Cato Networks Knowledge Base

Configuring IPsec IKEv1 Sites

This article discusses how to create and configure sites that use the IPsec IKEv1 connection type. For more about creating a new site, see Using the Cato Management Application to Add Sites.

Overview of IPsec IKEv1 Connections

Cato can initiate and maintain IPsec IKEv1 tunnels from selected PoPs towards your sites and/or cloud data centers.

Note

Note: If you are sending only part of your network traffic via the Cato Cloud, configure your network equipment to include the following IP ranges in your routing table to the Cato Cloud:

  • 10.254.254.0/24 - default subnet reserved for traffic over the Cato Cloud (for accounts with a custom range, use the custom subnet)

  • 10.41.0.0/16 - unless you configured your network's own VPN Users' IP address range (see Configuring SDP Client Settings for the Account)

Connecting Two Tunnels to an AWS VPC for HA

Cato lets you connect your AWS VPC to the Cato Cloud using BGP over two IPsec tunnels for a high availability (HA) configuration. AWS dual tunnels are supported only when you define two customer gateways, and each one represents a different Cato public IP address. These are the requirements:

  • Two Cato public IP addresses

  • Configure two customer gateways in the same VPC and each one is assigned to a Cato public IP address

  • In AWS, configure two site-to-site connections

Configuring an IPsec IKEv1 Site

After you create a new site that uses IPsec IKEv1 to connect to the Cato Cloud, edit the site and configure the IPsec settings.

For more information on unique IP addresses, see Allocating IP Addresses for the Account.

Important

IMPORTANT: We strongly recommend that you configure a secondary tunnel (with different Cato public IPs) for high availability. Otherwise, there is a risk that the site can lose connectivity to the Cato Cloud.

You can choose to manage the downstream and upstream bandwidth for an IPsec site. If you want the Cato Cloud to cap your downstream bandwidth, enter the required limits accordingly. Otherwise, enter the values as defined by your ISP link's actual connection speed. If you don't know the ISP connection speed, configure the downstream bandwidth according to this site's license. For the upstream bandwidth, the Cato Cloud doesn't control the upstream traffic, and it isn't possible to cap it with a hard limit. Instead, the upstream bandwidth setting is a best-effort by the Cato Cloud.

For IPsec sites with bandwidth greater than 100Mbps, use only the AES 128 GCM-16 or AES 256 GCM-16 algorithms. AES CBC algorithms are only used on sites with bandwidth less than 100Mbps.

For FTP traffic, Cato recommends configuring the FTP server with a connection timeout of 30 seconds or higher.

Note

Note: If you enter upstream/downstream values that are greater than the actual connection speed of your ISP's link, the Socket QoS engine is ineffective.

For more about QoS in Cato, see What are the Cato Bandwidth Management Profiles.

You can configure the Dead Peer Detection (DPD) settings for IKE v1 Phase II. These settings define how often the Cato Cloud sends a DPD packet and monitors the tunnel status (the maximum interval between DPD packets is 35 seconds).

Cato IPsec IKEv1 sites support nonce length of up to 48 bits.

The SA Lifetime is the period that the encryption key is valid before it expires and a new key is required. You can't configure the SA Lifetime for the IKEv1 Phase 1 and Phase 2 parameters, the settings are:

  • Phase 1 - 86,400 seconds (24 hours)
  • Phase 2 - 3,600 seconds (1 hour)

To configure the settings for an IPsec IKEv1 site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > IPsec.

  3. Expand the General section and select a preconfigured IPsec peer type (such as AWS or Azure), or select Generic.

  4. Expand the Primary section, and configure the following settings for the primary IPsec tunnel:

    • In Public IP > Cato IP (Egress), select the Cato PoP and IP address that initiates the IPsec tunnel.

      If you need a different IP address allocated to your account, click IP Allocation Settings and select the PoP location and IP address.

    • In Public IP > Site IP, enter the public IP address where the IPsec tunnel is initiated.

    • For sites that use BGP dynamic routing, you can enter the Private IPs that are inside the VPN tunnel.

    • In Bandwidth, configure the maximum Downstream and Upstream (Mbps) available bandwidth for the site.

    • In Primary PSK, click Edit Password to enter the shared secret for the primary IPsec tunnel.

  5. (Optional) Expand the IKEv1 Phase I Parameters section, and configure the settings.

