Configuring IPsec IKEv1 Sites

This article discusses how to configure sites that use the IPsec IKEv1 connection type. For more about creating a new site, see Using the Cato Management Application to Add Sites.

Overview of IPsec IKEv1 Connections

Cato can initiate and maintain IPsec IKEv1 tunnels from selected PoPs towards your sites and/or cloud data centers.

Note

Note: If you are sending only part of your network traffic via the Cato Cloud, configure your network equipment to include the following IP ranges in your routing table to the Cato Cloud:

Connecting Two Tunnels to an AWS VPC for HA

Cato lets you connect your AWS VPC to the Cato Cloud using BGP over two IPsec tunnels for a high availability (HA) configuration. AWS dual tunnels are supported only when you define two customer gateways, and each one represents a different Cato public IP address. These are the requirements:

  • Two Cato public IP addresses

  • Configure two customer gateways in the same VPC and each one is assigned to a Cato public IP address

  • In AWS, configure two site-to-site connections

Configuring an IPsec IKEv1 Site

After you create a new site that uses IPsec IKEv1 to connect to the Cato Cloud, edit the site and configure the IPsec settings.

For more information on unique IP addresses, see Allocating IP Addresses for the Account.

Note

IMPORTANT: We strongly recommend that you configure a secondary tunnel (with different Cato public IPs) for high availability. Otherwise, there is a risk that the site can lose connectivity to the Cato Cloud.

You can choose to manage the downstream and upstream bandwidth for an IPsec site. If you want the Cato Cloud to cap your downstream bandwidth, enter the required limits accordingly. Otherwise, enter the values as defined by your ISP link's actual connection speed. If you don't know the ISP connection speed, configure the downstream bandwidth according to this site's license. For the upstream bandwidth, the Cato Cloud doesn't control the upstream traffic, and it isn't possible to cap it with a hard limit. Instead, the upstream bandwidth setting is a best-effort by the Cato Cloud.

Best Practice: Configure the Dead Peer Detection (DPD) settings for IKE v1 Phase II to automatically restart the connection if there is no DPD reply. You can also define how often the Cato Cloud sends a DPD packet and monitors the tunnel status (the maximum interval between DPD packets is 35 seconds).

  • For IPsec sites with bandwidth greater than 100Mbps, use only the AES 128 GCM-16 or AES 256 GCM-16 algorithms. AES CBC algorithms are only used on sites with bandwidth less than 100Mbps.

  • For FTP traffic, Cato recommends configuring the FTP server with a connection timeout of 30 seconds or higher.

  • Cato IPsec IKEv1 sites support nonce length of up to 48 bits.

  • You may set the IPSec shared secret (PSK) up to 64 characters.

The SA Lifetime is the period that the encryption key is valid before it expires and a new key is required. You can't configure the SA Lifetime for the IKEv1 Phase 1 and Phase 2 parameters, the settings are:

  • Phase 1 - 86,400 seconds (24 hours)

  • Phase 2 - 3,600 seconds (1 hour)

Note

Note: If you enter upstream/downstream values that are greater than the actual connection speed of your ISP's link, the Socket QoS engine is ineffective.

For more about QoS in Cato, see What are the Cato Bandwidth Management Profiles.

ikev1_site.png

To configure the settings for an IPsec IKEv1 site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > IPsec.

  3. Expand the General section and select a preconfigured IPsec peer type (such as AWS or Azure), or select Generic.

  4. Expand the Primary section, and configure the following settings for the primary IPsec tunnel:

    • In Public IP > Cato IP (Egress), select the Cato PoP and IP address that initiates the IPsec tunnel.

      If you need a different IP address allocated to your account, click IP Allocation Settings and select the PoP location and IP address.

    • In Public IP > Site IP, enter the public IP address where the IPsec tunnel is initiated.

    • For sites that use BGP dynamic routing, you can enter the Private IPs that are inside the VPN tunnel.

    • In Bandwidth, configure the maximum Downstream and Upstream (Mbps) available bandwidth for the site.

    • In Primary PSK, click Edit Password to enter the shared secret for the primary IPsec tunnel.

    Note: You can optionally use the same allocated IP address for one or more IPsec sites as long as the Site IP is different for each site. Cato recommends using different allocated IPs per each site.

  5. (Optional) Expand the IKEv1 Phase I Parameters section, and configure the settings.

    1. In the Algorithm section, select the Encryption Algorithm: AES-CBC-128 or AES-CBC-256

    2. In the Algorithm section, select the Hash Algorithm: MD5, SHA1, or SHA256

    3. In Diffie-Hellman Group, select the key length that is used in the encryption: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit), 16 (4096-bit)

  6. (Optional) Expand the IKEv1 Phase II Parameters section, and configure the settings.

