is done with an Access Control List (ACL) that includes the data ports (typically, TCP ports 80 and 443) and your user subnets, and excludes intranet servers and services.

Procedure—Establish a VPN Connection

A complete VPN configuration requires some configuration both in the portal and your on-premises VPN device.

Next Selection