The purpose of this document is to help configure a Site to Site VPN between the Virtual Firewall Appliance (VFA) and the Hardware Firewall Appliance at the customer site using the MyNetmagic provisioning portal. The steps in this document apply only to the VFA and the VPN options available with Simplicloud offerings.

1. Log in to the MyNetmagic Dashboard at https://mynetmagic.netmagicsolutions.com using the MyNetmagic portal login details provided to you along with the Welcome Mail.

2. Click on Cloud on the Infrastructure page. You will get a snapshot of your current setup on Netmagic Cloud.

3. To configure Site to Site VPN, right-click the Virtual Firewall Appliance (VFA) and select Manage.
4. A pop-up window for Manage Firewall will appear. Select the Site to Site Peer tab and fill in the details described below.
5. Enter the peer details:

Remote Firewall IP Address: The IP address of the remote firewall on which the IPSec VPN will be terminated.

Pre-shared Secret Key: The pre-shared key that will be used while creating the IPSec tunnel. A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret, or key, is a string agreed upon beforehand by both parties as the key for authenticating the session. It is used to generate a hash so that each VPN endpoint can authenticate the other.
Note: The pre-shared secret, although an ordinary string, is not a password. It is used to generate a hashed key that forms a fingerprint proving the identity of each endpoint. Choose complex pre-shared secrets and avoid short ones, which are more easily compromised by an attack.

6. Click on the (+) sign next to Group Name to configure the IKE (Internet Key Exchange) group, and fill in the details below:

Group Name: Name of the IKE group to be created.

Lifetime: Lifetime of the security association (SA) in seconds; the default is 28800 seconds. The SA is renegotiated when the defined Lifetime expires.

Proposal No: IKE proposals are sets of parameters for the Phase-I IPSec negotiation. A group can contain multiple proposal numbers, and this number determines the order in which the parameter combinations are tried when establishing the Phase-I negotiation.
Note: Proposal No. can be from 1 to 65535.

Group (Diffie-Hellman Group): Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, such as the Internet. It uses a group of standardized, globally agreed prime numbers and generators to provide secure asymmetric key exchange.
Note: The default group is 2.

Encryption: Select the encryption method to be used for the Phase-I negotiation. Encryption ciphers are used to encrypt data so that it cannot be read or monitored in transit.
Note: Supported encryption ciphers: AES128 / AES256 / 3DES.

HASH: Select the hashing algorithm for the Phase-I negotiation. A hash function is a cryptographic algorithm used for message authentication. It takes a message of arbitrary length and produces an output of fixed length, called a message digest or fingerprint. Hash functions are used to verify that messages have not been tampered with.
7. Click on Submit. Then click on the (+) sign next to ESP Group to configure the ESP (Encapsulating Security Payload) group, and fill in the details below:

Group Name: Name of the ESP group to be created.

Lifetime: Lifetime of the security association (SA) in seconds; the default is 3600 seconds. The SA is renegotiated when the defined Lifetime expires.

PFS (Perfect Forward Secrecy): With Perfect Forward Secrecy (PFS), the private key is used to generate a temporary key (the session key) that is used for a short time and then discarded. Subsequent keys are independent of any previously created keys.
Note: Supported values are as follows:
enable: Enables Perfect Forward Secrecy using the Diffie-Hellman group defined in the ike-group (selected by default).
dh-group2: Enables Perfect Forward Secrecy using Diffie-Hellman group 2.
dh-group5: Enables Perfect Forward Secrecy using Diffie-Hellman group 5.
disable: Disables Perfect Forward Secrecy.

Proposal No: Proposals are sets of parameters for the Phase-II IPSec negotiation. A group can contain multiple proposal numbers, and this number determines the order in which the parameter combinations are tried when establishing the Phase-II negotiation.
Note: Proposal No. can be from 1 to 65535.

Encryption: Select the encryption method to be used for the Phase-II negotiation. Encryption ciphers are used to encrypt data so that it cannot be read or monitored in transit.
8. Click on Submit. Now configure the Local and Remote Subnets for the tunnel:

Local Subnet: The LAN subnet used by the Virtual Machines behind the Virtual Firewall Appliance (VFA).

Remote Subnet: The LAN subnet used behind the remote location firewall (customer end) to which the IPSec tunnel is established.

Click on Submit to finish the configuration.
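The fields from steps 5 to 8, modelled as a pre-submission check that applies the rules stated above (proposal numbers 1 to 65535, the AES128/AES256/3DES cipher list, the PFS values, the lifetime defaults) and then raises the warnings a reviewer would want before clicking Submit: a short or low-variety pre-shared secret, legacy 3DES or DH group 2 choices, PFS disabled, and overlapping local/remote subnets. It also generalizes the proposal-number rule: negotiate() walks the local proposals in number order and returns the first one the other firewall also offers, which is what to compare when Phase-I never comes up. This is an added example, not the portal's code or the document's own; the class and function names (SiteToSitePeer, Proposal, validate, review, negotiate), the MIN_PSK_LENGTH threshold, the hash names, and every address, secret and proposal in SAMPLE and PEER_OFFERS are constructed assumptions.

```python
# Pre-submission checks for the Site to Site Peer fields described above. Added example,
# not the portal's or the document's code; ASSUMPTION/constructed values are not portal rules.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress, string

SUPPORTED_CIPHERS = {"aes128", "aes256", "3des"}             # listed in the document
PFS_VALUES = {"enable", "dh-group2", "dh-group5", "disable"}  # listed in the document
PROPOSAL_MIN, PROPOSAL_MAX = 1, 65535                        # listed in the document
MIN_PSK_LENGTH = 20  # ASSUMPTION: this example's own threshold, not a portal rule

@dataclass(frozen=True)
class Proposal:
    number: int                      # lower numbers are tried first
    encryption: str
    hash_alg: Optional[str] = None   # Phase-I (IKE) only in the document
    dh_group: Optional[int] = None   # Phase-I only; document default is 2

@dataclass
class SiteToSitePeer:
    remote_firewall_ip: str
    pre_shared_secret: str
    ike_proposals: List[Proposal]    # the IKE group (Phase-I)
    esp_proposals: List[Proposal]    # the ESP group (Phase-II)
    pfs: str                         # ESP group PFS setting
    local_subnet: str
    remote_subnet: str
    ike_lifetime: int = 28800        # document default for the Phase-I SA
    esp_lifetime: int = 3600         # document default for the Phase-II SA

def validate(peer: SiteToSitePeer) -> List[str]:
    """Hard errors: values the document says are not accepted, or that do not parse."""
    errors: List[str] = []
    try:
        ipaddress.ip_address(peer.remote_firewall_ip)
    except ValueError:
        errors.append("Remote Firewall IP Address is not a valid IP address")
    for label, cidr in (("Local Subnet", peer.local_subnet), ("Remote Subnet", peer.remote_subnet)):
        try:
            ipaddress.ip_network(cidr)
        except ValueError:
            errors.append(f"{label} {cidr!r} is not a valid network prefix")
    for label, props in (("IKE group", peer.ike_proposals), ("ESP group", peer.esp_proposals)):
        numbers = [p.number for p in props]
        if len(set(numbers)) != len(numbers):
            errors.append(f"{label}: proposal numbers must be unique")
        for p in props:
            if not PROPOSAL_MIN <= p.number <= PROPOSAL_MAX:
                errors.append(f"{label}: proposal {p.number} is outside {PROPOSAL_MIN}-{PROPOSAL_MAX}")
            if p.encryption.lower() not in SUPPORTED_CIPHERS:
                errors.append(f"{label}: unsupported cipher {p.encryption!r}")
    if peer.pfs not in PFS_VALUES:
        errors.append(f"ESP group: PFS must be one of {sorted(PFS_VALUES)}")
    return errors

def review(peer: SiteToSitePeer) -> List[str]:
    """Soft warnings a reviewer raises before Submit; call only after validate() is clean."""
    warnings: List[str] = []
    psk = peer.pre_shared_secret
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if len(psk) < MIN_PSK_LENGTH or sum(any(c in cls for c in psk) for cls in classes) < 3:
        warnings.append("pre-shared secret is short or lacks character variety")
    for label, props in (("IKE", peer.ike_proposals), ("ESP", peer.esp_proposals)):
        for p in props:
            if p.encryption.lower() == "3des":
                warnings.append(f"{label} proposal {p.number}: 3DES is a legacy 64-bit block cipher, prefer AES")
            if p.dh_group == 2:
                warnings.append(f"{label} proposal {p.number}: DH group 2 (1024-bit MODP) is weak today")
    if peer.pfs == "disable":
        warnings.append("PFS disabled: Phase-II keys stay derived from Phase-I keying material")
    if ipaddress.ip_network(peer.local_subnet).overlaps(ipaddress.ip_network(peer.remote_subnet)):
        warnings.append("local and remote subnets overlap, tunnel traffic selection would be ambiguous")
    return warnings

def negotiate(local: List[Proposal], offered_by_peer: List[Proposal]) -> Optional[Proposal]:
    """Try local proposals in number order and return the first one the peer also offers.
    Matching is on (encryption, hash, dh_group); proposal numbers are per-firewall bookkeeping."""
    def key(p: Proposal):
        return (p.encryption.lower(), (p.hash_alg or "").lower(), p.dh_group)
    offered = {key(p) for p in offered_by_peer}
    for p in sorted(local, key=lambda p: p.number):
        if key(p) in offered:
            return p
    return None

SAMPLE = SiteToSitePeer(  # constructed sample values, not a real deployment
    remote_firewall_ip="203.0.113.10",
    pre_shared_secret="R7!kq2#Vw9$Lm4@Zt8^Hy1&Pc",
    ike_proposals=[Proposal(1, "aes256", "sha1", 5), Proposal(2, "aes128", "sha1", 2),
                   Proposal(3, "3des", "sha1", 2)],
    esp_proposals=[Proposal(1, "aes256"), Proposal(2, "aes128")],
    pfs="dh-group5", local_subnet="10.10.0.0/24", remote_subnet="192.168.50.0/24",
)
# Constructed: what the customer's hardware firewall is set to offer for Phase-I.
PEER_OFFERS = [Proposal(10, "aes128", "sha1", 2), Proposal(20, "3des", "sha1", 2)]
```

Run validate(SAMPLE) first and fix anything it returns, then read review(SAMPLE): for the constructed sample it is clean on errors but warns three times, once for the DH group 2 proposal and twice for the 3DES one. negotiate(SAMPLE.ike_proposals, PEER_OFFERS) settles on local proposal 2, since proposal 1 (AES256 with DH group 5) is not among what the peer offers; the VFA and the customer firewall only need an overlapping parameter combination, not matching proposal numbers.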