End-of-Life (EoL)

Set Up an IKE Gateway

To set up a VPN tunnel, the VPN peers or gateways must authenticate each other using preshared keys or digital certificates and establish a secure channel in which to negotiate the IPSec security association (SA) that will be used to secure traffic between the hosts on each side.
  1. Define the IKE Gateway.
    1. Select Network > Network Profiles > IKE Gateways, click Add, and on the General tab, enter the Name of the gateway.
    2. For Version, select IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. The IKE gateway begins its negotiation with its peer in the mode specified here. If you select IKEv2 preferred mode, the two peers will use IKEv2 if the remote peer supports it; otherwise they will use IKEv1. (The Version selection also determines which options are available on the Advanced Options tab.)
  2. Establish the local endpoint of the tunnel (gateway).
    1. For Address Type, click IPv4 or IPv6.
    2. Select the physical, outgoing Interface on the firewall where the local gateway resides.
    3. From the Local IP Address drop-down, select the IP address that will be used as the endpoint for the VPN connection. This is the external-facing interface with a publicly routable IP address on the firewall.
  3. Establish the peer at the far end of the tunnel (gateway).
    1. Select the Peer IP Type to be a Static or Dynamic address assignment.
    2. If the Peer IP Address is static, enter the IP address of the peer.
  4. Specify how the peer is authenticated.
    Select the Authentication method: Pre-Shared Key or Certificate. If you choose Pre-Shared Key, proceed to the next step. If you choose Certificate, skip to Step 6.
  5. Configure a pre-shared key.
    1. Enter a Pre-shared Key, which is the security key to use for authentication across the tunnel. Re-enter the value to Confirm Pre-shared Key. Use a maximum of 255 ASCII or non-ASCII characters.
       Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary.
    2. For Local Identification, choose from the following types and enter a value that you determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). Local identification defines the format and identification of the local gateway. If no value is specified, the local IP address will be used as the local identification value.
    3. For Peer Identification, choose from the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). Peer identification defines the format and identification of the peer gateway. If no value is specified, the peer IP address will be used as the peer identification value.
    4. Proceed to Step 7 and continue from there.
  6. Configure certificate-based authentication.
    Perform the remaining steps in this procedure if you selected Certificate as the method of authenticating the peer gateway at the opposite end of the tunnel.
    1. Select a Local Certificate that is already on the firewall from the drop-down, or Import a certificate, or Generate to create a new certificate.
    2. Click the HTTP Certificate Exchange check box if you want to configure Hash and URL (IKEv2 only). For an HTTP certificate exchange, enter the Certificate URL. For more information, see Hash and URL Certificate Exchange.
    3. Select the Local Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address), and enter the value. Local identification defines the format and identification of the local gateway.
    4. Select the Peer Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address), and enter the value. Peer identification defines the format and identification of the peer gateway.
    5. Select one type of Peer ID Check:
      • Exact—Check this to ensure that the local setting and peer IKE ID payload match exactly.
      • Wildcard—Check this to allow the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard need not match.
    6. Click Permit peer identification and certificate payload identification mismatch if you want to allow a successful IKE SA even when the peer identification does not match the peer identification in the certificate.
    7. Choose a Certificate Profile from the drop-down. A certificate profile contains information about how to authenticate the peer gateway.
    8. Click Enable strict validation of peer's extended key use if you want to strictly control how the key can be used.
  7. Configure advanced options for the gateway.
    1. Select the Advanced Options tab.
    2. In the Common Options section, Enable Passive Mode if you want the firewall to only respond to IKE connection requests and never initiate them.
    3. Enable NAT Traversal if you have a device performing NAT between the gateways, so that the IKE and IPSec (ESP) traffic is UDP-encapsulated and can pass through intermediate NAT devices.
    4. If you chose IKEv1 only mode earlier, on the IKEv1 tab:
      • Choose auto, aggressive, or main for the Exchange Mode. When a device is set to use auto exchange mode, it can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode.
        If the exchange mode is not set to auto, you must configure both peers with the same exchange mode to allow each peer to accept negotiation requests.
      • Select an existing profile or keep the default profile from the IKE Crypto Profile drop-down. For details on defining an IKE Crypto profile, see Define IKE Crypto Profiles.
      • (Only if using certificate-based authentication and the exchange mode is not set to aggressive mode) Click Enable Fragmentation to enable the firewall to operate with IKE Fragmentation.
      • Click Dead Peer Detection and enter an Interval (range is 2-100 seconds). For Retry, define the time to delay (range is 2-100 seconds) before attempting to re-check availability. Dead peer detection identifies inactive or unavailable IKE peers by sending an IKE phase 1 notification payload to the peer and waiting for an acknowledgment.
    5. If you chose IKEv2 only mode or IKEv2 preferred mode in Step 1, on the IKEv2 tab:
      • Select an IKE Crypto Profile from the drop-down, which configures IKE Phase 1 options such as the DH group, hash algorithm, and ESP authentication. For information about IKE crypto profiles, see IKE Phase 1.
      • Enable Strict Cookie Validation if you want to always enforce cookie validation on IKEv2 SAs for this gateway. See Cookie Activation Threshold and Strict Cookie Validation.
      • Enable Liveness Check and enter an Interval (sec) (default is 5) if you want to have the gateway send a message request to its gateway peer, requesting a response. If necessary, the Initiator attempts the liveness check up to 10 times. If it doesn't get a response, the Initiator closes and deletes the IKE_SA and CHILD_SA. The Initiator will start over by sending out another IKE_SA_INIT.
  8. Save the changes.
    Click OK and Commit.
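Several of the rules this procedure states can be checked before you Commit: the 255-character pre-shared key limit and the advice to resist dictionary attacks (Step 5), the identification types and the Exact versus Wildcard Peer ID Check (Steps 5 and 6), the IKEv2 preferred mode fallback (Step 1), the auto/main/aggressive exchange-mode compatibility rule and the liveness check's 10 attempts (Step 7). The Python below is an added example written for this page; it is not PAN-OS code and does not talk to a firewall. The function names, the type keys (fqdn, ipaddr, keyid, ufqdn, dn), the tiny wordlist, the 20-character minimum and the sample values are all assumptions made here.

```python
"""Checks that mirror the IKE gateway settings in the procedure above (added example)."""
import ipaddress
import re
import secrets
from typing import Callable, Optional

# Constructed, deliberately tiny stand-in for a dictionary-attack wordlist.
WEAK_WORDS = {"password", "secret", "vpn", "cisco", "paloalto", "12345678"}


def generate_preshared_key(nbytes: int = 32) -> str:
    """Random PSK from the OS CSPRNG; 32 bytes encode to 43 URL-safe ASCII characters."""
    return secrets.token_urlsafe(nbytes)


def check_preshared_key(psk: str) -> list:
    """Return the problems found with a PSK; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(psk) <= 255:           # the page's 255-character limit
        problems.append("length must be between 1 and 255 characters")
    lowered = psk.lower()
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("contains a dictionary word")
    if len(psk) < 20:                      # assumed minimum for a hand-typed key
        problems.append("shorter than 20 characters")
    return problems


def validate_identification(id_type: str, value: str) -> bool:
    """Well-formedness check for a Local/Peer Identification value by type.
    Type keys (assumed) stand for the drop-down entries: fqdn (hostname), ipaddr,
    keyid (hex string), ufqdn (email) and dn (Distinguished Name, certificates only)."""
    if id_type == "ipaddr":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    patterns = {
        "fqdn": r"(?=.{1,253}$)(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}",
        "keyid": r"(?:[0-9A-Fa-f]{2})+",
        "ufqdn": r"[^@\s]+@[^@\s]+\.[^@\s]+",
        "dn": r"[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*",
    }
    return id_type in patterns and re.fullmatch(patterns[id_type], value) is not None


def peer_id_matches(configured: str, presented: str, check: str = "exact") -> bool:
    """Apply the Peer ID Check to the ID the peer presents in its IKE ID payload.
    Exact: both strings must be identical. Wildcard: every character before the
    '*' must match and everything after it is ignored, so a configured value that
    starts with '*' accepts any peer ID. No '*' in wildcard mode means exact (assumption)."""
    if check not in ("exact", "wildcard"):
        raise ValueError(f"unknown Peer ID Check: {check}")
    if check == "wildcard" and "*" in configured:
        return presented.startswith(configured.split("*", 1)[0])
    return configured == presented


def negotiated_version(local_mode: str, peer_supports_ikev2: bool) -> Optional[str]:
    """Version used for modes ikev1, ikev2 and ikev2-preferred. Only the preferred
    mode falls back to IKEv1; an IKEv2-only gateway facing an IKEv1-only peer is
    reported as None (assumed way of signalling that negotiation cannot proceed)."""
    if local_mode == "ikev1":
        return "IKEv1"
    if local_mode == "ikev2":
        return "IKEv2" if peer_supports_ikev2 else None
    if local_mode == "ikev2-preferred":
        return "IKEv2" if peer_supports_ikev2 else "IKEv1"
    raise ValueError(f"unknown Version: {local_mode}")


def ikev1_exchange_mode(local: str, peer: str) -> Optional[str]:
    """Exchange mode two IKEv1 peers can agree on, or None if neither accepts the other.
    auto accepts both main and aggressive but initiates in main whenever possible;
    a peer not set to auto only accepts requests in its own mode."""
    if local == "auto" and peer == "auto":
        return "main"
    if local == "auto":
        return peer
    if peer == "auto":
        return local
    return local if local == peer else None


def liveness_check(peer_answers: Callable[[int], bool], max_attempts: int = 10) -> str:
    """IKEv2 liveness check: up to 10 requests; if none is answered the initiator
    deletes the IKE_SA and CHILD_SA and starts over with IKE_SA_INIT.
    peer_answers(attempt) is a constructed stand-in for whether the peer replied."""
    for attempt in range(1, max_attempts + 1):
        if peer_answers(attempt):
            return f"alive after {attempt} request(s)"
    return "IKE_SA and CHILD_SA deleted; restarting with IKE_SA_INIT"
```

Call the functions with your own values: peer_id_matches("gw-*.example.com", "gw-east.example.com", "wildcard") returns True while the same pair under "exact" returns False, which is exactly the difference the Peer ID Check setting makes; ikev1_exchange_mode("main", "aggressive") returns None because two non-auto peers must share a mode.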
