Configuring Sites with IPsec Connections

Configuring Sites with IPsec Connections

You can use IPsec tunnels to connect sites and the internal networks to the Cato Cloud and remote networks. Generally sites with IPsec connections are used for:

  • Sites that are in a public cloud such as AWS and Azure

  • Sites for offices that use a 3rd party firewall

The Cato Cloud supports IPsec connections for IKEv1 and IKEv2. We recommend that you use IKEv2, however some technologies only support IKEv1.

For Cisco ASA appliances, there is a known incompatibility with Cato IKEv2 sites, see Configuring IPsec IKEv2 Sites.

For FTP traffic, Cato recommends configuring the FTP server with a connection timeout of 30 seconds or higher.

Selecting the IPsec IKEv1 Connection Type

The IPsec IKEv1 Connection Type for IPsec IKEv1 is Cato-Initiated. The Cato Cloud is responsible for creating the IPsec connection to the site. If the connection goes down, then the Cato Cloud attempts to re-establish it

Configuring the Native Range

The native range for a site is the IPv4 address (and CIDR) for the primary LAN network that is behind the firewall or router device.

You can configure the native range settings in Network > <site> > Site Configuration > Networks. You can also use this section to configure additional network ranges for the site.

Configuring the VPN Tunnels

IPsec sites support a primary and an optional secondary VPN tunnel. You can configure each tunnel to connect to a different PoP to provide resiliency. However, unlike Cato Sockets, IPsec connections do not automatically connect to different PoPs if there is a problem. They can only connect to the Destination IP address that is configured for each tunnel.


IMPORTANT: We strongly recommend that you configure a secondary tunnel (with different Cato public IPs) for high availability. Otherwise, there is a risk that the site can lose connectivity to the Cato Cloud.

For sites that use IKEv1, there are pre-configured Service Types for AWS and Azure.

  • Cato IP (Egress) for the Primary and Secondary tunnels - The source IP addresses are the PoP IP addresses that initiates the IPsec tunnel. Select the available IP address for the PoP. If you need more IP addresses, use the IP Allocation Settings option to define other IP addresses.

  • Site IP for the Primary and Secondary tunnels - The IP addresses for the site that are used for the VPN tunnels.

  • Bandwidth - You can use the Cato Management Application to control the maximum upstream and downstream bandwidth from the Cato Cloud to each site. If you do not want to configure a specific bandwidth value for a site, we recommend that you use the actual bandwidth from the ISP or according to your Cato Networks license.

  • Private IPs - The IP addresses that are inside the VPN tunnel that are used to configure BGP dynamic routing for a site.

  • Primary and Secondary PSK - The public pre-shared keys (PSKs) for the VPN tunnels.

Configuring Routing for IKEv1

IPsec IKEv1 sites have the option to select the Routing options for Phase II VPN tunnel:

  • Implicit - A single tunnel is used to route all internal LAN traffic for the site to the remote IP addresses.

  • Specific - In the Network Ranges field, define the source IP ranges for the WAN traffic that is transmitted over the IPsec connection in a Phase II tunnel. Define the remote IP ranges on the other side of the IPsec tunnel. Then there is a full mesh between the local and remote IP ranges.

Configuring IKEv2 Settings

IPsec IKEv2 sites have these additional settings that you can configure:

  • Initiate Connection by Cato - You can configure who initiates the connection of the VPN tunnel, the Cato Cloud or the firewall. By default, this feature is enabled so that the Cato Cloud initiates the IPsec connection and minimizes downtime.

  • Network Ranges - For deployments where there are SAs (Security Associations) that are defined for the remote network, enter the range of IP addresses for these SAs.


Note: We strongly recommend that you use the default setting and enable the Initiate Connection by Cato feature.

Was this article helpful?

2 out of 5 found this helpful


  • Comment author
    Roy Phillips

    Where it states in configuring  Routing for IKEv1

    "Specific - In the Network Ranges field, define the specific range of internal and remote IP addresses for each VPN tunnel."

    do you mean you define the IP addreses of the source and destination?

    Could do with a picture to confirm this

  • Comment author
    Yaakov Simon


    Excellent feedback. The description was imprecise and I updated it.

    In the Network Ranges field you can create SAs for the site, enter the specific local IP ranges for that site that are sent through the IPsec tunnel. Then on the firewall on the other side of the tunnel, define the remote destination IP ranges for the encrypted traffic.



Add your comment