IPsec Tunnel
  • 07 Dec 2022



      Article Summary

      This article describes the Perimeter 81 IPSec Site-2-Site tunnel feature.

      IPSec tunneling lets you build an encrypted site-to-site link between two networks in different locations. The tunnel is negotiated with IKE (the key-exchange protocol) and the traffic itself is carried in ESP. By creating an IPSec tunnel you connect a Perimeter 81 gateway to your on-premises network or to cloud services, so that users of the Perimeter 81 network can reach those resources remotely.

      To create a tunnel, navigate to the Networks screen, click the ellipsis ("...") next to the gateway, and select Add Tunnel -> IPSec Site-2-Site Tunnel.


      IPSec handshake

      The IPSec tunnel is negotiated in two phases. The negotiation is repeated (rekeyed) at an interval set by the tunnel's lifetime values; Phase I and Phase II have separate lifetimes.

      Phase I (also known as IKE or Gateway): this Security Association (the IKE SA) authenticates the two peers and protects the negotiation between the Perimeter 81 gateway's public IP and the remote public IP. It runs over UDP port 500, or UDP 4500 when NAT traversal is in use, so both ports (and ESP, IP protocol 50, when there is no NAT between the peers) must be allowed through any firewall in front of the remote gateway.

      Phase I Values
      To establish Phase I successfully, the following fields need to match on both Perimeter 81 and the remote side of the tunnel. The Shared Secret must be identical on both sides; the Public IP and Remote ID entered on Perimeter 81 must be what the remote gateway actually presents (and vice versa); the remaining values must be configured identically on both peers:
      • Shared Secret
      • Public IP
      • Remote ID
      • IKE Version
      • IKE Lifetime
      • Encryption (Phase I)
      • Integrity (Phase I)
      • Diffie-Hellman Groups (Phase I)

      Phase II (also known as ESP, Child SA or Tunnel): this Security Association is negotiated under the protection of the established IKE SA. It defines which internal LAN ranges or subnets (the traffic selectors) are carried in the tunnel and how that traffic is encrypted and authenticated.

      Phase II Values
      To establish Phase II successfully, the following fields need to match on both Perimeter 81 and the remote side of the tunnel:
      • Perimeter 81 Gateway Proposal Subnets
      • Remote Gateway Proposal Subnets
      • Tunnel Lifetime
      • Dead Peer Detection (DPD)
      • Encryption (Phase II)
      • Integrity (Phase II)
      • Diffie-Hellman Groups (Phase II)
      Phase II Diffie-Hellman groups are also known as Perfect Forward Secrecy (PFS) groups: when a PFS group is set, every Phase II rekey performs a fresh DH exchange, so the new tunnel keys are not derived from the IKE SA keys alone. Both sides must either use the same PFS group or both disable it.

      Policy-based vs. Route-based IPSec

      Policy-based connection:

      • This kind of connection is easier to set up, but it is more sensitive to mismatched tunnel values: the proposed subnets (traffic selectors) on each side must list exactly the same networks.
      • Depending on your router's vendor, a single subnet that is missing from the policy-based Phase II proposal may cause the entire Phase II negotiation to fail, or that subnet may be silently left out of the tunnel.


      Route-based (also known as a Tunnel Interface or VTI) connection:

      • It is a more modern and robust method of IPSec tunneling.
      • Once established, it negotiates a single any/any traffic selector (0.0.0.0/0) on both sides, so there is less room for mismatch on renegotiation. Which traffic enters the tunnel is decided by routes, not by the selectors.
      • Because of that, you must add routes for the subnets on the remote side of the tunnel:
        1. To add a route, click the "..." button at the top right corner of the network, then select Routes Table.
        2. Click Add Route.
        3. Enter all of the subnets on the remote side of the tunnel, then click "Add Route".
        4. When you are done, click Apply Configuration.
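      The following is an added example and not Perimeter 81's own code or configuration: it shows what the remote side of the tunnel could look like on a Linux router running strongSwan, with the Phase I and Phase II fields from the lists above mapped onto a swanctl.conf, rendered either as a policy-based tunnel (explicit subnets in the selectors) or as a route-based tunnel (any/any selectors bound to a VTI device, with the routes added separately). All addresses, IDs, subnets, proposals, lifetimes, the VTI mark and the shared secret are placeholders that must be replaced with the values from the Perimeter 81 tunnel form.

```shell
#!/bin/sh
# Added example (not Perimeter 81's own code): remote-side strongSwan swanctl.conf for an
# IPSec tunnel to a Perimeter 81 gateway, rendered in "policy" or "route" (VTI) mode.
# Every address, ID, subnet, proposal, lifetime and the secret is a placeholder.
set -eu

LOCAL_PUBLIC_IP="${LOCAL_PUBLIC_IP:-203.0.113.10}"   # this router; the "Remote ID" Perimeter 81 sees
P81_PUBLIC_IP="${P81_PUBLIC_IP:-198.51.100.20}"      # the gateway's "Public IP" and our remote ID
SHARED_SECRET="${SHARED_SECRET:-replace-me}"         # the "Shared Secret"
LOCAL_SUBNETS="10.20.0.0/16,10.30.0.0/16"            # "Remote Gateway Proposed Subnets" on the P81 form
P81_SUBNETS="10.255.0.0/16"                          # "Perimeter 81 Gateway Proposed Subnets"
VTI_MARK=42                                          # XFRM mark that binds the child SA to the VTI device

# Print a swanctl.conf for mode "policy" or "route". Phase I fields map onto the
# connection block, Phase II fields onto the child SA.
render_swanctl_conf() {
    mode="$1"
    if [ "$mode" = route ]; then
        # Route-based: any/any selectors; the routing table decides what enters the tunnel.
        ts_local="0.0.0.0/0"
        ts_remote="0.0.0.0/0"
        marks=$(printf 'mark_in  = %s\n        mark_out = %s' "$VTI_MARK" "$VTI_MARK")
    else
        # Policy-based: selectors must list every subnet exactly as the peer does; a subnet
        # missing on one side fails Phase II (or, on some vendors, silently drops that subnet).
        ts_local="$LOCAL_SUBNETS"
        ts_remote="$P81_SUBNETS"
        marks="# policy-based: no marks, no VTI device"
    fi
    cat <<EOF
connections {
  p81-$mode {
    # IKE Version
    version = 2
    local_addrs  = $LOCAL_PUBLIC_IP
    remote_addrs = $P81_PUBLIC_IP
    local {
      auth = psk
      id   = $LOCAL_PUBLIC_IP
    }
    remote {
      auth = psk
      id   = $P81_PUBLIC_IP
    }
    # Phase I Encryption-Integrity-DH group, IKE Lifetime, Dead Peer Detection interval
    proposals  = aes256-sha256-modp2048
    rekey_time = 8h
    dpd_delay  = 30s
    children {
      net {
        local_ts  = $ts_local
        remote_ts = $ts_remote
        # Phase II Encryption-Integrity-PFS group and Tunnel Lifetime
        esp_proposals = aes256-sha256-modp2048
        rekey_time    = 1h
        $marks
        start_action = start
        dpd_action   = restart
      }
    }
  }
}
secrets {
  ike-p81 {
    id-1   = $LOCAL_PUBLIC_IP
    id-2   = $P81_PUBLIC_IP
    secret = "$SHARED_SECRET"
  }
}
EOF
}

# Bring up the route-based variant on a Linux router (run as root: ./p81-tunnel.sh apply).
# Requires charon.install_routes = no in strongswan.conf, otherwise strongSwan installs its
# own route for the 0.0.0.0/0 selector and swallows all of the host's traffic.
apply_route_based() {
    render_swanctl_conf route > /etc/swanctl/conf.d/p81.conf
    ip link add vti0 type vti local "$LOCAL_PUBLIC_IP" remote "$P81_PUBLIC_IP" key "$VTI_MARK"
    sysctl -w net.ipv4.conf.vti0.disable_policy=1 >/dev/null
    ip link set vti0 up
    # The article's "Routes Table" step, mirrored on this side: one route per subnet
    # behind Perimeter 81, pointing into the tunnel interface.
    for net in $(printf '%s' "$P81_SUBNETS" | tr ',' ' '); do
        ip route add "$net" dev vti0
    done
    swanctl --load-all
}

if [ "${1:-}" = apply ]; then
    apply_route_based
else
    render_swanctl_conf "${1:-route}"
fi
```

      Run the script with no arguments to print the route-based configuration, with `policy` to print the policy-based one, and with `apply` (as root) to install the route-based tunnel. The mark values and the `key` on the VTI device must be the same number, and the proposals and lifetimes here are only an illustration of where each form field lands; use whatever the Perimeter 81 form shows for the tunnel you created.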

      Single tunnel

      A single tunnel is the minimum configuration for reaching internal resources over IPsec. A network can include one or more gateways; when there are multiple gateways, all tunnel traffic is routed through the one gateway the tunnel is attached to.

      Creating a single tunnel



      • Name: The name of the tunnel you want to create.
      • Shared Secret: A pre-shared key used by both parties of the tunnel. Use a long random value and share it out of band.
      • Public IP: The public IP address of the other end of the tunnel.
      • Remote ID: In most cases the remote tunnel's ID is its public IP, but some gateways (for example, one behind NAT) present a different identifier. Whatever it is, the same value must be configured on both ends.
      • Perimeter 81 Gateway Proposed Subnets: The IPSec traffic selector for the Perimeter 81 side; it must be configured to the same value at both ends of the tunnel.
      • Remote Gateway Proposed Subnets: The traffic selector for the remote side; it must be configured to the same value at both ends of the tunnel. If you leave the subnets unspecified (any/any), you need to add them manually in the Perimeter 81 Routes Table.



      The fields for the advanced settings depend on the network configuration, such as the type of VPC (Virtual Private Cloud) or firewall.


      Redundant tunnels

      The Redundant Tunnels feature is designed to improve availability for customers that use IPSec tunnels from Perimeter 81 gateways to their cloud or on-premises resources.

      The feature creates two IPSec tunnels, from two different Perimeter 81 gateways to two different customer gateways. It uses BGP for dynamic routing and supports an Active-Active architecture, giving both redundancy and better performance by routing users through the tunnel closest to their location.



      Best practice
      For better redundancy, deploy the two gateways in different Perimeter 81 regions, taking your users' locations into account when choosing them.

      Creating a redundant tunnel

      Tunnel 1


      • Tunnel Name: The name of the tunnel you wish to create.
      • Gateway: The Perimeter 81 gateway you wish to attach this tunnel to.
      • Shared Secret: A pre-shared key used by both parties of the tunnel.
      • Perimeter 81 Gateway Internal IP: An IP address on the Perimeter 81 gateway for the inside of the tunnel (the BGP peering link). It must be in the same subnet as the next field, Remote Gateway Internal IP.
      • Remote Gateway Internal IP: The internal (tunnel-side) IP address of the other end of the tunnel.
      • Remote Public IP: The public IP address of the other end of the tunnel.
      • Remote ID: In most cases the remote tunnel's ID is its public IP. Whatever it is, the same value must be configured on both ends.
      • Remote Gateway ASN: The BGP autonomous system number used by the other end of the tunnel.

      Repeat the above configuration for the second tunnel (Tunnel 2).

      Shared Settings

      • Perimeter 81 Gateway Proposed Subnets: The IPSec traffic selector for the Perimeter 81 side; it must be configured to the same value at both ends of the tunnel.
      • Remote Gateway Proposed Subnets: The traffic selector for the remote side; it must be configured to the same value at both ends of the tunnel. If you leave the subnets unspecified (any/any), you need to add them manually in the Perimeter 81 Routes Table.
      • ASN number: The BGP autonomous system number used by the Perimeter 81 side. Choose a value that matches what your vendor's gateway is configured to peer with. This can only be set during the initial creation of the Redundant Tunnels.

      Tunnel proposal subnets should be any/any (0.0.0.0/0) to allow dynamic routing with BGP.

      The subnets and subnet masks in the Perimeter 81 routing table must match the subnets and subnet masks that are advertised by the remote site.
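      The following is an added example and not Perimeter 81's own code or configuration: it shows the customer-side BGP configuration for the redundant tunnels using FRR on a Linux router, with one eBGP session per tunnel over the internal IPs from the form, the same local prefix advertised on both sessions, and prefix filters in both directions. It assumes both route-based tunnels (any/any selectors) terminate on this one router as the vti1 and vti2 devices; in the layout described above, with two separate customer gateways, each router would carry only its own neighbor stanza. All ASNs, IPs and prefixes are placeholders.

```shell
#!/bin/sh
# Added example (not Perimeter 81's own code): customer-side BGP configuration with FRR for
# the Redundant Tunnels feature. Assumes both route-based tunnels land on this router as
# vti1 and vti2. All IPs, ASNs and prefixes are placeholders.
set -eu

LOCAL_ASN=65010            # entered as "Remote Gateway ASN" on both tunnels
P81_ASN=64512              # the "ASN number" chosen under Shared Settings
ROUTER_ID=203.0.113.10
LOCAL_NET=10.20.0.0/16     # advertised to Perimeter 81; prefix and mask must match its routing table
P81_NET=10.255.0.0/16      # learned from Perimeter 81
# Tunnel 1: "Perimeter 81 Gateway Internal IP" and "Remote Gateway Internal IP" share a /30
P81_INT_1=169.254.10.1;  LOCAL_INT_1=169.254.10.2/30
# Tunnel 2: second Perimeter 81 gateway, ideally in another region
P81_INT_2=169.254.20.1;  LOCAL_INT_2=169.254.20.2/30

# Print the FRR (bgpd) configuration: one eBGP session per tunnel, the same local
# prefix advertised on both, and ECMP across the two sessions for Active-Active.
render_frr_conf() {
    cat <<EOF
router bgp $LOCAL_ASN
 bgp router-id $ROUTER_ID
 neighbor $P81_INT_1 remote-as $P81_ASN
 neighbor $P81_INT_1 description perimeter81-tunnel-1
 neighbor $P81_INT_2 remote-as $P81_ASN
 neighbor $P81_INT_2 description perimeter81-tunnel-2
 !
 address-family ipv4 unicast
  network $LOCAL_NET
  neighbor $P81_INT_1 prefix-list P81-OUT out
  neighbor $P81_INT_1 prefix-list P81-IN in
  neighbor $P81_INT_2 prefix-list P81-OUT out
  neighbor $P81_INT_2 prefix-list P81-IN in
  maximum-paths 2
 exit-address-family
!
! Advertise only our own prefix and accept only Perimeter 81's: a misconfigured
! peer then cannot inject a default route or somebody else's subnets.
ip prefix-list P81-OUT seq 10 permit $LOCAL_NET
ip prefix-list P81-IN seq 10 permit $P81_NET le 24
!
EOF
}

# Address the inside of each tunnel and load the BGP config (run as root: ./p81-bgp.sh apply).
# The vti devices are created by the IPSec setup; "network" only advertises the prefix
# once a matching route exists in the kernel table, so the LAN must be up first.
apply_bgp() {
    ip addr add "$LOCAL_INT_1" dev vti1
    ip addr add "$LOCAL_INT_2" dev vti2
    tmp=$(mktemp)
    render_frr_conf > "$tmp"
    vtysh -f "$tmp"
    vtysh -c 'write memory'
    rm -f "$tmp"
    # Both sessions should reach Established and show one prefix received from each peer.
    vtysh -c 'show bgp ipv4 unicast summary'
}

if [ "${1:-}" = apply ]; then
    apply_bgp
else
    render_frr_conf
fi
```

      Run with no arguments to print the configuration, or with `apply` (as root, with FRR's bgpd enabled) to address the tunnel interfaces and load it. The outbound prefix list is what keeps the "subnets and subnet masks must match" rule honest: only the exact prefix in LOCAL_NET is advertised, so what the Perimeter 81 routing table sees is exactly what is configured here.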

      Advanced Settings


      The fields for the advanced settings depend on the network configuration, such as the type of VPC (Virtual Private Cloud) or firewall.



      Connecting a redundant tunnel to public cloud providers:

