Difference between revisions of "VPN Form"
From Tech-Wiki
| (4 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
Use this form to exchange VPN information | Use this form to exchange VPN information | ||
| + | |||
| + | One firewall (peer) will talk to the remote peer using their public IP, and exchange encrypted data (IPSec) in order to stablish the tunnel.<br> | ||
| + | Once the tunnel is Up, the traffic will flow using their internal private address range. | ||
| + | |||
| + | |||
| + | Example: | ||
| + | 10.1.50.x – 200.2.2.20 ------ (net) ----- 201.1.1.10 – 192.168.1.x:80 | ||
| + | |||
| Line 15: | Line 23: | ||
|colspan="2" align="center"|'''Tunnel Termination - Public Internet IP addresses''' | |colspan="2" align="center"|'''Tunnel Termination - Public Internet IP addresses''' | ||
|- | |- | ||
| − | |Internet IP address (peer) at | + | |Internet IP address (peer) at ACME |
|200.2.2.20 | |200.2.2.20 | ||
|- | |- | ||
| Line 21: | Line 29: | ||
|10.1.50.0/24 | |10.1.50.0/24 | ||
|- | |- | ||
| − | |Internet IP Address (remote peer) at | + | |Internet IP Address (remote peer) at BRANCH |
|''please fill'' | |''please fill'' | ||
|- | |- | ||
|Partner Internal Network | |Partner Internal Network | ||
| − | |''please fill'' (if | + | |''please fill'' (if internal network overlaps the other one, it should be nat'ed) |
|- | |- | ||
|colspan="2" align="center"|'''IKE Policy (Phase 1)''' | |colspan="2" align="center"|'''IKE Policy (Phase 1)''' | ||
|- | |- | ||
|IKE Version | |IKE Version | ||
| − | |( ) IKEv1 (x) IKEv2 | + | |( ) IKEv1 (x) IKEv2 |
|- | |- | ||
|IKE Encryption Policy | |IKE Encryption Policy | ||
| − | |(x) AES 256 | + | |(x) AES 256 ( ) 3DES (156-bit) |
| − | + | ||
|- | |- | ||
|IKE Authentication Policy | |IKE Authentication Policy | ||
| − | |(x) SHA1 | + | |(x) SHA1 ( ) MD5 |
|- | |- | ||
|IKE Lifetime (default 86400s = 1day) | |IKE Lifetime (default 86400s = 1day) | ||
| Line 43: | Line 50: | ||
|- | |- | ||
|Diffie-Hellman Group | |Diffie-Hellman Group | ||
| − | |( ) Group 1 (x) Group 2 ( ) Group 5 ( ) Group 14 | + | |( ) Group 1 (x) Group 2 ( ) Group 5 ( ) Group 14 |
|- | |- | ||
|Identity (IP address or hostname) | |Identity (IP address or hostname) | ||
| Line 49: | Line 56: | ||
|- | |- | ||
|Authentication | |Authentication | ||
| − | |(x) Pre-shared Key ( ) PKI | + | |(x) Pre-shared Key ( ) PKI |
|- | |- | ||
|Mode (Main recommended) | |Mode (Main recommended) | ||
| − | |(x) Main ( ) Aggressive | + | |(x) Main ( ) Aggressive |
|- | |- | ||
|Pre-Shared Key | |Pre-Shared Key | ||
| − | |Note: do not use unencrypted | + | |Note: do not use unencrypted email to exchange pre-shared keys |
|- | |- | ||
|Pre-shared Key exchange | |Pre-shared Key exchange | ||
| − | |( ) PGP ( ) Phone call (x) TXT/SMS ____________ | + | |( ) PGP ( ) Phone call (x) TXT/SMS ____________ |
|- | |- | ||
|colspan="2" align="center"|'''IPSEC Policy (Phase 2)''' | |colspan="2" align="center"|'''IPSEC Policy (Phase 2)''' | ||
|- | |- | ||
|IPSEC Encryption Algorithm | |IPSEC Encryption Algorithm | ||
| − | |( ) ESP-3DES (x) ESP-AES128 ( ) ESP-AES256 | + | |( ) ESP-3DES (x) ESP-AES128 ( ) ESP-AES256 |
|- | |- | ||
|IPSEC Data Integrity | |IPSEC Data Integrity | ||
| Line 69: | Line 76: | ||
|- | |- | ||
|Perfect Forward Secrecy (PFS) | |Perfect Forward Secrecy (PFS) | ||
| − | |( ) Off ( ) Group 1 (x) Group 2 ( ) Group 5 | + | |( ) Off ( ) Group 1 (x) Group 2 ( ) Group 5 |
|- | |- | ||
|IPSEC SA Lifetime - Seconds | |IPSEC SA Lifetime - Seconds | ||
| Line 75: | Line 82: | ||
|- | |- | ||
|IPSEC SA Lifetime - Kilobytes | |IPSEC SA Lifetime - Kilobytes | ||
| − | |_____KB (x) Disabled | + | |_____KB (x) Disabled |
|} | |} | ||
Latest revision as of 19:51, 26 July 2018
Use this form to exchange VPN information
One firewall (peer) will talk to the remote peer using their public IP, and exchange encrypted data (IPSec) in order to stablish the tunnel.
Once the tunnel is Up, the traffic will flow using their internal private address range.
Example:
10.1.50.x – 200.2.2.20 ------ (net) ----- 201.1.1.10 – 192.168.1.x:80
VPN Form
| Parameter | Value |
|---|---|
| Tunnel Termination - Public Internet IP addresses | |
| Internet IP address (peer) at ACME | 200.2.2.20 |
| Internal Network | 10.1.50.0/24 |
| Internet IP Address (remote peer) at BRANCH | please fill |
| Partner Internal Network | please fill (if internal network overlaps the other one, it should be nat'ed) |
| IKE Policy (Phase 1) | |
| IKE Version | ( ) IKEv1 (x) IKEv2 |
| IKE Encryption Policy | (x) AES 256 ( ) 3DES (156-bit) |
| IKE Authentication Policy | (x) SHA1 ( ) MD5 |
| IKE Lifetime (default 86400s = 1day) | 86400 sec |
| Diffie-Hellman Group | ( ) Group 1 (x) Group 2 ( ) Group 5 ( ) Group 14 |
| Identity (IP address or hostname) | N/A |
| Authentication | (x) Pre-shared Key ( ) PKI |
| Mode (Main recommended) | (x) Main ( ) Aggressive |
| Pre-Shared Key | Note: do not use unencrypted email to exchange pre-shared keys |
| Pre-shared Key exchange | ( ) PGP ( ) Phone call (x) TXT/SMS ____________ |
| IPSEC Policy (Phase 2) | |
| IPSEC Encryption Algorithm | ( ) ESP-3DES (x) ESP-AES128 ( ) ESP-AES256 |
| IPSEC Data Integrity | (x) SHA ( ) MD5 |
| Perfect Forward Secrecy (PFS) | ( ) Off ( ) Group 1 (x) Group 2 ( ) Group 5 |
| IPSEC SA Lifetime - Seconds | 3600 seconds |
| IPSEC SA Lifetime - Kilobytes | _____KB (x) Disabled |