We recommend connecting to your VNS3 Controllers with tunnels using AES256 encryption and SHA authentication for both IKE and ESP.
IPsec Configuration: Extra Parameters
VNS3's IPsec subsystem negotiates IKE and ESP parameters automatically with a wide range of gateways, but we recommend being as specific as possible when entering tunnel parameters. Match the cipher, hash, and Diffie-Hellman group configured on your gateway by specifying them in the "Extra Params" text field.
We support combinations of the following algorithms:
- ciphers 3DES, AES128, or AES256
- hashes SHA1, MD5, SHA2-256, or SHA2-512
- DH groups 2, 5, 14, 15, 16, 17, 18
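As an added check (not VNS3's own code or from the original page), the following Python validates an IKE or ESP proposal against the supported lists above and flags legacy choices, since a mismatch or a weak selection is easier to catch before the tunnel is brought up. It assumes proposals are written in the ipsec.conf-style "cipher-hash[-modpNNNN]" form and that MODP bit lengths map to the IANA DH group numbers; both are assumptions, not something the page states.

```python
# Values the VNS3 documentation above lists as supported.
SUPPORTED_CIPHERS = {"3des", "aes128", "aes256"}
SUPPORTED_HASHES = {"sha1", "md5", "sha2-256", "sha2-512"}
SUPPORTED_DH_GROUPS = {2, 5, 14, 15, 16, 17, 18}
# MODP bit length -> IANA DH group number for the groups listed above (assumed mapping).
MODP_TO_GROUP = {1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16, 6144: 17, 8192: 18}
# Legacy choices; the page recommends AES256 with SHA for both IKE and ESP.
LEGACY = {"3des", "md5", "sha1"}
# Common spellings of the hash names, mapped to the names used on the page (assumed).
HASH_ALIASES = {"sha": "sha1", "sha256": "sha2-256", "sha2_256": "sha2-256",
                "sha512": "sha2-512", "sha2_512": "sha2-512"}


def check_proposal(proposal, phase):
    """Check one proposal string ("cipher-hash[-modpNNNN]", an assumed syntax) for the
    given phase ("ike" or "esp"). Returns a list of findings; an empty list means the
    proposal uses only supported, non-legacy choices."""
    findings = []
    parts = proposal.strip().lower().split("-")
    # A trailing modpNNNN token is the DH group; hash names may themselves contain "-".
    dh = parts.pop() if len(parts) > 2 and parts[-1].startswith("modp") else None
    if len(parts) < 2:
        return ["malformed proposal %r: expected cipher-hash[-modpNNNN]" % proposal]
    cipher, hash_name = parts[0], "-".join(parts[1:])
    hash_name = HASH_ALIASES.get(hash_name, hash_name)
    if cipher not in SUPPORTED_CIPHERS:
        findings.append("unsupported cipher %r" % cipher)
    elif cipher in LEGACY:
        findings.append("legacy cipher %r; AES256 is recommended" % cipher)
    if hash_name not in SUPPORTED_HASHES:
        findings.append("unsupported hash %r" % hash_name)
    elif hash_name in LEGACY:
        findings.append("legacy hash %r; SHA2-256 or SHA2-512 is preferable" % hash_name)
    if dh is not None:
        group = MODP_TO_GROUP.get(int(dh[4:])) if dh[4:].isdigit() else None
        if group not in SUPPORTED_DH_GROUPS:
            findings.append("unsupported DH group %r (groups 2, 5, 14-18 are supported)" % dh)
        elif group == 2:
            findings.append("DH group 2 (modp1024) is weak; prefer group 14 or higher")
    elif phase == "ike":
        # Phase 1 needs a DH group; Phase 2 may rely on a separate PFS group entry instead.
        findings.append("IKE proposal has no DH group")
    return findings
```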
Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box:
An extra params entry for the PFS group is only required when it must differ from the DH group used in Phase 1. If that is the case, then use:
IKE and ESP Lifetime
NOTE: Both of these are the default lifetime settings on VNS3.
Dead Peer Detection
DPD is disabled by default. To enable it so that VNS3 attempts to reconnect during periods of no response, use the following:
The other DPD actions are "hold", meaning just wait, and "clear", meaning drop the security association.
Other, less frequently used options available are:
The other option is "receive", meaning do not initiate connections, only accept them. This is the default:
The other option is "no", meaning no Phase 1 or Phase 2 re-key operations are performed:
This option allows underlying parameters of the IPSec, BGP, Routing, Firewall, or SSL VPN subsystems to be passed straight into the environment with no parsing or validation.
NOTE: This option should only be used at the instruction of Cohesive. It is only used in a small fraction of interoperability situations.
Here is an example IPsec tunnel setup with extra parameters: