Configuring IPsec IKEv2 Sites

This article discusses how to create and configure sites that use the IPsec IKEv2 connection type. For more about creating a new site, see Using the Cato Management Application to Add Sites.

Overview of IPsec IKEv2 Connections

You can use IPsec tunnels to connect sites and internal networks to the Cato Cloud and remote networks. Sites with IPsec connections are used for:

  • Sites that are in a public cloud such as AWS or Azure

  • Sites for branches in different locations that sit behind a 3rd-party firewall

When configuring an IPsec IKEv2 site, you can initiate the connection using one of the following options:

  • Responder Only - Firewall init. The site’s device initiates the connection with the Cato PoP

  • Bidirectional – The connection can be initiated by your firewall or by Cato

Responder Only Connection Mode

Cato's IKEv2 Responder Only setting is a solution for edge appliances that have a dynamic IP address or are located behind a NAT device (such as a firewall or router). In this mode, the edge appliance on the remote end initiates and manages the IKEv2 connection.

In addition, when using Responder Only, you can configure Cato to use an FQDN as the Cato identifier. When you do so, Cato generates a hashed value and translates it into an IP address, and you can either let Cato assign the best PoP location for each tunnel or manually configure the PoP location for each tunnel.

For example, you configure the Connection Mode as Responder Only and the Destination Type as FQDN. Cato generates a hashed value of somevalue.ipsec.dev.catonetworks.org. This value is then configured in the remote site as the tunnel destination, and the DNS request for this FQDN is resolved by Cato. The PoP is automatically selected based on several parameters, such as geolocation, RTT, and more. In addition, if you follow the Cato best practices and define a primary and secondary tunnel when using FQDN, Cato automatically selects different PoP locations for ideal HA.

Alternatively, some firewall vendors do not support using an FQDN, in which case you can select IPv4 as the Destination Type. In this case, you must select a static PoP location, and if that PoP is unavailable for any reason, the tunnel is unavailable too. For information about defining static IP addresses, see IP Allocation Policy.

Bidirectional Connection Mode

In Bidirectional connection mode, either your device or Cato can initiate and maintain IPsec tunnels from selected PoPs towards your sites and/or cloud data centers using the IPsec IKEv2 protocol.

If a tunnel is unavailable, Cato does not have to wait for your device to initiate the connection so the tunnel can be reestablished quickly.

Bandwidth Management

You can choose to manage the downstream and upstream bandwidth for an IPsec site. If you want the Cato Cloud to cap your downstream bandwidth, enter the required limits accordingly. Otherwise, enter the values as defined by your ISP link's actual connection speed. If you don't know the ISP connection speed, configure the downstream bandwidth according to this site's license. For the upstream bandwidth, the Cato Cloud doesn't control the upstream traffic, and it isn't possible to cap it with a hard limit. Instead, the upstream bandwidth setting is a best effort by the Cato Cloud.

Note: If you enter upstream/downstream values greater than the actual connection speed of your ISP's link, the Socket QoS engine is ineffective.

For more about QoS in Cato, see What are the Cato Bandwidth Management Profiles.

Prerequisites

  • If you are sending only part of your network traffic over the Cato Cloud, configure your network equipment to include the following IP addresses in your routing table to the Cato Cloud:

    • 10.254.254.1

    • 10.254.254.5

    • 10.254.254.253

    • 10.41.0.0/16 unless you configured your network's own VPN Users' IP address range

  • For IPsec sites with bandwidth greater than 100 Mbps, use only the AES 128 GCM-16 or AES 256 GCM-16 algorithms. AES CBC algorithms are only used on sites with bandwidth less than 100 Mbps.

  • Cato IPsec IKEv2 sites support a nonce length of up to 256 bits.

  • For FTP traffic, Cato recommends configuring the FTP server with a connection timeout of 30 seconds or higher.

  • You may set the IPsec shared secret (PSK) to up to 64 characters.

  • For sites that connect to a Zscaler environment, an upgraded Zscaler license is required to enable encryption selection in Phase 2.

Adding the IKEv2 Site

Create a new IPsec IKEv2 site, and then configure it for the IKEv2 settings and assign the Cato allocated IP addresses for the primary and secondary tunnels. For more information, see Allocating IP Addresses for the Account.

To create a new IPsec site:

  1. From the navigation menu, click Network > Sites and click New.

    The Add Site panel opens.

  2. Configure the settings for the site:

    • Name: Name for the site

    • Type: The icon shown for the site on the Topology page

    • Connection Type: Select IPsec IKEv2

    • Country: The country in which the site is located.

    • State: State where the site is located (where applicable)

    • License: Select the appropriate bandwidth license for the site

    • Native Range: LAN subnet for the IPsec site

  3. Click Save.

Configuring the IPsec IKEv2 Settings

After you create a new site that uses IPsec IKEv2 to connect to the Cato Cloud, edit the site and configure the IPsec settings.

IMPORTANT: We strongly recommend that you configure a secondary tunnel (with different Cato public IPs) for high availability. Otherwise, there is a risk that the site can lose connectivity to the Cato Cloud.

Use the Connection Method settings to define whether the Cato PoP only responds to connections from the remote site, firewall init (Responder Only), or can also initiate connections (Bidirectional).

For sites that are working with dynamic IPs, the Cato Management Application generates a Local ID for the site, which is used for the Authentication Identifier that you select. Use the Authentication Identifier that is required by the third-party device: FQDN, email, or KEY_ID and enter the Local ID in the IKE settings of your third-party device.

In addition to the Local ID, configure a pre-shared key (PSK) for authentication. You can also define primary and secondary IPsec tunnels with BGP over the device which provides high availability. By doing so, the Cato Cloud automatically adjusts the BGP route metrics to prioritize the primary tunnel, and if it becomes disconnected, the site automatically moves to the secondary tunnel.

To configure the settings for an IPsec IKEv2 site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > IPsec.

  3. Expand the General section and define how the site connects and authenticates to the PoP:

    1. Select the Connection Mode for the site:

      • Responder Only – Firewall init. The site’s firewall initiates the connection and Cato responds

      • Bidirectional - The Cato PoP responds to negotiations for incoming connections and initiates outgoing negotiations.

    2. Select the Authentication Identifier.

      Bidirectional mode only supports IPv4 for the Authentication Identifier.

      • IPv4 - use the static IP address you configured in the Primary and Secondary sections for the site

        IPv6 is currently not supported with IPsec over the Cato PoP.

      • FQDN, Email, KEY_ID - generates the Local ID in one of these formats

  4. Expand the Primary section, and configure the following settings for the primary IPsec tunnel:

    • In Destination Type, select either FQDN or IPv4.

      • FQDN - Cato generates a hashed FQDN value that is unique to this specific tunnel. This is the value you provide to your firewall or BGP peer.

        When selected, you must also define the PoP Location. Cato recommends you use Automatic so that the best PoP is selected for you. If you select a specific location and are also configuring a secondary site, make sure you select different locations.

      • IPv4 - select a static IP address from Cato IP (Egress) drop-down.

    • In Public Site Identifier, enter the public IP address of the site, or its Local ID, from which the remote site initiates the IPsec tunnel.

    • In Private IPs:

      • Cato - enter the Cato PoP and IP address that initiates the IPsec tunnel

      • Site - enter the private IP address of the BGP peer

    • In Last-mile Bandwidth, configure the maximum Downstream and Upstream bandwidth (Mbps) available to the site

    • In Primary PSK, click Edit Password to enter the shared secret for the primary IPsec tunnel.

      Note: You can optionally use the same allocated IP address for one or more IPsec sites as long as the Site IP is different for each site. Cato recommends using a different allocated IP for each site.

  5. For sites that use a secondary IPsec tunnel, expand the Secondary section and configure the settings in the previous step and then click Save.

  6. (Optional) Expand the Init Message Parameters section, and configure the settings. See Init and Auth Parameters below for valid parameters.

    As most IPsec IKEv2-supporting solutions implement automatic negotiation of the following Init and Auth parameters, we recommend that you set them to Automatic, unless specifically instructed to by your firewall vendor.

  7. (Optional) Expand the Auth Parameters section, and configure the settings. See Init and Auth Parameters below for valid parameters.

  8. Expand the Routing section, and define the routing options for the site:

    • For IPsec connections with a remote side that has SAs (Security Associations) defined for this tunnel, in the Network Ranges section, enter the local IP ranges for the SAs in this format <label:IP range> and click Add.

      The remote IP ranges for the SAs are configured in the Site Configuration > Networks screen.

    • To enable the Cato Cloud to proactively attempt to re-establish a connection that is down, without waiting for the other side, select Initiate connection by Cato. Otherwise, the firewall attempts to re-establish the connection.

    Note: If no Network Ranges are configured for the site, it is considered as route-based VPN (implicit: 0.0.0.0 <> 0.0.0.0).

  9. Click Save.

    Wait at least 3 minutes before entering the primary and secondary FQDN values in your firewall to allow for the optimal PoP locations for these settings to be determined.

  10. To show your connection details and status of the IPsec tunnel for this site, click Connection Status.

Init and Auth Parameters

The following parameters are available when defining Init and Auth parameters. Cato recommends that you set these parameters to Automatic unless instructed otherwise by your firewall vendor.

Parameter | Valid Values
Encryption Algorithm | Automatic, AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256
Pseudo Random | Automatic, SHA1, SHA2 256, SHA2 384, SHA2 512
Integrity Algorithm | Automatic, SHA1, SHA2 256, SHA2 384, SHA2 512
Diffie-Hellman Group | 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit), 16 (4096-bit), 19 (256-bit random), 20 (384-bit random)
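The prerequisites (GCM-only above 100 Mbps, PSK of at most 64 characters), the Connection Mode and Authentication Identifier rules in the configuration steps, the label:IP range format of the Routing section, and the valid values in the table above are all easy to get wrong when preparing a site by hand. The following script is an added example, not Cato code or part of the Cato Management Application: it checks a site description against those rules before you enter it. The dictionary layout (keys such as connection_mode, ike_parameters, network_ranges) and the sample site values are assumptions made for this example.

```python
import ipaddress

# Valid values, taken from the Init and Auth Parameters table on this page.
ENCRYPTION = {"Automatic", "AES-CBC-128", "AES-CBC-256", "AES-GCM-128", "AES-GCM-256"}
HASHES = {"Automatic", "SHA1", "SHA2 256", "SHA2 384", "SHA2 512"}
DH_GROUPS = {2, 5, 14, 15, 16, 19, 20}
GCM_ONLY_ABOVE_MBPS = 100  # prerequisite: AES-GCM only for sites above 100 Mbps
MAX_PSK_LEN = 64           # prerequisite: PSK of up to 64 characters


def parse_network_ranges(entries):
    """Parse the 'label:IP range' strings entered in the Routing section.

    Returns (ranges, errors). An empty ranges list with no errors means the
    site is route-based (implicit 0.0.0.0 <> 0.0.0.0).
    """
    ranges, errors = [], []
    for entry in entries:
        label, sep, cidr = entry.partition(":")
        if not sep or not label.strip() or not cidr.strip():
            errors.append(f"network range {entry!r} is not in label:IP range format")
            continue
        try:
            ranges.append((label.strip(), ipaddress.ip_network(cidr.strip(), strict=False)))
        except ValueError:
            errors.append(f"network range {entry!r} has an invalid IP range")
    return ranges, errors


def is_route_based(site):
    ranges, errors = parse_network_ranges(site.get("network_ranges", []))
    return not ranges and not errors


def validate_site(site):
    """Return a list of findings for a site dict (hypothetical layout); [] means clean."""
    findings = []
    mode = site.get("connection_mode")
    ident = site.get("auth_identifier")
    if mode not in {"Responder Only", "Bidirectional"}:
        findings.append(f"unknown connection mode {mode!r}")
    if ident not in {"IPv4", "FQDN", "Email", "KEY_ID"}:
        findings.append(f"unknown authentication identifier {ident!r}")
    elif mode == "Bidirectional" and ident != "IPv4":
        findings.append("Bidirectional mode only supports the IPv4 authentication identifier")

    tunnels = {k: site[k] for k in ("primary", "secondary") if site.get(k)}
    if "secondary" not in tunnels:
        findings.append("no secondary tunnel: the site has no HA path to the Cato Cloud")
    for name, tunnel in tunnels.items():
        psk = tunnel.get("psk", "")
        if not psk:
            findings.append(f"{name}: PSK is empty")
        elif len(psk) > MAX_PSK_LEN:
            findings.append(f"{name}: PSK longer than {MAX_PSK_LEN} characters")
        if tunnel.get("destination_type") not in {"FQDN", "IPv4"}:
            findings.append(f"{name}: destination type must be FQDN or IPv4")
    # Two tunnels pinned to the same PoP give no HA; Automatic lets Cato pick different PoPs.
    locations = [t.get("pop_location") for t in tunnels.values()]
    if len(locations) == 2 and locations[0] == locations[1] and locations[0] not in (None, "Automatic"):
        findings.append("primary and secondary tunnels use the same PoP location")

    params = site.get("ike_parameters", {})
    enc = params.get("encryption", "Automatic")
    if enc not in ENCRYPTION:
        findings.append(f"unsupported encryption algorithm {enc!r}")
    for key in ("prf", "integrity"):
        if params.get(key, "Automatic") not in HASHES:
            findings.append(f"unsupported {key} algorithm {params[key]!r}")
    dh = params.get("dh_group")
    if dh is not None and dh not in DH_GROUPS:
        findings.append(f"unsupported Diffie-Hellman group {dh!r}")
    bandwidth = max((t.get("downstream_mbps", 0) for t in tunnels.values()), default=0)
    if bandwidth > GCM_ONLY_ABOVE_MBPS and enc.startswith("AES-CBC"):
        findings.append(f"{enc} is CBC; sites above {GCM_ONLY_ABOVE_MBPS} Mbps must use AES-GCM")

    findings.extend(parse_network_ranges(site.get("network_ranges", []))[1])
    return findings


# Constructed sample: a Responder Only site with two FQDN tunnels and explicit ranges.
EXAMPLE_SITE = {
    "connection_mode": "Responder Only",
    "auth_identifier": "FQDN",
    "primary": {"destination_type": "FQDN", "pop_location": "Automatic",
                "psk": "example-primary-psk-0123456789", "downstream_mbps": 500},
    "secondary": {"destination_type": "FQDN", "pop_location": "Automatic",
                  "psk": "example-secondary-psk-0123456789", "downstream_mbps": 500},
    "ike_parameters": {"encryption": "AES-GCM-256", "prf": "SHA2 256",
                       "integrity": "SHA2 256", "dh_group": 14},
    "network_ranges": ["lan:10.10.0.0/16", "dmz:10.20.5.0/24"],
}

if __name__ == "__main__":
    for line in validate_site(EXAMPLE_SITE) or ["no findings"]:
        print(line)
```

The check leaves Automatic alone, since the page recommends letting the devices negotiate the Init and Auth parameters; it only flags an explicitly chosen CBC algorithm on a site above 100 Mbps. A missing secondary tunnel is reported as a finding because the page treats a single tunnel as a connectivity risk.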

Default IKEv2 Parameters for the Site

This is the list of the default values for the following IKEv2 parameters. If you need a custom value, please contact Support.

Parameter | Value
Keep-alive check (sends empty informational requests). Number of seconds without receiving any data on the tunnel after which the site sends a keep-alive. | 10 seconds
Retransmit interval (in seconds). It's not possible to configure a custom value for this parameter. | 10 seconds
Maximum number of retransmissions. It's not possible to configure a custom value for this parameter. | 5 retransmissions
Maximum time interval during which the site receives no data and no responses to the keep-alive checks. After this time the site tears down the tunnel and attempts to rebuild it. | 60 seconds
Interval at which the site attempts to rebuild a tunnel that is down and fails to come up. | every 90 seconds
IKE SA lifetime (IPsec phase 1). You can configure the value for this parameter using advanced configurations for a site. | 19,800 seconds (approximately 5.5 hours)
Child SA lifetime (IPsec phase 2). | 3,600 seconds (1 hour)
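To see how the keep-alive, retransmit and teardown defaults above interact, the following added example (not Cato code) simulates the site's tunnel monitor second by second and shows the worst-case time from the last packet received to teardown. The timer values come from the table; the scenario timestamps and the names monitor and dead_peer_detection_time are constructed for this example, and two behaviours the page does not specify (the first rebuild attempt happening at teardown, and a packet received while down meaning the rebuild succeeded) are modelling assumptions.

```python
# Default IKEv2 timer values from the table on this page (seconds).
KEEPALIVE_AFTER_IDLE = 10   # keep-alive (empty informational request) after this much silence
RETRANSMIT_INTERVAL = 10    # gap between retransmissions of an unanswered request
MAX_RETRANSMITS = 5
DEAD_PEER_TIMEOUT = 60      # silence after which the site tears the tunnel down
REBUILD_INTERVAL = 90       # gap between rebuild attempts while the tunnel stays down


def dead_peer_detection_time():
    """Worst-case time from the last received packet to teardown.

    The first keep-alive plus five retransmissions at 10 s each lands exactly on
    the 60 s dead-peer timeout, so the defaults are mutually consistent.
    """
    return KEEPALIVE_AFTER_IDLE + MAX_RETRANSMITS * RETRANSMIT_INTERVAL


def monitor(rx_times, horizon):
    """Simulate the site's tunnel monitor one second at a time.

    rx_times: seconds (from 0) at which data arrived from the peer; constructed input.
    Returns (events, state) where events is a list of (second, description) and
    state is "up" or "down" at `horizon`.
    Modelling assumptions not stated on the page: the first rebuild attempt is
    made at teardown, and any packet received from the peer while the tunnel is
    down means the rebuild succeeded.
    """
    rx = set(rx_times)
    events, state = [], "up"
    last_rx, next_probe, probes, next_rebuild = 0, KEEPALIVE_AFTER_IDLE, 0, None
    for t in range(1, horizon + 1):
        if t in rx:
            if state == "down":
                events.append((t, "tunnel re-established"))
                state = "up"
            # Any received data resets the idle clock and the retransmit counter.
            last_rx, next_probe, probes = t, t + KEEPALIVE_AFTER_IDLE, 0
            continue
        if state == "down":
            if t == next_rebuild:
                events.append((t, "rebuild attempt"))
                next_rebuild = t + REBUILD_INTERVAL
            continue
        if t == next_probe and probes <= MAX_RETRANSMITS:
            events.append((t, "keep-alive sent" if probes == 0 else f"keep-alive retransmit {probes}"))
            probes += 1
            next_probe = t + RETRANSMIT_INTERVAL
        if t - last_rx >= DEAD_PEER_TIMEOUT:
            events.append((t, "tunnel torn down"))
            events.append((t, "rebuild attempt"))
            state, next_rebuild = "down", t + REBUILD_INTERVAL
    return events, state


def times_of(events, description):
    """Seconds at which a given event description occurred."""
    return [t for t, d in events if d == description]


# Constructed scenario: peer sends data at 5 s and 8 s, goes silent, then returns at 200 s.
SAMPLE_RX_TIMES = [5, 8, 200]

if __name__ == "__main__":
    evts, final_state = monitor(SAMPLE_RX_TIMES, 300)
    for second, what in evts:
        print(f"t={second:3d}s  {what}")
    print("state at 300 s:", final_state)
```

With these defaults a site that stops hearing from its peer at t=8 s sends its first keep-alive at 18 s, retransmits at 28, 38, 48, 58 and 68 s, and tears the tunnel down at 68 s, which is the 60 second limit from the last received packet. That 60 second window is the figure to plan around when you rely on the secondary tunnel for failover.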

Sending a Single Traffic Selector for IKEv2 Sites

When creating a child SA, Cato sends multiple traffic selectors (TS) in the same TS payload in accordance with RFC 7296. Some third-party solutions, such as Cisco ASAs, only support a single TS in each child SA. A Cisco ASA sends a TS_UNACCEPTABLE message in response to a Cato proposal to create a child SA with multiple TS.

You can configure your account or a specific IPsec IKEv2 site to send each TS in a separate packet, to support interoperability with these third-party solutions, by enabling this configuration under Site Configuration > Advanced Configuration.

Connecting Two Tunnels to an AWS VPC for HA

Cato lets you connect your AWS VPC to the Cato Cloud using BGP over two IPsec tunnels for a high availability (HA) configuration. AWS dual tunnels are supported only when you define two customer gateways, and each one represents a different Cato public IP address. These are the requirements:

  • Two Cato public IP addresses

  • Two customer gateways in the same VPC and each one is assigned to a Cato public IP address

  • In AWS, two site-to-site connections


5 comments

  • Comment author
    Bert-Jan Kamp

    Missing information is what the maximum throughput is of a Cato IPsec connection at the PoP, given that the other site has no limitations.

  • Comment author
    mark condeza

    Up!

  • Comment author
    Yaron Libman

    Updated to include information about FQDN configuration for Cato Responder mode connections.

  • Comment author
    Yaron Libman

    Hi Bert-Jan,

    Sorry for the delay - I missed your comment, but better late than never. 

    For IPsec sites, supported throughput is up to 3Gbps. You can see the throughputs and limits for Cato sites at

    https://support.catonetworks.com/hc/en-us/articles/4412241907345-Cato-Cloud-Thresholds-and-Limits

  • Comment author
    Yoshihiro Toyomasu

    Hi Cato team,

    When creating a child SA, Cato sends multiple traffic selectors (TS) in the same TS payload in accordance with RFC 7295. 

    Do you mention RFC7296?
     
