This article describes the general VPN parameters which are required to set up a VPN connection to SwyxON.
Changed Parameters
Following the BSI (German Federal Office for Information Security) requirements, the VPN security rules and proposals have been updated to the current recommendations. Depending on the active VPN configuration of the customer VPN gateway, it may be necessary to adapt it accordingly.
The following table shows the current VPN requirements for connecting a customer-side VPN gateway to a SwyxON tenant.
The following IPsec parameters have to be configured on the customer-side VPN gateway:

| Parameter | Value |
|---|---|
| General | |
| Protocol | IKEv2 |
| Gateway IP | Unique DNS name for every UC tenant |
| DPD | 60 seconds |
| NAT Traversal | Automatic / enabled |
| IKE Exchange | Main Mode (an IKEv1 term that some gateway UIs still show; IKEv2 itself negotiates with IKE_SA_INIT/IKE_AUTH regardless of this setting) |
| Short Hold Time | 9999 |
| Phase 1 (IKE SA) | |
| IKE Group | DH Group 21 (521-bit random ECP group), DH Group 15 (3072-bit MODP) |
| IKE proposal list | AES256GCM-PRFSHA384, AES256GCM-PRFSHA256, AES256-SHA256 |
| Authentication | Pre-shared key (PSK) |
| Lifetime | 86400 seconds (24 hours) |
| Phase 2 (Child SA / ESP) | |
| Proposal | AES-GCM-256, AES256-SHA256 |
| PFS Group | DH Group 21 (521-bit random ECP group), DH Group 15 (3072-bit MODP) |
| Encryption (ESP) | AES-GCM-256, AES256-SHA256 |
| Mode | Tunnel |
| Key length | 256 bit |
| Authentication (ESP) | HMAC-SHA256 (applies to the AES256-SHA256 proposal only; AES-GCM is an AEAD cipher and carries its own integrity tag, so no separate HMAC is negotiated with it) |
| Authentication (AH) | No AH |
| Compression (IPCOMP) | No IPCOMP |
| Lifetime | 3600 seconds (1 hour) |
IMPORTANT: IKEv1 connections are no longer supported. Existing IKEv1 offices can no longer be edited and must be reconfigured for IKEv2.
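As an added example that is not part of the original article and not Swyx's own configuration, the following swanctl.conf shows how the parameters above map onto a strongSwan gateway on the customer side. The local address, the tenant host name, the subnets, the IKE identities and the PSK are placeholders (assumptions) and have to be replaced with the values of your own tenant and network; the proposal strings, lifetimes and DPD interval follow the table.

```conf
# swanctl.conf -- customer-side strongSwan gateway towards a SwyxON tenant
# (added example; addresses, names, subnets and secret are placeholders)
connections {
    swyxon {
        version = 2                                   # IKEv2 only, IKEv1 is no longer accepted
        local_addrs  = 203.0.113.10                   # assumption: public IP of the customer gateway
        remote_addrs = tenant.swyxon.example          # assumption: the unique DNS name of the UC tenant

        local {
            auth = psk
            id = 203.0.113.10                         # assumption: own IKE identity
        }
        remote {
            auth = psk
            id = tenant.swyxon.example                # assumption: peer IKE identity
        }

        # Phase 1: AES-256-GCM with PRF-SHA384 / PRF-SHA256, or AES-256-CBC with SHA-256;
        # DH group 21 (ecp521) preferred, group 15 (modp3072) as fallback.
        proposals = aes256gcm16-prfsha384-ecp521, aes256gcm16-prfsha256-ecp521,
                    aes256gcm16-prfsha384-modp3072, aes256-sha256-ecp521, aes256-sha256-modp3072

        rekey_time = 24h                              # IKE SA lifetime 86400 s (strongSwan rekeys here,
                                                      # hard lifetime = rekey_time + over_time)
        dpd_delay  = 60s                              # Dead Peer Detection every 60 s
        # NAT-T is detected and enabled automatically; set "encap = yes" only to force UDP encapsulation.

        children {
            swyxon-tenant {
                local_ts  = 192.168.10.0/24           # assumption: customer LAN behind the gateway
                remote_ts = 10.200.0.0/24             # assumption: tenant network provided by Swyx

                # Phase 2: AES-256-GCM (AEAD, no separate HMAC) or AES-256-CBC + HMAC-SHA256,
                # with PFS via group 21 or group 15. Tunnel mode, no AH, no IPComp (strongSwan defaults).
                esp_proposals = aes256gcm16-ecp521, aes256gcm16-modp3072,
                                aes256-sha256-ecp521, aes256-sha256-modp3072
                mode = tunnel
                rekey_time = 1h                       # Child SA lifetime 3600 s
                start_action = start                  # bring the tunnel up when the config is loaded
                dpd_action = restart                  # re-establish the SA when the peer stops answering DPD
            }
        }
    }
}

secrets {
    ike-swyxon {
        id-1 = 203.0.113.10                           # assumption: matches local id above
        id-2 = tenant.swyxon.example                  # assumption: matches remote id above
        secret = "replace-with-the-pre-shared-key"    # placeholder, never commit the real PSK
    }
}
```

Load it with `swanctl --load-all`, bring the tunnel up with `swanctl --initiate --child swyxon-tenant`, and check with `swanctl --list-sas` which IKE and ESP proposal the SwyxON side actually selected; if the output shows an unexpected algorithm or DH group, tighten the proposal lists rather than accepting what was negotiated.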
General
These are the prerequisites for a VPN tunnel:
- Internet connection with working DNS resolution (the SwyxON gateway is addressed by its DNS name, not by a fixed IP)
- Firewall exceptions for the VPN gateway:
  - UDP port 500 (IKE) and UDP port 4500 (IKE and ESP over UDP, required when NAT-T is used)
  - ESP packets (IP protocol 50) in both directions; ESP is the only IPsec protocol used, since AH is not negotiated
Access lists and routes:
Please note that the access lists on the customer-side VPN gateway must be configured to suit the customer's network infrastructure.
Also, the customer IT administrator must define a central route to the UC tenant network on the customer side, using the VPN device as the gateway.