20.2. IPSec Phase 1

IPsec, also known as the Internet Protocol Security or IP Security protocol, defines the architecture for security services for IP network traffic.

It secures traffic between two entities, either by full encryption or by authentication only.

You can find the IPSec Settings at VPN → IPSec.

20.2.1. Phase 1

IPSec Phase 1 negotiates the encryption and the other connection parameters. In VT AIR you have various options to configure a Phase 1.

Interfaces selects the sending interface(s). It also sets the source IP of the IPSec tunnel on the VT AIR end. If the Interface is a VRRP virtual IP of an HA setup, only the Master holding the IP has the tunnel activated; the Slave stays on standby for the IPSec. You can select multiple Interfaces here. Be aware that the default route of the system is used when the VT AIR initiates the connection, so only the IP of the interface of the default route is used. This is useful for backup connections if you have multiple gateways.

IP Type is either IPv4 or IPv6.

IKE Type can be IKEv1 or IKEv2. It is highly recommended to use IKEv2 as it is safer, more robust and easier to set up.

Connection Type can be

  • Tunnel
  • Transport

Tunnel creates a tunnel between the two tunnel endpoints. Traffic is automatically encrypted if the source and destination match the IPSec Phase 2.

Transport mode causes the IPsec protocol to encrypt only the payload of an IP packet. The protocol then encloses the encrypted payload in a normal IP packet. Traffic sent in Transport mode is less secure than traffic sent in Tunnel mode, because the IP header of each packet is not encrypted. It encrypts all traffic between the two entities and has only a single IPSec Phase 2, in which the transport parameters are configured.

Encryption Type is either ESP or AH.

ESP (Encapsulating Security Payloads) provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.

AH (Authentication Header) provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks.

Init Type can be either Connect or On Demand. Connect will try to connect immediately, while On Demand only initiates the connection when the first packet for the tunnel arrives.

Interface will create an XFRM interface in the system for this IPSec tunnel. The interface can be used like any other interface. You need to manually create Routes for the Phase 2 networks that point into this interface. You can also set an IP address on the interface under the Interface settings.

Remote Endpoints is one or more IP addresses of the remote end. Hostnames are also supported, but a working DNS is required for them to be resolvable. There is no DNS caching, so if a connection is re-established the name is looked up again. This allows for DynDNS hostnames. A remote endpoint of will create an any entry in case your remote IP is dynamic. Identification is then done via the Identifier and the PSK/Certificate.

20.2.2. Phase 1 Authentication

Phase 1 Authentication provides you with different options to authenticate the connection.

Authentication Method is either Pre Shared Key, Certificate, EAP TLS (Certificate), EAP MD5 or EAP MSCHAPv2. You can either enter a pre shared key that must match on both ends or a certificate and the corresponding CA. EAP MD5 and EAP MSCHAPv2 are usually used for client authentication with a username and password.

Local Identifier is the identifier of the VT AIR and it is one of

  • My IP Address
  • IP Address (Custom IP)
  • Distinguished Name (FQDN)
  • User Distinguished Name
  • ASN.1 Distinguished Name
  • Key ID Tag

Remote Identifier is the identifier of the remote side and it is one of

  • Any
  • Peer IP Address
  • IP Address (Custom IP)
  • Distinguished Name (FQDN)
  • User Distinguished Name
  • ASN.1 Distinguished Name
  • Key ID Tag

Use Two Authentications allows you to define a secondary authentication which has the same options as above.

20.2.3. Phase 1 Settings

Phase 1 Algorithms can be any combination of the available algorithms. You can add as many combinations as you like.

Lifetime must match the remote side's lifetime.

Advanced Options give you some more control over the IPSec connection.

Associate Firewall Rule will generate a firewall rule for you and keep it up to date with any changes you make.

Rekey will let the VT AIR start renegotiation if the connection is about to expire. If turned off, only the remote side can start the negotiation.

Responder Only is for when you don't want VT AIR to start the connection but to wait for the remote side to start it.

NAT-T should be set to automatic so IPSec can figure out the correct remote IP.

MOBIKE enables the IKEv2 MOBIKE protocol. Please have a look at Strongswan Mobike for a more detailed explanation.

Split Connection for IKEv2 creates a new connection for each IPSec Phase 2 entry. Usually they are grouped and sent through a single connection. Depending on the endpoint this is not supported and Split Connection needs to be enabled. This is usually required for Cisco ASA.

Dead Peer Detection lets IPSec check if the remote endpoint is still alive.

DPD Delay defines the time between checks.

DPD Timeout defines the time before a connection is restarted if the DPD check failed.

GRE over IPSec is available in transport mode. When selected, only GRE packets between the two endpoints are encrypted.
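The options in 20.2.1 to 20.2.3 map closely onto the strongSwan swanctl.conf keys that VT AIR's underlying IPsec stack uses. The following is an added example written for this page, not VT AIR's own generated configuration: it shows one IKEv2, tunnel-mode, ESP, pre-shared-key connection with Rekey, MOBIKE and Dead Peer Detection enabled, and notes in comments which key changes for Transport, AH, On Demand, Responder Only, the XFRM Interface and GRE over IPSec. The connection name "site-a", all addresses (TEST-NET ranges), the identifiers and the PSK are placeholders.

```conf
# Added example (not VT AIR's generated config). swanctl.conf syntax; values are placeholders.
connections {
    site-a {
        version = 2                          # IKE Type: IKEv2 (recommended over IKEv1)
        local_addrs  = 203.0.113.10          # Interfaces: source IP of the tunnel on the VT AIR end
        remote_addrs = 198.51.100.20         # Remote Endpoints: an IP, a hostname, or %any for dynamic peers
        proposals = aes256gcm16-prfsha384-ecp384   # Phase 1 Algorithms: one encryption/PRF/DH combination
        rekey_time = 24h                     # Lifetime + Rekey: VT AIR renegotiates the IKE SA before it expires
        mobike = yes                         # MOBIKE (IKEv2 only)
        encap = no                           # NAT-T automatic: UDP encapsulation only when NAT is detected
        dpd_delay = 30s                      # Dead Peer Detection: DPD Delay between liveness checks
        dpd_timeout = 150s                   # DPD Timeout (honoured for IKEv1; IKEv2 uses its retransmission timeout)
        local {
            auth = psk                       # Authentication Method: Pre Shared Key
            id = vtair.example.net           # Local Identifier: Distinguished Name (FQDN)
        }
        remote {
            auth = psk
            id = peer.example.net            # Remote Identifier: Distinguished Name (FQDN)
        }
        children {
            lan-to-lan {
                mode = tunnel                # Connection Type: Tunnel ("mode = transport" for Transport)
                local_ts  = 10.10.0.0/24     # Phase 2 local network (placeholder)
                remote_ts = 10.20.0.0/24     # Phase 2 remote network (placeholder)
                esp_proposals = aes256gcm16-ecp384   # Encryption Type: ESP (use "ah_proposals" for AH)
                start_action = start         # Init Type: Connect; "trap" = On Demand; "none" = Responder Only
                dpd_action = restart         # restart the tunnel once DPD declares the peer dead
                rekey_time = 1h              # Phase 2 lifetime; must match the remote side
                if_id_in  = 42               # Interface: bind this CHILD_SA to XFRM interface id 42
                if_id_out = 42               # (the interface itself is created with "ip link add ... type xfrm if_id 42")
                # GRE over IPSec (transport mode) would instead use:
                #   mode = transport
                #   local_ts  = dynamic[gre]
                #   remote_ts = dynamic[gre]
            }
        }
    }
}

secrets {
    ike-site-a {
        id = peer.example.net                # must match the Remote Identifier above
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder; the same key is entered on both ends
    }
}
```

With a configuration like this, "Lifetime must match" means the `rekey_time` values (and the hard lifetime derived from them) agree on both peers, and "Responder Only" simply means the VT AIR side never uses `start_action = start`; the remote peer's own Init Type then decides when the tunnel comes up.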