BRC - How to Configure IPSec Site to Site VPN

The Internet Protocol Security (IPSec) Site to Site VPN feature allows you to establish IPSec VPN tunnels from the Virtual Office in the Axcient Cloud to any standard compliant IKEv2 IPSec VPN gateway on your local network. Specially, you can use this feature during a site disaster to:

• Recreate the network in an organization with two or more sites linked together in a corporate network
• Temporarily replace a connection while a machine room is rebuilt after a disaster

Caution: IPSec Site-to-Site VPN is not recommended in a test environment.

To set up an IPSec Site-to-Site VPN connection, you must turn on the feature in your Virtual Office and also configure settings on your gateway.

Step 1: Configure IPSec Site to Site VPN Settings in the Virtual Office

Step 1 – With the Virtual Office running, navigate to the Virtual Office page and click the Configure Office button. The Configure: Virtual Office page displays.
Step 2 – On the Configure: Virtual Office page,  navigate to the Port Forwarding section and click the Edit button. Configure Port Forwarding settings as needed.
Step 3 – After Port Forwarding settings have been configured, navigate to the Site to Site IPSec VPN section and click the Edit button to configure settings. You can configure the following options:   Click the S2S IPSec option to enable Site to Site IPSec VPN settings. In the Site Public IP field, enter the  public IP address of the remote machine or hardware with IPSec software (for example, Cisco ASA). In the Site Local Subnets section, enter the remote subnets and associated netmasks for sharing with the Virtual Office subnets. Please note that these subnets do not need to intersect with the Virtual Office subnets. Click the Save button when you are finished. For more information on configuring gateway settings, please reference the section below.

Step 2: Configure Gateway Settings

You can connect with any standard compliant IKEv2 IPSec VPN gateway.

Example 1: Configure IPSec on Debian Using strongSwan

When you configure IPSec Site to Site VPN settings using strongSwan, we recommend using strongSwan version 5.2.1 or later. Please reference the official strongSwan documentation for more information and additional configuration options.

1. Install strongSwan on Debian 8+.

   $ sudo apt-get update
   $ sudo apt-get install strongswan

2. Alternatively, install strongSwan on Debian 7, ensuring /etc/apt/sources.list contains following lines:

   deb http://deb.debian.org/debian wheezy main
   deb http://deb.debian.org/debian wheezy-backports main
   

   Install strongSwan on Debian 7:

   $ sudo apt-get update
   $ sudo apt-get install libstrongswan=5.2.1-6+deb8u2~bpo70+1 strongswan-starter=5.2.1-6+deb8u2~bpo70+1 strongswan=5.2.1-6+deb8u2~bpo70+1

3. Insert the secret key into the /etc/ipsec.secrets file.

   : PSK <Secret Key>

4. Insert settings into the /etc/ipsec.conf file, where left IP refers to the local IP address where IPSec traffic is listened and right IP refers to the Virtual Office public IP.

   conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       keyexchange=ikev2
       authby=secret
       ike=aes256-sha1-modp1536,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha384-modp2048!
       esp=aes256-sha1-modp1536
       mobike=no
       left=<left IP>
       leftsubnet=172.20.17.0/24,172.20.19.0/24
       leftid=@office
       leftfirewall=yes
       auto=start
       type=tunnel
   
   conn 9192aff1-a4ee-4d92-a03a-f63757be083c
       right=<right IP>
       rightsubnet=172.18.7.0/24
   
   conn 131c97ba-745b-4e3b-8347-2ef4aea245dd
       right=<right IP>
       rightsubnet=172.18.8.0/24

5. Enable IP forwarding.

   $ sysctl net.ipv4.ip_forward=1

6. Apply IPSec settings.

   $ ipsec restart

7. Test your configuration settings by trying to access the Virtual Office subnets.

Example 2: Configure IPSec on Cisco ASA

When you configure IPSec Site to Site VPN settings using Cisco ASA, please reference Cisco configuration examples 1 and configuration example 2 for additional information and instructions.

In this example, please note the following:

• 10.16.16.0/24 refers to the the network behind Cisco ASA
• 172.20.32.0/24 refers to the remote network (e.g. inside of Virtual Office)
• 162.22.33.44 refers to the public IP of remote gateway (the Virtual Office gateway)
• port1 refers to the outside port of Cisco ASA

Configuring through Cisco Adaptive Security Device Manager (ASDM)

Step 1 – On the Cisco ASDM, configure the encryption algorithms:   Click the Configuration tab, and then click the Site-to-Site VPN navigation button. In the Site-to-Site VPN menu bar, click to expand the Advanced node and then click the IKE Policies item. In the IKEv2 Policies section, configure policies as needed.
Step 2 – Set the IPSec proposal settings:   In the Site-to-Site VPN menu bar, click to expand the Advanced node and then click the IPsec Proposals item. In the IKE v2 IPsec Proposals section, configure proposals as needed.
Step 3 – Launch the Site-to-Site VPN Wizard wizard.   In the top navigation menu, click the Wizards menu item, point to VPN Wizards, and then click Site-to-Site VPN Wizard. In the Site-to-Site VPN Wizard, Click the Next button to start.
Step 4 – On the Configure: Virtual Office page,  scroll to view the Site to Site IPSec VPN section. Record information in the Virtual Office Public IP field and enter this information in Step 2 of the Site-to-Site VPN Connection Setup Wizard.
Step 5 – Record information in the Virtual Office Subnet field and the Subnet IP field and enter this information in Step 3 of the Site-to-Site VPN Connection Setup Wizard.
Step 6 –  Record information in the Secret Key field and enter this information in Step 4 of the Site-to-Site VPN Connection Setup Wizard.When you are finished, skip Step 5 and click the Finish button. You can now use the Site to Site IPSec VPN feature.

Configuring through Cisco Console

object network local
 subnet 10.16.16.0 255.255.255.0
object network virtual_office
 subnet 172.20.32.0 255.255.255.0

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-256
 integrity sha384
 group 5 2
 prf md5
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 5 2
 prf md5
 lifetime seconds 86400

crypto ikev2 enable port1

crypto ipsec ikev2 ipsec-proposal aes256-sha256
 protocol esp encryption aes-256
 protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal aes256-sha384
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-1


crypto map port1_map 1 match address port1_cryptomap
crypto map port1_map 1 set peer 162.22.33.44
crypto map port1_map 1 set ikev2 ipsec-proposal aes256-sha256 aes256-sha384
crypto map port1_map interface port1

access-list port1_cryptomap extended permit ip 10.16.16.0 255.255.255.0 172.20.32.0 255.255.255.0



group-policy GroupPolicy_162.22.33.44 internal
group-policy GroupPolicy_162.22.33.44 attributes
 vpn-tunnel-protocol ikev2


tunnel-group 162.22.33.44 type ipsec-l2l
tunnel-group 162.22.33.44 general-attributes
 default-group-policy GroupPolicy_162.22.33.44
tunnel-group 162.22.33.44 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <Secret key>
 ikev2 local-authentication pre-shared-key <Secret key>