Cato Networks Knowledge Base

Configuring IPsec IKEv2 Sites

This article discusses how to create and configure sites that use the IPsec IKEv2 connection type. For more about creating a new site, see Using the Cato Management Application to Add Sites.

Overview of IPsec IKEv2 Connections

Cato can initiate and maintain IPsec tunnels from selected PoPs towards your sites and/or cloud data centers using the IPsec IKEv2 protocol.

Notes:

If you are sending only part of your network traffic over the Cato Cloud, configure your network equipment to include the following IP addresses in your routing table to Cato Cloud:

Connecting Two Tunnels to an AWS VPC for HA

Cato lets you connect your AWS VPC to the Cato Cloud using BGP over two IPsec tunnels for a high availability (HA) configuration. AWS dual tunnels are supported only when you define two customer gateways, and each one represents a different Cato public IP address. These are the requirements:

  • Two Cato public IP addresses

  • Two customer gateways configured in the same VPC, each one assigned to a Cato public IP address

  • Two site-to-site connections configured in AWS

Configuring an IPsec IKEv2 Site

After you create a new site that uses IPsec IKEv2 to connect to the Cato Cloud, edit the site and configure the IPsec settings.

IMPORTANT! We strongly recommend that you configure a secondary tunnel (with different Cato public IPs) for high availability. Otherwise, there is a risk that the site can lose connectivity to the Cato Cloud.

You can choose to manage the downstream and upstream bandwidth for an IPsec site. If you want the Cato Cloud to cap your downstream bandwidth, enter the required limits accordingly. Otherwise, enter the values as defined by your ISP link's actual connection speed. If you don't know the ISP connection speed, configure the downstream bandwidth according to this site's license. The Cato Cloud doesn't control the upstream traffic, and it isn't possible to cap it with a hard limit. Instead, the Cato Cloud applies the upstream bandwidth setting on a best-effort basis.

For IPsec sites with bandwidth greater than 100 Mbps, use only the AES 128 GCM-16 or AES 256 GCM-16 algorithms. AES CBC algorithms are only used on sites with bandwidth less than 100 Mbps.

Cato IPsec IKEv2 sites support a nonce length of up to 256 bits.

Note: If you enter upstream/downstream values that are greater than the actual connection speed of your ISP's link, the Socket QoS engine is ineffective.

For more about QoS in Cato, see What are the Cato Bandwidth Management Profiles.

To configure the settings for an IPsec IKEv2 site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > IPsec.

  3. Expand the Primary section, and configure the following settings for the primary IPsec tunnel:

    • In Public IP > Cato IP (Egress), select the Cato PoP and IP address that initiates the IPsec tunnel.

      If you need a different IP address allocated to your account, click IP Allocation Settings and select the PoP location and IP address.

    • In Public IP > Site IP, enter the public IP address where the IPsec tunnel is initiated.

    • For sites that use BGP dynamic routing, you can enter the Private IPs that are inside the VPN tunnel.

    • In Bandwidth, configure the maximum Downstream and Upstream (Mbps) available bandwidth for the site.

    • In Primary PSK, click Edit Password to enter the shared secret for the primary IPsec tunnel.

  4. (Optional) Expand the Init Message Parameters section, and configure the settings.
    As most IPsec IKEv2-supporting solutions implement automatic negotiation of the following Init and Auth parameters, Cato recommends setting them to Automatic unless specifically instructed to by your firewall vendor.

    • In the Algorithms section, select the Encryption Algorithm: Automatic (default), AES-CBC-128, AES-CBC-256, AES-GCM-128, or AES-GCM-256

    • In the Algorithms section, select the Pseudo Random Function, PRF Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384, or SHA2 512

    • In the Algorithms section, select the Integrity Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384, or SHA2 512

    • In Diffie-Hellman Group, select the group, which sets the key length used for the key exchange: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit) (default), or 16 (4096-bit)

  5. (Optional) Expand the Auth Parameters section, and configure the settings.

    • In the Algorithms section, select the Encryption Algorithm: Automatic (default), AES-CBC-128, AES-CBC-256, AES-GCM-128, or AES-GCM-256

    • In the Algorithms section, select the Integrity Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384, or SHA2 512

    • In Diffie-Hellman Group, select the group, which sets the key length used for the key exchange: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit) (default), or 16 (4096-bit)

  6. Expand the Routing section, and define the routing options for the site:

    • For IPsec connections with a remote side that has SAs (Security Associations) defined for this tunnel, in the Network Ranges section, enter the local IP ranges for the SAs in this format <label:IP range> and click Add.

      The remote IP ranges for the SAs are configured in the Site Configuration > Networks screen.

    • To enable the Cato Cloud to proactively attempt to re-establish a connection that is down, without waiting for the other side, select Initiate connection by Cato. Otherwise, the firewall attempts to re-establish the connection.

      Note: If no Network Ranges are configured for the site, it is considered as route-based VPN (implicit: 0.0.0.0 <> 0.0.0.0).

  7. Click Save.

  8. For sites that use a secondary IPsec tunnel, expand the Secondary section and configure the settings in the previous step.
  9. To show your connection details and status of the IPsec tunnel for this site, click Connection Status.

Default IKEv2 Parameters for the Site

This is the list of the default values for the following IKEv2 parameters. If you need a custom value, please contact Support.

| Parameter | Value |
|---|---|
| Keep-alive check (sends empty information requests). Number of seconds after the site doesn't receive any data on the tunnel. | 10 seconds |
| Retransmit interval (in seconds). It's not possible to configure a custom value for this parameter. | 10 seconds |
| Maximum number of retransmissions. It's not possible to configure a custom value for this parameter. | 5 retransmissions |
| Maximum time interval that the site doesn't receive any data or responses to the keep-alive checks. After this time the site tears down the tunnel and attempts to rebuild it. | 60 seconds |
| Time interval that the site attempts to rebuild a tunnel that is down and fails to come up. | every 90 seconds |
| IKE SA lifetime (IPsec phase 1). | 19,800 seconds (approximately 5.5 hours) |
| Child SA lifetime (IPsec phase 2). | 3,600 seconds (1 hour) |

Known Incompatibilities for IKEv2 Sites

When creating a child SA, Cato sends multiple traffic selectors (TS) in the same TS payload in accordance with RFC 7295. Cisco ASAs, however, only support a single TS in each child SA. A Cisco ASA will send a TS_UNACCEPTABLE message in response to a Cato proposal to create a child SA with multiple TS.

If more than one TS is needed, the solution is to either create an IKEv1 tunnel or configure the ASA as a route-based VPN that uses only the 0.0.0.0-0.0.0.0 TS. Route-based VPNs are supported with Virtual Tunnel Interface (VTI) in Cisco IOS version 9.7 (see https://cloud.google.com/vpn/docs/how-to/interop-guides#vendor-specific-notes).
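
When troubleshooting this incompatibility from a decrypted IKEv2 capture, it helps to count the selectors in the TS payload. The following is an added example, not Cato code: it parses a TSi/TSr payload body using the layout in RFC 7296 section 3.13 and reports whether a single-TS peer would see one selector or several. The function names and sample bytes are constructed for illustration, and it assumes the route-based selector is encoded on the wire as the full range 0.0.0.0 to 255.255.255.255.

```python
import ipaddress
import struct

# TS types and selector layout from RFC 7296, section 3.13.1.
ADDR_LEN = {7: 4, 8: 16}   # TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE

def parse_ts_payload(body: bytes):
    """Parse a TSi/TSr payload body (the bytes after the generic payload header)."""
    if len(body) < 4 or body[0] == 0:
        raise ValueError("missing TS header or zero selectors")
    offset, selectors = 4, []              # 1-byte count + 3 reserved bytes
    for _ in range(body[0]):
        if len(body) - offset < 8:
            raise ValueError("truncated traffic selector")
        ts_type, proto, sel_len, p_lo, p_hi = struct.unpack_from("!BBHHH", body, offset)
        alen = ADDR_LEN.get(ts_type)
        if alen is None or sel_len != 8 + 2 * alen or offset + sel_len > len(body):
            raise ValueError("bad TS type or selector length")
        lo = ipaddress.ip_address(body[offset + 8:offset + 8 + alen])
        hi = ipaddress.ip_address(body[offset + 8 + alen:offset + sel_len])
        selectors.append((proto, p_lo, p_hi, lo, hi))
        offset += sel_len
    if offset != len(body):
        raise ValueError("trailing bytes after the last selector")
    return selectors

def classify_for_single_ts_peer(selectors):
    """Say how a peer that accepts one TS per child SA would see this payload."""
    if len(selectors) > 1:
        return "multiple-ts"               # the case answered with TS_UNACCEPTABLE
    proto, p_lo, p_hi, lo, hi = selectors[0]
    any_addr = int(lo) == 0 and int(hi) == 2 ** lo.max_prefixlen - 1
    if any_addr and (proto, p_lo, p_hi) == (0, 0, 65535):
        return "single-any"                # route-based: whole address space
    return "single-range"

def sample_ts(lo, hi):
    """Constructed sample selector: IPv4 range, any protocol, all ports."""
    return struct.pack("!BBHHH", 7, 0, 16, 0, 65535) + \
        ipaddress.ip_address(lo).packed + ipaddress.ip_address(hi).packed

# Constructed payloads, not taken from a real capture.
POLICY_BASED = bytes([2, 0, 0, 0]) + sample_ts("10.0.1.0", "10.0.1.255") \
    + sample_ts("10.0.2.0", "10.0.2.255")
ROUTE_BASED = bytes([1, 0, 0, 0]) + sample_ts("0.0.0.0", "255.255.255.255")

if __name__ == "__main__":
    for name, raw in (("policy-based", POLICY_BASED), ("route-based", ROUTE_BASED)):
        print(name, classify_for_single_ts_peer(parse_ts_payload(raw)))
```

A "multiple-ts" result on the site's proposal matches the condition described above; "single-any" is what a route-based configuration produces.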