    • In the Algorithm section, select the Encryption Algorithm: AES-CBC-128 or AES-CBC-256

    • In the Algorithm section, select the Hash Algorithm: MD5, SHA1, or SHA256

    • In Diffie-Hellman Group, select the key length that is used in the encryption: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit), 16 (4096-bit), or 21 (521-bit)

    • In SA Lifetime, enter the time period (in seconds) that the encryption key is valid before it expires and a new key is required. The default setting is 86400 seconds (24 hours).

  6. (Optional) Expand the IKEv1 Phase II Parameters section, and configure the settings.

    • In the Algorithms section, select the Encryption Algorithm: AES-CBC-128, AES-CBC-256, AES-GCM-128, or AES-GCM-256

    • In the Algorithm section, select the Hash Algorithm: MD5, SHA1, or SHA256

    • In Diffie-Hellman Group, select the key length that is used in the encryption: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit), 16 (4096-bit), or 21 (521-bit)

      To configure the phase II Diffie-Hellman Group settings, first enable Perfect Forward Secrecy.

    • In SA Lifetime, enter the time period (in seconds) that the encryption key is valid before it expires and a new key is required. The default setting is 86400 seconds (24 hours).

    • In Perfect Forward Secrecy, select Enable "protection" of past transmissions against future compromises of secret keys to enable this feature for the site.

    • To enable DPD for the site, select Keepalive interval (sec) and enter the number of seconds between keepalive packets (maximum value is 35).

      To disable DPD for the site, clear Keepalive interval (sec).

    • For sites with DPD enabled, you can select Restart connection on no DPD reply to enable restarting an IPsec connection when no reply is received for the DPD packets within 35 seconds.

  7. Expand the Routing section, and select the routing option for the site:

    • Implicit: 0.0.0.0/0<-->0.0.0.0/0 (a single tunnel from all local ranges to all remote ranges) - all WAN traffic is transmitted over the IPsec connection in a single Phase II tunnel with one encryption key.

    • Specific: x.x.x.x/y<-->a.a.a.a/b (a tunnel from each local range to specific remote ranges) - all WAN traffic is transmitted over the IPsec connection in a Phase II tunnel using a full mesh between the local and remote IP ranges.

      Define the remote IP ranges on the other side of the IPsec tunnel. Then there is a full mesh between the local and remote IP ranges.

      • The local IP ranges are defined below in the Network Ranges section below, click Add to enter the IP ranges

      • The remote ranges are defined in the Site Settings > Networks screen

      ipsec_Ikev1_routing.png
  8. Click Save.

  9. For sites that use a secondary IPsec tunnel, expand the Secondary section and configure the settings in the previous step and then click Save.
  10. To show your connection details and status of the IPsec tunnel for this site, click Connection Status.

Was this article helpful?

0 out of 0 found this helpful

Comments

6 comments

  • Comment author
    akei hsu

    p2 default timer is 3600 sec, not 24hr?

    0
  • Comment author
    Yaakov Simon

    Akei,

    Thanks for your comment. I will work with RnD to fix this bug.

    Yaakov

    0
  • Comment author
    Nirmalkumar Chandrasekaran

    What's the phase2 default SA lifetime 3600 or 86400 sec? Please confirm

    0
  • Comment author
    Yaakov Simon

    Nirmal,

    Thanks for the comment. The article was not up-to-date with the behavior of the Cato Management Application.

    You can't configure the SA Lifetime settings for an IKEv1 site, the settings are:

    • Phase 1 - 86,400 seconds (24 hours)
    • Phase 2 - 3,600 seconds (1 hour)

    The article is now updated and states that the above SA Lifetime settings apply to all IKEv1 sites.

    1
  • Comment author
    Chris Foote

    It may be helpful to have a KB article or section that discusses the role of the Native Range on an IPsec site, as this has led to confusion with a few deployments so far. The usual assumption is that the native range for an IPsec site would be a local range used to route traffic between the peer and other local networks, but if I understand correctly it seems that the native range should actually be a network on the remote/peer side of the connection. It would be pretty useful to see some clarification on this point. Overall a very helpful KB writeup though!

    0
  • Comment author
    Community Manager The chief of community conversations. Community manager

    Thank you for your feedback, Chris.

    Our documentation team has informed me that they ware working on providing the information you think would be useful.  It should be available in the next few weeks.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)

    0

Please sign in to leave a comment.