Topic
This article explains how to add new IPSec tunnel connections in ControlOne.
Environment
- Cytracom ControlOne
Description
ControlOne can establish IPSec tunnels to remote services such as AWS and Azure. This guide covers the basic setup of a ControlOne connector.
Add a new connector
1. Log into the ControlOne portal and navigate to Connectors.
2. Select the blue plus sign at the bottom right of the screen to add a new connector. Name the connector and attach it to the desired gateway.
3. The screen will update and show the newly created connector. A configuration menu will pop out of the right side of the ControlOne panel. From here you can configure all settings for the IPSec tunnel.
Configure the IPSec tunnel
1. Configure the IPSec tunnel using the following settings:
- Gateway: If you need to change the selected gateway you can do so with this drop-down menu.
- Note: The endpoint IP for the tunnel will change when changing the gateway.
- Zones: Select the ControlOne zone that you want to be accessible via the connector. For the remote end, these will be Remote Networks or Remote Local Networks.
- Local IPSec ID: an ID which identifies the ControlOne IPSec peer to the remote peer.
- In some cases services such as AWS and Azure will display an IPSec ID.
- If nothing has been specified then use the public IP of the attached ControlOne gateway.
- Remote IPSec ID: an ID which identifies the remote IPSec peer to the ControlOne peer.
- In some cases services such as AWS and Azure will specify an IPSec ID.
- If nothing has been specified then use the public IP of the remote peer.
- Remote Peer IP Address: This refers to the public IP of the remote end of the tunnel.
- Remote Private IP Addresses: This refers to the local subnets from the remote end of the tunnel.
- Secret Key: This is the Pre-Shared Key (PSK) used for mutual authentication between peers, and must match on both ends of the tunnel. You can paste a key into the input field or generate a new one by clicking the Generate button on the right.
- IKE Mode: The version of the protocol used to authenticate communication between IPSec peers.
- Note: IKEv2 is the most common.
- Direction: This lets you select whether the tunnel auto-starts from the ControlOne end (initiator) or waits for the remote peer to start the connection (responder).
- Note: In most cases, the initiator option will provide the best result.
- Dead Peer Detection: When enabled, the ControlOne peer periodically checks whether the remote peer is reachable; if it is not, the tunnel is restarted.
- Dead Peer Detection Timeout: The amount of time the ControlOne peer will wait for a response from the remote peer before considering the tunnel "down".
2. Click the Phase 1 tab. Here you can configure your phase 1 settings. Note: These settings must match on both ends of the IPSec tunnel.
- Encryption Algorithm: The method used to transform data into ciphertext.
- Note: For AES, Cipher Block Chaining (CBC) is the common AES method used. Galois Counter Mode (GCM) is not as commonly used.
- Hash Algorithm: The method used to verify data integrity between the IPSec peers.
- Key Life: The hard lifetime set for the negotiation between peers.
- Diffie-Hellman Group: This determines the length and format of the key negotiated between the IPSec peers. Generally, a higher DH group number is more secure, but may take longer to negotiate and re-negotiate when a key expires.
- Perfect Forward Secrecy: This option has the peers perform a fresh Diffie-Hellman exchange for each phase 2 tunnel, so that previously captured traffic cannot be decrypted even if the pre-shared key later becomes known.
3. Test the IPSec tunnel by pinging the remote gateway and pinging from the remote network back to ControlOne. The portal also shows connector status: near the top left of the ControlOne Connectors page, each connector is marked Connected or Disconnected.
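Most tunnels that fail to come up do so because a value that the steps above say must agree on both ends does not: the IPSec IDs are not crossed over correctly, the PSK differs, or a phase 1 parameter was left at a different default. The following added example (not Cytracom's code; the field names, the 20-character PSK minimum and the sample addresses are this example's own assumptions, and the sample values are constructed) generates a PSK, validates one side's connector settings, and compares the ControlOne side against the remote side's configuration before you start testing with ping.

```python
import ipaddress
import secrets

# Phase 1 parameters the article says must match on both ends of the tunnel.
PHASE1_FIELDS = ("encryption", "hash", "key_life_seconds", "dh_group")


def generate_psk(nbytes=32):
    """Return a random pre-shared key as URL-safe text (43 chars for 32 bytes).
    Assumption: the remote peer accepts a key of this length and alphabet."""
    return secrets.token_urlsafe(nbytes)


def validate_connector(c):
    """Return a list of problems found in one peer's settings.
    The dictionary keys are this example's own names, not portal labels."""
    problems = []
    for field in ("local_ipsec_id", "remote_ipsec_id", "psk"):
        if not c.get(field):
            problems.append(f"{field} is empty")
    try:
        ipaddress.ip_address(c.get("remote_peer_ip", ""))
    except ValueError:
        problems.append("remote_peer_ip is not a valid IP address")
    for net in c.get("remote_private_networks", []):
        try:
            ipaddress.ip_network(net, strict=True)  # host bits set => error
        except ValueError:
            problems.append(f"remote private network {net!r} is not a valid prefix")
    if c.get("ike_mode") not in ("ikev1", "ikev2"):
        problems.append("ike_mode must be ikev1 or ikev2")
    if c.get("direction") not in ("initiator", "responder"):
        problems.append("direction must be initiator or responder")
    if c.get("dpd_enabled") and c.get("dpd_timeout_seconds", 0) <= 0:
        problems.append("dead peer detection enabled but timeout is not positive")
    # Assumption: 20 characters is this example's minimum, not a ControlOne rule.
    if c.get("psk") and len(c["psk"]) < 20:
        problems.append("psk is shorter than 20 characters")
    return problems


def peer_mismatches(controlone, remote):
    """Compare the ControlOne side with the remote side and return the
    differences that would stop IKE from completing."""
    issues = []
    # IDs cross over: one side's "local" ID is the other side's "remote" ID.
    if controlone["local_ipsec_id"] != remote["remote_ipsec_id"]:
        issues.append("ControlOne local ID != remote peer's remote ID")
    if controlone["remote_ipsec_id"] != remote["local_ipsec_id"]:
        issues.append("ControlOne remote ID != remote peer's local ID")
    if controlone["psk"] != remote["psk"]:
        issues.append("pre-shared keys differ")
    if controlone["ike_mode"] != remote["ike_mode"]:
        issues.append("IKE versions differ")
    if controlone["direction"] == "responder" and remote["direction"] == "responder":
        issues.append("both peers are responders; neither will start the tunnel")
    for f in PHASE1_FIELDS:
        if controlone["phase1"].get(f) != remote["phase1"].get(f):
            issues.append(f"phase 1 {f} differs")
    return issues


# Constructed sample configuration using documentation addresses (RFC 5737).
SAMPLE_PSK = "kq7Vw2pXb9zT4mLr8sHdN1cJ6fYaQ3e"
SAMPLE_CONTROLONE = {
    "local_ipsec_id": "203.0.113.10",      # public IP of the ControlOne gateway
    "remote_ipsec_id": "198.51.100.20",    # public IP of the remote peer
    "remote_peer_ip": "198.51.100.20",
    "remote_private_networks": ["10.20.0.0/16"],
    "psk": SAMPLE_PSK,
    "ike_mode": "ikev2",
    "direction": "initiator",
    "dpd_enabled": True,
    "dpd_timeout_seconds": 30,
    "phase1": {"encryption": "aes256-cbc", "hash": "sha256",
               "key_life_seconds": 28800, "dh_group": 14},
}
SAMPLE_REMOTE = {
    "local_ipsec_id": "198.51.100.20",
    "remote_ipsec_id": "203.0.113.10",
    "remote_peer_ip": "203.0.113.10",
    "remote_private_networks": ["10.10.0.0/16"],
    "psk": SAMPLE_PSK,
    "ike_mode": "ikev2",
    "direction": "responder",
    "dpd_enabled": True,
    "dpd_timeout_seconds": 30,
    "phase1": dict(SAMPLE_CONTROLONE["phase1"]),
}

if __name__ == "__main__":
    print("new PSK:", generate_psk())
    print("ControlOne side problems:", validate_connector(SAMPLE_CONTROLONE))
    print("cross-peer mismatches:", peer_mismatches(SAMPLE_CONTROLONE, SAMPLE_REMOTE))
```

Run it once with both sides' values filled in; an empty mismatch list means the remaining troubleshooting is network reachability, which the ping tests in step 3 cover.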