IPSec tunnel - matching settings with remote gateway

We need to connect to a remote site (a new temporary business partner) via IPSec. We already have 3 tunnels (with other partners) which were easy to configure, but that new remote VPN gateway might use different naming for some options, which is hard to translate to UTM9 (or it could just be a missing feature).

They sent us a list with their recommended settings for the tunnel, but it's difficult to match them with the available IPSec Policy options in the UTM9.

I suppose they use a Palo Alto VPN solution and some settings may just have a different naming.

Phase 1 parameters:

Setting                      Remote site                                   Local site (UTM9)
Peer IP:                     x.x.x.x                                       y.y.y.y
Peer authentication method:  preshared-key                                 preshared-key
IKE version:                 IKEv2                                         Not explicitly selectable (does the UTM9 have IKEv2?)
Exchange mode:               main                                          Not selectable - probably "main"
Encryption:                  aes-256-cbc                                   AES-256 (is the AES-256 in UTM9 the same as aes-256-cbc?)
Authentication:              sha512                                        SHA2-512
DH group:                    group20 (available: 1, 2, 5, 14, 19 or 20)    group14
Lifetime:                    8 hours                                       8 hours (28800 seconds)

Phase 2 parameters:

Setting                      Remote site                                   Local site (UTM9)
ESP or AH:                   ESP                                           Not explicitly selectable in UTM9
Encryption:                  aes-256-cbc                                   (see the list below)
Authentication:              sha512                                        SHA2 512
PFS DH group:                group20                                       group14 (MODP 2048)
Lifetime:                    1 hour                                        1 hour
Compression:                 off
Encryption domains:          10.159.0.0/16                                 172.28.92.128/25 (they want us to use that subnet)

Phase 2 encryption options available on UTM9:
AES 128 CTR (128 bit)
AES 192 CTR (192 bit)
AES 256 CTR (256 bit)
AES 128 GCM (96 bit)
AES 192 GCM (96 bit)
AES 256 GCM (96 bit)
AES 128 GCM (128 bit)
AES 192 GCM (128 bit)
AES 256 GCM (128 bit)
...does any of them match aes-256-cbc?

Our main subnet with workstations is actually 192.168.91.0/24. They say they already have that subnet occupied and want us to use the 172... subnet.

Do we have to create that subnet and move all affected workstations (currently just 2) into it (open the FW between our 192.168.91.0 subnet, etc.), or is there a method to do a 1:1 NAT between the IPSec tunnel and our existing 192... subnet?


Every hint is highly appreciated!

  • Hello Chris,

    You didn't say what hardware your UTM is running on.

    They should make some changes.

    • UTM won't do IKEv2.
    • AES 256 GCM is more secure than cbc.  I prefer AES 128 GCM (128 bit) since there are security flaws (don't remember the details) in AES 256.
    • Your subnet is 192.168.91.0/24, but they want you to fit that in a /25. If you can't easily do that and they can't give you a /24, you're stuck with using one or more SNATs depending on whether it's practical to connect to them using a single IP for all accesses.  If you can agree on a /24 or /25, you can use a 1-1 source NAT for traffic initiated by you.  I'm assuming they aren't going to initiate traffic to you, but you'd need another 1-1 destination NAT rule for that.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Assuming they give us some kind of 172.2.3.0/24 class (that could be mapped to our /24 class) and we would only need to connect to hosts on their side, I would create the tunnel like:

    Tunnel:
    - Create the tunnel in IPSec -> "New IPSec Connection" 
    - In that "Local Network" list create that Network 172.2.3.0/24
    - Automatic firewall rules: off

    NAT Mapping:
    - In Network Protection -> NAT -> Create rule "1:1 NAT" with...
    For traffic from: 192.168.91.0/24     (our real physical network)
    Using service: Any
    Going to: 10.159.0.0/16   (their real physical network)
    Action: 1:1 NAT mode: Map source ???
    Map to: 172.2.3.0/24
    Automatic firewall rules: off

    Firewall (since I didn't select automatic firewall rules):
    - In Firewall ... create a rule like:
    Sources: 192.168.91.0/24    (our physical network)
    Services: Any
    Destinations: 10.159.0.0/16   (their physical network)
    Automatic firewall rules: off

    ...or would I need 2 firewall entries, like one from 192.xxx to 172.xxx and then a second from 172.xxx to 10.159.0.0/16?


    Anything else?


    Thank you in advance for your help!
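The 1:1 NAT step above is, in the end, a fixed arithmetic mapping: keep the host bits, swap the network bits. The following Python is an added example (not code from the thread or from Sophos) that models that mapping and the two practical checks the thread raises: that a /24 cannot be mapped 1:1 onto the offered /25, and that a single firewall rule on the real (pre-NAT) addresses is all that traffic initiated from the local side needs. The 172.2.3.0/24 tunnel range is the hypothetical one the post assumes; 10.159.0.0/16 is the partner's network from the post; the filter-before-SNAT ordering is an assumption based on netfilter, on which the UTM firewall is built.

```python
import ipaddress

# Networks from the thread. 172.2.3.0/24 is the hypothetical /24 the post assumes
# the partner might hand out instead of the offered 172.28.92.128/25.
LOCAL_NET = ipaddress.ip_network("192.168.91.0/24")        # real workstation network
TUNNEL_NET = ipaddress.ip_network("172.2.3.0/24")          # "Local Network" seen inside the tunnel
PARTNER_OFFER = ipaddress.ip_network("172.28.92.128/25")   # what the partner actually offered
PARTNER_NET = ipaddress.ip_network("10.159.0.0/16")        # partner's encryption domain


def netmap(addr, from_net, to_net):
    """1:1 network NAT (like netfilter NETMAP): preserve the host part of addr,
    replace the network part. Only defined when both prefixes are the same length."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError(f"cannot map {from_net} 1:1 onto {to_net}: prefix lengths differ")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def map_source(addr):
    """'Map source' direction: traffic we initiate, 192.168.91.x -> 172.2.3.x."""
    return netmap(addr, LOCAL_NET, TUNNEL_NET)


def map_destination(addr):
    """Reverse direction (replies, or a partner-initiated 1:1 destination NAT):
    172.2.3.x -> 192.168.91.x."""
    return netmap(addr, TUNNEL_NET, LOCAL_NET)


def fits_one_to_one(from_net, to_net):
    """True when every address of from_net has its own address in to_net."""
    return from_net.prefixlen == to_net.prefixlen


def unmappable_count(from_net, to_net):
    """How many source addresses would be left without a 1:1 mapping if the
    target network is smaller (e.g. a /24 squeezed into a /25)."""
    return max(0, from_net.num_addresses - to_net.num_addresses)


def outbound(src, dst):
    """Trace a packet we initiate. Assumption (netfilter ordering): the firewall
    rule is evaluated on the real addresses, then source NAT is applied on the
    way into the tunnel. Returns (post-NAT src, dst) or None when the single
    rule 192.168.91.0/24 -> 10.159.0.0/16 does not match."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in LOCAL_NET or dst_ip not in PARTNER_NET:
        return None
    return (str(map_source(src_ip)), str(dst_ip))


if __name__ == "__main__":
    print("192.168.91.10 appears to the partner as", map_source("192.168.91.10"))
    print("/24 into offered /25 fits:", fits_one_to_one(LOCAL_NET, PARTNER_OFFER),
          "- addresses without a mapping:", unmappable_count(LOCAL_NET, PARTNER_OFFER))
    print("outbound trace:", outbound("192.168.91.5", "10.159.1.1"))
```

Because the mapping is a pure function of the host bits, the reply to a mapped packet is translated back without a second rule, which is the connection-tracking behaviour the moderator describes; a 1:1 destination NAT is only needed if the partner initiates connections towards 172.2.3.x addresses.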

  • If all traffic is originated on your side, then the connection tracker will pass the response traffic without another firewall rule.  I would just select Automatic rules in the NAT, though.

    Cheers - Bob 
