Example VPN configuration 3: create a VPN Profile element
You must create a custom VPN Profile element to define the settings for VPN clients.
For more details about the product and how to configure features, click Help or press F1.
Steps
Next steps
SD-WAN Profile Properties dialog box
Use this dialog box to define the properties of a VPN Profile.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
Comment (Optional) |
A comment for your own reference. |
Overview section | A preview of the selections made on the other tabs is shown. |
Option | Definition |
---|---|
IKE SA tab | |
Versions | Select the IKE version. Note: If both versions are selected, IKEv2 is tried first in the negotiations,
and IKEv1 is only used if the remote gateway does not support IKEv2.
|
Cipher Algorithms | Select encryption methods that are appropriate for the sensitivity of the transferred information and any regulations that you might have to follow. We recommend that you limit the selection if possible, preferably using only one. If you select several options, multiple proposals are sent in IKE negotiations.
Note: The restricted (-R) product version has no strong encryption algorithms.
|
Message Digest Algorithms | Used for integrity checking and key derivation. We recommend that you select just one of these options
if you have no specific reason to select more.
|
Diffie-Hellman Groups | Select one or more groups for key exchange. We recommend that you select from groups 14-21 according to the security requirements for the VPN. Note: Groups 1, 2, and 5 are
not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
|
Authentication Method | The method that gateways in the VPN use to authenticate to each other.
|
SA Lifetime in Minutes |
The time limit after which IKE SA negotiations are done again in a continuously used VPN. This setting also defines the authentication timeout for the Forcepoint VPN Client. Change this setting only if you have a specific reason to do so. The SA lifetime must match the settings of the external gateway device. This setting affects tunnels that carry traffic continuously. Tunnels that are not used are closed after a short delay regardless of the lifetime set. Re-negotiations improve security, but might require heavy processing. The default lifetime is 1440 minutes. |
IKEv1 Negotiation Mode (Only if the Version is IKEv1) | The negotiation mode for IKEv1 key exchange.
|
Always Keep Tunnels Established | When selected, the Secure SD-WAN Engine keeps the IPsec VPN tunnels established even when no traffic is sent through the VPN tunnel. When the value for the SA Lifetime in Minutes option (for IKE SA) or the value for the IPsec Tunnel Lifetime (for IPsec SA) option is exceeded, the tunnel is automatically renegotiated even if there is no traffic in the VPN tunnel. |
Option | Definition |
---|---|
IPsec SA tab | |
IPsec Type | Select one or more options to define integrity checking and data origin authentication for IP
datagrams.
|
Cipher Algorithms | The VPN encryption method. We recommend that you limit the selection to as few choices as possible, preferably only one.
Note: The restricted (-R) product version has no strong encryption algorithms.
|
Message Digest Algorithms | Used for integrity checking, except when authenticated encryption such as AES-GCM is used. We recommend that you select just one of these options if you have no specific
reason to select more.
|
Compression Algorithm | Options for compressing the data in the VPN to reduce the bandwidth use on congested links.
|
IPsec Tunnel Lifetime
(Optional) |
Limits after which IPsec SA negotiations are done again in a continuously used VPN. Reaching either the time or data amount limits triggers new IPsec SA negotiations, which must happen at regular intervals to guarantee security. This setting affects tunnels that carry traffic continuously. Tunnels that are not used are closed after a short delay regardless of the lifetime set here. IPsec SA negotiations are lighter on the processor than IKE SA negotiations, but still require some processing. Too frequent re-negotiations can reduce performance down to unacceptable levels. Note: There is a separate setting for the SA Lifetime on the IKE SA tab. The
SA Lifetime must be longer than the IPsec Tunnel Lifetime.
The default is 480 minutes with no limit on the amount of transferred data. |
Security Association Granularity | Defines the level at which security associations (SA) are created.
|
Use PFS with Diffie-Hellman Group
(Optional) |
Select one of the Diffie-Hellman groups. We recommend that you select from groups 14-21 according to the security requirements for the VPN.
Note: Groups 1, 2, and 5 are not considered
sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
When you use this option, the gateways calculate
new values for key negotiations when renegotiating the SAs instead of deriving the values from previously negotiated keying material. This setting increases security if
a key is compromised. |
Disable Anti Replay Window
(Optional) |
The anti-replay window feature provides protection against attacks in which packets are replayed. When
enabled, the gateway keeps track of the sequence numbers of the arriving packets, and discards any packet whose number
matches the number of a packet that has already arrived. It is usually recommended to leave the anti-replay window enabled. However, if QoS is applied to ESP/AH traffic, some of the ESP packets (for the same SA) might be delayed due to the classification and arrive at the destination so late that the anti-replay window has moved too far. This behavior causes the packets to be dropped. In this case, it might be necessary to disable the anti-replay window. |
Disable Path MTU Discovery
(Optional) |
Prevents the gateway from sending ICMP "Fragmentation needed" messages to the originator when the packet size (including the headers added for IPsec) exceeds the Ethernet-standard 1500 bytes. If this option is selected, packets might be fragmented for transport across the VPN and reassembled at the receiving gateway. Selecting the option might be necessary if ICMP messages do not reach the other gateway or the other gateway does not react to them correctly. |
Option | Definition |
---|---|
IPsec Client tab If a VPN Profile that contains VPN client settings is used in a route-based VPN, the VPN Client settings are ignored. |
|
Authentication Method |
Enables certificate-based authentication. This option is always used for the Gateway certificates for the Gateways involved in mobile VPNs, and if certificate authentication is used, also for the client. Certificate authentication does not need separate activation. However, you must configure the issuing authority separately as trusted and you must create certificates for the VPN clients in a manual process.
|
Allow Hybrid / EAP Authentication
(Optional) (Forcepoint VPN Client only) |
Allows users of the Forcepoint VPN Client to authenticate by filling in a user name and password or a similar authentication scheme provided by an external authentication server. The gateway still authenticates itself to the VPN clients using a certificate. |
Allow CN Authentication
(Optional) (Certificate authentication only) |
Allows using the common name (CN) of the certificates for authentication. The CN is checked against a value entered in User elements. |
Allow Pre-Shared Key Authentication with IKEv1
(Optional) |
Select this option if you have third-party VPN clients that use a pre-shared key for authenticating the VPN clients and the gateway. The pre-shared key is defined in the
properties of User elements that have Pre-Shared Key Method as an authentication method. The Forcepoint VPN Client does not support this method. CAUTION: The pre-shared key option requires aggressive mode IKE negotiations in the mobile VPN. In aggressive mode, user information is not protected, so we
recommend that you take precautions, such as not using the same user name for the users as they have when they access other services in your internal network.
|
IPsec Security Association Granularity for Tunnel Mode | Defines the level at which security associations (SA) are created in Tunnel Mode. The Forcepoint VPN Client supports only SA per
Net.
|
Option | Definition |
---|---|
Certificate Authorities tab | |
Trust All | The gateway trusts all certificate authorities, unless restricted in the VPN element. This option is the default setting. |
Trust only selected | The gateway trusts only the certificate authorities that you select in the table. You can also restrict trusted CAs in VPN Gateway and External VPN Gateway elements. If you restrict trusted CAs in both the gateway and the VPN Profile, make sure that any two gateways that form a VPN tunnel trust the same CA after all defined restrictions are applied. |