Before you can create an IPsec Tunnel Entry you must have done the one of the following:
- A Sonus SBC Certificate and Trusted CA Certificate must be obtained and imported to the SBC when Certificate is selected Authentication Mode list box in the Authentication Parameters panel. Refer to Working with Certificates for information about configuring certificates on the SBC.
- An IPsec license is required to manage IPsec tunnels.
|Important Information for Previous SIP-TLS Users:|
- When upgrading to version 3.0 existing Sonus SBC Certificates will fail authentication due to key integrity verification errors when used to bring up the IPsec tunnel in the Certificate authentication mode.
- Before beginning to manage an IPsec tunnel for Certificate authentication, you must generate a new Certificate Signing Request (CSR), re-sign, and re-import a new Sonus SBC Certificate.
To create or modify an existing IPsec Tunnel:
- In the WebUI, click the Settings tab.
In the left navigation pane, go to Protocols > IPsec > Connection Tables.
Enabling/Disabling Tunnel entries
To enable all selected tunnel entries
- Click the Enable all selected tunnels ( ) icon on the IPsec Tunnel Table page. All tunnel entries selected are enabled.
To disable all selected tunnel entries
- Click the Disable all selected tunnels ( ) icon on the IPsec Tunnel Table page. All tunnel entries selected are disabled.
Restart Service for Tunnel entries
The Restart Service button on the IPsec Tunnel Table page enables you to restart the services in order for any changes to the system certificates to become effective. For more information about system certificates, see Managing IPsec Tunnels.
- Click on Restart Services on the IPsec Tunnel Table page. A confirmation window is displayed.
- Click OK.
Creating an IPsec Tunnel
To create an IPsec Tunnel
Click the Create IPsec Tunnel Entry ( ) icon on the IPsec Connection Table page.
Network Properties - Field Definitions
Specifies the operating mode for communication with the remote VPN peer for IKE negotiations and IPsec connections.
Initiator: Enables the branch office SBC gateway to initiate the IKE Security Association(SA) and IPsec tunnel negotiation request.
Responder: Enables the corporate SBC gateway to receive the request to establish an IKE/IPsec tunnel connection.
Specifies the how SBC communications with the remote VPN peer is initiated. The IKE and IPsec phase negotiations are initiated as either permanent or on-demand depending on the type of activation selected. This field is only visible when "Initiator" is selected in the Operating Mode list box.
Always: Initiates the IKE Security Association(SA) and IPsec phase negotiations permanently with the remote VPN peer.
Link Monitor Action: Initiates the IKE and IPsec phase negotiations with the remote VPN peer as on-demand upon request from the link monitor switch-over action.
Allow Any Local Address
Enabled: The local address is acquired during negotiation by automatic keying. Overrides any assigned local address.
Disabled: The value in the Local Address field is used.
Specifies the IP address or fully-qualified domain name of the local network interface. If Allow Any Local Address is enabled, then the SBC allows any outgoing address during negotiations.
Allow Any Remote Address
Enabled: The remote address is acquired during negotiation by automatic keying. Overrides any assigned remote address.
Disabled: The value in the Remote Address field is used.
This field is only visible when Responder is selected in the Operator Mode select list.
Specifies the IP address or fully-qualified domain name of the remote network interface. If Allow any remote address is enabled, the SBC allows any incoming address during negotiations.
Local Subnet Address
Specifies the IP address of the private subnet behind the local network interface. This can be expressed as network/netmask. Maximum of 10 subnets can be specified. Allow traffic on any address is represented as 0.0.0.0/0. Setting both the Local Subnet Address and the Remote Subnet Address to all traffic 0.0.0.0/0 is not a valid configuration for security concerns.
Remote Subnet Address
Specifies the IP address of the private subnet behind the remote network interface. This can be expressed as network/netmask. A maximum of 10 subnets can be specified. Allow traffic on any address is represented as 0.0.0.0/0. Setting both the Local Subnet Address and the Remote Subnet Address to all traffic 0.0.0.0/0 is not a valid configuration for security concerns.
