The purpose of this document is to provide an understanding of IPSEC Site-to-Site VPN functionality on the Ecessa appliance and how it should be configured to connect to a remote Cisco ASA device.
Through the use of an example network, this article will highlight various options commonly used when configuring the VPN feature of Ecessa products.
Below is a diagram of the network used in this example. The goal is to connect the Ecessa LAN to the remote network's LAN via an IPSEC VPN tunnel.
Click on “VPN” under “Advanced Setup” in the menu of the web interface.
To create a new VPN Security Association, click the Add IPsec button.
The Ecessa™ VPN Security Association Configuration
This page allows you to add/edit a Security Association.
The top section of the page contains the basic information for the Security Association. This section contains the following fields:
- The Name field contains the name of the Security Association. If you are editing an existing SA then you will not be able to change the name. If you are adding a new SA then choose a unique descriptive name up to 24 characters long (alpha-numeric and hyphens). The name is arbitrary and only used locally, so it does not need to match the name used on the other side.
- The Connection Type determines what kind of VPN this Security Association is.
The local WAN address from both WANs and the local LAN network are entered below.
- The WAN Address field has to contain either an IP address on a configured WAN interface, a configured WAN alias, or a Fully Qualified Domain Name (FQDN) resolvable by DNS to one or more WAN IP addresses. This defines the local end of the VPN connection. If an IP address is entered that is within one of your WAN subnets, and the address does not already exist, then the address will be added as a secondary IP address on the WAN port.
- The LAN Network field is an optional field which can contain a LAN network (given in xxx.xxx.xxx.xxx/MASK format – e.g. 192.168.10.0/24). This defines the local LAN subnet to which remote peers will have access. Both sides must agree on this parameter.
The remote addresses for the firewall in Minneapolis are entered below.
- The Remote address field is an optional field which can contain the remote VPN peer address or a FQDN. If left blank, then this defines a server-only configuration which will allow any remote address to connect (known as a road-warrior).
- The LAN Network field is an optional field which can contain a LAN network (given in xxx.xxx.xxx.xxx/MASK format – e.g. 192.168.10.0/24). This defines the remote LAN subnet to which the local system will have access.
The pre-shared secret key can be entered in this section. In this example, the shared secret chosen is “secret”. This same secret will have to be entered on the firewall in Minneapolis.
“ANY” is chosen for all encryption and authentication options below. This allows for flexibility when negotiating with the other side.
The Encryption section of the page contains fields which specify the different cryptographic options that you can choose for the Security Association. Choosing Any in the drop-down menus for these parameters will allow flexibility in negotiating with the other side which types will be used for the connection. Specifying particular options, on the other hand, will allow only the selected cryptographic types to be used.
- The Phase 1 Encryption field is used to select the cryptographic cipher algorithms that are allowed in Phase 1 of the Internet Key Exchange (IKE). IKE Phase 1 consists of authenticating the peers and setting up a secure channel for subsequent key exchange. If you do not care which encryption algorithm is used, then the default Any value will allow negotiation with the remote peer to determine the type. Otherwise, the 3DES or AES values can be selected to only allow those particular cipher algorithms to be used.
- The Phase 1 Authentication field is used to select the cryptographic hash functions used for authentication during IKE phase 1. The default value of Any will allow negotiation with the remote peer to determine the hash function. Otherwise, the SHA1 or MD5 hash functions can be selected, used with either ESP (Encapsulating Security Payload) or AH (Authentication Header).
- The IKE Group field is used to select the Diffie-Hellman prime-modulus group used during the Main Mode of the IKE. The possible values are Any to allow any group, Group 2 to select the 1024 bit group, or Group 5 to select the most secure 1536 bit group.
- The Phase 2 Encryption field is used to select the cryptographic cipher algorithms that are allowed in Phase 2 of the Internet Key Exchange (IKE). IKE Phase 2 consists of secure negotiation of Security Association parameters and setting up the IPsec tunnel. If you are not concerned which encryption algorithm is used, then the default Any value will allow negotiation with the remote peer to determine the type. Otherwise, the 3DES or AES values can be selected to only allow those particular cipher algorithms to be used.
- The Phase 2 Authentication field is used to select the cryptographic hash functions used for authentication during IKE phase 2. The default value of Any will allow negotiation with the remote peer to determine the hash function. Otherwise, the SHA1 or MD5 hash functions can be selected, used with either ESP (Encapsulating Security Payload) or AH (Authentication Header).
- The Lifetime field is used to set the Phase 2 Lifetime of this VPN. This parameter determines how long the VPN will stay up before needing to rekey. This value is always entered in seconds. The default is 3600 seconds but should be set to match the lifetime used by the Cisco device.
- The Rekey setting determines if the device should initiate rekey tasks. It is enabled by default.
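As an added example (not Ecessa's or Cisco's own code), the following Python models how the Any setting widens what the appliance will accept for each of the fields above, and which entry of the peer's ordered proposal list the two sides would settle on for each IKE phase. The field names, the expansion of Any into the values listed on this page, and the ASA proposal lists are assumptions constructed for illustration.

```python
# Added example, not Ecessa or Cisco code. Field names and the expansion of
# "Any" are assumptions taken from the drop-down values this page lists.
from typing import Dict, List, Optional

# What "Any" expands to for each drop-down, per the values named on this page.
ANY_SETS: Dict[str, set] = {
    "p1_enc": {"3DES", "AES"},
    "p1_auth": {"SHA1", "MD5"},
    "ike_group": {2, 5},
    "p2_enc": {"3DES", "AES"},
    "p2_auth": {"SHA1", "MD5"},
}
PHASE1_FIELDS = ("p1_enc", "p1_auth", "ike_group")  # IKE Phase 1 (Main Mode)
PHASE2_FIELDS = ("p2_enc", "p2_auth")               # IKE Phase 2 (IPsec SA)


def allowed(setting, field_name: str) -> set:
    """Expand one drop-down value into the set of values it permits."""
    if setting == "Any":
        return set(ANY_SETS[field_name])
    if setting not in ANY_SETS[field_name]:
        raise ValueError(f"{field_name}: {setting!r} is not a selectable value")
    return {setting}


def negotiate_phase(local: Dict[str, object], peer_proposals: List[Dict[str, object]],
                    fields) -> Optional[Dict[str, object]]:
    """Return the first peer proposal (in the peer's preferred order) that the
    local settings permit in every field, or None if the phase cannot complete."""
    for prop in peer_proposals:
        if all(prop[f] in allowed(local[f], f) for f in fields):
            return {f: prop[f] for f in fields}
    return None


def negotiate(local, peer_p1, peer_p2) -> Optional[Dict[str, object]]:
    """Both phases must succeed; if Phase 1 fails, Phase 2 never starts."""
    p1 = negotiate_phase(local, peer_p1, PHASE1_FIELDS)
    p2 = negotiate_phase(local, peer_p2, PHASE2_FIELDS) if p1 else None
    return {**p1, **p2} if p2 else None


# Constructed sample: Ecessa set to "Any" everywhere; the ASA prefers AES/SHA1/group 5.
ECESSA_ANY = {f: "Any" for f in ANY_SETS}
ASA_P1 = [{"p1_enc": "AES", "p1_auth": "SHA1", "ike_group": 5},
          {"p1_enc": "3DES", "p1_auth": "MD5", "ike_group": 2}]
ASA_P2 = [{"p2_enc": "AES", "p2_auth": "SHA1"}, {"p2_enc": "3DES", "p2_auth": "MD5"}]
```

Pinning a field (for example Phase 1 Encryption to 3DES) is what makes the peer's second proposal win, and pinning two fields that never appear together in any peer proposal is what leaves the tunnel stuck.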
Dead Peer Detection Options
Set the Dead Peer Detection Mode to Dead Peer Clear. Dead Peer Detection keep-alives will be used for testing rather than ping testing. When no reply is received, the connection is cleared. No restart of the connection is attempted.
Set the Start Option to On Demand. This causes any outbound traffic from the configured local LAN Network to the remote LAN Network defined in this Security Association to bring up the VPN connection automatically. Clicking 'Start' on the main VPN page will start the VPN as well.
The Advanced Options section is located in the bottom of the Advanced VPN configuration page. These are options that might be selected in some circumstances.
- The No Proxy checkbox, if checked, will prevent this VPN traffic from the LAN from being proxied by the Ecessa™. This should be checked if a service, such as VoIP for example, would otherwise proxy this traffic and cause it to not be sent out the VPN tunnel.
Once you are done entering all necessary fields for the Security Association, press the Activate button to apply the changes.
Start the VPN
When using On Demand, the VPN will not get established immediately. Instead, it remains in the RUNNING state until LAN-to-LAN traffic matching the Security Association is seen.
It is possible to bring up the VPN manually by selecting the VPN and clicking Start.
For our example, the remote Cisco ASA has already been configured so the VPN updates with an UP status.
Avoiding Conflicting Security Associations
Be careful not to create Security Associations that will conflict with existing Security Associations. The following scenarios should be avoided:
- Two or more SAs using the same local and remote IP addresses
- Two or more SAs using the same local and remote LAN subnets
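As an added example covering both the fields that "both sides must agree" on (LAN networks, pre-shared secret, Phase 2 lifetime) and the two conflict scenarios just listed (example code, not Ecessa's or Cisco's), the following Python checks a set of Security Associations for duplicates and cross-checks one SA against the mirrored configuration on the remote peer. The SA record, its field names and the sample addresses are constructed for illustration.

```python
# Added example, not Ecessa or Cisco code. The SA record and addresses are constructed.
from ipaddress import ip_network as net
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class SA:
    name: str            # arbitrary and local only; need not match the peer's name
    wan_addr: str        # this end's WAN address
    remote_addr: str     # the peer's address (blank would mean road-warrior)
    lan_net: str         # local LAN network, a.b.c.d/MASK
    remote_lan_net: str  # remote LAN network, a.b.c.d/MASK
    psk: str             # pre-shared secret
    lifetime: int        # Phase 2 lifetime in seconds

def valid_name(name: str) -> bool:
    """Up to 24 characters, alphanumeric and hyphens only."""
    return 0 < len(name) <= 24 and all(c.isalnum() or c == "-" for c in name)

def find_conflicts(sas: List[SA]) -> List[str]:
    """The two scenarios this page says to avoid, checked over every SA pair."""
    problems = []
    for i, a in enumerate(sas):
        for b in sas[i + 1:]:
            if (a.wan_addr, a.remote_addr) == (b.wan_addr, b.remote_addr):
                problems.append(f"{a.name}/{b.name}: same local and remote IP addresses")
            if net(a.lan_net) == net(b.lan_net) and net(a.remote_lan_net) == net(b.remote_lan_net):
                problems.append(f"{a.name}/{b.name}: same local and remote LAN subnets")
    return problems

def check_against_peer(local: SA, peer: SA) -> List[str]:
    """The peer's SA is the mirror image of ours: its remote LAN is our local LAN."""
    problems = []
    if net(local.lan_net) != net(peer.remote_lan_net):
        problems.append("local LAN network is not the peer's remote LAN network")
    if net(local.remote_lan_net) != net(peer.lan_net):
        problems.append("remote LAN network is not the peer's local LAN network")
    for attr, what in (("psk", "pre-shared secret"), ("lifetime", "Phase 2 lifetime")):
        if getattr(local, attr) != getattr(peer, attr):
            problems.append(f"{what} differs from the peer's")
    return problems

# Constructed sample: the Ecessa end and the mirrored Minneapolis ASA end.
ECESSA = SA("to-minneapolis", "203.0.113.10", "198.51.100.20",
            "192.168.10.0/24", "192.168.20.0/24", "secret", 3600)
ASA = SA("to-ecessa", "198.51.100.20", "203.0.113.10",
         "192.168.20.0/24", "192.168.10.0/24", "secret", 3600)
```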
*For additional details, please visit the help pages located within the web interface of the device.