Difference between revisions of "VPN Form"
From Tech-Wiki
Latest revision as of 18:51, 26 July 2018
Use this form to exchange the parameters of a site-to-site IPsec VPN with a partner. Both peers must configure the same Phase 1 and Phase 2 values; a mismatch on either side keeps the tunnel from coming up.
Each firewall (peer) talks to the remote peer on its public IP address: IKE negotiates the security associations there, and the encrypted traffic (IPsec ESP) is carried between the two public addresses in order to establish the tunnel.
Once the tunnel is up, traffic flows through it between the two internal private address ranges; the public addresses only terminate the tunnel.
Example (ACME's 10.1.50.x network behind peer 200.2.2.20 reaching port 80 on the partner's 192.168.1.x network behind remote peer 201.1.1.10):
10.1.50.x – 200.2.2.20 ------ (net) ----- 201.1.1.10 – 192.168.1.x:80
VPN Form
Parameter | Value |
---|---|
Tunnel Termination - Public Internet IP addresses | |
Internet IP address (peer) at ACME | 200.2.2.20 |
Internal Network | 10.1.50.0/24 |
Internet IP Address (remote peer) at BRANCH | please fill |
Partner Internal Network | please fill (if internal network overlaps the other one, it should be nat'ed) |
IKE Policy (Phase 1) | |
IKE Version | ( ) IKEv1 (x) IKEv2 |
IKE Encryption Policy | (x) AES 256 ( ) 3DES (168-bit key, 112-bit effective strength) |
IKE Authentication Policy | (x) SHA1 ( ) MD5 |
IKE Lifetime (default 86400s = 1day) | 86400 sec |
Diffie-Hellman Group | ( ) Group 1 (768-bit MODP) (x) Group 2 (1024-bit MODP) ( ) Group 5 (1536-bit MODP) ( ) Group 14 (2048-bit MODP); Group 14 or higher is preferred when both peers support it |
Identity (IP address or hostname) | N/A |
Authentication | (x) Pre-shared Key ( ) PKI |
Mode (IKEv1 only; Main recommended, since Aggressive mode with a pre-shared key exposes the PSK-derived hash to offline guessing) | (x) Main ( ) Aggressive |
Pre-Shared Key | Note: do not use unencrypted email to exchange pre-shared keys |
Pre-shared Key exchange | ( ) PGP ( ) Phone call (x) TXT/SMS ____________ (SMS is not end-to-end encrypted either; PGP or a phone call is the safer choice) |
IPSEC Policy (Phase 2) | |
IPSEC Encryption Algorithm | ( ) ESP-3DES (x) ESP-AES128 ( ) ESP-AES256 |
IPSEC Data Integrity | (x) SHA (HMAC-SHA1) ( ) MD5 |
Perfect Forward Secrecy (PFS) | ( ) Off ( ) Group 1 (x) Group 2 ( ) Group 5 (same MODP sizes as the IKE groups above; Off derives every Phase 2 key from the Phase 1 secret without a fresh DH exchange) |
IPSEC SA Lifetime - Seconds | 3600 seconds |
IPSEC SA Lifetime - Kilobytes | _____KB (x) Disabled |
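As an added example, not part of the wiki page or of any vendor's tooling, the following Python reviews a filled-in copy of the form before anyone types it into a firewall: it checks that the two internal networks do not overlap (the form says an overlap has to be NATed), flags the options a reviewer would push back on, derives strongSwan-style proposal strings so both sides can compare what they configured, and generates a random pre-shared key. The ACME values are the ones printed on the form; the partner-side values, the 2048-bit DH threshold and the finding texts are this example's own assumptions.

```python
"""Review a completed VPN Form before the tunnel is built.

Added example, not code from the wiki page: it models the form's rows as a
dict, checks the two internal networks for overlap, flags weak choices,
derives strongSwan-style proposal strings and generates a random PSK.
The partner values and the policy thresholds are this example's assumptions.
"""
import ipaddress
import secrets

# ACME side copied from the form; partner side is a constructed sample for the
# "please fill" cells (the page's own diagram uses 201.1.1.10 / 192.168.1.x).
FORM = {
    "peer_public_ip": "200.2.2.20",
    "internal_network": "10.1.50.0/24",
    "remote_public_ip": "201.1.1.10",
    "partner_network": "192.168.1.0/24",
    "ike_version": "IKEv2",
    "ike_encryption": "AES256",
    "ike_integrity": "SHA1",
    "ike_lifetime_s": 86400,
    "dh_group": 2,
    "authentication": "PSK",
    "mode": "Main",             # IKEv1 only; ignored for IKEv2
    "psk_exchange": "SMS",
    "esp_encryption": "AES128",
    "esp_integrity": "SHA1",
    "pfs_group": 2,             # 0 means PFS off
    "ipsec_lifetime_s": 3600,
    "ipsec_lifetime_kb": None,  # None means the kilobyte lifetime is disabled
}

# IKE DH group number -> (MODP size in bits, strongSwan keyword).
DH_GROUPS = {1: (768, "modp768"), 2: (1024, "modp1024"),
             5: (1536, "modp1536"), 14: (2048, "modp2048")}
MIN_DH_BITS = 2048  # assumed policy threshold, not stated on the form

ENC = {"AES128": "aes128", "AES256": "aes256", "3DES": "3des"}
HASH = {"SHA1": "sha1", "MD5": "md5"}


def networks_overlap(a: str, b: str) -> bool:
    """True when the two internal ranges share any address (NAT is then required)."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def review(form: dict) -> list:
    """Return the findings a reviewer would raise before accepting the form."""
    findings = []
    if networks_overlap(form["internal_network"], form["partner_network"]):
        findings.append("overlap: internal networks overlap, one side must NAT")
    if form["ike_version"] == "IKEv1" and form["mode"] == "Aggressive":
        findings.append("aggressive: IKEv1 aggressive mode exposes the PSK hash to offline guessing")
    for label, grp in (("dh", form["dh_group"]), ("pfs", form["pfs_group"])):
        if grp and DH_GROUPS[grp][0] < MIN_DH_BITS:
            findings.append(f"{label}: group {grp} is {DH_GROUPS[grp][0]}-bit MODP, use 14 or higher")
    if not form["pfs_group"]:
        findings.append("pfs: PFS off derives every Phase 2 key from the Phase 1 secret")
    if "MD5" in (form["ike_integrity"], form["esp_integrity"]):
        findings.append("md5: MD5 integrity is not acceptable")
    if "3DES" in (form["ike_encryption"], form["esp_encryption"]):
        findings.append("3des: 168-bit key with 112-bit effective strength and a 64-bit block, use AES")
    if form["authentication"] == "PSK" and form["psk_exchange"] not in ("PGP", "Phone call"):
        findings.append("psk: exchange channel is not confidential, use PGP or a phone call")
    return findings


def strongswan_proposals(form: dict) -> tuple:
    """(ike, esp) proposal strings in strongSwan's cipher-hash-group notation."""
    ike = f"{ENC[form['ike_encryption']]}-{HASH[form['ike_integrity']]}-{DH_GROUPS[form['dh_group']][1]}"
    esp = f"{ENC[form['esp_encryption']]}-{HASH[form['esp_integrity']]}"
    if form["pfs_group"]:
        esp += f"-{DH_GROUPS[form['pfs_group']][1]}"
    return ike, esp


def generate_psk(nbytes: int = 32) -> str:
    """Random pre-shared key as hex: generate it, never pick a word or phrase."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for finding in review(FORM):
        print("finding:", finding)
    print("ike/esp proposals:", *strongswan_proposals(FORM))
    print("new psk:", generate_psk())
```

Run against the form's own defaults it reports three findings (DH group 2 for Phase 1, group 2 for PFS, and the SMS key exchange); switching both groups to 14 and the exchange to PGP clears them. The proposal strings are what you would paste into a strongSwan `ike=` / `esp=` line to confirm the peer negotiated exactly what the form says.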