This article discusses how to create and configure sites that use the IPsec IKEv2 connection type. For more about creating a new site, see Using the Cato Management Application to Add Sites.
Cato can initiate and maintain IPsec tunnels from selected PoPs towards your sites and/or cloud data centers using the IPsec IKEv2 protocol.
Note
Notes:
If you are sending only part of your network traffic over the Cato Cloud, configure your network equipment to include the following IP addresses in your routing table to Cato Cloud:
-
10.254.254.1
-
10.254.254.5
-
10.254.254.253
-
10.41.0.0/16 unless you configured your network's own VPN Users' IP address range (as described in Configuring VPN Client Settings for the Account).
Cato lets you connect your AWS VPC to the Cato Cloud using BGP over two IPsec tunnels for a high availability (HA) configuration. AWS dual tunnels are supported only when you define two customer gateways, and each one represents a different Cato public IP address. These are the requirements:
-
Two Cato public IP addresses
-
Configure two customer gateways in the same VPC and each one is assigned to a Cato public IP address
-
In AWS, configure two site-to-site connections
After you create a new site that uses IPsec IKEv2 to connect to the Cato Cloud, edit the site and configure the IPsec settings.
IMPORTANT! We strongly recommend that you configure a secondary tunnel (with different Cato public IPs) for high availability. Otherwise, there is a risk that the site can lose connectivity to the Cato Cloud.
You can choose to manage the downstream and upstream bandwidth for an IPsec site. If you want the Cato Cloud to cap your downstream bandwidth, enter the required limits accordingly. Otherwise, enter the values as defined by your ISP link's actual connection speed. If you don't know the ISP connection speed, configure the downstream bandwidth according to this site's license. For the upstream bandwidth, the Cato Cloud doesn't control the upstream traffic, and it isn't possible to cap it with a hard limit. Instead, the upstream bandwidth setting is a best-effort by the Cato Cloud.
For IPsec sites with bandwidth greater than 100Mbps, use only the AES 128 GCM-16 or AES 256 GCM-16 algorithms. AES CBC algorithms are only used on sites with bandwidth less than 100Mbps.
Cato IPsec IKEv2 sites support nonce length of up to 256 bits.
For FTP traffic, Cato recommends configuring the FTP server with a connection timeout of 30 seconds or higher.
You may set the IPSec shared secret (PSK) up to 64 characters.
Note
Note: If you enter upstream/downstream values that are greater than the actual connection speed of your ISP's link, the Socket QoS engine is ineffective.
For more about QoS in Cato, see What are the Cato Bandwidth Management Profiles.
To configure the settings for an IPsec IKEv2 site:
-
From the navigation menu, click Network > Sites and select the site.
-
From the navigation menu, click Site Settings > IPsec.
-
Expand the Primary section, and configure the following settings for the primary IPsec tunnel:
-
In Public IP > Cato IP (Egress), select the Cato PoP and IP address that initiates the IPsec tunnel.
If you need a different IP address allocated to your account, click IP Allocation Settings and select the PoP location and IP address.
-
In Public IP > Site IP, enter the public IP address where the IPsec tunnel is initiated.
-
For sites that use BGP dynamic routing, you can enter the Private IPs that are inside the VPN tunnel.
-
In Bandwidth, configure the maximum Downstream and Upstream (Mbps) available bandwidth for the site.
-
In Primary PSK, click Edit Password to enter the shared secret for the primary IPsec tunnel.
Note: You can optionally use the same allocated IP address for one or more IPsec sites as long as the Site IP is different for each site. Cato recommends using different allocated IPs per each site.
-
-
(Optional) Expand the Init Message Parameters section, and configure the settings.
As most IPsec IKEv2-supporting solutions implement automatic negotiation of the following Init and Auth parameters, Cato recommends setting them to Automatic unless specifically instructed to by your firewall vendor.-
In the Algorithms section, select the Encryption Algorithm: Automatic (default), AES-CBC-128, AES-CBC-256, AES-GCM-128, or AES-GCM-256
-
In the Algorithms section, select the Pseudo Random Function, PRF Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384, or SHA2 512
-
In the Algorithms section, select the Integrity Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384, or SHA2 512
-
In Diffie-Hellman Group, select the key length that is used in the encryption: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit) (default), or 16 (4096-bit)
-
-
(Optional) Expand the Auth Parameters section, and configure the settings.
-
In the Algorithms section, select the Encryption Algorithm: Automatic (default), AES-CBC-128, AES-CBC-256, AES-GCM-128, or AES-GCM-256
-
In the Algorithms section, select the Integrity Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384, or SHA2 512
-
In Diffie-Hellman Group, select the key length that is used in the encryption: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit) (default), or 16 (4096-bit)
-
-
Expand the Routing section, and define the routing options for the site:
-
For IPsec connections with a remote side that has SAs (Security Associations) defined for this tunnel, in the Network Ranges section, enter the local IP ranges for the SAs in this format <label:IP range> and click Add.
The remote IP ranges for the SAs are configured in the Site Configuration > Networks screen.
-
To enable the Cato Cloud to proactively attempt to re-establish a connection that is down, without waiting for the other side, select Initiate connection by Cato. Otherwise, the firewall attempts to re-establish the connection.
Note
Note: If no Network Ranges are configured for the site, it is considered as route-based VPN (implicit: 0.0.0.0 <> 0.0.0.0).
-
-
Click Save.
- For sites that use a secondary IPsec tunnel, expand the Secondary section and configure the settings in the previous step.
-
To show your connection details and status of the IPsec tunnel for this site, click Connection Status.
This is the list of the default values for the following IKEv2 parameters. If you need a custom value, please contact Support.
|
Parameter |
Value |
|---|---|
|
Keep-alive check (sends empty information requests). Number of seconds after the site doesn't receive any data on the tunnel. |
10 seconds |
|
Retransmit interval (in seconds). It's not possible to configure a custom value for this parameter.
|
10 seconds |
|
Maximum number of retransmissions. It's not possible to configure a custom value for this parameter.
|
5 retransmissions |
|
Maximum time interval that the site doesn't receive any data or responses to the keep-alive checks. After this time the site tears down the tunnel and attempts to rebuild it. |
60 seconds |
|
Time interval that the site attempts to rebuild a tunnel that is down and fails to come up. |
every 90 seconds |
|
IKE SA lifetime (IPsec phase 1). |
19,800 seconds (approximately 5.5 hours) |
|
Child SA lifetime (IPsec phase 2). |
3,600 seconds (1 hour) |
When creating a child SA, Cato sends multiple traffic selectors (TS) in the same TS payload in accordance with RFC 7295. Some third-party solutions, such as Cisco ASAs, only support a single TS in each child SA. A Cisco ASA will send a TS_UNACCEPTABLE message in response to a Cato proposal to create a child SA with multiple TS.
You can configure your account or a specific IPsec IKEv2 site to send each TS in a separate packet to support interoperability with these third-party solutions by enabling This configuration under Site Configuration > Advanced Configuration.
1 comment
Missing information is what the maximum throughput is of a Cato IPsec connection at the PoP, given that the other site has no limitations.
Please sign in to leave a comment.