Extra Config Parameters with VNS3

We recommend connecting to your VNS3 Controllers with tunnels that use AES256 encryption and SHA authentication (preferably SHA2-256 or SHA2-512 rather than SHA1) for both IKE and ESP.

IPsec Configuration: Extra Parameters
VNS3's IPsec subsystem is good at automatically negotiating IKE and ESP proposals with a wide range of peer devices, but we recommend being as specific as possible when entering tunnel parameters. Match the encryption algorithm, hash and Diffie-Hellman group configured on your gateway by specifying them in the "Extra Params" text field.

The following algorithms can be combined:

  • 3DES, AES128, or AES256
  • hashes SHA1, MD5, SHA2-256, or SHA2-512
  • DH groups 2, 5, 14, 15, 16, 17, 18

Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box (the trailing DH group is optional, as the examples show):
phase1=aes128-sha1
phase1=aes256-sha2_256
phase1=3des-md5-dh2
phase1=aes256-sha2_512-dh5
phase2=aes256-sha1
phase2=3des-sha1


PFS Group
A pfsgroup entry is only required when the Phase 2 PFS group must differ from the DH group used in Phase 1. If that is the case, use one of:
pfsgroup=dh2
pfsgroup=dh14

IKE and ESP Lifetime
phase1-lifetime=3600s
phase2-lifetime=28800s

NOTE: Both values shown are the VNS3 defaults.

Dead Peer Detection
DPD is disabled by default. To enable it so that the tunnel is re-established when the peer stops responding, use the following (send a DPD probe every 30 seconds and restart the connection if no reply arrives within 90 seconds):
dpdaction=restart

dpddelay=30s
dpdtimeout=90s

Other DPD actions are “hold” (keep the connection and wait for the peer) or “clear” (drop the security association):

dpdaction=hold
dpdaction=clear

Other, less frequently used options are:

connection: the default is bidirectional, meaning the Controller will both initiate and accept the connection. The alternative value “receive” means the Controller does not initiate the connection and only accepts it from the peer:
connection=bidirectional

connection-rekey: “yes” (shown here) allows re-keying; “no” means no Phase 1 or Phase 2 re-key operations are performed:
connection-rekey=yes

compat: this option passes underlying parameters of the IPsec, BGP, routing, firewall or SSL VPN subsystems straight into the environment with no parsing or validation. Because nothing is checked, a mistyped or inappropriate value reaches the subsystem unchanged.

NOTE: This option should only be used at the instruction of Cohesive. It is needed in only a small fraction of interoperability situations. The format is:
compat:some-text
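Because everything typed into the extra params box is negotiated with a remote gateway, it is worth checking an entry against the documented grammar before saving the tunnel. The following is an added example written for this article, not Cohesive's code and not part of VNS3: a small linter that accepts only the parameters and values listed on this page (phase1/phase2 proposals, pfsgroup, lifetimes, DPD settings, connection and connection-rekey, and the compat: pass-through), rejects anything else, and warns on the legacy choices (3DES, MD5, SHA1, DH groups 2 and 5). The list of what counts as "legacy" is the editor's judgement, not a VNS3 restriction, and the two sample configurations are constructed for the demonstration.

```python
# Added example (not Cohesive's code): lint VNS3 "Extra Params" lines before
# pasting them into a tunnel. Accepted values are the ones documented on this
# page; the WEAK set is the editor's judgement, not a VNS3 restriction.
import re

CIPHERS = {"3des", "aes128", "aes256"}
HASHES = {"md5", "sha1", "sha2_256", "sha2_512"}
DH_GROUPS = {f"dh{n}" for n in (2, 5, 14, 15, 16, 17, 18)}
WEAK = {"3des", "md5", "sha1", "dh2", "dh5"}   # legacy choices worth a warning
DURATION = re.compile(r"^\d+s$")                # timers are whole seconds, e.g. 3600s
DURATIONS = {"phase1-lifetime", "phase2-lifetime", "dpddelay", "dpdtimeout"}
ENUMS = {
    "dpdaction": {"restart", "hold", "clear"},
    "connection": {"bidirectional", "receive"},
    "connection-rekey": {"yes", "no"},
}


def parse_proposal(value):
    """Split 'cipher-hash[-dhN]' into its parts; ValueError if malformed."""
    parts = value.split("-")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected cipher-hash[-dhgroup], got {value!r}")
    cipher, hsh = parts[0], parts[1]
    group = parts[2] if len(parts) == 3 else None
    if cipher not in CIPHERS:
        raise ValueError(f"unsupported cipher {cipher!r}")
    if hsh not in HASHES:
        raise ValueError(f"unsupported hash {hsh!r}")
    if group is not None and group not in DH_GROUPS:
        raise ValueError(f"unsupported DH group {group!r}")
    return {"cipher": cipher, "hash": hsh, "group": group}


def lint_line(line):
    """Return (errors, warnings) for a single extra-params line."""
    errors, warnings = [], []
    line = line.strip()
    if not line:
        return errors, warnings
    if line.startswith("compat:"):
        # VNS3 passes this through with no parsing or validation: always flag it.
        warnings.append("compat: is unvalidated; use only as instructed by Cohesive")
        return errors, warnings
    if "=" not in line:
        errors.append(f"not key=value: {line!r}")
        return errors, warnings
    key, value = line.split("=", 1)
    try:
        if key in ("phase1", "phase2"):
            p = parse_proposal(value)
            for weak in sorted(WEAK & {p["cipher"], p["hash"], p["group"]}):
                warnings.append(f"{key}: {weak} is a legacy choice")
        elif key == "pfsgroup":
            if value not in DH_GROUPS:
                raise ValueError(f"unsupported PFS group {value!r}")
            if value in WEAK:
                warnings.append(f"pfsgroup: {value} is a legacy choice")
        elif key in DURATIONS:
            if not DURATION.match(value):
                raise ValueError(f"{key} must be whole seconds like 3600s, got {value!r}")
        elif key in ENUMS:
            if value not in ENUMS[key]:
                raise ValueError(f"{key} must be one of {sorted(ENUMS[key])}, got {value!r}")
        else:
            raise ValueError(f"unknown parameter {key!r}")
    except ValueError as exc:
        errors.append(str(exc))
    return errors, warnings


def lint(text):
    """Lint a whole extra-params box; returns (errors, warnings) with line numbers."""
    errors, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        e, w = lint_line(line)
        errors += [f"line {n}: {m}" for m in e]
        warnings += [f"line {n}: {m}" for m in w]
    return errors, warnings


# Constructed samples: the recommended profile beside a legacy, partly invalid one.
STRONG = """phase1=aes256-sha2_256-dh14
phase2=aes256-sha2_256
pfsgroup=dh14
phase1-lifetime=3600s
phase2-lifetime=28800s
dpdaction=restart
dpddelay=30s
dpdtimeout=90s
"""
LEGACY = """phase1=3des-md5-dh2
phase2=3des-sha1
dpdaction=retry
phase1-lifetime=1h
"""

if __name__ == "__main__":
    for name, cfg in (("strong", STRONG), ("legacy", LEGACY)):
        errs, warns = lint(cfg)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for msg in errs + warns:
            print("  " + msg)
```

Running the script reports the STRONG sample clean and the LEGACY sample with two errors (an unknown dpdaction value and a lifetime not given in seconds) plus five legacy-algorithm warnings. The compat: line is never parsed, mirroring what VNS3 itself does, so the linter can only remind you that it bypasses validation.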


Here is an example IPsec tunnel setup with extra parameters: [not reproduced in this extract]

Watch the video guide on YouTube