Define a custom Gateway Profile element

The Gateway Profile element introduces information about the features and options available so that the VPN configuration can be automatically validated.

The general settings directly affect the settings used in VPNs. The authentication and encryption settings defined in the Gateway Profile do not directly influence which of the displayed settings are used for any VPNs. The settings in the Gateway Profile help you make sure that the settings defined for the VPNs correspond to the options supported by the gateway devices involved.

For VPN Gateways that represent engines, the Gateway Profiles are automatically selected according to the software version, and you cannot change the selection. If you use an Secure SD-WAN Engine managed by a different Management Server or administrative Domain as an External VPN Gateway, select the Gateway Profile according to the software version. If you use a third-party device as an External VPN Gateway, you have the following options:
  • You can use the Default (all capabilities) profile, which allows any of the options to be selected for the External VPN Gateway.
  • You can define a custom Gateway Profile to restrict the options to a supported set to prevent configuration errors.

For the Forcepoint VPN Client, there are predefined Gateway Profiles.

The IKE Capabilities and IPsec Capabilities are not directly used in a VPN. The settings are selected for use in the VPN Profile element. The settings define a set of options that the gateway supports, so that the SMC can automatically check for misconfigured settings.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Secure SD-WAN.
  2. Browse to Other Elements > Profiles.
  3. Right-click Gateway Profiles, then select New Gateway Profile.
  4. Configure the settings.
  5. Click OK.

Gateway Profile Properties dialog box

Use this dialog box to define the properties of a VPN Gateway Profile element.

Option Definition
General tab
Name The name of the element.
Comment

(Optional)

 A comment for your own reference.
Tunnel-to-Tunnel Forwarding Capabilities
Relay Site-to-Site Traffic When selected, specifies that the gateways using the profile can forward site-to-site VPN traffic to other site-to-site VPNs. This option reduces the number of tunnels created by default for VPNs involving this Gateway when you define forwarding from one VPN to another in the VPN element.
Relay Mobile VPN traffic This option is shown only because the setting is used in the default profiles for different versions of the Engine/VPN. This setting is not relevant to custom configurations.
IKE Settings Shows the selections from the IKE Capabilities tab.
IPsec Settings Shows the selections from the IPsec Capabilities tab.
IKE Capabilities tab
Versions Select the IKE version.
Note: If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is only used if the remote gateway does not support IKEv2.
  • IKEv1 — Internet Key Exchange version 1.
  • IKEv2 — Internet Key Exchange version 2.
Cipher Algorithms The VPN encryption method.
We recommend that you limit the selection to as few choices as possible, preferably only one. If you make multiple choices, multiple proposals are sent in IKE negotiations.
  • AES-128 — Advanced Encryption Standard cipher algorithm with a 128-bit key size.
  • AES-256 — Advanced Encryption Standard algorithm with a 256-bit key size.
  • DES — Data Encryption Standard algorithm. Do not select this option unless you are required to do so. DES is no longer considered secure because it is relatively easy to break DES encryption with modern computers.
  • Blowfish — Blowfish cipher algorithm.
  • 3DES — Triple DES algorithm. Applies the DES cipher algorithm three times to each data block. This option has a high overhead compared to other protocols with a comparable level of security. It is not a good choice when high throughput is required.
Message Digest Algorithms Used for integrity checking and key derivation. We recommend that you select just one of these options if you have no specific reason to select more.
  • SHA-1 — The SHA-1 hash function.
  • SHA-2 — The SHA-2 hash function.
  • MD5 — The MD5 message-digest algorithm.
Diffie-Hellman Group Select one or more groups for key exchange. We recommend that you select from groups 14-21 according to the security requirements for the VPN.
Note: Groups 1, 2, and 5 are not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
  • 1 (768 bits) — Diffie-Hellman key exchange with a 768-bit modulus.
  • 2 (1024 bits) — Diffie-Hellman key exchange with a 1024-bit modulus.
  • 5 (1536 bits) — Diffie-Hellman key exchange with a 1536-bit modulus.
  • 14 (2048 bits) — Diffie-Hellman key exchange with a 2048-bit modulus.
  • 15 (3072 bits) — Diffie-Hellman key exchange with a 3072-bit modulus.
  • 16 (4096 bits) — Diffie-Hellman key exchange with a 4096-bit modulus.
  • 17 (6144 bits) — Diffie-Hellman key exchange with a 6144-bit modulus.
  • 18 (8192 bits) — Diffie-Hellman key exchange with a 8192-bit modulus.
  • 19 (ECP 256 bits) — Diffie-Hellman key exchange with 256-bit elliptic curve.
  • 20 (ECP 384 bits) — Diffie-Hellman key exchange with 384-bit elliptic curve.
  • 21 (ECP 521 bits) — Diffie-Hellman key exchange with 521-bit elliptic curve.
Authentication Method The method that gateways in the VPN use to authenticate to each other.
  • Pre-Shared Key — Requires that you periodically change the pre-shared keys for each tunnel in the VPN elements to be secure.
  • RSA Signatures — Requires that each Gateway has a valid certificate.
  • DSS Signatures — Requires that each Gateway has a valid certificate.
  • ECDSA Signatures — Requires that each Gateway has a valid certificate.
IKEv1 Negotiation Mode (Only if IKEv1 is selected as the Version) The negotiation mode for IKEv1 key exchange.
  • Main — Main negotiation mode (recommended) protects the identity information of the Gateways so that malicious parties cannot gain information about the Gateway's identity by launching IKE negotiations with the gateway.
  • Aggressive — Aggressive negotiation mode skips some steps that are included in the main mode, resulting in quicker negotiations. For security reasons, we recommend that you do not use the aggressive negotiation mode if you use pre-shared keys for authentication.

