IPsec

IPsec (Internet Protocol Security) is a widely used set of protocols that protects data as it travels across IP networks. It encrypts and authenticates network traffic so that information stays confidential and unaltered while moving between devices. IPsec is commonly used to build secure connections for virtual private networks (VPNs), providing safe remote access to sensitive information over the internet or other untrusted networks.


To establish secure communication, IPsec uses a two-phase process to set up a connection between devices:

Phase 1: Establishing the Secure Channel

In this phase, the two devices authenticate each other and negotiate how they will protect their communication. This creates a secure, encrypted channel called the IKE Security Association (IKE SA). All subsequent key negotiations and exchanges take place inside this protected channel.

Phase 2: Negotiating Security for Data Transfer

Once the secure channel is in place, the devices agree on the specific methods used to protect the actual data traffic. This includes finalizing the encryption and authentication settings, and results in one or more IPsec Security Associations (IPsec SAs). These SAs are then used to transfer data securely between the devices.


IPsec supports two main modes of operation: transport mode and tunnel mode. The mode determines how much of each packet is protected as it travels across the network.

In transport mode, only the data part (payload) of each packet is encrypted and protected. The original IP header (the address information for the sender and receiver) remains unchanged and visible. Transport mode is typically used to secure end-to-end communication between two devices on the same trusted network.

In tunnel mode, the entire original IP packet (header and payload) is encrypted, and a new IP header is added to direct the packet to its destination. Tunnel mode is typically used to secure end-to-end communication between two devices over the internet.

IPsec tunnel configuration items

  • A name for the tunnel.

If the tunnel name is more than eight characters, the name will be truncated in the underlying network interface to the first six characters followed by three digits, incrementing from 000. This affects any custom scripts or firewall rules that may be trying to adjust the tunnel’s interface or routing table entries.

  • The mode: either tunnel or transport.

  • Enable the IPsec tunnel (enabled by default).

  • The firewall zone of the IPsec tunnel (IPsec by default).

  • The routing metric for routes associated with this IPsec tunnel.

  • The authentication type and pre-shared key or other applicable keys and certificates.

  • The local endpoint type and ID values, and the remote endpoint host and ID values.
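The truncation rule for long tunnel names matters to anything that references the tunnel's interface by name. The following Python helper is an added example, not code from the original documentation or the device firmware: it derives the expected interface name from a configured tunnel name using the rule described above and lists which tunnels are affected. It assumes the three-digit suffix counts separately for each six-character prefix, in configuration order; the page does not state the assignment order, so verify the actual suffix on the device before hard-coding it in a script or firewall rule.

```python
"""Derive the expected network interface name for configured IPsec tunnel names.

Added example (not from the original documentation). Rule modelled: a tunnel
name longer than eight characters is truncated in the interface name to its
first six characters plus a three-digit suffix starting at 000. The suffix is
assumed here to count per six-character prefix, in configuration order; the
page does not state the order, so verify the suffix on the device itself.
"""
from typing import Dict, List

MAX_PLAIN_LEN = 8   # names up to this length are used unchanged
PREFIX_LEN = 6      # longer names keep this many leading characters
SUFFIX_DIGITS = 3   # followed by a zero-padded counter starting at 000


def interface_names(tunnel_names: List[str]) -> Dict[str, str]:
    """Map each configured tunnel name to the interface name it should get."""
    names: Dict[str, str] = {}
    next_suffix: Dict[str, int] = {}   # per-prefix counter (assumption, see above)
    for name in tunnel_names:
        if len(name) <= MAX_PLAIN_LEN:
            names[name] = name
            continue
        prefix = name[:PREFIX_LEN]
        n = next_suffix.get(prefix, 0)
        next_suffix[prefix] = n + 1
        names[name] = f"{prefix}{n:0{SUFFIX_DIGITS}d}"
    return names


def renamed_tunnels(tunnel_names: List[str]) -> Dict[str, str]:
    """Only the tunnels whose interface name differs from the configured name.

    These are the ones whose firewall rules, routes or scripts must use the
    interface name rather than the tunnel name.
    """
    return {t: i for t, i in interface_names(tunnel_names).items() if t != i}


if __name__ == "__main__":
    # Constructed sample configuration: two short names, two long ones sharing a prefix.
    sample = ["site-a", "branch12", "branch-office-1", "branch-office-2"]
    for tunnel, iface in interface_names(sample).items():
        print(f"{tunnel:20s} -> {iface}")
```

Keeping tunnel names at eight characters or fewer avoids the issue entirely; where that is not possible, `renamed_tunnels()` gives the list of names that must be looked up rather than assumed.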

IKE configuration items

The Internet Key Exchange (IKE) is the protocol used to set up secure, authenticated communication over an IP network. The following configuration items must match the configuration of the remote IPsec host, or the negotiation will fail.

  • The IKE version, either IKEv1 or IKEv2.

  • Whether to initiate a key exchange or wait for an incoming request.

  • The IKE mode, either main or aggressive.

  • The IKE authentication protocol to use for the IPsec tunnel negotiation during phase 1 and phase 2.

  • The IKE encryption protocol to use for the IPsec tunnel negotiation during phase 1 and phase 2.

  • The IKE Diffie-Hellman group to use for the IPsec tunnel negotiation during phase 1 and phase 2.

  • Enable dead peer detection and configure the delay and timeout.

  • Destination networks that require source Network Address Translation (NAT).
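To show why the IKE items above (and the phase 1 / phase 2 split described earlier) have to agree with the remote peer, here is a small Python model of proposal selection. It is an added example, not code from the original page or from any vendor's IKE implementation: each peer is given an IKE version and ordered lists of phase 1 (IKE SA) and phase 2 (IPsec SA) proposals, the responder picks the first proposal in the initiator's list that it also accepts, and a missing match fails the corresponding phase with NO_PROPOSAL_CHOSEN. Which side's ordering decides the pick when several match is implementation-specific; the initiator's order is used here. All configurations are constructed samples.

```python
"""Model of the two-phase IKE negotiation: IKE SA (phase 1) then IPsec SA (phase 2).

Added example, not code from the original page or from any vendor's IKE
implementation. The responder selects the first proposal in the initiator's
list that it is also configured for; if none matches, the exchange fails with
a NO_PROPOSAL_CHOSEN notification. Initiator ordering decides the pick here
(an assumption; real implementations differ). Configurations are samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str            # e.g. "aes256"
    integrity: str             # e.g. "sha256" (authentication/integrity algorithm)
    dh_group: Optional[str]    # e.g. "modp2048"; None for a phase 2 SA without PFS


@dataclass
class PeerConfig:
    ike_version: int           # 1 or 2
    phase1: List[Proposal]     # IKE SA proposals, in order of preference
    phase2: List[Proposal]     # IPsec SA proposals, in order of preference


def select_proposal(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """First initiator proposal the responder also accepts, or None."""
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None


def negotiate(initiator: PeerConfig, responder: PeerConfig) -> Tuple[Optional[Proposal], Optional[Proposal], str]:
    """Return (ike_sa, ipsec_sa, status); status is 'ok' or names the failing step."""
    if initiator.ike_version != responder.ike_version:
        return None, None, f"IKE version mismatch ({initiator.ike_version} vs {responder.ike_version})"
    ike_sa = select_proposal(initiator.phase1, responder.phase1)
    if ike_sa is None:
        return None, None, "phase 1 failed: NO_PROPOSAL_CHOSEN (no common IKE SA proposal)"
    ipsec_sa = select_proposal(initiator.phase2, responder.phase2)
    if ipsec_sa is None:
        return ike_sa, None, "phase 2 failed: NO_PROPOSAL_CHOSEN (no common IPsec SA proposal)"
    return ike_sa, ipsec_sa, "ok"


# Constructed sample configurations.
STRONG = Proposal("aes256", "sha256", "modp2048")
LEGACY = Proposal("aes128", "sha1", "modp1024")

LOCAL = PeerConfig(2, phase1=[STRONG, LEGACY], phase2=[STRONG])
# Remote peer agrees on the IKE SA but expects aes128 for the IPsec SA: phase 2 fails.
REMOTE_MISMATCHED = PeerConfig(2, phase1=[STRONG], phase2=[Proposal("aes128", "sha256", "modp2048")])
REMOTE_FIXED = PeerConfig(2, phase1=[STRONG], phase2=[STRONG])

if __name__ == "__main__":
    for remote in (REMOTE_MISMATCHED, REMOTE_FIXED):
        print(negotiate(LOCAL, remote))
```

The mismatched case is the one that is easy to misdiagnose in practice: phase 1 completes, so the peers authenticate successfully, yet no traffic flows because the IPsec SA was never created. Checking the phase 2 proposal separately from phase 1 narrows the search quickly.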

Additional configuration items

The following additional settings are not normally required to get an IPsec tunnel working, but can be configured as needed:

  • Determine whether the device should use User Datagram Protocol (UDP) encapsulation even when it does not detect that NAT is being used.

  • If using IPsec failover, identify the primary tunnel during configuration of the backup tunnel.

  • The NAT keepalive time.

  • The protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH).

  • The management priority for the IPsec tunnel interface. The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access.

  • Enable XAUTH client authentication, including the username and password to be used to authenticate with the remote peer.

  • Enable Mode-configuration (MODECFG) to receive configuration information, such as the private IP address, from the remote peer.

  • Disable the padding of IKE packets. This should normally not be done except for compatibility purposes.

  • Destination networks that require source NAT.

  • Depending on your network and firewall configuration, you may need to add a packet filtering rule to allow incoming IPsec traffic.

Tunnel and key renegotiating

The following configuration items give advanced control over tunnel and key negotiation and renegotiation.

  • The lifetime of the IPsec tunnel before it is renegotiated.

  • The amount of time before the IKE phase 1 lifetime expires.

  • The amount of time before the IKE phase 2 lifetime expires.

  • The lifetime margin, a randomized amount of time before the end of the lifetime at which the IPsec tunnel is renegotiated.
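The lifetime and margin settings interact, and a bad combination is easy to configure. The Python model below is an added example, not code from the original documentation or the device firmware. It assumes a strongSwan-style scheme for this device: an SA with lifetime L and margin M is renegotiated at L - M - r, with r drawn uniformly from [0, M * fuzz]. The margin guarantees the replacement SA exists before the old one expires, and the random part keeps two peers with identical settings from both starting a rekey at the same instant. The validation rejects a margin that leaves no time for the rekey at all.

```python
"""Model of IPsec/IKE rekeying with a lifetime and a randomized margin.

Added example, not code from the original documentation or the device
firmware. Scheme modelled (an assumption about this device, following the
common strongSwan approach): an SA with lifetime L and margin M is
renegotiated at L - M - r, where r is uniform in [0, M * fuzz].
"""
import random
from typing import Callable, Tuple


def validate(lifetime: float, margin: float, fuzz: float = 1.0) -> None:
    """Reject settings that cannot work: the rekey must always start after time 0."""
    if lifetime <= 0 or margin <= 0 or fuzz < 0:
        raise ValueError("lifetime and margin must be positive, fuzz non-negative")
    if margin * (1.0 + fuzz) >= lifetime:
        raise ValueError("margin (including its random part) must be smaller than the lifetime")


def rekey_window(lifetime: float, margin: float, fuzz: float = 1.0) -> Tuple[float, float]:
    """Earliest and latest time (seconds after SA creation) at which a rekey can start."""
    validate(lifetime, margin, fuzz)
    return lifetime - margin * (1.0 + fuzz), lifetime - margin


def rekey_time(lifetime: float, margin: float, fuzz: float = 1.0,
               rnd: Callable[[], float] = random.random) -> float:
    """Pick the actual rekey start for one SA; rnd is injectable so tests are deterministic."""
    validate(lifetime, margin, fuzz)
    jitter = rnd() * margin * fuzz
    return lifetime - margin - jitter


def rekey_before_expiry(lifetime: float, margin: float, fuzz: float = 1.0, trials: int = 1000) -> bool:
    """Sanity check over many random draws: every rekey starts before the SA expires."""
    return all(0 < rekey_time(lifetime, margin, fuzz) < lifetime for _ in range(trials))


if __name__ == "__main__":
    # Constructed sample: one-hour IPsec SA lifetime with a nine-minute margin.
    print("rekey window:", rekey_window(3600, 540))
    print("one draw:", rekey_time(3600, 540))
    print("always before expiry:", rekey_before_expiry(3600, 540))
```

Under these assumptions a one-hour lifetime with a nine-minute margin starts the rekey somewhere between 42 and 51 minutes after the SA was created; a margin of an hour or more is rejected outright.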

Setting up for Wi-SUN

Make sure that under VPN > IPsec > Tunnels > <tunnel name> the traffic selectors are properly configured. Within the Policy section, the remote traffic selector must be set to the IPv6 network assigned by your remote IPsec service. This policy is what causes traffic for that network to be routed across the tunnel.

For traffic across the tunnel to reach the Wi-SUN network, the IPsec firewall zone should be set to internal. It can be left at the default "IPsec" zone, but then the firewall and routing rules that permit the traffic must be put in place manually.
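A quick way to confirm that the traffic selectors do what the paragraph above requires is to test the policy against concrete addresses. The Python checker below is an added example, not code from the original documentation or the device firmware. It models a policy as a local and a remote traffic selector, reports whether a given source/destination pair would be selected for the tunnel, and checks that the remote selector actually covers the IPv6 network assigned by the remote IPsec service (including the case where the selector has been left so wide that everything would be tunnelled). The addresses are constructed documentation-range samples.

```python
"""Check that an IPsec policy's traffic selectors cover the traffic you expect to tunnel.

Added example, not code from the original documentation or the device
firmware. A policy is modelled as a local and a remote traffic selector
(IP networks); addresses below are constructed documentation-range samples.
"""
import ipaddress
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_net(text: str) -> IPNetwork:
    """Parse a prefix such as '2001:db8:1::/48'; strict=False tolerates host bits set."""
    return ipaddress.ip_network(text, strict=False)


def policy_matches(local_ts: str, remote_ts: str, src: str, dst: str) -> bool:
    """True if an outbound packet from src to dst is selected by the policy."""
    return (ipaddress.ip_address(src) in parse_net(local_ts)
            and ipaddress.ip_address(dst) in parse_net(remote_ts))


def check_remote_selector(remote_ts: str, assigned_net: str) -> List[str]:
    """Findings about whether remote_ts covers the network assigned by the remote service."""
    findings: List[str] = []
    rts, assigned = parse_net(remote_ts), parse_net(assigned_net)
    if rts.version != assigned.version:
        findings.append(f"remote selector {rts} is IPv{rts.version}, "
                        f"assigned network {assigned} is IPv{assigned.version}")
        return findings
    if not assigned.subnet_of(rts):
        findings.append(f"remote selector {rts} does not cover assigned network {assigned}")
    if rts.prefixlen == 0:
        findings.append(f"remote selector {rts} matches every destination; "
                        "all traffic would be sent into the tunnel")
    return findings


if __name__ == "__main__":
    # Constructed sample: Wi-SUN side on the left, network assigned by the remote service on the right.
    LOCAL_TS, REMOTE_TS, ASSIGNED = "2001:db8:1::/48", "2001:db8:ffff::/48", "2001:db8:ffff:1::/64"
    print(policy_matches(LOCAL_TS, REMOTE_TS, "2001:db8:1::10", "2001:db8:ffff::1"))
    print(check_remote_selector(REMOTE_TS, ASSIGNED) or "remote selector OK")
```

An empty findings list means the assigned network lies inside the remote selector and the selector is not a catch-all; any finding points at the Policy section entry that needs correcting.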