IPSec compatibility is available to provide a VPN tunnel between a VergeIO network and a third-party IPSec Peer.
Notes:
--None-- to create a separate VPN network, where connections to other VergeIO networks are all handled with layer 3 routing. (Recommended method)
-OR-
Select an existing network to attach the VPN network directly to that network via layer 2.
Note: if an existing network is selected for the Interface Network and VPN connectivity is needed
to additional VergeIO networks, further routing rules will be needed and additional unnecessary network hops will be introduced; therefore, if the VPN will need to connect to multiple networks and will be utilizing a public IP address (recommended), it is best to select --None-- for interface network and handle connections to all networks via layer 3 routing.
Common general IPSec settings are set by default; these settings can be modified if needed: From the VPN Network Dashboard, click Edit IPSec from the left menu.
Configuration Mode
default = normal normal - typically used, includes common IPSec configuration fields advanced - allows for advanced/extensive/out-of-the-ordinary IPSec configuration contained within conf files - contact Verge.io Support for assistance.
Unique IDs
Propose IPComp Compression (default disabled)
Exclude My Network
Cisco Extensions Unencrypted ID and HASH payloads in IKEv1 Main Mode (default=disabled)
MSS Clamp (default=0/disabled)
Strict CRL Policy (default=No)
Make Before Break (default disabled)
An initial phase 1 is automatically created (named "phase-I") with default settings; if necessary, these settings can be modified:
From the VPN Network Dashboard, click IPSec Tunnels on the left menu; click to select phase-I in the listing; Click Edit on the left menu.
Key Exchange Version
Remote Gateway address (required); the WAN address at the other IPSec peer.
(Encryption) Algorithm.(default AES)
Key Length, Hash, and DH Group settings (options will vary depending upon Algorithm selected).
Note: Some algorithms do not provide strong security and are therefore not recommended, such as Blowfish, 3DES, CAST128, MD5, SHA1, DH groups 1,2,22,23,24
Auto-expiration setting for SAs: Lifetime/Units. (Default: 3 Hours)
Pre-Shared Key - can be manually entered or the Generate button can be used to create a random, secure value for a pre-shared key.
Negotiation Mode
Identifier address (leave blank to use current IP).
Peer Identifier (can be left blank to use the address currently specified as the VPN Remote Gateway).
Connection Behavior defines the behavior to occur at IPSec startup:
Force UDP Encapsulation (default=disabled) - when enabled, UDP encapsulation is forced even when NAT is not detected.
Keying Tries - the number of attempts to negotiate a connection, or a replacement for one, before giving up. The value 0 means to never give up; this setting is only relevant locally so the other end does not need to have the same setting.
Rekey (default=enabled) - option can be disabled/turned off to prevent local initiation of renegotiating a connection about to expire; however, it does not affect renegotiation requests that come from the other peer.
Margintime - defines the length of time to elapse before a replacement negotiation for expired keying-channel/connection; this setting is only relevant locally so the other end does not need to have the same setting.
Dead Peer Detection - defines the default action to perform on a timeout:
DPD Delay (default=30 seconds) - defines time interval R_U_There messages/INFORMATIONAL exchanges sent to the peer, which are only sent when there is no other traffic.
DPD Failures - defines the maximum number of failures in which to automatically delete peer connections after inactivity (This setting does not apply to IKEv2.)
If necessary, additional Phase I definitions can be added, if needed: From the VPN Network Dashboard, click IPSec Tunnels on the left menu; click New on the left menu.
A Phase 2 must be created in order to create a working IPSec connection.
Networking configuration will be necessary for IPSec traffic. The following network rules are auto-created for a new VPN Network:
Additional network configuration (e.g. firewall rules, routing) may be required depending upon specific network and IPSec design. The configuration will be significantly more complex if NAT is involved. Consult Verge.io support if further networking assistance is required.
From the VPN Network Dashboard, click Power On on the left menu.
Need more Help? Email support@verge.io or call us at (855) 855-8300