    Select Aggressive mode for VPNs that involve a gateway with a dynamic IP address. In this case, we recommend that you use certificates for authentication rather than pre-shared keys.

Option Definition
IPsec Capabilities tab
IPsec Type Select one or more options to define integrity checking and data origin authentication for IP datagrams.
  • ESP — (Recommended) Encapsulating Security Payload. The communications are encrypted.
  • AH — Authentication Header. Usually, AH alone is not a valid option. The AH setting disables encryption for the VPN, fully exposing all traffic that uses the VPN to anyone who intercepts it in transit. You can use AH to authenticate and check the integrity of communications without encrypting them.
Cipher Algorithms The VPN encryption method. We recommend that you limit the selection to as few choices as possible, preferably only one.
  • AES-128 — Advanced Encryption Standard cipher algorithm with a 128-bit key size.
  • AES-256 — Advanced Encryption Standard algorithm with a 256-bit key size.
  • AES-GCM-128 — Advanced Encryption Standard Galois/Counter Mode encryption algorithm with a 128-bit key size. Recommended for high-speed networks.
  • AES-GCM-256 — Advanced Encryption Standard Galois/Counter Mode encryption algorithm with a 256-bit key size. Recommended for high-speed networks.
  • DES — Data Encryption Standard algorithm. Do not select this option unless you are required to do so. DES is no longer considered secure because it is relatively easy to break DES encryption with modern computers.
  • Blowfish — Blowfish cipher algorithm.
  • 3DES — Triple DES algorithm. Applies the DES cipher algorithm three times to each data block. This option has a relatively high overhead compared to other protocols with a comparable level of security and is therefore not a good choice when high throughput is required.
  • Null — Do not select this option unless you want to disable encryption. This option fully exposes all traffic that uses the VPN to anyone who intercepts it in transit. You can use Null encryption to authenticate and check the integrity of communications without encrypting them.
Message Digest Algorithms Used for integrity checking, except when authenticated encryption such as AES-GCM is used.
  • SHA-1 — The SHA-1 hash function.
  • SHA-2 — The SHA-2 hash function.
  • AES-XCBC-MAC — The AES-XCBC-MAC Message Authentication Code hash function.
  • MD5 — The MD5 message-digest algorithm.
Compression Algorithm Options for compressing the data in the VPN to reduce the bandwidth use on congested links.
  • Deflate — Compresses the data. This compression requires processing and memory resources, which increases latency. Latency might increase also for non-VPN traffic. Do not select this option if the resource utilization is high. Gateways at both ends of each tunnel involved must support the option.
  • None — (Recommended for most environments) Sends the data without compressing it. Provides better performance when bandwidth congestion for VPN traffic is not a constant issue or if there is significant processor load.
Security Association Granularity Defines the level at which security associations (SA) are created.
  • SA per Net — Creates an SA for each network from which connections are made through the VPN. This setting reduces the overhead when there are many hosts making connections through the VPN.
  • SA per Host — Creates an SA for each host that makes connections through the VPN. This setting might provide more even load balancing in clusters than the Per Net setting, but increases the overhead, as Per Host usually requires that more SAs are negotiated.
PFS Diffie-Hellman Group Select one or more Diffie-Hellman groups for perfect forward secrecy (PFS) key negotiations. We recommend that you select from groups 14-21 according to the security requirements for the VPN.
Note: Groups 1, 2, and 5 are not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems.
  • 1 (768 bits) — Diffie-Hellman key exchange with a 768-bit modulus.
  • 2 (1024 bits) — Diffie-Hellman key exchange with a 1024-bit modulus.
  • 5 (1536 bits) — Diffie-Hellman key exchange with a 1536-bit modulus.
  • 14 (2048 bits) — Diffie-Hellman key exchange with a 2048-bit modulus.
  • 15 (3072 bits) — Diffie-Hellman key exchange with a 3072-bit modulus.
  • 16 (4096 bits) — Diffie-Hellman key exchange with a 4096-bit modulus.
  • 17 (6144 bits) — Diffie-Hellman key exchange with a 6144-bit modulus.
  • 19 (ECP 256 bits) — Diffie-Hellman key exchange with 256-bit elliptic curve.
  • 20 (ECP 384 bits) — Diffie-Hellman key exchange with 384-bit elliptic curve.
  • 21 (ECP 521 bits) — Diffie-Hellman key exchange with 521-bit elliptic curve.