Internet Protocol Security (IPSec) is a suite of protocols that provide network-layer security to a Virtual Private Network (VPN). A VPN is a virtual network connection that provides a secure communication path between two peers in a public network. The peers can be two hosts, a remote host and a network gateway, or the gateways of two networks, such as the gateway of your guest network and a Cloudi-Fi Node.

IPSec provides the following types of protection:

  • Confidentiality: Ensures that data cannot be read by unauthorized parties.

  • Integrity: Verifies that data was not modified during transit.

  • Authentication: Verifies the identity of the peers.

IPSec provides a number of options for applying each type of protection. The peers in the IPSec VPN use a negotiation process called Internet Key Exchange (IKE) to agree on the security mechanisms they will use to protect their communications. There are two versions of IKE: Internet Key Exchange Version 1 (IKEv1) and Internet Key Exchange Version 2 (IKEv2). We recommend IKEv2: it negotiates faster than IKEv1 and addresses known IKEv1 weaknesses.

Supported IPSec VPN Parameters

Following are the supported IPSec VPN parameters for IKEv2 and IKEv1:

IKEv2 Supported Parameters

We support NAT-Traversal if the device initiating the IPSec VPN is behind another firewall or router performing NAT. Cloudi-Fi recommends disabling Perfect Forward Secrecy (PFS) for Phase 2. With PFS enabled, each Child (IPSec) SA derives a fresh shared secret through its own Diffie-Hellman exchange.

If you use SHA-384 or SHA-512 for Phase 1 data integrity, you must use Diffie-Hellman group 14. If you use 3DES encryption for Phase 1, you must use Diffie-Hellman group 2 and SHA-1 or SHA-256 for data integrity. If you want to use AES encryption for Phase 2, you must purchase a separate subscription.

Phase 1:

Encryption: AES-256/SHA1 - AES-256/SHA256 - 3DES/SHA1
Authentication: Pre-shared Key (IP or FQDN based)
Security Association (SA) lifetime: 24h
Diffie-Hellman Group: 2 / 5 / 14

Phase 2:

Encryption: NULL/MD5 - AES128/MD5
Security Association (SA) lifetime: 8h
Encapsulation mode: Tunnel Mode
NAT-Traversal: Enabled
Dead Peer Detection (DPD): Enabled
Perfect Forward Secrecy (PFS): Disabled
Maximum Transmission Unit (MTU): 1460 Bytes
Maximum Segment Size (MSS): 1360 Bytes
VPN Type: Route-Based VPN

IKEv1 Supported Parameters

If you use a pre-shared key (PSK) for authentication and a FQDN for the peer, you must use Aggressive mode. If you use a PSK for authentication and a static IP address for the peer, you must use Main mode.

IKE Mode: Main (with IP) / Aggressive (with FQDN)

Phase 1:

Encryption: AES-128/SHA1 - 3DES/SHA1
Authentication: Pre-shared Key (IP or FQDN based)
Security Association (SA) lifetime: 24h
Diffie-Hellman Group: 2

Phase 2:

Encryption: NULL/MD5 - AES128/MD5
Security Association (SA) lifetime: 8h
Encapsulation mode: Tunnel Mode
NAT-Traversal: Enabled
Dead Peer Detection (DPD): Enabled
Perfect Forward Secrecy (PFS): Disabled
Maximum Transmission Unit (MTU): 1460 Bytes
Maximum Segment Size (MSS): 1360 Bytes
VPN Type: Route-Based VPN
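As an added example (not part of this article and not Cloudi-Fi's own tooling), the constraints above can be encoded in a small pre-deployment check that flags a proposed peer configuration which breaks the IKEv2 hash/DH pairing rule, the 3DES rule, the IKEv1 Main/Aggressive rule, the Phase 2 cipher list or the PFS setting; the Proposal fields and the wording of the findings are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Supported values copied from the parameter lists above.
PHASE1_DH = {1: {2}, 2: {2, 5, 14}}
PHASE2_CIPHERS = {("NULL", "MD5"), ("AES128", "MD5")}


@dataclass
class Proposal:
    """One side's proposed settings (field names are this example's own)."""
    ike_version: int            # 1 or 2
    p1_encryption: str          # Phase 1 cipher, e.g. "AES-256" or "3DES"
    p1_integrity: str           # Phase 1 hash, e.g. "SHA1", "SHA256", "SHA512"
    dh_group: int               # Phase 1 Diffie-Hellman group
    peer_id_type: str           # "ip" or "fqdn": how the PSK peer is identified
    ike_mode: str = "main"      # IKEv1 only: "main" or "aggressive"
    p2_encryption: str = "NULL"
    p2_integrity: str = "MD5"
    pfs: bool = False


def check(p: Proposal) -> list[str]:
    """Return the rules the proposal breaks; an empty list means it fits."""
    findings: list[str] = []
    if p.dh_group not in PHASE1_DH[p.ike_version]:
        findings.append(f"IKEv{p.ike_version} supports DH groups "
                        f"{sorted(PHASE1_DH[p.ike_version])}, not {p.dh_group}")
    if p.ike_version == 2:
        # Phase 1 pairing rules stated for IKEv2.
        if p.p1_integrity in ("SHA384", "SHA512") and p.dh_group != 14:
            findings.append("SHA-384/SHA-512 for Phase 1 requires DH group 14")
        if p.p1_encryption == "3DES" and (
                p.dh_group != 2 or p.p1_integrity not in ("SHA1", "SHA256")):
            findings.append("3DES for Phase 1 requires DH group 2 with SHA-1 or SHA-256")
        if p.p2_encryption.startswith("AES"):
            findings.append("AES for Phase 2 requires a separate subscription")
    else:
        # IKEv1: the PSK identity type dictates Main vs. Aggressive mode.
        wanted = "aggressive" if p.peer_id_type == "fqdn" else "main"
        if p.ike_mode != wanted:
            findings.append(f"PSK with {p.peer_id_type.upper()} peer requires {wanted} mode")
    if (p.p2_encryption, p.p2_integrity) not in PHASE2_CIPHERS:
        findings.append(f"Phase 2 {p.p2_encryption}/{p.p2_integrity} is not supported")
    if p.pfs:
        findings.append("PFS must be disabled for Phase 2")
    return findings
```

Run check() on each side's intended settings before the tunnel is brought up; an empty list means the proposal matches the lists above.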
