This article explains how to configure an IPsec IKEv2 site for a firewall or router that has a dynamic IP address.
Cato's IKEv2 Responder Only setting is the solution for edge appliances (firewalls or routers) that have a dynamic IP address or are located behind a NAT device. It works by letting the edge appliance on the remote end initiate and manage the IKEv2 connection, while the Cato PoP only answers.
For more about working with IPsec IKEv2 sites, see Configuring IPsec IKEv2 Sites.
A customer needs to connect an on-premises appliance that sits behind a dynamic public IP address to the Cato Cloud. The customer environment is protected by a third-party on-premises firewall located behind a NAT device with a dynamic IP, so the site has to be identified by an FQDN rather than by its address. Cato's PoPs, on the other end, use static IPs only. (A site with a dynamic IP can only use an FQDN, email, or key ID as its identifier.)
This is established by configuring an IKEv2 site for dynamic NAT. The customer creates the site in the Cato Management Application with the following settings:
- Connection Method - Responder Only (with dynamic NAT, the firewall on the remote end must initiate the connection)
- Authentication Identifier - FQDN (matches the setting on the third-party device)
Note: For dynamic IPs the site can't use the IPv4 Authentication Identifier, because that setting only works with static IPs.
Below is an example of dynamic-IP IKEv2 tunnels between the Cato PoPs and a remote firewall over the internet in a High Availability configuration.
Allocate public IP addresses to your account for the primary and secondary tunnels, and then create a new IPsec IKEv2 site.
The number of unique IP addresses that you can obtain is determined by your license. For additional IPs, contact your reseller or sales@catonetworks.com.
To allocate IP addresses and create the site:
- From the navigation menu, click Network > IP Allocation.
- Select a location. A unique IP is allocated by Cato Networks.
- Click Save.
- From the navigation menu, click Network > Sites and click New. The Add Site panel opens.
- Configure the settings for the site:
  - Name: sample IKEv2
  - Type: Branch
  - Connection Type: IPsec IKEv2
  - Country: the country in which the site is located.
  - State: the state in which the site is located (where applicable).
  - License: the bandwidth license appropriate for the site.
  - Native Range: the LAN subnet for the IPsec site.
After you create a new site that uses IPsec IKEv2 to connect to the Cato Cloud, edit the site and configure the IPsec settings.
Use the Connection Method settings to define if the Cato PoP only responds to connections from the remote site (Responder Only), or also initiates connections (Bidirectional).
For sites that work with dynamic IPs, the Cato Management Application generates a Local ID for the site, which is used as the value of the Authentication Identifier that you select. Use the Authentication Identifier type that the third-party device requires (FQDN, email, or KEY_ID) and enter the Local ID as the local identity in the IKE settings of the third-party device.
Alongside the Local ID, configure a pre-shared key (PSK) for authentication. You can also define primary and secondary IPsec tunnels with BGP over the device to provide high availability. The Cato Cloud then adjusts the BGP route metrics automatically to prefer the primary tunnel, and if the primary tunnel disconnects, the site moves to the secondary tunnel.
Note
IMPORTANT: We strongly recommend that you configure a secondary tunnel (with a different Cato public IP) for high availability. Otherwise, there is a risk that the site loses connectivity to the Cato Cloud.
For IPsec sites with bandwidth greater than 100 Mbps, use only the AES-128-GCM-16 or AES-256-GCM-16 algorithms. AES-CBC algorithms are supported only on sites with bandwidth below 100 Mbps.
Cato IPsec IKEv2 sites support a nonce length of up to 256 bits.
The IPsec shared secret (PSK) can be up to 64 characters long.
To configure the settings for the IKEv2 site:
- From the navigation menu, click Network > Sites and select the site.
- From the navigation menu, click Site Settings > IPsec.
- Expand the General section and define how the site connects and authenticates to the PoP:
  - Select the Connection Mode for the site:
    - Responder Only - The Cato PoP only responds to negotiations for incoming connections. It doesn't initiate outgoing negotiations.
    - Bidirectional - The Cato PoP responds to negotiations for incoming connections and also initiates outgoing negotiations.
  - Choose one of these options as the Authentication Identifier. Bidirectional mode supports only IPv4 as the Authentication Identifier.
    - IPv4 - uses the static Site IP address from the Primary and Secondary sections of the site
    - FQDN, Email, KEY_ID - generates the Local ID in one of these formats
    Note: IPv6 is not currently supported for IPsec over the Cato PoP.
- Expand the Primary section, and configure the following settings for the primary IPsec tunnel:
  - In Public IP > Cato IP (Egress), select the Cato PoP and allocated IP address for the Cato end of the IPsec tunnel. If you need a different IP address allocated to your account, click IP Allocation Settings and select the PoP location and IP address.
  - In Public IP, enter the public Site IP address or the Local ID from which the remote site initiates the IPsec tunnel. Note: A Site IP is expected only when the Authentication Identifier is IPv4.
  - For sites that use BGP dynamic routing, you can enter the Private IPs used inside the VPN tunnel.
  - In Bandwidth, configure the maximum Downstream and Upstream (Mbps) bandwidth available for the site.
  - In Primary PSK, click Edit Password to enter the shared secret for the primary IPsec tunnel.
  Note: You can use the same allocated IP address for more than one IPsec site as long as the Site IP is different for each site. Cato recommends using a different allocated IP for each site.
- (Optional) Expand the Init Message Parameters section, and configure the settings. These settings are available only when the Authentication Identifier selected in the General section is IPv4.
Because most IPsec IKEv2 implementations negotiate the following Init and Auth parameters automatically, we recommend that you leave them set to Automatic unless your firewall vendor specifically instructs otherwise.
  - In the Algorithms section, select the Encryption Algorithm: Automatic (default), AES-CBC-128, AES-CBC-256, AES-GCM-128 or AES-GCM-256
  - In the Algorithms section, select the Pseudo Random Function (PRF) Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384 or SHA2 512
  - In the Algorithms section, select the Integrity Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384 or SHA2 512
  - In Diffie-Hellman Group, select the group (modulus size) used for the IKE key exchange: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit) (default) or 16 (4096-bit). Groups 2 and 5 are weak by current standards; keep the default or use group 14 or higher unless a legacy peer requires otherwise.
- (Optional) Expand the Auth Parameters section, and configure the settings.
  - In the Algorithms section, select the Encryption Algorithm: Automatic (default), AES-CBC-128, AES-CBC-256, AES-GCM-128 or AES-GCM-256
  - In the Algorithms section, select the Integrity Algorithm: Automatic (default), SHA1, SHA2 256, SHA2 384 or SHA2 512
  - In Diffie-Hellman Group, select the group (modulus size) used for the Child SA key exchange: 2 (1024-bit), 5 (1536-bit), 14 (2048-bit), 15 (3072-bit) (default) or 16 (4096-bit). The same caveat applies: prefer group 14 or higher.
- Expand the Routing section, and define the routing options for the site:
  - For IPsec peers that expect specific Security Associations (SAs) for this tunnel, in the Network Ranges section enter the local IP ranges (local from the Cato PoP's perspective) for the SAs in the format <label:IP range> and click Add. The remote IP ranges for the SAs are the site networks configured in the Site Configuration > Networks screen for the IKEv2 site.
  Note: If no Network Ranges are configured for the site, it is treated as a route-based VPN (implicit 0.0.0.0/0 <> 0.0.0.0/0).
- Click Save.
- For sites that use a secondary IPsec tunnel, expand the Secondary section, configure the same settings as for the Primary section, and then click Save.
- To show your connection details and the status of the IPsec tunnel for this site, click Connection Status.
These are the default values for the following IKEv2 parameters. If you need a custom value, contact Support.
Parameter | Value
---|---
Keep-alive check (sends empty INFORMATIONAL requests): number of seconds without data received on the tunnel before a check is sent | 10 seconds
Retransmit interval (not configurable) | 10 seconds
Maximum number of retransmissions (not configurable) | 5 retransmissions
Maximum time without data or keep-alive responses; after this the site tears down the tunnel and attempts to rebuild it | 60 seconds
Interval at which the site retries to rebuild a tunnel that is down and fails to come up | every 90 seconds
IKE SA lifetime (IPsec phase 1) | 19,800 seconds (approximately 5.5 hours)
Child SA lifetime (IPsec phase 2) | 3,600 seconds (1 hour)
Note
Important: For IPsec IKEv2 sites set to Responder Only, the IKE SA (phase 1) lifetime configured on the remote device behind the NAT must be shorter than 19,800 seconds (the Cato Cloud value). In this mode the Cato PoP never initiates an exchange, so the remote device has to be the side that rekeys; if the Cato-side SA expires first, the tunnel goes down and stays down until the remote device rebuilds it.
When creating a Child SA, Cato sends multiple traffic selectors (TS) in the same TS payload, as RFC 7296 allows. Some third-party solutions, such as Cisco ASA, support only a single TS per Child SA; a Cisco ASA answers a Cato proposal that carries multiple TS with a TS_UNACCEPTABLE notification.
For interoperability with these devices, you can configure your account, or a specific IPsec IKEv2 site, to send each TS separately (one Child SA per traffic selector) by enabling the corresponding setting under Site Configuration > Advanced Configuration.
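The procedure above configures the Cato side; in Responder Only mode the device behind the NAT is the one that must initiate, rekey, and carry the Local ID. The script below, added here as an example and not Cato's documentation or any vendor's code, renders the matching initiator-side strongSwan swanctl.conf and refuses to emit a configuration that violates the limits stated on this page (PSK of at most 64 characters, GCM-16 above 100 Mbps, remote IKE lifetime shorter than Cato's 19,800 seconds, IPv4 ranges only). Its split_ts switch emits one Child SA per traffic-selector pair, the initiator-side counterpart of the per-TS setting described above for Cisco ASA interoperability. The Cato IP, Local ID, PSK and ranges are constructed placeholders, and treating DH groups 2 and 5 as weak is this editor's caveat rather than a Cato requirement.

```python
"""Render and sanity-check the initiator-side strongSwan swanctl.conf for a Cato
IKEv2 Responder Only site.  Added example, not Cato's or strongSwan's own code; every
address, ID and key below is a constructed placeholder."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Cato-side defaults and limits quoted on this page.
CATO_IKE_SA_LIFETIME = 19_800   # seconds, IKE SA (phase 1)
CATO_KEEPALIVE = 10             # seconds of silence before an empty INFORMATIONAL
MAX_PSK_LEN = 64
GCM_CIPHERS = {"aes128gcm16", "aes256gcm16"}   # the only ciphers allowed above 100 Mbps
WEAK_DH = {"modp1024": 2, "modp1536": 5}       # groups 2 and 5: editor's caveat, not Cato's


@dataclass
class Tunnel:
    name: str
    cato_ip: str               # allocated Cato public IP (Public IP > Cato IP (Egress))
    local_id: str              # Local ID generated by Cato for the FQDN identifier
    psk: str
    site_ranges: List[str]     # site-side ranges (Site Configuration > Networks)
    cato_ranges: List[str]     # Cato-side ranges (Routing > Network Ranges)
    bandwidth_mbps: int
    cipher: str = "aes256gcm16"
    integrity: str = ""        # empty for AEAD; e.g. "sha256" with the CBC cipher "aes256"
    prf: str = "prfsha256"
    dh_group: str = "modp3072"  # DH group 15, the Cato default
    ike_rekey: int = 14_400     # must be < CATO_IKE_SA_LIFETIME: the PoP never initiates
    split_ts: bool = False      # one Child SA per TS pair, for peers such as Cisco ASA


def validate(t: Tunnel) -> List[str]:
    """Return the constraints from this page (plus the DH caveat) that the tunnel violates."""
    problems: List[str] = []
    if not 1 <= len(t.psk) <= MAX_PSK_LEN:
        problems.append(f"PSK length {len(t.psk)} is not within 1..{MAX_PSK_LEN}")
    if t.bandwidth_mbps > 100 and t.cipher not in GCM_CIPHERS:
        problems.append("bandwidth above 100 Mbps requires AES-GCM-16")
    if t.ike_rekey >= CATO_IKE_SA_LIFETIME:
        problems.append(f"IKE rekey {t.ike_rekey}s must be shorter than Cato's "
                        f"{CATO_IKE_SA_LIFETIME}s so the initiator rekeys first")
    if t.dh_group in WEAK_DH:
        problems.append(f"DH group {WEAK_DH[t.dh_group]} ({t.dh_group}) is weak; use 14+")
    for r in t.site_ranges + t.cato_ranges:
        try:
            net = ipaddress.ip_network(r, strict=True)
        except ValueError:
            problems.append(f"invalid network range {r!r}")
            continue
        if net.version != 4:
            problems.append(f"{r}: IPv6 is not supported for IPsec over the Cato PoP")
    return problems


def ts_pairs(t: Tunnel) -> List[Tuple[List[str], List[str]]]:
    """Traffic selectors per Child SA: all ranges in one SA, or one SA per (site, Cato) pair."""
    if t.split_ts:
        return [([s], [c]) for s in t.site_ranges for c in t.cato_ranges]
    return [(list(t.site_ranges), list(t.cato_ranges))]


def render(t: Tunnel) -> str:
    """Build the swanctl.conf text; raises instead of emitting a config that breaks a rule."""
    problems = validate(t)
    if problems:
        raise ValueError("; ".join(problems))
    ike_proposal = "-".join(p for p in (t.cipher, t.integrity, t.prf, t.dh_group) if p)
    esp_proposal = "-".join(p for p in (t.cipher, t.integrity, t.dh_group) if p)  # PFS
    lines = [
        "connections {", f"  {t.name} {{", "    version = 2",
        "    local_addrs = %any",                 # dynamic or NATed address: bind to any
        f"    remote_addrs = {t.cato_ip}",
        "    local {", "      auth = psk", f"      id = {t.local_id}", "    }",
        "    remote {", "      auth = psk", "    }",   # peer identity defaults to remote_addrs
        f"    proposals = {ike_proposal}",
        f"    rekey_time = {t.ike_rekey}s",
        f"    dpd_delay = {CATO_KEEPALIVE}s",      # retransmit timing itself lives in charon.conf
        "    children {",
    ]
    for i, (site_ts, cato_ts) in enumerate(ts_pairs(t)):
        lines += [
            f"      {t.name}-{i} {{",
            f"        local_ts = {','.join(site_ts)}",
            f"        remote_ts = {','.join(cato_ts)}",
            f"        esp_proposals = {esp_proposal}",
            "        start_action = start",       # the site must initiate: Cato only responds
            "        dpd_action = restart",        # re-initiate rather than wait for the PoP
            "      }",
        ]
    lines += ["    }", "  }", "}", "secrets {", f"  ike-{t.name} {{",
              f"    id = {t.local_id}", f'    secret = "{t.psk}"', "  }", "}"]
    return "\n".join(lines) + "\n"


# Constructed sample: TEST-NET-3 address for the allocated Cato IP, placeholder Local ID and PSK.
SAMPLE = Tunnel(
    name="sample-ikev2", cato_ip="203.0.113.10", local_id="site1.example.invalid",
    psk="replace-with-the-Primary-PSK-value",
    site_ranges=["192.168.50.0/24", "192.168.51.0/24"], cato_ranges=["10.0.0.0/8"],
    bandwidth_mbps=200,
)

if __name__ == "__main__":
    print(render(SAMPLE))
```

Run it and paste the output into /etc/swanctl/swanctl.conf on the initiator, then `swanctl --load-all`; with start_action = start the site brings the tunnel up on its own, which is what Responder Only requires. For a Cisco ASA peer, set split_ts=True on the Tunnel and the two site ranges become two Child SAs instead of one SA with two traffic selectors.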