When creating Edge-to-Edge or Edge-to-Gateway IPSec tunnels, you can modify the security policy configuration settings at the Customer Configuration level.
Procedure
- In the Operator portal, navigate to Manage Customers.
- Select a customer and click Actions > Modify or click the link to the customer.
- In the Enterprise portal, click Configure > Customers. The Customer Configuration page appears.
- In the Security Policy area, you can configure the following security settings:
- Hash - By default, there is no authentication algorithm configured for the VPN header as AES-GCM is an authenticated encryption algorithm. When you select the Turn off GCM checkbox, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down list:
- SHA 1
- SHA 256
- SHA 384
- SHA 512
- Encryption—Select either AES 128 or AES 256 as the AES key size used to encrypt data. The default encryption mode is AES 128-GCM when the Turn off GCM checkbox is not selected.
- DH Group—Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. It is recommended to use DH Group 14.
- PFS—Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.
- Turn off GCM—By default, AES 128-GCM is enabled. If needed, select the checkbox to turn off this mode.
- IPsec SA Lifetime—Time after which Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
- IKE SA Lifetime—Time after which Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
Note: It is not recommended to configure low lifetime values for IPsec (less than 10 minutes) and IKE (less than 30 minutes) as it can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.
- Secure Default Route Override—Select the check box so that the destination of traffic matching a secure default route (either Static Route or BGP Route) from a Partner Gateway can be overridden using Business Policy.
For instructions about how to enable secure routing on an Edge, refer to Configure Partner Handoff. For more information about configuring a Network Service for a Business Policy rule, refer to "Configure Network Service for Business Policy Rule" in the VMware SD-WAN Administration Guide available at VMware SD-WAN Documentation.
- After configuring the settings, click Save Changes.
Note: When you modify the security settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.
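The settings above interact: a hash is only selectable once GCM is turned off, DH and PFS groups are restricted to 2/5/14/15/16, and the lifetimes have hard ranges plus a softer "debug only" floor. The following is an added example (not VMware SD-WAN code or its API) of a pre-change validator that encodes exactly those rules, so a proposed policy can be checked before it is saved in the portal. The `SecurityPolicy` dataclass, the `validate_policy` function and the sample policies are all hypothetical and constructed for this illustration.

```python
"""Validator for a proposed Edge-to-Edge / Edge-to-Gateway IPsec security policy.

Hypothetical helper, not part of VMware SD-WAN. It encodes the constraints the
procedure above states: a VPN-header hash is required only when GCM is off,
DH and PFS groups must be one of 2/5/14/15/16 (14 recommended), the IPsec SA
lifetime is 3..480 minutes and the IKE SA lifetime is 10..1440 minutes, with
values below 10 / 30 minutes flagged as debug-only.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SUPPORTED_HASHES = {"SHA1", "SHA256", "SHA384", "SHA512"}
SUPPORTED_AES_KEY_SIZES = {128, 256}
SUPPORTED_DH_GROUPS = {2, 5, 14, 15, 16}
RECOMMENDED_DH_GROUP = 14
IPSEC_LIFETIME_RANGE = (3, 480)     # minutes, hard limits from the portal
IKE_LIFETIME_RANGE = (10, 1440)     # minutes, hard limits from the portal
IPSEC_DEBUG_ONLY_BELOW = 10         # below this the note calls it debug-only
IKE_DEBUG_ONLY_BELOW = 30


@dataclass
class SecurityPolicy:
    """Mirror of the Security Policy area; defaults match the documented defaults."""
    aes_key_size: int = 128
    turn_off_gcm: bool = False
    hash_alg: Optional[str] = None      # only meaningful when GCM is off
    dh_group: int = 14
    pfs_group: Optional[int] = None     # None means PFS deactivated (the default)
    ipsec_sa_lifetime_min: int = 480
    ike_sa_lifetime_min: int = 1440


@dataclass
class ValidationResult:
    errors: List[str] = field(default_factory=list)    # portal would reject
    warnings: List[str] = field(default_factory=list)  # allowed but risky

    @property
    def ok(self) -> bool:
        return not self.errors


def effective_suite(p: SecurityPolicy) -> str:
    """Describe the resulting ESP protection: AES-GCM, or AES plus a separate hash."""
    if not p.turn_off_gcm:
        return f"AES{p.aes_key_size}-GCM"
    return f"AES{p.aes_key_size} with {p.hash_alg} header authentication"


def validate_policy(p: SecurityPolicy) -> ValidationResult:
    r = ValidationResult()

    if p.aes_key_size not in SUPPORTED_AES_KEY_SIZES:
        r.errors.append(f"AES key size {p.aes_key_size} unsupported; use 128 or 256")

    # Hash is only meaningful when GCM (authenticated encryption) is turned off.
    if p.turn_off_gcm:
        if p.hash_alg not in SUPPORTED_HASHES:
            r.errors.append("GCM is off, so a VPN-header hash (SHA1/SHA256/SHA384/SHA512) is required")
    elif p.hash_alg is not None:
        r.warnings.append("hash setting is ignored while AES-GCM is on; GCM authenticates the header itself")

    if p.dh_group not in SUPPORTED_DH_GROUPS:
        r.errors.append(f"DH group {p.dh_group} unsupported; supported groups are 2, 5, 14, 15, 16")
    elif p.dh_group != RECOMMENDED_DH_GROUP:
        r.warnings.append(f"DH group {p.dh_group} is supported but group {RECOMMENDED_DH_GROUP} is recommended")

    if p.pfs_group is not None and p.pfs_group not in SUPPORTED_DH_GROUPS:
        r.errors.append(f"PFS level {p.pfs_group} unsupported; supported levels are 2, 5, 14, 15, 16")

    lo, hi = IPSEC_LIFETIME_RANGE
    if not lo <= p.ipsec_sa_lifetime_min <= hi:
        r.errors.append(f"IPsec SA lifetime {p.ipsec_sa_lifetime_min} min outside {lo}..{hi}")
    elif p.ipsec_sa_lifetime_min < IPSEC_DEBUG_ONLY_BELOW:
        r.warnings.append(f"IPsec SA lifetime {p.ipsec_sa_lifetime_min} min is debug-only; rekeys may interrupt traffic")

    lo, hi = IKE_LIFETIME_RANGE
    if not lo <= p.ike_sa_lifetime_min <= hi:
        r.errors.append(f"IKE SA lifetime {p.ike_sa_lifetime_min} min outside {lo}..{hi}")
    elif p.ike_sa_lifetime_min < IKE_DEBUG_ONLY_BELOW:
        r.warnings.append(f"IKE SA lifetime {p.ike_sa_lifetime_min} min is debug-only; rekeys may interrupt traffic")

    return r


if __name__ == "__main__":
    # Constructed sample policies: the portal defaults, and a GCM-off variant.
    for policy in (SecurityPolicy(),
                   SecurityPolicy(aes_key_size=256, turn_off_gcm=True, hash_alg="SHA256",
                                  ipsec_sa_lifetime_min=5, ike_sa_lifetime_min=20)):
        res = validate_policy(policy)
        print(effective_suite(policy), "OK" if res.ok else "REJECTED")
        for msg in res.errors + res.warnings:
            print("  -", msg)
```

Run this before saving a change in the portal: errors correspond to values the Security Policy area will not accept, while warnings are the cases the notes above call out (debug-only lifetimes, a non-recommended DH group) that are accepted but may cause rekey-related interruptions or reduced throughput.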