Create an IPsec Profile
Let us learn to create an IPsec profile.
To create and configure an IPsec VPN connection between a branch device and a cloud security service endpoint, you must configure both endpoints with the same crypto settings. Since crypto settings required to connect to the cloud security service are likely to be the same across all ION devices, an IPsec profile can be configured once and reused across all ION devices.
Before you configure the IPsec profile on Prisma SD-WAN, make sure you have the IPsec protocols and authentication details required to connect to the cloud security service endpoint or consult your cloud security service provider’s documentation for relevant details.
- Log in to Prisma SD-WAN web interface and navigate toorPoliciesPolicies (Original)Stacked Policiesand then selectIPsec Profiles.
- To add a new IPsec Profile, clickAdd IPsec Profile.If there are previously created IPsec profiles, these will display.
- On theInfoscreen, enter a name for the IPsec Profile andenter a description and tags.(optional)
- ClickNextand proceed to define the IKE Group.
- For theKey Exchangefield, selectIKEv1orIKEv2.
- Enter a life time for the IKE Group from theLifetimedrop-down if required.The default lifetime of an IKE Group is 24 hours. The tunnel will have to be re-established after the life time expires.
- Enter the port number of the communication port in the Port field.The default port is 500. The port number configured in the IKE group has to be the same as the port number configured in the standard VPN endpoint IKE group.
- Select the mode of operation from the Mode drop-down.The mode for IKEv1 can be Main or Aggressive. Choose the aggressive mode if the source interface or endpoint is behind NAT or there are multiple tunnels to the same remote endpoint.The mode for IKEv2 is ReAuth. If selected, then a new tunnel has to be re-negotiated when the lifetime is reached.
- On theProposalsscreen, select aDH Group,EncryptionandHash.Proposals is a list of crypto parameters to be used to secure the IKE and ESP sessions between the ION device and the endpoint.The set of parameters selected in theProposalsscreen have to be identical to the set of parameters selected for the standard VPN endpoint. You can add a proposal by clickingAdd Proposal. Up to 8 proposals can be added. While establishing the IPsec tunnel, the system checks for a proposal match with the standard VPN endpoint.
- Select if Dead Peer Detection (DPD) is to be enabled from theDPDtab.If enabled, enter the DPD delay and DPD timeout in seconds for IKEv1. If DPD fails within the configured timeout period, a new tunnel is attempted. For IKEv2, there is no DPD timeout; instead a series of 5 retransmissions is used.
- ClickNextand proceed to define theESP Group.
- Enter a life time for the ESP Group from the Lifetime drop-down if required.The default lifetime of an ESP Group is 24 hours.
- Choose the type of encapsulation from the Encapsulation drop-down.You can choose Auto or Force UDP. The type of encapsulation selected has to match the encapsulation configured at the standard VPN endpoint.
- Configure parameters in theProposaltab, and then clickNext.
- On theAuthenticationscreen, select the authentication type as eitherPSKorCertificatesfrom theTypedrop-down.
- For PSK authentication:
- Enter a secret in theSecretfield.This field is mandatory.
- For the Local ID Type, choose between Interface IP Address, Hostname or Custom.
- Enter an optional ID for the standard VPN endpoint in theRemote IDfield.
- For Certificate authentication:
- For theCertificatefield, upload the certificate by clickingImport File.
- Similarly upload a CA certificate in theLocal CA Certificatefield and a private key file in thePrivate Keyfield.
- (Optional)You can choose to upload the standard VPN endpoint CA certificate in theRemote CA Certificatefield.
- ClickNextto proceed to theSummaryscreen.
- Review the parameters selected and clickSave and Exit.All new customer tenants should have the default IPsec profiles allocated which match the best practices of some of our cloud partners. These default profiles can be copied and manipulated to meet the needs specific to standard VPN services. If these default profiles are not present on your tenant, open a support case to have them allocated.
Recommended For You
Recommended videos not found.