Allow Policy Rules
Enabled: Speicifes that the local VPN gateway performs forwarding and firewalling using IP tables for traffic from Local Subnet Address and Remote Subnet Address fields.
Disabled: Specifies that IP tables policy rules are not created for traffic to and from the peer endpoint.
SA Expiry and Security Settings - Field Definitions
Specifies whether or not the SBC requests a renegotiation when the connection expires.
Enabled: Initiate SA Negotiation upon connection expiry. Applies to both IKE SA and IPsec SA.
Disabled: SA Negotiation is not initiated upon connection expiry.
Specifies the number of times the SBC will attempt to negotiate a connection. Applies to both IKE SA and IPsec SA.
If the number of number of retries value is exceeded, the SBC issues a Tunnel Link Lost alarm."
Specifies the duration, in seconds, of an IKE SA connection keying channel.
Specifies the duration, in seconds, of the IPsec SA connection, from successful negotiation to expiry.
Specifies the length of time, in seconds, before SA expiry that the rekeying should start. Applies to both IKE SA and IPsec SA.
Perfect Forward Secrecy
When enabled, a new ISAKMP SA is created for each IPsec SA negotiation and a Diffie-Hellman exchange is performed for each IPsec SA negotiation.
Specifies whether or not the SBC reauthenticates when a re-key is accomplished.
Enabled: IKE SA Rekeying also initiates Peer Authentication. IKE and IPsec SA's are uninstalled then recreated.
Disabled: IKE SA Rekeying performed without the Peer Authentication.
Authentication Parameters - Field Definitions
Use SAN Identifier
Specifies whether or not the Subject Alternative Name (SAN) Identifier is used for peer authentication. This field is only visible when Certificate is selected from the "Authentication Mode* select list.
Enabled: The SAN Identifier is sent to the remote gateway for an authentication match. The SAN identifier must be configured in the Local SAN Identifier attribute when this option is Enabled.
Disabled: By default, the Sonus SBC Certificate's Subject Distinguished Name(Subject DN) identifier is automatically extracted from the certificate and sent to the remote gateway for an authentication config match.
Specifies the SAN identifier to be sent to the remote gateway for a peer authentication config match. This field is only available if Enabled is selected in the Use SAN Identifier select list.
If the Peer Authentication Identifier on the remote gateway is configured to authenticate a SAN identifier from the peer's certificate, it will attempt to match its configured SAN identifier with the expected SAN identifier retrieved from the peer authentication config.
If Use SAN Identifier is enabled, the SAN identifier must be picked from a list of DNS names displayed under the local attributes for the Sonus SBC Certificate.
Specifies the authentication method required from the remote side.
Certificate: Specifies the use of public key signature when authenticating the peer VPN gateway. The SBC must contain a valid server certificate/private key, the Certificate Authority(CA) that signed the SBC server certificate, and the CA that signed the peer's Server Certificate.
Preshared Key: Specifies the key to be shared with the peer. This key must match the same key configured on the peer system.
Specifies an identifier for a peer.
When Preshared Key is selected from the Peer Authentication Mode list box, the identifier may be an IP address, fully qualified domain name, or any.
When Certificate is selected from the Peer Authentication Mode list box, the identifier may be the peer certificate's Subject Alternative Name (SAN) or Subject Distinguished Name (DN). If the SAN or DN are unknown a vaalue of any may be used allowing any peer with a trusted and non-revoked certificate.
Specifies how the peer is identified for IKE preshared key authentication.
The identifier selector can be an all host address(0.0.0.0), a specific IP address or a fully-qualified domain name of the remote LAN network interface. This option is available when "Allow any address" is set to "True" and the "Peer Authentication Mode" is set to "Preshared Key".'
A strong passphrase used for authentication.
IKE/IPsec Cipher Suites - Field Definitions
Specifies the Internet Key Exchange(IKE)and Encapsulating Security Payload (ESP) encryption algorithm.
Specifies Internet Key Exchange(IKE) Encapsulating Security Payload (ESP) and hash algorithm.
Specifies which Diffie-Hellman group to use for exchanging keys (IKE and ESP).