Secure VPN Access

Description

Secure VPN Access is a highly configurable, production-quality IPsec-based VPN solution supporting IKEv1 and IKEv2. Customers can choose to implement it if they have on-premises data sources that their Ascend environment needs to access. This is a premium-level feature that requires the ENTERPRISE subscription tier.

On-premises Secure Access provides the following benefits:

  • IKEv1 and IKEv2 (RFC 7296) key exchange protocols.
  • Automatic insertion and deletion of IPsec-policy-based firewall rules.
  • NAT-Traversal via UDP encapsulation and port forwarding.
  • Dead Peer Detection (DPD, RFC 3706) for dangling tunnels.
  • Dynamic IP address and interface updates with IKEv2 MOBIKE (RFC 4555).

Information Required

This solution requires Ascend to collect VPN and Network information that is specific to your site. Please work with your customer success representative to collect the following required pieces of information:

  • Pre-shared key (required): A pre-shared key is a string of characters that is used as an authentication key for site-to-site VPN authentication and with third-party VPN clients.
  • The network CIDR notation (required): This is the Network CIDR notation for any on-premises resources the Ascend platform needs to connect to, e.g. 192.168.0.1/24
  • The IP address of the VPN service(s) (required): This is the IP address of the VPN service.
  • IKE version (prefer IKEv2) (required): Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite, e.g. IKEv2. Ascend prefers IKEv2.
  • IKE Cipher Suite (required): The cipher suite can be used with the IKE and ESP directives in ipsec.conf or the proposals settings in swanctl.conf to define cipher suites. Please see the list of supported IKE cipher suites at https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites, e.g. aes256-sha1-modp1536
  • ESP Cipher Suite (required): The cipher suite can be used with the IKE and ESP directives in ipsec.conf or the proposals settings in swanctl.conf to define cipher suites. Please see the list of supported cipher suites at https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites, e.g. aes256-sha1
  • Service Ports (default: 500/4500) (required): These are the service ports of the VPN service; the default is 500/4500.

Example configuration:

  • Pre-shared key (required):
  • The network CIDR notation: 192.168.0.1/24
  • The IP address of the VPN service(s): 1.1.1.1
  • IKE version (prefer IKEv2): IKEv2
  • IKE Cipher Suite: aes256-sha1-modp1536
  • ESP Cipher Suite: aes256-sha1
  • Service Ports (default: 500/4500): 500/4500
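
The following Python sketch is an added example, not Ascend's or strongSwan's own code: it checks the collected values before they are handed over and renders the matching connection block for swanctl.conf. The form field names and the connection name `onprem` are assumptions; the pre-shared key belongs in the `secrets` section of swanctl.conf and is deliberately not rendered.

```python
import ipaddress

# Constructed form mirroring the page's example; the PSK is a placeholder.
EXAMPLE = {
    "psk": "<PSK-PLACEHOLDER>", "network_cidr": "192.168.0.1/24",
    "vpn_ip": "1.1.1.1", "ike_version": "IKEv2", "ports": "500/4500",
    "ike_suite": "aes256-sha1-modp1536", "esp_suite": "aes256-sha1",
}

def validate(form):
    """Return (normalized copy of form, list of findings)."""
    out, findings = dict(form), []
    if not form["psk"].strip():
        findings.append("pre-shared key is empty")
    try:
        # strict=False accepts host bits and yields the network address.
        net = ipaddress.ip_network(form["network_cidr"], strict=False)
        if str(net) != form["network_cidr"]:
            findings.append(f"CIDR has host bits set, using {net}")
        out["network_cidr"] = str(net)
    except ValueError:
        findings.append("network CIDR is invalid")
    try:
        ipaddress.ip_address(form["vpn_ip"])
    except ValueError:
        findings.append("VPN service IP is invalid")
    if form["ike_version"] not in ("IKEv1", "IKEv2"):
        findings.append("IKE version must be IKEv1 or IKEv2")
    ports = form["ports"].split("/")
    if len(ports) != 2 or not all(p.isdigit() and 0 < int(p) < 65536 for p in ports):
        findings.append("service ports must look like 500/4500")
    return out, findings

def render_swanctl(v, name="onprem"):
    """Render the connection part of swanctl.conf; `name` is hypothetical."""
    lines = [
        "connections {", f"  {name} {{",
        f"    version = {v['ike_version'][-1]}",
        f"    remote_addrs = {v['vpn_ip']}",
        f"    proposals = {v['ike_suite']}",
        "    local {", "      auth = psk", "    }",
        "    remote {", "      auth = psk", "    }",
        "    children {", f"      {name} {{",
        f"        remote_ts = {v['network_cidr']}",
        f"        esp_proposals = {v['esp_suite']}",
        "      }", "    }", "  }", "}",
    ]
    return "\n".join(lines)
```

Run against the example values above, the check reports that 192.168.0.1/24 has host bits set and normalizes the traffic selector to 192.168.0.0/24.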