ControlOne can build IPSec tunnels to remote services such as AWS and Azure. This guide covers the basic setup of ControlOne Connectors.
Start by logging into the ControlOne portal and navigating to "Connectors".
At the bottom right of the screen, select the blue plus sign to add a new connector. Name the connector and attach it to the desired gateway.
The screen will update to show the newly created connector, and a configuration menu will slide out from the right side of the ControlOne panel. From here you can configure all settings for the IPSec tunnel.
- Gateway: If you need to change the selected gateway, you can do so with this drop-down.
  - Note: The endpoint IP for the tunnel will change when the gateway is changed.
- Zones: Select the ControlOne zone that you want to be reachable through the connector. On the remote end, these will be the "Remote Networks" or "Remote Local Networks".
- Local IPSec ID: An ID that identifies the ControlOne IPSec peer to the remote peer.
  - In some cases services such as AWS and Azure will display an IPSec ID.
  - If nothing has been specified, use the public IP of the attached ControlOne gateway.
- Remote IPSec ID: An ID that identifies the remote IPSec peer to the ControlOne peer.
  - In some cases services such as AWS and Azure will specify an IPSec ID.
  - If nothing has been specified, use the public IP of the remote peer.
- Remote Peer IP Address: The public IP of the remote end of the tunnel.
- Remote Private IP Addresses: The local subnets on the remote end of the tunnel.
- Secret Key: The Pre-Shared Key (PSK) used for mutual authentication between peers; it must match on both ends of the tunnel. A key can be pasted into the input field, or a new one can be generated with the "Generate" button on the right.
- IKE Mode: The version of the protocol used to authenticate communication between IPSec peers.
  - Note: IKEv2 is the most common.
- Direction: Selects whether the tunnel auto-starts from the ControlOne end or waits for the remote peer to initiate the connection.
  - Note: In most cases, the initiator option will provide the best result.
- Dead Peer Detection: When enabled, the ControlOne peer checks whether the remote peer is reachable and, if not, restarts the tunnel.
- Dead Peer Detection Timeout: The amount of time the ControlOne peer waits for a response from the remote peer before considering the tunnel "down".
On the next tab, "Phase 1", you can configure your phase 1 settings. Note: These settings must match on both ends of the IPSec tunnel.
- Encryption Algorithm: The method used to transform data into ciphertext.
  - Note: For AES, CBC (Cipher Block Chaining) is the commonly used mode; GCM (Galois/Counter Mode) is less commonly used.
- Hash Algorithm: The method used to verify data integrity between the IPSec peers.
- Key Life: The hard lifetime set for the negotiation between peers.
- Diffie-Hellman Group: Determines the length and format of the key negotiated between the IPSec peers.
  - Generally a higher DH group number is more secure, but it may take longer to negotiate and to re-negotiate when a key expires.
- Perfect Forward Secrecy: This option has the peers exchange temporary private keys for phase 2 tunnels, which makes previously transmitted data impossible to decrypt even if the pre-shared key is known.
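As an added illustration that is not part of the ControlOne documentation, here is how the remote peer's half of this tunnel could be expressed in strongSwan's swanctl.conf, with each setting commented with the portal field it has to agree with. All addresses, subnets, the proposal and the PSK are placeholder assumptions, not values from any real deployment.

```ini
# swanctl.conf on the remote peer (example only; values are placeholders)
connections {
    to-controlone {
        local_addrs  = 198.51.100.20       # this peer's public IP = "Remote Peer IP Address" in the portal
        remote_addrs = 203.0.113.10        # public IP of the attached ControlOne gateway
        version      = 2                   # "IKE Mode": IKEv2
        proposals    = aes256-sha256-modp2048   # Phase 1: Encryption (AES-CBC) / Hash / DH group
        rekey_time   = 24h                 # Phase 1 "Key Life" (strongSwan rekeys before the hard lifetime)
        dpd_delay    = 30s                 # "Dead Peer Detection": probe interval

        local {
            auth = psk
            id   = 198.51.100.20           # what the portal calls "Remote IPSec ID"
        }
        remote {
            auth = psk
            id   = 203.0.113.10            # what the portal calls "Local IPSec ID"
        }

        children {
            controlone-zone {
                local_ts  = 10.20.0.0/16   # "Remote Private IP Addresses" on the ControlOne side
                remote_ts = 10.10.0.0/16   # the ControlOne zone selected under "Zones"
                esp_proposals = aes256-sha256-modp2048  # DH group in phase 2 = "Perfect Forward Secrecy"
                start_action  = none       # "Direction": ControlOne is the initiator, so wait for it
                dpd_action    = restart    # rebuild the tunnel when DPD declares the peer down
            }
        }
    }
}

secrets {
    ike-controlone {
        id     = 203.0.113.10              # the ControlOne peer's ID
        secret = "REPLACE_WITH_THE_GENERATED_PSK"   # the portal's "Secret Key", identical on both ends
    }
}
```

If the ControlOne side is set to wait for the remote peer instead, change `start_action` to `start` so this host initiates.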
Lastly, test the IPSec tunnel by pinging the remote gateway and by pinging from the remote network back to ControlOne. The portal also shows connector status: near the top left of the ControlOne Connectors page, each connector is marked "Connected" or "Disconnected".