Creating a VPN Server Security Profile

To create a VPN server security profile, use the following command:

Admin@nodename# create vpn server-security-profiles <parameter>

VPN server security profile parameters (each parameter name is followed by its description):

name

VPN security profile name.

description

VPN security profile description.

ike-version

IKE (Internet Key Exchange) protocol version used to establish a secure channel between two networks. NGFW supports IKEv1 and IKEv2. The following configuration options are possible:

  • IKEv1: create a secure link using IKEv1

  • IKEv2: create a secure link using IKEv2

ike-mode

IKE mode:

  • main: the main mode. In main mode, the devices exchange six messages. The first exchange (messages 1 and 2) negotiates the encryption and authentication algorithms. The second exchange (messages 3 and 4) performs the Diffie-Hellman (DH) key exchange; after it, the IKE service on each device derives a master key that is used for authentication. The third exchange (messages 5 and 6) authenticates the initiator and the responder of the connection (identity checking); this information is protected with the encryption algorithm negotiated earlier.

  • aggressive: the aggressive mode. In aggressive mode there are 2 exchanges and 3 messages in total. In the first message, the initiator sends the information corresponding to messages 1 and 3 of main mode, that is, the encryption and authentication algorithms as well as the DH key. The second message, sent by the responder, carries the information corresponding to messages 2 and 4 of main mode and also authenticates the responder. The third message authenticates the initiator and completes the exchange.

local-id-type

IKE local ID parameter type. Required for peer node validation when establishing a VPN connection with hardware from some vendors. Enumerated parameter options:

  • none: the default value. Used when the IKE local ID parameter is not required to establish the VPN connection, for example, when the VPN connection is between two UserGate nodes.

  • IPv4: the host's IP address.

  • FQDN: the host's address in the fully-qualified domain name (FQDN) format.

  • CIDR: the host's address in the classless inter-domain routing (CIDR) format.

local-id-value

IKE local ID parameter value in selected format.

psk

Pre-shared key. Used to authenticate the remote node with a pre-shared key. The string must be identical on the client and the server for the connection to succeed.

certificate

VPN server certificate for authentication via certificate.

authentication-mode

Authentication method. Authentication is possible either by login and password via a RADIUS server (AAA) or by certificates (PKI).

user-certificate-profile

Client certificate profile. When the PKI authentication method is selected, a previously configured client certificate profile must be specified.

phase1-key-lifetime

Key lifetime: the period after which the parties re-authenticate and re-negotiate the phase 1 settings.

dpd-state

Operating mode of the Dead Peer Detection mechanism, which checks that the VPN channel is working and promptly disconnects or reconnects it when the connection is lost. The mechanism has 3 operating modes:

  • off: the mechanism is disabled. DPD requests are not sent.

  • always: DPD requests are always sent at the specified interval. If no response is received, additional requests are sent 5 seconds apart, up to the number specified in the dpd-max-failures parameter. If a response arrives, the mechanism returns to the initial DPD request interval; if no response arrives, the connection is terminated.

  • idle: DPD requests are not sent while ESP traffic is passing through the created SAs. If no packets are seen for twice the specified interval, a DPD request is sent. If a response arrives, the next DPD request is sent after another double interval. If no response is received, additional requests are sent 5 seconds apart, up to the number specified in the dpd-max-failures parameter. If there is still no response, the connection is terminated.

dpd-interval

Interval, in seconds, at which the Dead Peer Detection mechanism sends its checks. Minimum interval: 10 seconds.

The Dead Peer Detection (DPD) mechanism checks the health and availability of neighbor devices. DPD periodically sends R-U-THERE messages to check that the IPsec neighbor is reachable (default value: 60 seconds).

dpd-max-failures

Maximum number of DPD requests sent without a response before the IPsec neighbor is considered unreachable (default value: 5).

dh-groups

Diffie-Hellman groups to use for key exchange. Instead of the key itself, the parties exchange the public values that the DH algorithm needs to derive the shared secret key. The larger the Diffie-Hellman group number, the longer the prime and the more bits protect the key.

  • Group 1: 768-bit prime

  • Group 2: 1024-bit prime

  • Group 5: 1536-bit prime

  • Group 14: 2048-bit prime

  • Group 15: 3072-bit prime

  • Group 16: 4096-bit prime

  • Group 17: 6144-bit prime

  • Group 18: 8192-bit prime

phase1-security

Authentication and encryption algorithms.

To specify authentication and encryption algorithms, use the following command:

Admin@nodename# create vpn server-security-profiles ... phase1-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>

Available values:

  • auth-alg: select an authentication algorithm.

    • MD5

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • encrypt-alg: select an encryption algorithm.

    • DES

    • 3DES

    • AES128

    • AES192

    • AES256

phase2-key-lifetime

Key lifetime: the period after which the nodes must rotate the encryption key. The phase 2 lifetime is shorter than the phase 1 lifetime, which means more frequent key rotation.

key-lifesize-enabled

Enables a limit on the maximum amount of data encrypted with a single key (the limit itself is set with key-lifesize).

key-lifesize

Maximum key lifesize (in kilobytes). If both phase2-key-lifetime and key-lifesize are set, whichever counter reaches its limit first triggers re-creation of the session keys. To disable the restriction, specify off.

nat-keepalive

NAT keepalive packet sending period in seconds (0 or a value greater than 4). Used when IPsec traffic passes through a NAT device. NAT table entries are kept for a limited time; if no VPN traffic crosses the tunnel during that time, the NAT host deletes the entry and further VPN traffic cannot pass. A VPN server located behind a NAT gateway uses the NAT keepalive function to periodically send keepalive packets to the peer node in order to keep the NAT session alive.

phase2-security

Authentication and encryption algorithms.

To specify authentication and encryption algorithms, use the following command:

Admin@nodename# create vpn server-security-profiles ... phase2-security new auth-alg <auth-alg-name> encrypt-alg <encrypt-alg-name>

Available values:

  • auth-alg: select an authentication algorithm.

    • MD5

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • encrypt-alg: select an encryption algorithm.

    • DES

    • 3DES

    • AES128

    • AES192

    • AES256
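As an added example (not part of the UserGate documentation or its tooling), the following Python check reviews a profile's parameters, as named on this page, against common hardening expectations: the legacy algorithms and short DH primes in the lists above, the aggressive-mode trade-off, the documented dpd-interval and nat-keepalive ranges, and the phase2/phase1 lifetime and key-lifesize relationship. The dictionary keys mirror the CLI parameter names; the thresholds and the sample profile are this example's own assumptions.

```python
# Added example, not UserGate's own tooling: a hardening check over the
# parameters of a VPN server security profile as documented on this page.
# Parameter names follow the page; the thresholds below are assumptions.

WEAK_ENCRYPT = {"DES", "3DES"}
WEAK_AUTH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit primes


def check_profile(p: dict) -> list[str]:
    """Return a list of findings for a profile given as a dict of parameters."""
    findings = []
    if p.get("ike-version") != "IKEv2":
        findings.append("ike-version: prefer IKEv2 over IKEv1")
    if p.get("ike-mode") == "aggressive":
        findings.append("ike-mode: aggressive mode authenticates before the "
                        "channel is encrypted; use main mode")
    for phase in ("phase1-security", "phase2-security"):
        for alg in p.get(phase, []):
            if alg["auth-alg"] in WEAK_AUTH:
                findings.append(f"{phase}: weak auth-alg {alg['auth-alg']}")
            if alg["encrypt-alg"] in WEAK_ENCRYPT:
                findings.append(f"{phase}: weak encrypt-alg {alg['encrypt-alg']}")
    weak = sorted(set(p.get("dh-groups", [])) & WEAK_DH_GROUPS)
    if weak:
        findings.append(f"dh-groups: groups {weak} use primes shorter than 2048 bits")
    if p.get("dpd-state", "off") == "off":
        findings.append("dpd-state: off, so a dead peer is never detected")
    elif p.get("dpd-interval", 60) < 10:
        findings.append("dpd-interval: below the documented 10-second minimum")
    keepalive = p.get("nat-keepalive", 0)
    if keepalive != 0 and keepalive <= 4:
        findings.append("nat-keepalive: must be 0 or a value greater than 4")
    if ("phase1-key-lifetime" in p and "phase2-key-lifetime" in p
            and p["phase2-key-lifetime"] >= p["phase1-key-lifetime"]):
        findings.append("phase2-key-lifetime: should be shorter than phase1-key-lifetime")
    if p.get("key-lifesize-enabled") and p.get("key-lifesize") in (None, "off"):
        findings.append("key-lifesize: limit enabled but no size set")
    return findings


# Constructed sample (not from the page): a legacy profile with several weak settings.
LEGACY_PROFILE = {
    "ike-version": "IKEv1", "ike-mode": "aggressive", "psk": "example-psk",
    "phase1-security": [{"auth-alg": "SHA1", "encrypt-alg": "3DES"}],
    "phase2-security": [{"auth-alg": "SHA256", "encrypt-alg": "AES256"}],
    "dh-groups": [2, 14], "dpd-state": "always", "dpd-interval": 5,
    "dpd-max-failures": 5, "nat-keepalive": 3,
    "phase1-key-lifetime": 86400, "phase2-key-lifetime": 3600,
    "key-lifesize-enabled": True, "key-lifesize": "off",
}
```

Calling `check_profile(LEGACY_PROFILE)` returns eight findings, one per weak setting in the sample; a profile using IKEv2, main mode, SHA256/AES256, group 14 or higher and in-range DPD and keepalive values returns an empty list.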