Create a VPN with IPsec

Although each IPsec VPN must be defined by a minimum set of parameters, each vendor's VPN gateway and/or VPN client provides a different step-by-step process to configure the parameters, and they often use different terminology than the Threat Management Services (TMS) zl Module. (See terminology comparison.)

To configure an IPsec VPN on the TMS zl Module, you must first decide whether you will use manual keying or IKEv1 to negotiate the IPsec Security Association (SA) encryption keys. Consult the figure below to see which steps to follow for each key-exchange method. Click on a step in the figure to see how to configure the parameters for that step.


Each step below is followed by a short description of what it includes.

IKEv1 Key Negotiation

  1. Create an IKEv1 policy.

    In the IKEv1 policy, you specify the following parameters:

    • Site-to-Site or Client-to-Site

    • Local and Remote Gateway IPs

    • Local and Remote Identities

    • Main or Aggressive Key Exchange Mode

    • Preshared Key or Certificate Authentication Method

    • Security Parameters Proposal

    • Diffie-Hellman Group

    • Encryption Algorithm

    • Authentication Algorithm

    • IKE SA Lifetime

    • XAUTH (eXtended AUTHentication) (not for Microsoft L2TP clients)

    Configure IKEv1 policies on VPN > IPsec > IKEv1 Policies.


  2. If you are using certificates for IKE authentication, install the certificates.

    You must install:

    • A root certificate for the CA that authenticates the local gateway

    • A root certificate for the CA that authenticates the remote endpoint

    • A self certificate


    See instructions here.


  3. Create named objects.

    It is best practice to create named objects for the firewall and VPN configuration, such as:

    • IP or domain name address objects for the VPN gateways

    • IP range or network address objects for remote clients

    • IP range or network address objects for IKE mode config addresses, if used

    • Network or domain name address objects for VLANs

    • Service objects for the VPN protocols

    See instructions here.


  4. Create an IPsec proposal.

    For the IPsec proposal, you configure the following parameters:

    • Tunnel or Transport Encapsulation Mode

    • ESP or AH

    • Encryption Algorithm for ESP

    • Authentication Algorithm

    Configure IPsec proposals on VPN > IPsec > IPsec Proposals.


  5. Create an IPsec policy.

    For the IPsec policy, you must configure the following parameters:

    • Apply, Bypass, or Ignore Action

    • Policy Priority

    • Traffic Selector

    • IKE Key Exchange Method

    • SA Lifetime in Seconds and/or KB

    • IKE Mode Config (Client-to-Site, HP ProCurve VPN clients only)

    • Optional Settings:

        • IP Compression

        • Anti-Replay Window Size

        • Extended Sequence Number

        • Re-Key on Sequence Number Overflow

        • Persistent Tunnel

        • Fragment Before IPsec

        • Copy DSCP Value from Clear Packet

        • DF Bit Handling

    Configure IPsec policies on VPN > IPsec > IPsec Policies.

  6. Create firewall access policies for the VPN traffic.

    To permit VPN traffic, you must configure the firewall to do some or all of the following:

    • permit VPN traffic from the local endpoints to the remote endpoints

    • permit VPN traffic from the remote endpoints to the local endpoints

    • permit IKE messages from the remote gateway or client to SELF

    • permit IKE messages from SELF to the remote gateway (site-to-site)

    • (IKE mode config) permit VPN traffic from the local endpoints to the IKE mode config addresses

    See instructions here.

  7. Create static routes.

    If the module's default gateway leads to the Internet, that is usually sufficient.

    In some cases, you will need to configure a static route to the remote clients.

    See instructions here.

Manual Keying

  1. Create named objects.

    It is best practice to create named objects for the firewall and VPN configuration, such as:

    • IP or domain name address objects for the VPN gateways

    • IP, range, or network address objects for remote clients

    • IP range or network address objects for IKE mode config addresses, if used

    • Network address objects for VLANs

    • Service objects for the VPN protocols

    See instructions here.


  2. Create an IPsec proposal.

    For the IPsec proposal, you configure the following parameters:

    • Tunnel or Transport Encapsulation Mode

    • ESP or AH

    • Encryption Algorithm for ESP

    • Authentication Algorithm

    Configure IPsec proposals on VPN > IPsec > IPsec Proposals.


  3. Create an IPsec policy.

    For the IPsec policy, you must configure the following parameters:

    • Apply, Bypass, or Ignore Action

    • Policy Priority

    • Traffic Selector

    • SA Lifetime in Seconds and/or KB

    • Local and Remote Gateway

    • SPI

    • Encryption keys for ESP

    • Authentication keys

    • Optional Settings:

        • IP Compression

        • Anti-Replay Window Size

        • Extended Sequence Number

        • Re-Key on Sequence Number Overflow

        • Persistent Tunnel

        • Fragment Before IPsec

        • Copy DSCP Value from Clear Packet

        • DF Bit Handling

    Configure IPsec policies on VPN > IPsec > IPsec Policies.

    See instructions for manual keying here.

  4. Create firewall access policies for the VPN traffic.

    To permit VPN traffic, you must configure the firewall to:

    • permit VPN traffic from the local endpoints to the remote endpoints

    • permit VPN traffic from the remote endpoints to the local endpoints

    See instructions here.


  5. Create static routes.

    If the module's default gateway leads to the Internet, that is usually sufficient.

    In some cases, you will need to configure a static route to the remote clients.

    See instructions here.
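The firewall access policies required by IKEv1 step 6 and manual-keying step 4 above differ by key-exchange method, VPN type, and whether IKE mode config is used. The following added example (not code from the TMS zl Module or its documentation) derives that rule set from a short description of the VPN; the VpnSpec and Rule types, the named-object names, and the "any" service are constructed for the illustration, and the IKE UDP ports are IETF-assigned values rather than values taken from this page.

```python
from dataclasses import dataclass
from typing import List, Optional

# Service objects for the VPN protocols (named objects step). The port numbers
# are the IANA-assigned IKE and IKE NAT-Traversal ports, not values from the page.
IKE_SERVICES = ("udp/500", "udp/4500")


@dataclass(frozen=True)
class Rule:
    """One firewall access policy: permit `service` from `src` to `dst`."""
    src: str
    dst: str
    service: str


@dataclass
class VpnSpec:
    """Constructed description of a VPN, using named-object names."""
    keying: str                 # "ikev1" or "manual"
    site_to_site: bool          # False means client-to-site
    local_endpoints: str        # address object for the local networks
    remote_endpoints: str       # address object for remote networks or clients
    remote_gateway: str         # address object for the remote gateway/clients
    mode_config_pool: Optional[str] = None  # IKE mode config addresses, if used


def firewall_rules(spec: VpnSpec) -> List[Rule]:
    """Return the access policies the procedure above calls for."""
    if spec.keying not in ("ikev1", "manual"):
        raise ValueError("keying must be 'ikev1' or 'manual'")
    if spec.mode_config_pool and (spec.keying == "manual" or spec.site_to_site):
        # Mode config is negotiated by IKE and only for client-to-site VPNs.
        raise ValueError("IKE mode config applies to IKEv1 client-to-site only")
    rules = [
        # Both procedures: permit the protected traffic in each direction.
        Rule(spec.local_endpoints, spec.remote_endpoints, "any"),
        Rule(spec.remote_endpoints, spec.local_endpoints, "any"),
    ]
    if spec.keying == "ikev1":
        # IKE messages from the remote gateway or client to SELF.
        rules += [Rule(spec.remote_gateway, "SELF", s) for s in IKE_SERVICES]
        if spec.site_to_site:
            # Site-to-site: the module may initiate, so also SELF to the gateway.
            rules += [Rule("SELF", spec.remote_gateway, s) for s in IKE_SERVICES]
        if spec.mode_config_pool:
            # Mode config: local endpoints must reach the assigned client addresses.
            rules.append(Rule(spec.local_endpoints, spec.mode_config_pool, "any"))
    return rules
```

Manual keying produces only the two endpoint-to-endpoint rules, because no IKE exchange takes place; a client-to-site IKEv1 VPN omits the SELF-to-remote IKE rules, since the module never initiates toward a client.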