    1. In the Algorithms section, select the Encryption Algorithm: AES-CBC-128, AES-CBC-256, AES-GCM-128, or AES-GCM-256

    2. In the Algorithm section, select the Hash Algorithm: MD5, SHA1, or SHA256

    3. To configure the phase II Diffie-Hellman Group settings, first enable Perfect Forward Secrecy.

      1. In Perfect Forward Secrecy, select Enable "protection" of past transmissions against future compromises of secret keys to enable this feature for the site.

      2. In Diffie-Hellman Group, select the key length that is used in the encryption: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit), 16 (4096-bit)

  7. Configure the DPD settings for the IKEv1 Phase II parameters:

    1. Select Keepalive interval (sec) and enter the number of seconds between keepalive packets (maximum value is 35).

    2. (Best Practice) Select Restart connection on no DPD reply to enable restarting an IPsec connection when no reply is received for the DPD packets within 35 seconds.
      To disable DPD for the site, clear Keepalive interval (sec).

  8. Expand the Routing section, and select the routing option for the site:

    • Implicit: 0.0.0.0/0<-->0.0.0.0/0 (A single tunnel from all local ranges to all remote ranges) - all WAN traffic is transmitted over the IPsec connection in a single Phase II tunnel with one encryption key (one for each pair of ESP SAs).

    • Explicit: x.x.x.x/y<-->0.0.0.0/0 (A tunnel from each local range to all remote ranges) - all WAN traffic is transmitted over the IPsec connection in a single Phase II tunnel for the local IP ranges for the site to all remote IP ranges with one encryption key (one ESP SA for each local range).

    • Specific: x.x.x.x/y<-->a.a.a.a/b (A tunnel from each local range to specific remote ranges) - all WAN traffic is transmitted over the IPsec connection in a Phase II tunnel using a full mesh between the local and remote IP ranges.

      Define the remote IP ranges on the other side of the IPsec tunnel. Then there is a full mesh between the local and remote IP ranges.

      • The local IP ranges are defined below in the Network Ranges section, click Add to enter the IP ranges

      • The remote ranges are defined in the Site Settings > Networks screen

      IPsec_IKEv1_Routing.png

  9. Click Save.

  10. For sites that use a secondary IPsec tunnel, expand the Secondary section and configure the settings in the previous step and then click Save.

  11. To show your connection details and status of the IPsec tunnel for this site, click Connection Status.

Was this article helpful?

0 out of 0 found this helpful

9 comments

Date Votes
  • Comment author
    Akei Hsu

    p2 default timer is 3600 sec, not 24hr?

  • Comment author
    Yaakov Simon

    Akei,

    Thanks for your comment. I will work with RnD to fix this bug.

    Yaakov

  • Comment author
    Nirmalkumar Chandrasekaran

    What's the phase2 default SA lifetime 3600 or 86400 sec? Please confirm

  • Comment author
    Yaakov Simon

    Nirmal,

    Thanks for the comment. The article was not up-to-date with the behavior of the Cato Management Application.

    You can't configure the SA Lifetime settings for an IKEv1 site, the settings are:

    • Phase 1 - 86,400 seconds (24 hours)
    • Phase 2 - 3,600 seconds (1 hour)

    The article is now updated and states that the above SA Lifetime settings apply to all IKEv1 sites.

  • Comment author
    Chris Foote

    It may be helpful to have a KB article or section that discusses the role of the Native Range on an IPsec site, as this has led to confusion with a few deployments so far. The usual assumption is that the native range for an IPsec site would be a local range used to route traffic between the peer and other local networks, but if I understand correctly it seems that the native range should actually be a network on the remote/peer side of the connection. It would be pretty useful to see some clarification on this point. Overall a very helpful KB writeup though!

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded. They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Thank you for your feedback, Chris.

    Our documentation team has informed me that they ware working on providing the information you think would be useful.  It should be available in the next few weeks.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)

  • Comment author
    kevinl

    I have a few questions.

    Am I required to have a site license for each of my site-to-site VPN tunnels?

    The “Cato IP (Egress)” IP address is used as the peer IP address by the remote site, correct?

    The “Public Site” IP address is the remote peer IP address, correct?

    I feel that the definitions in the Cato GUI could be better clearer.

    Cato could use obvious terms like “Remote Peer IP” and “Local Peer IP”, for example.

    kev

     

  • Comment author
    Yaakov Simon

    Updated the article to include the best practice of configuring DPD for the IKEv1 site 

  • Comment author
    Naoki Kimura

    It was previously mentioned that "You can't configure the SA Lifetime for the IKEv1 Phase 1 and Phase 2 parameters," but currently it's possible to modify the SA Lifetime values for IKEv1 Phase 1 and Phase 2, correct?