Frequently Asked Question
Virtual Private Network Tunnelling
In order for our systems to be able to reach out to, connect to and communicate with client systems on remote sites, AND for those systems to be able to connect back to our systems, a VPN needs to be established.
This Virtual Private Network, secures traffic between GEN and the clients site ensuring that (a) it is encrypted in transit, and (b) there is no requirement to open any ports or make any unsafe firewall provisions. The tunnel effectively presents our resource at the clients network and visa-versa.
Technical Requirements
The originator (the dial out) is flexible, but generally remote sites are the A end and dial out to GEN who are the B end. GEN Supports the following configurations as standard.
Hashing
- HMAC-MD5 (not recommended)
- HMAC-SHA1
Ciphers
- DES (not recommended)
- 3DES (not recommended)
- AES (128, 192 and 256)
Groups
- G1 : Group1 (786 bit)
G2 : Group2 (1024 bit)
G5 : Group5 (1536 bit)
G14 : Group14 (2048 bit)
G19 : Group19 (256 bit Elliptic Curve)
G20 : Group20 (384 bit Elliptic Curve)
G21 : Group21 (521 bit Elliptic Curve)
Authentication
IKEv1 PSK with ESP (Encapsulated Security Payload) or AH (Authentication Header)
IKEv2 PSK with optional Local and Remote IDs and ESP
IKEv2 EAP with RSA and ESP with a Username & Password
NAT and MAP
We can NAT the VPN if there are IP address conflicts but we rarely find the need, and the NAT can be done at either end, or both. If NAT is required then a transport subnet might be required and this will need to be discussed and provisioned.
Scope
At the GEN side, we restrict the reach of each tunnel to the services applicable for that tunnel. In most cases that means the oversight monitoring nodes, our logstash/greylog infrastructure, and the storage platforms, but this can also include hosted containers, virtualisations and other resources.
At the client side, we recommend restricting the tunnel to the resources we are commissioned to monitor and/or manage. Any device we monitor will need to be able to reach our network, and we to reach that device (monitoring is almost always a two-way process - Events and telemetry are sent, and probes reach out to check operation).
Example
A typical VPN Configuration would look something like this:
| Parameter | Endpoint A | Endpoint B |
|---|---|---|
| Public IP | 12.12.12.12 | 23.34.45.12 |
| Local Subnet | 192.168.1.0/24 | 10.1.0.0/22 |
| Additional Subnets | None | |
| Scope | Oversight (192.168.1.5, 192.168.1.10, 192.168.1.15) RM (192.168.1.254, 192.168.1.252) | |
| Protocol | IPSec IKEv1 ESP PSK Main-Mode | |
| PFS (Perfect Forward Secrecy) | Yes | |
| DPD (Dead Peer Detection) | Yes | |
| Mode | Route | |
| NAT Policy | N/A | |
| Translated Local Network | N/A | |
| Multicast | No | |
| RIP | No | |
| UDP Encapsulation | No | |
| Phase 1 Lifetime (seconds) | 28800 | |
| Phase 2 Lifetime (seconds) | 3600 | |
| Phase 1 Proposal | AES256 G14 SHA1 | |
| Phase 2 Proposal | AES128 with AUTH SHA1 | |
Test
Once the tunnel has established, the infrastructure team will run some tests and ensure we can reach everything on the build, and those can reach us. Any problems and we'll work with you to resolve them.
Assistance
In many cases we can assist in setting up your firewall/appliance(s) to establish a VPN correctly, and we're experienced with Fortinet, Draytek, Watchguard, Juniper, etc so simply raise a case at the HelpDesk or speak to your account manager.
