We need to connect to a remote site (a new temporary business partner) via IPsec. We already have 3 tunnels (with other partners), which were easy to configure, but the new remote VPN gateway might use different naming for some options, which is hard to translate to UTM9 (since it could also just be a missing feature).
They sent us a list with their recommended settings for the tunnel, but it's difficult to match them with the available IPsec Policy options in the UTM9.
I suppose they use a Palo Alto VPN solution, and some settings may just have different naming.
Phase 1 parameters:

| Parameter | Remote site | Local site (UTM9) |
|---|---|---|
| Peer IP | x.x.x.x | y.y.y.y |
| Peer authentication method | preshared-key | preshared-key |
| IKE version | IKEv2 | Not explicitly selectable (does the UTM9 have IKEv2?) |
| Exchange mode | main | Not selectable - probably "main" |
| Encryption | aes-256-cbc | AES-256 (is the AES-256 in UTM9 the same as aes-256-cbc?) |
| Authentication | sha512 | SHA2-512 |
| DH group | group20 (available: 1, 2, 5, 14, 19 or 20) | group14 |
| Lifetime | 8 hours | 8 hours (28800 seconds) |

Phase 2 parameters:

| Parameter | Remote site | Local site (UTM9) |
|---|---|---|
| ESP or AH | ESP | Not explicitly selectable in UTM9 |
| Encryption | aes-256-cbc | Available on UTM9: |
| Authentication | sha512 | SHA2 512 |
| PFS DH group | group20 | group14 (MODP 2048) |
| Lifetime | 1 hour | 1 hour |
| Compression | off | |
| Encryption domains | 10.159.0.0/16 | 172.28.92.128/25 (they want us to use that subnet) |
Our main subnet with workstations is actually 192.168.91.0/24. They say they already have that subnet occupied and want us to use the 172... subnet.
Do we have to create that subnet and move all affected workstations (currently just 2) into it (open the firewall between it and our 192.168.91.0 subnet, etc.), or is there a method to do a 1:1 NAT traversal between the IPsec tunnel and our existing 192... subnet?
Every hint is highly appreciated!
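As an added example (not part of the original post or of any Sophos or Palo Alto tooling), a small Python helper that normalizes both parameter lists above to their IANA IKEv2 transform names so a proposal mismatch becomes visible, and checks whether the partner-assigned 172.28.92.128/25 can hold a 1:1 NAT of the local hosts. The workstation addresses are constructed sample values.

```python
import ipaddress

# Vendor labels from the post mapped to the transforms actually negotiated on
# the wire (RFC 7296 / RFC 3526 / RFC 5903). Lookups are lower-cased.
ENC = {"aes-256-cbc": "ENCR_AES_CBC-256", "aes-256": "ENCR_AES_CBC-256"}
AUTH = {"sha512": "HMAC-SHA2-512", "sha2-512": "HMAC-SHA2-512", "sha2 512": "HMAC-SHA2-512"}
DH = {"group14": "MODP-2048 (DH 14)", "group19": "ECP-256 (DH 19)", "group20": "ECP-384 (DH 20)"}


def normalize(p):
    """Return a parameter dict with vendor names replaced by transform names."""
    return {
        "enc": ENC[p["enc"].lower()],
        "auth": AUTH[p["auth"].lower()],
        "dh": DH[p["dh"].lower()],
        "lifetime_s": p["lifetime_s"],
    }


def mismatches(local, remote):
    """Names of the parameters that differ after normalization (sorted)."""
    a, b = normalize(local), normalize(remote)
    return sorted(k for k in a if a[k] != b[k])


def one_to_one_map(hosts, nat_net):
    """Assign each real host a distinct address from the partner-assigned range.

    Returns {real_ip: nat_ip}. Raises ValueError when the range is too small,
    e.g. all 254 hosts of a /24 cannot be mapped into the 126 usable of a /25.
    """
    pool = list(ipaddress.ip_network(nat_net).hosts())
    real = [ipaddress.ip_address(h) for h in hosts]
    if len(real) > len(pool):
        raise ValueError(f"{len(real)} hosts do not fit into {nat_net} ({len(pool)} usable)")
    return {str(h): str(n) for h, n in zip(real, pool)}


# Phase 1 values taken from the post (DH group is the only real difference).
REMOTE_P1 = {"enc": "aes-256-cbc", "auth": "sha512", "dh": "group20", "lifetime_s": 28800}
LOCAL_P1 = {"enc": "AES-256", "auth": "SHA2-512", "dh": "group14", "lifetime_s": 28800}
# Constructed sample: the two affected workstations mentioned in the post.
WORKSTATIONS = ["192.168.91.10", "192.168.91.11"]

if __name__ == "__main__":
    print("phase 1 mismatches:", mismatches(LOCAL_P1, REMOTE_P1))
    print("1:1 NAT map:", one_to_one_map(WORKSTATIONS, "172.28.92.128/25"))
```

A non-empty mismatch list means IKE will not agree on a proposal until one side changes that value; a ValueError from the NAT check means only a subset of the local subnet can be presented behind the partner's /25.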