Not applicable to SBC SWe Edge.
To create or modify an existing IPsec Tunnel:
Enabling/Disabling Tunnel entries
To enable all selected tunnel entries
- Click the Enable all selected tunnels ( ) icon on the IPsec Tunnel Table page. All tunnel entries selected are enabled.
To disable all selected tunnel entries
- Click the Disable all selected tunnels () icon on the IPsec Tunnel Table page. All tunnel entries selected are disabled.
Restart Service for Tunnel entries
The Restart Service button on the IPsec Tunnel Table page enables you to restart the services in order for any changes to the system certificates to become effective. For more information about system certificates, refer to Managing IPsec Tunnels.
- Click on Restart Services on the IPsec Tunnel Table page. A confirmation window is displayed.
- Click OK.
Creating an IPsec Tunnel
To create an IPsec Tunnel
Click the Create IPsec Tunnel Entry ( ) icon on the IPsec Connection Table page.
Network Properties - Field Definitions
Operating Mode
Specifies the operating mode for communication with the remote VPN peer for IKE negotiations and IPsec connections.
Initiator: Enables the branch office SBC gateway to initiate the IKE Security Association (SA) and IPsec tunnel negotiation request.
Responder: Enables the corporate SBC gateway to receive the request to establish an IKE/IPsec tunnel connection.
Tunnel Activation
Specifies the how SBC communications with the remote VPN peer is initiated. The IKE and IPsec phase negotiations are initiated as either permanent or on-demand depending on the type of activation selected. This field is only visible when "Initiator" is selected in the Operating Mode list box.
Always: Initiates the IKE Security Association(SA) and IPsec phase negotiations permanently with the remote VPN peer.
Link Monitor Action: Initiates the IKE and IPsec phase negotiations with the remote VPN peer as on-demand upon request from the link monitor switch-over action.
Allow Any Local Address
Enabled: The local address is acquired during negotiation by automatic keying. Overrides any assigned local address.
Disabled: The value in the Local Address field is used.
Local Address
Specifies the IP address or fully-qualified domain name of the local network interface. If Allow Any Local Address is enabled, then the SBC allows any outgoing address during negotiations.
Allow Any Remote Address
Enabled: The remote address is acquired during negotiation by automatic keying. Overrides any assigned remote address.
Disabled: The value in the Remote Address field is used.
This field is only visible when Responder is selected in the Operator Mode select list.
Remote Address
Specifies the IP address or fully-qualified domain name of the remote network interface. If Allow any remote address is enabled, the SBC allows any incoming address during negotiations.
Local Subnet Address
Specifies the IP address of the private subnet behind the local network interface. This can be expressed as network/netmask. Maximum of 10 subnets can be specified. Allow traffic on any address is represented as 0.0.0.0/0. Setting both the Local Subnet Address and the Remote Subnet Address to all traffic 0.0.0.0/0 is not a valid configuration for security concerns.
Remote Subnet Address
Specifies the IP address of the private subnet behind the remote network interface. This can be expressed as network/netmask. A maximum of 10 subnets can be specified. Allow traffic on any address is represented as 0.0.0.0/0. Setting both the Local Subnet Address and the Remote Subnet Address to all traffic 0.0.0.0/0 is not a valid configuration for security concerns.
Allow Policy Rules
Enabled: Specifies that the local VPN gateway performs forwarding and firewalling using IP tables for traffic from Local Subnet Address and Remote Subnet Address fields.
Disabled: Specifies that IP tables policy rules are not created for traffic to and from the peer endpoint.
SA Expiry and Security Settings - Field Definitions
SA Expiry
Specifies whether or not the SBC requests a renegotiation when the connection expires.
Enabled: Initiate SA Negotiation upon connection expiry. Applies to both IKE SA and IPsec SA.
Disabled: SA Negotiation is not initiated upon connection expiry.
Keying Retries
Specifies the number of times the SBC will attempt to negotiate a connection. Applies to both IKE SA and IPsec SA.
If the number of number of retries value is exceeded, the SBC issues a Tunnel Link Lost alarm."
IKE Lifetime
Specifies the duration, in seconds, of an IKE SA connection keying channel.
IPsec Lifetime
Specifies the duration, in seconds, of the IPsec SA connection, from successful negotiation to expiry.
Margin Time
Specifies the length of time, in seconds, before SA expiry that the rekeying should start. Applies to both IKE SA and IPsec SA.
Perfect Forward Secrecy
When enabled, a new ISAKMP SA is created for each IPsec SA negotiation and a Diffie-Hellman exchange is performed for each IPsec SA negotiation.
Reauthentication
Specifies whether or not the SBC reauthenticates when a re-key is accomplished.
Enabled: IKE SA Rekeying also initiates Peer Authentication. IKE and IPsec SA's are uninstalled then recreated.
Disabled: IKE SA Rekeying performed without the Peer Authentication.
Authentication Parameters - Field Definitions
Use SAN Identifier
Specifies whether or not the Subject Alternative Name (SAN) Identifier is used for peer authentication. This field is only visible when Certificate is selected from the "Authentication Mode* select list.
Enabled: The SAN Identifier is sent to the remote gateway for an authentication match. The SAN identifier must be configured in the Local SAN Identifier attribute when this option is Enabled.
Disabled: By default, the Ribbon SBC Certificate's Subject Distinguished Name (Subject DN) identifier is automatically extracted from the certificate and sent to the remote gateway for an authentication config match.
SAN Identifier
Specifies the SAN identifier to be sent to the remote gateway for a peer authentication config match. This field is only available if Enabled is selected in the Use SAN Identifier select list.
If the Peer Authentication Identifier on the remote gateway is configured to authenticate a SAN identifier from the peer's certificate, it will attempt to match its configured SAN identifier with the expected SAN identifier retrieved from the peer authentication config.
If Use SAN Identifier is enabled, the SAN identifier must be picked from a list of DNS names displayed under the local attributes for the Ribbon SBC Certificate.
Authentication Mode
Specifies the authentication method required from the remote side.
Certificate: Specifies the use of public key signature when authenticating the peer VPN gateway. The SBC must contain a valid server certificate/private key, the Certificate Authority (CA) that signed the SBC server certificate, and the CA that signed the peer's Server Certificate.
Preshared Key: Specifies the key to be shared with the peer. This key must match the same key configured on the peer system.
Peer Identifier
Specifies an identifier for a peer.
When Preshared Key is selected from the Peer Authentication Mode list box, the identifier may be an IP address, fully qualified domain name, or any.
When Certificate is selected from the Peer Authentication Mode list box, the identifier may be the peer certificate's Subject Alternative Name (SAN) or Subject Distinguished Name (DN). If the SAN or DN are unknown a vaalue of any may be used allowing any peer with a trusted and non-revoked certificate.
Remote Identifier
Specifies how the peer is identified for IKE preshared key authentication.
The identifier selector can be an all host address(0.0.0.0), a specific IP address or a fully-qualified domain name of the remote LAN network interface. This option is available when "Allow any address" is set to "True" and the "Peer Authentication Mode" is set to "Preshared Key".'
Preshared Secret
A strong passphrase used for authentication.
IKE/IPsec Cipher Suites - Field Definitions
Encryption
Specifies the Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) encryption algorithm.
Integrity
Specifies the IKE ESP and hash algorithm.
DH Group
Specifies which Diffie-Hellman group to use for exchanging keys (IKE and ESP).