
UD

Site to Site VPN Setup


USER MANUAL DOC.: Site to Site VPN Setup Guide
PROCESS NAME: SimpliCloud Site to Site VPN Setup
SUB-FUNCTION: COE-VNC
FUNCTION: Operations
RESPONSIBLE: Head-COE

USER MANUAL DETAILS
Describes the User manual in detail

The purpose of this document is to help configure Site to Site VPN between the Virtual Firewall Appliance (VFA) and the Hardware Firewall Appliance at the customer site using the MyNetmagic provisioning portal. The steps in this document apply only to the VFA and the VPN options available with SimpliCloud offerings.

1. Login to the MyNetmagic Dashboard at https://mynetmagic.netmagicsolutions.com using the MyNetmagic portal login details provided to you along with the Welcome Mail.

2. On login, click on the Infrastructure page as shown below.

3. Click on Cloud on the Infrastructure page. You will get a snapshot of your current setup on Netmagic Cloud.

Site to Site VPN Setup COE-VNC / Operations

UD-028 revision-01 / issue-01, Date of issue: 15 JUL 2011

PRIVATE 1


4. To configure Site to Site VPN, right-click Virtual Firewall Appliance (VFA) and select Manage.

5. A pop-up window for Manage Firewall will appear as below. Select the Site to Site Peer tab and fill in the details as below.

Remote Firewall IP Address: Enter the IP address of the remote firewall on which the IPSec VPN is to be terminated.


Pre-shared Secret Key: Enter the pre-shared key that will be used when the IPSec tunnel is created. A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret, or key, is a string agreed upon beforehand by both parties and used as the key for authenticating the session. It is used to generate a hash so that each VPN endpoint can authenticate the other.
Note: The pre-shared secret, although an ordinary string, is not a password. It is used to generate a hashed key that forms a fingerprint proving the identity of each endpoint. Choose complex pre-shared secrets and avoid short ones, which can be more easily compromised by an attack.

Click on the (+) sign next to Group Name to configure the IKE (Internet Key Exchange) group.

6. Fill in the details as below:

Group Name: Name of the IKE group to be created.
Lifetime: Lifetime of the security association (SA) in seconds; the default is 28800 seconds. The SA is renegotiated when the defined Lifetime expires.
Proposal No: IKE proposals are sets of parameters for Phase-I IPSec negotiation. A group can contain multiple proposal numbers, and the number determines the order in which the parameter combinations are tried when establishing the Phase-I negotiation.
Note: Proposal No. can be from 1 to 65535.
Group (Diffie-Hellman Group): Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, such as the Internet. Diffie-Hellman key exchange uses a group of standardized, globally unique prime numbers and generators to provide secure asymmetric key exchange.
Note: Default group is 2.
Encryption: Select the encryption method to be used for Phase-I negotiation. Encryption ciphers are used to encrypt data so that it cannot be read or monitored in transit.
Note: Supported Encryption Ciphers: AES128 / AES256 / 3DES
HASH: Select the hashing algorithm for Phase-I negotiation. A hash function is a cryptographic algorithm used for message authentication. It takes a message of arbitrary length and produces an output of fixed length, called a message digest or fingerprint. Hash functions are used to verify that messages have not been tampered with.



Note: Supported Hash Functions: MD5 / SHA-1

Click on Submit. Then click on the (+) sign next to ESP Group to configure the ESP (Encapsulating Security Payload) group.

7. Fill in the details as below:

Group Name: Name of the ESP group to be created.
Lifetime: Lifetime of the security association (SA) in seconds; the default is 3600 seconds. The SA is renegotiated when the defined Lifetime expires.
PFS (Perfect Forward Secrecy): With Perfect Forward Secrecy (PFS), the private key is used to generate a temporary key (the session key) that is used for a short time and then discarded. Subsequent keys are independent of any previously created keys.
Note: Supported values are as follows:
  enable: Enables Perfect Forward Secrecy using the Diffie-Hellman group defined in the ike-group. (Selected by default)
  dh-group2: Enables Perfect Forward Secrecy using Diffie-Hellman group 2.
  dh-group5: Enables Perfect Forward Secrecy using Diffie-Hellman group 5.
  disable: Disables Perfect Forward Secrecy.
Proposal No: Proposals are sets of parameters for Phase-II IPSec negotiation. A group can contain multiple proposal numbers, and the number determines the order in which the parameter combinations are tried when establishing the Phase-II negotiation.
Note: Proposal No. can be from 1 to 65535.
Encryption: Select the encryption method to be used for Phase-II negotiation. Encryption ciphers are used to encrypt data so that it cannot be read or monitored in transit.



Note: Supported Encryption Ciphers: AES128 / AES256 / 3DES
HASH: Select the hashing algorithm for Phase-II negotiation. A hash function is a cryptographic algorithm used for message authentication. It takes a message of arbitrary length and produces an output of fixed length, called a message digest or fingerprint. Hash functions are used to verify that messages have not been tampered with.
Note: Supported Hash Functions: MD5 / SHA-1

Click on Submit. Now configure the Local and Remote Subnets for the tunnel.

8. Local Subnet: The LAN subnet used by the Virtual Machines behind the Virtual Firewall Appliance (VFA).
Remote Subnet: The LAN subnet used behind the Remote Location Firewall (customer end) to which the IPSec tunnel is established.
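The following Python example is added here and is not part of the original guide or of the MyNetmagic portal. It models the Site to Site Peer entries from steps 5 to 8 (remote firewall IP, pre-shared secret, IKE and ESP groups with their proposals, local and remote subnets) and runs the checks worth doing before clicking Submit: that ciphers, hashes, PFS values and proposal numbers are among those the guide lists, that proposals are tried in Proposal No order as the guide describes, that both subnets parse and do not overlap, and that the pre-shared secret is long and mixed enough to satisfy the guide's note about short secrets. The WEAK_CHOICES set (3DES, MD5, Diffie-Hellman group 2) and the 64-bit entropy threshold are assumptions drawn from current practice, not rules the portal enforces; all names, addresses and secrets in the sample entries are constructed.

```python
import ipaddress
import math
import string
from dataclasses import dataclass, replace

# Values the guide lists as accepted by the VFA form.
SUPPORTED_CIPHERS = ("aes128", "aes256", "3des")
SUPPORTED_HASHES = ("md5", "sha-1")
SUPPORTED_PFS = ("enable", "dh-group2", "dh-group5", "disable")
# Assumption, not a portal rule: choices current practice treats as weak.
WEAK_CHOICES = {"3des", "md5", "dh-group2"}

@dataclass
class Proposal:
    number: int       # Proposal No: 1..65535; lower numbers are tried first
    encryption: str   # AES128 / AES256 / 3DES
    hash_alg: str     # MD5 / SHA-1

@dataclass
class Group:          # one IKE group or one ESP group from the form
    name: str
    proposals: list
    lifetime: int     # SA lifetime in seconds (guide defaults: 28800 IKE, 3600 ESP)
    dh_group: int = 2       # IKE only; guide default is group 2
    pfs: str = "enable"     # ESP only; "enable" reuses the ike-group's DH group

@dataclass
class SiteToSitePeer:
    remote_firewall_ip: str
    pre_shared_secret: str
    ike: Group
    esp: Group
    local_subnet: str
    remote_subnet: str

def psk_entropy_bits(secret):
    """Rough entropy estimate: length times log2 of the character pool used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in secret))
    return len(secret) * math.log2(pool) if pool else 0.0

def negotiation_order(group):
    """Proposals in the order the guide says they are tried: by Proposal No."""
    return sorted(group.proposals, key=lambda p: p.number)

def _check_proposals(phase, proposals, errors, warnings):
    for p in proposals:
        cipher, hash_alg = p.encryption.lower(), p.hash_alg.lower()
        if not 1 <= p.number <= 65535:
            errors.append(f"{phase}: proposal no. {p.number} is outside 1..65535")
        if cipher not in SUPPORTED_CIPHERS:
            errors.append(f"{phase}: unsupported cipher {p.encryption!r}")
        if hash_alg not in SUPPORTED_HASHES:
            errors.append(f"{phase}: unsupported hash {p.hash_alg!r}")
        for choice in (cipher, hash_alg):
            if choice in WEAK_CHOICES:
                warnings.append(f"{phase} proposal {p.number} uses {choice}, a weak choice today")

def validate_peer(peer):
    """Return (errors, warnings); any error means the form should not be submitted."""
    errors, warnings = [], []
    try:
        ipaddress.ip_address(peer.remote_firewall_ip)
    except ValueError:
        errors.append(f"remote firewall IP {peer.remote_firewall_ip!r} is not an IP address")
    nets = []
    for label, cidr in (("local", peer.local_subnet), ("remote", peer.remote_subnet)):
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))   # strict: no host bits set
        except ValueError:
            errors.append(f"{label} subnet {cidr!r} is not a network address")
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        errors.append("local and remote subnets overlap; tunnel traffic selection is ambiguous")
    _check_proposals("IKE", peer.ike.proposals, errors, warnings)
    _check_proposals("ESP", peer.esp.proposals, errors, warnings)
    if peer.esp.pfs not in SUPPORTED_PFS:
        errors.append(f"ESP: unsupported PFS value {peer.esp.pfs!r}")
    elif peer.esp.pfs == "disable":
        warnings.append("ESP: PFS disabled; a compromised IKE key then exposes past Phase-II sessions")
    # Phase-I always uses the ike-group's DH group; PFS may name a second one.
    for dh in sorted({f"dh-group{peer.ike.dh_group}", peer.esp.pfs} & WEAK_CHOICES):
        warnings.append(f"{dh} (1024-bit MODP) is in use; prefer dh-group5 where the peer supports it")
    bits = psk_entropy_bits(peer.pre_shared_secret)
    if bits < 64:   # assumed threshold for the guide's "avoid short secrets" note
        warnings.append(f"pre-shared secret has about {bits:.0f} bits of entropy; use a longer, mixed secret")
    return errors, warnings

# Constructed sample entries: documentation address ranges, made-up names and secret.
SAMPLE_PEER = SiteToSitePeer(
    remote_firewall_ip="203.0.113.10", pre_shared_secret="Wq7#vR2m!Lp9xZ4$Tn8bHs3@Kd6e",
    ike=Group("IKE-CUST", [Proposal(2, "3DES", "MD5"), Proposal(1, "AES256", "SHA-1")], 28800),
    esp=Group("ESP-CUST", [Proposal(1, "AES256", "SHA-1")], 3600, pfs="dh-group5"),
    local_subnet="10.10.0.0/24", remote_subnet="192.168.50.0/24",
)
# The same entry with two mistakes the checks catch: overlapping subnets and a short secret.
BAD_PEER = replace(SAMPLE_PEER, remote_subnet="10.10.0.128/25", pre_shared_secret="abc123")

if __name__ == "__main__":
    print(negotiation_order(SAMPLE_PEER.ike), validate_peer(SAMPLE_PEER), validate_peer(BAD_PEER), sep="\n")
```

Errors are conditions the form would either reject or that would leave the tunnel unable to select traffic (overlapping subnets), so they block Submit; warnings are choices the form accepts but that a reviewer should question. With the options this guide offers, the strongest combination is AES256 with SHA-1 in every proposal, Diffie-Hellman group 5 for both the IKE group and PFS, and a long randomly generated pre-shared secret; the sample entry deliberately keeps a 3DES/MD5 fallback proposal and the default group 2 so that the warnings show what the check reports.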

Click on Submit to finish the configuration.

LIST OF ADDITIONAL DOCUMENTS (if any)
List any additional documents that are referred to directly at the functional level; these could be Policies, Guidelines, Workflows, SOPs, Business rules, User manuals, training manuals etc.

NUMBERING   NAME OF DOCUMENT
1.

OWNERSHIP OF THE USER MANUAL DOCUMENT
List the designation of the owner of this document

1. Head Operations

DATES
Date of next review and the effective date of this document

1. Last review of this document: NA
2. Effective date of this document: 15 JUL 2011
3. Next review of this document, no later than: 15 JUL 2012

REVISION MATRIX
Populate the revision matrix for each revision of this document

Revision #, Issue #: revision-01, issue-01
Date of issue: 15 JUL 2011
Changes: New document
Issued by: Head COE-VNC
Reviewed by: Head COE
Approved by: Head Operations
