Create an IPsec Profile

Let us learn to create an IPsec profile.
To create and configure an IPsec VPN connection between a branch device and a cloud security service endpoint, you must configure both endpoints with the same crypto settings. Since crypto settings required to connect to the cloud security service are likely to be the same across all ION devices, an IPsec profile can be configured once and reused across all ION devices.
Before you configure the IPsec profile on Prisma SD-WAN, make sure you have the IPsec protocols and authentication details required to connect to the cloud security service endpoint or consult your cloud security service provider’s documentation for relevant details.
  1. Log in to Prisma SD-WAN web interface and navigate to
    Policies
    Policies (Original)
    or
    Stacked Policies
    and then select
    IPsec Profiles
    .
  2. To add a new IPsec Profile, click
    Add IPsec Profile
    .
    If there are previously created IPsec profiles, these will display.
  3. On the
    Info
    screen, enter a name for the IPsec Profile and
    (optional)
    enter a description and tags.
  4. Click
    Next
    and proceed to define the IKE Group.
    1. For the
      Key Exchange
      field, select
      IKEv1
      or
      IKEv2
      .
    2. Enter a life time for the IKE Group from the
      Lifetime
      drop-down if required.
      The default lifetime of an IKE Group is 24 hours. The tunnel will have to be re-established after the life time expires.
    3. Enter the port number of the communication port in the Port field.
      The default port is 500. The port number configured in the IKE group has to be the same as the port number configured in the standard VPN endpoint IKE group.
    4. Select the mode of operation from the Mode drop-down.
      The mode for IKEv1 can be Main or Aggressive. Choose the aggressive mode if the source interface or endpoint is behind NAT or there are multiple tunnels to the same remote endpoint.
      The mode for IKEv2 is ReAuth. If selected, then a new tunnel has to be re-negotiated when the lifetime is reached.
    5. On the
      Proposals
      screen, select a
      DH Group
      ,
      Encryption
      and
      Hash
      .
      Proposals is a list of crypto parameters to be used to secure the IKE and ESP sessions between the ION device and the endpoint.
      The set of parameters selected in the
      Proposals
      screen have to be identical to the set of parameters selected for the standard VPN endpoint. You can add a proposal by clicking
      Add Proposal
      . Up to 8 proposals can be added. While establishing the IPsec tunnel, the system checks for a proposal match with the standard VPN endpoint.
    6. Select if Dead Peer Detection (DPD) is to be enabled from the
      DPD
      tab.
      If enabled, enter the DPD delay and DPD timeout in seconds for IKEv1. If DPD fails within the configured timeout period, a new tunnel is attempted. For IKEv2, there is no DPD timeout; instead a series of 5 retransmissions is used.
  5. Click
    Next
    and proceed to define the
    ESP Group
    .
    1. Enter a life time for the ESP Group from the Lifetime drop-down if required.
      The default lifetime of an ESP Group is 24 hours.
    2. Choose the type of encapsulation from the Encapsulation drop-down.
      You can choose Auto or Force UDP. The type of encapsulation selected has to match the encapsulation configured at the standard VPN endpoint.
    3. Configure parameters in the
      Proposal
      tab, and then click
      Next
      .
  6. On the
    Authentication
    screen, select the authentication type as either
    PSK
    or
    Certificates
    from the
    Type
    drop-down.
    • For PSK authentication:
      1. Enter a secret in the
        Secret
        field.
        This field is mandatory.
      2. For the Local ID Type, choose between Interface IP Address, Hostname or Custom.
      3. Enter an optional ID for the standard VPN endpoint in the
        Remote ID
        field.
    • For Certificate authentication:
      1. For the
        Certificate
        field, upload the certificate by clicking
        Import File
        .
      2. Similarly upload a CA certificate in the
        Local CA Certificate
        field and a private key file in the
        Private Key
        field.
      3. (Optional)
        You can choose to upload the standard VPN endpoint CA certificate in the
        Remote CA Certificate
        field.
  7. Click
    Next
    to proceed to the
    Summary
    screen.
  8. Review the parameters selected and click
    Save and Exit
    .
    All new customer tenants should have the default IPsec profiles allocated which match the best practices of some of our cloud partners. These default profiles can be copied and manipulated to meet the needs specific to standard VPN services. If these default profiles are not present on your tenant, open a support case to have them allocated.

Recommended For You