IPsec Parameters

This guide describes the IPsec parameters that must be defined for IPsec negotiation.

Cryptographic Parameters

VNS3’s IPSec subsystem is good at autodiscovery of IKE and ESP choices with a wide range of boxes. We nevertheless recommend being as specific as possible when entering tunnel parameters. Match the algorithm, hash and Diffie-Hellman (DH) group of your gateway settings by specifying them in the “Extra Configuration” text field.

We support the following:

  • algorithms 3DES, AES128, AES256, AES256_GCM (and AES256_CCM for Phase 2);
  • hashes SHA1, MD5, SHA2_256, or SHA2_512;
  • and DH groups 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 23.

Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box:

phase1=aes128-sha1
phase1=aes256-sha2_256
phase1=3des-md5-dh2
phase1=aes256-sha2_512-dh5
phase2=aes256-sha1
phase2=3des-sha1

PFS Group

An Extra params entry for the PFS group is technically required only when it must differ from the group used in Phase 1. If that is the case, then use:

pfsgroup=dh2
pfsgroup=dh14

IKE and ESP Lifetimes

phase1-lifetime=3600s (default setting on VNS3)
phase2-lifetime=28800s (default setting on VNS3)

Dead Peer Detection - Disabled by default. To enable DPD so that it attempts to re-connect during periods of no response, use the following:

dpdaction=restart (other options are “hold” meaning just wait, or “clear” meaning drop the security association)
dpddelay=30s
dpdtimeout=90s

Other, less frequently used options available are:

connection=bidirectional (default). Can also be “receive”, meaning to not initiate connections, only receive them.

connection-rekey=yes (default). Can also be “no” meaning no Phase1 or Phase2 re-key operations are done.

local-peer-id=<an address, a fully qualified domain name, or a simple text string with no special characters> - VNS3 defaults to the Local Private IP for this value; it is common to set local-peer-id=

mtu=<an integer> - MTU stands for “maximum transmission unit”. For policy-based VPNs this is usually not specifically set. For route-based VPNs, if the connection is NOT going over the Internet but via a VPC/VNET peering link or a Direct Connect that supports “Jumbo Frames”, then “mtu” might be used to increase the size of the MTU (allowing higher throughput).

compat:some-text - This option should only be used at the instruction of Cohesive. It allows underlying parameters of the IPSec, BGP, Routing, Firewall, or SSL VPN subsystems to be passed straight into the environment with no parsing or validation. It is only used in a small fraction of interoperability situations.

Phase 1 Parameters

  • Allowed Algorithms: 3des, aes128, aes256, aes256_gcm, aes256_ccm (phase2 only)
  • aes256_gcm and aes256_ccm only work with IKEv2
  • Allowed Hashings: md5, sha1, sha2_256, sha2_512
  • Allowed DH Groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 23, 24
  • Phase 1 Combinations

[Image: VNS3 Config IPSec Params 1 - table of Phase 1 combinations]

Phase 2 Parameters

  • Allowed Algorithms: 3des, aes128, aes256, aes256_gcm, aes256_ccm (phase2 only)
  • Allowed Hashings: md5, sha1, sha2_256, sha2_512
  • Perfect Forward Secrecy (PFS) DH Groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 23, 24
  • Phase 2 Combinations:
    • 3des-sha1
    • 3des-md5
    • 3des-sha2_256
    • 3des-sha2_512
    • aes128-sha1
    • aes128-md5
    • aes128-sha2_256
    • aes128-sha2_512
    • aes256-sha1
    • aes256-md5
    • aes256-sha2_256
    • aes256-sha2_512
    • aes256_gcm (Phase 2 does NOT have a hash/integrity function setting such as sha1, sha2_256, etc.)
    • aes256_ccm (Phase2 only and there is no associated hash/integrity function such as sha1, sha2_256, etc.)
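The following is an added example, not Cohesive's code, that validates an “Extra Configuration” box against the key=value syntax shown above and the Phase 1 / Phase 2 allowed values listed in these two sections. It assumes that a Phase 2 DH group is only ever given via pfsgroup= (as the page's examples do) and that a hash token next to an AEAD cipher (aes256_gcm, aes256_ccm) is a configuration error.

```python
import re
ALGS = {"3des", "aes128", "aes256", "aes256_gcm", "aes256_ccm"}
AEAD = {"aes256_gcm", "aes256_ccm"}  # combined-mode: no separate hash, IKEv2 only
HASHES = {"md5", "sha1", "sha2_256", "sha2_512"}
DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 23, 24}
DURATIONS = {"phase1-lifetime", "phase2-lifetime", "dpddelay", "dpdtimeout"}
ENUMS = {"dpdaction": {"restart", "hold", "clear"}, "connection": {"bidirectional", "receive"},
         "connection-rekey": {"yes", "no"}}

def parse_dh(token):  # 'dh14' -> 14; rejects groups VNS3 does not list
    m = re.fullmatch(r"dh(\d+)", token)
    if not m or int(m.group(1)) not in DH_GROUPS:
        raise ValueError(f"unsupported DH group {token!r}")
    return int(m.group(1))

def parse_proposal(phase, value):  # 'alg-hash[-dhN]' or a bare AEAD cipher -> (alg, hash, dh)
    alg, *rest = value.lower().split("-")
    if alg not in ALGS or (alg == "aes256_ccm" and phase != "phase2"):
        raise ValueError(f"{phase}: algorithm {alg!r} not allowed here")
    hsh = None
    if alg in AEAD:  # AEAD carries its own integrity check; a hash token is a mistake
        if rest and rest[0] in HASHES:
            raise ValueError(f"{phase}: {alg} takes no hash, got {rest[0]!r}")
    elif rest and rest[0] in HASHES:
        hsh = rest.pop(0)
    else:
        raise ValueError(f"{phase}: {alg} needs one of {sorted(HASHES)}")
    # Assumption: only phase1 carries -dhN; a phase2 group is set with pfsgroup=.
    dh = parse_dh(rest.pop(0)) if rest and phase == "phase1" else None
    if rest:
        raise ValueError(f"{phase}: unexpected tokens {rest}")
    return alg, hsh, dh

def validate_extra_config(text):  # check every line of an Extra Configuration box
    out = {"phase1": [], "phase2": [], "compat": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = (p.strip() for p in line.partition("="))
        if line.startswith("compat:"):  # passed straight through unparsed, by design
            out["compat"].append(line[len("compat:"):])
        elif key in ("phase1", "phase2"):
            out[key].append(parse_proposal(key, value))
        elif key == "pfsgroup":
            out[key] = parse_dh(value)
        elif (key in DURATIONS and re.fullmatch(r"\d+s", value)) or (key == "mtu" and value.isdigit()):
            out[key] = int(value.rstrip("s"))
        elif (key in ENUMS and value in ENUMS[key]) or (key == "local-peer-id" and value):
            out[key] = value
        else:
            raise ValueError(f"invalid setting {line!r}")
    return out
```

Running a box's contents through validate_extra_config before saving it catches the mistakes this page warns about (a hash on an AEAD cipher, aes256_ccm in Phase 1, an unlisted DH group) while leaving compat: lines untouched.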