12.12.4. Configuring VPN security profiles

You configure VPN security profiles at the vpn security-profile level.

To create a VPN security profile, use the following command:

Admin@UGOS# create vpn security-profile

Provide the following parameters:

Parameter

Description

name

VPN security profile name.

description

VPN security profile description.

ike-version

Version of the IKE (Internet Key Exchange) protocol used to establish the secure channel between the two networks. UserGate uses IKEv1.

ike-mode

IKE mode:

  • main: main mode. In main mode the peers exchange six messages. The first exchange (messages 1 and 2) negotiates the encryption and authentication algorithms. The second exchange (messages 3 and 4) performs the Diffie-Hellman (DH) key exchange; after it, the IKE service on each device derives the keying material used for authentication and for protecting the rest of the negotiation. The third exchange (messages 5 and 6) authenticates the initiator and the responder (identity checking); these two messages are already encrypted with the algorithm negotiated earlier.

  • aggressive: aggressive mode. In aggressive mode there are only three messages in total. In the first message the initiator sends what messages 1 and 3 of main mode carry, that is, the proposed encryption and authentication algorithms together with its DH value and its identity. The second message, sent by the responder, carries what messages 2 and 4 of main mode carry and also authenticates the responder. The third message authenticates the initiator and completes the exchange. Because the identities and the authentication hash travel before any encryption is in place, aggressive mode with a pre-shared key lets a passive observer record material for an offline dictionary attack on the PSK; prefer main mode unless the remote peer cannot use it.

peer-auth

Peer authentication:

  • psk: authenticate devices using a pre-shared key.

psk

Pre-shared key. It must be identical on both peers for the connection to be established. Use a long, random value: a short or guessable PSK can be recovered offline by anyone who records the IKE handshake, which is easiest in aggressive mode.

phase1-key-lifetime

Key lifetime. The time period after which the parties re-authenticate and re-negotiate the first-phase settings.

dpd-interval

Dead Peer Detection (DPD) check interval, in seconds. Minimum: 10 seconds; default: 60 seconds.

DPD checks that the IPsec peer is still alive and reachable: it periodically sends R-U-THERE messages to the peer and waits for an acknowledgement.

dpd-max-failures

Number of consecutive DPD requests that may go unanswered before the IPsec peer is declared unreachable (default: 5).

dh-groups

Diffie-Hellman groups allowed for key exchange. The peers never send the shared secret itself: each sends a public DH value and derives the shared secret locally from its own private value and the peer's public value. The group number selects the size of the prime modulus; a larger modulus gives a stronger (and slower) exchange. Groups 1, 2 and 5 are below 2048 bits and are no longer considered adequate; use group 14 or higher, and list only the groups you are willing to let a peer negotiate.

  • Group 1: 768-bit MODP prime.

  • Group 2: 1024-bit MODP prime.

  • Group 5: 1536-bit MODP prime.

  • Group 14: 2048-bit MODP prime.

  • Group 15: 3072-bit MODP prime.

  • Group 16: 4096-bit MODP prime.

  • Group 17: 6144-bit MODP prime.

  • Group 18: 8192-bit MODP prime.

phase1-security

Authentication (integrity) and encryption algorithms for phase 1, the IKE security association. Several pairs can be configured and the peer may select any of them, so list only pairs you are willing to accept. MD5, SHA1, DES and 3DES are offered for compatibility with legacy peers only; for new tunnels use AES256 (or AES128) with SHA256 or stronger.

To specify authentication and encryption algorithms, use the following command:

Admin@UGOS# create vpn security-profile ... phase1-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>

Available values:

  • auth-alg: authentication (hash) algorithm.

    • MD5

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • encrypt-alg: encryption algorithm.

    • DES

    • 3DES

    • AES128

    • AES192

    • AES256

phase2-key-lifetime

Phase 2 key lifetime. The time period after which the peers must renegotiate the IPsec session keys. Set it shorter than the phase 1 lifetime so that the keys protecting the actual traffic rotate more often than the IKE security association.

key-lifesize

Maximum key lifesize, in kilobytes. Besides time, the phase 2 key can also be limited by the volume of traffic it protects. If both phase2-key-lifetime and key-lifesize are set, whichever limit is reached first triggers regeneration of the session keys. Set to off to disable the volume limit.

phase2-security

Authentication (integrity) and encryption algorithms for phase 2, the IPsec security association that protects the tunnel traffic. The same choices and the same caveats as for phase1-security apply: every pair listed here can be selected by the peer, so do not include MD5, SHA1, DES or 3DES unless a legacy peer requires them.

To specify authentication and encryption algorithms, use the following command:

Admin@UGOS# create vpn security-profile ... phase2-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>

Available values:

  • auth-alg: authentication (hash) algorithm.

    • MD5

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • encrypt-alg: encryption algorithm.

    • DES

    • 3DES

    • AES128

    • AES192

    • AES256
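The parameters above leave it to the administrator to notice a weak combination (aggressive mode with a short PSK, a DH group below 2048 bits, a legacy algorithm pair that a peer can still pick, a phase 2 lifetime longer than phase 1). The following Python script is an added example, not UGOS code or a UserGate tool: it models a profile as a dict keyed by the parameter names on this page, reports policy findings, and renders the set commands this page shows for algorithm pairs and DH groups. The PSK length floor, the weak-algorithm lists and the two sample profiles are this example's own assumptions.

```python
"""Policy check for a UserGate VPN security profile.

Added example, not UGOS code. A profile is modelled as a plain dict whose
keys mirror the parameter names on this page. The thresholds (PSK length,
weak-algorithm lists) are this example's own policy, not UserGate defaults.
"""
from dataclasses import dataclass

# Values from the page's option lists, split by whether this policy accepts them.
WEAK_AUTH = {"MD5", "SHA1"}        # deprecated hash functions for new tunnels
WEAK_ENCRYPT = {"DES", "3DES"}     # 56-bit key / 64-bit block ciphers
WEAK_DH_GROUPS = {1, 2, 5}         # 768/1024/1536-bit MODP, below a 2048-bit floor
KNOWN_DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18}
MIN_DPD_INTERVAL = 10              # page: minimum DPD interval is 10 seconds
MIN_PSK_LEN = 20                   # policy choice for this example


@dataclass(frozen=True)
class Finding:
    severity: str    # "high" or "medium"
    parameter: str
    message: str


def check_profile(profile: dict) -> list[Finding]:
    """Return policy findings for a profile; an empty list means it passes."""
    out: list[Finding] = []

    # Aggressive mode sends identities in clear and, with PSK, a hash an
    # eavesdropper can attack offline; main mode encrypts that exchange.
    if profile.get("ike-mode") == "aggressive":
        out.append(Finding("high", "ike-mode", "aggressive mode with PSK leaks a crackable hash; use main"))

    if profile.get("peer-auth") == "psk" and len(profile.get("psk", "")) < MIN_PSK_LEN:
        out.append(Finding("high", "psk", f"pre-shared key shorter than {MIN_PSK_LEN} characters"))

    groups = set(profile.get("dh-groups", []))
    if not groups:
        out.append(Finding("high", "dh-groups", "no Diffie-Hellman group configured"))
    for g in sorted(groups & WEAK_DH_GROUPS):
        out.append(Finding("high", "dh-groups", f"group {g} is below 2048 bits"))
    for g in sorted(groups - KNOWN_DH_GROUPS):
        out.append(Finding("medium", "dh-groups", f"group {g} is not offered by UGOS"))

    # Each phase holds (auth-alg, encrypt-alg) pairs; one weak pair is enough
    # to matter, because the peer chooses among everything offered.
    for phase in ("phase1-security", "phase2-security"):
        pairs = profile.get(phase, [])
        if not pairs:
            out.append(Finding("high", phase, "no algorithm pair configured"))
        for auth, enc in pairs:
            if auth in WEAK_AUTH:
                out.append(Finding("high", phase, f"weak auth-alg {auth}"))
            if enc in WEAK_ENCRYPT:
                out.append(Finding("high", phase, f"weak encrypt-alg {enc}"))

    # The page expects the phase 2 lifetime to be shorter than phase 1.
    p1, p2 = profile.get("phase1-key-lifetime"), profile.get("phase2-key-lifetime")
    if p1 is not None and p2 is not None and p2 >= p1:
        out.append(Finding("medium", "phase2-key-lifetime", "should be shorter than phase1-key-lifetime"))

    dpd = profile.get("dpd-interval")
    if dpd is not None and dpd < MIN_DPD_INTERVAL:
        out.append(Finding("medium", "dpd-interval", f"below the {MIN_DPD_INTERVAL} second minimum"))
    return out


def set_commands(name: str, profile: dict) -> list[str]:
    """Render the set commands this page shows for algorithm pairs and DH groups."""
    cmds = [f"set vpn security-profile {name} {phase} new auth-alg {auth} encrypt-alg {enc}"
            for phase in ("phase1-security", "phase2-security")
            for auth, enc in profile.get(phase, [])]
    if profile.get("dh-groups"):
        cmds.append(f"set vpn security-profile {name} dh-groups + [ "
                    + " ".join(str(g) for g in profile["dh-groups"]) + " ]")
    return cmds


# Constructed sample profiles, not taken from any real device.
WEAK_PROFILE = {
    "ike-version": "ikev1", "ike-mode": "aggressive", "peer-auth": "psk", "psk": "branch1",
    "dh-groups": [2, 5], "phase1-security": [("SHA1", "3DES")],
    "phase2-security": [("MD5", "DES"), ("SHA256", "AES256")],
    "phase1-key-lifetime": 3600, "phase2-key-lifetime": 28800, "dpd-interval": 5,
}
HARDENED_PROFILE = {
    "ike-version": "ikev1", "ike-mode": "main", "peer-auth": "psk",
    "psk": "correct-horse-battery-staple-7Qx9", "dh-groups": [14, 16],
    "phase1-security": [("SHA256", "AES256")], "phase2-security": [("SHA256", "AES256")],
    "phase1-key-lifetime": 86400, "phase2-key-lifetime": 3600, "dpd-interval": 30,
}

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, [f"[{f.severity}] {f.parameter}: {f.message}" for f in check_profile(prof)])
    print("\n".join(set_commands("hq-branch", HARDENED_PROFILE)))
```

Run it against the two constructed profiles: the weak one yields ten findings (eight high, two medium), the hardened one yields none and renders the three set commands needed to load its algorithm pairs and DH groups. The check deliberately flags a weak pair even when a strong pair sits beside it, because nothing in the profile stops the remote peer from selecting the weak one.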

To set security profile values, use the following command:

Admin@UGOS# set vpn security-profile <profile-name>

The parameters available for update are the same as those used when creating a security profile. To add another pair of authentication and encryption algorithms, or another Diffie-Hellman group, to an existing security profile, use the following commands:

Admin@UGOS# set vpn security-profile <profile-name> phase1-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>

Admin@UGOS# set vpn security-profile <profile-name> phase2-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>

Admin@UGOS# set vpn security-profile <profile-name> dh-groups + [ <dh-group1> <dh-group2> ... ]

To delete a security profile, use the following command:

Admin@UGOS# delete vpn security-profile <profile-name>

You can also delete individual parameters of a VPN security profile, which is how an unwanted algorithm pair or Diffie-Hellman group is removed from a profile that a peer could otherwise still negotiate:

  • dh-groups.

  • phase1-security.

  • phase2-security.

To display information about a VPN security profile, use the following command:

Admin@UGOS# show vpn security-profile <profile-name>