IPsec Recommendations

Print version

6. IPsec Recommendations

The number of IPsec parameters is very high and it can be hard to optimize their settings to suit the network performance. The following section provides explanation and several recommendations to optimize the configuration when utilizing it on the Radio channel.

Parameter

Recommendation

Make-before-break

A temporary connection break during IKE_SA re-authentication is suppressed by this parameter.

Set it to “On” for a higher tunnel reliability and availability, because the connection is not interrupted during re-authentication.

IKE version

Use the “IKEv2” if possible. One of the main reasons is a lower bandwidth consumption compared to IKEv1, always helpful for the Radio channel.

Start state

One possible approach is to set “Passive” mode in the central site (IPsec concentrator) and “Start” in all Peers. In such a configuration, if the Peer is turned off, the Master does not try to establish the connection. Only if the Peer is alive, will it automatically establish the connection itself and the Master station will be ready to answer.

Do NOT use the “Passive” mode on both end-points. In such configuration, no tunnel will be established.

Neither is it recommended to configure a “Start” mode on both peers, because establishment can be initiated from both peers simultaneously and two SAs can be created which might result in dropping the tunnel and re-establishment. Eventually, a correct tunnel is established, but it may take a while in a cycle before the tunnel is established correctly.

MOBIKE

In static RipEX networks, mobility support is not required – turn it “Off”.

Dead Peer
Detection

It is set in our example and is used to keep the tunnel up and running. If keep-alive packets are lost, the tunnel is closed and “action” is performed. Turn this option “On” for faster communication loss recovery.

The “DPD Action” might be any of the available options, one possible option is to use “Hold” in the Master station and “Restart” in remote units.

Encryption
algorithm

Use the default AES128 which provides a sufficient level of security while keeping CPU usage at low values.

Integrity algorithm

Use the default SHA256 for a sufficient level of packet integrity.

Diffie-Hellman group

With default Encryption and Integrity settings, we suggest using Group19 or Group20. Both are within the so called “Elliptic Curve” group. They provide the same or better security, but consume less CPU than typical “Modulo Prime” groups. Nevertheless, “Modulo Prime” groups are widely used and a default group is MODP3072 (Group15).

Reauthentication

We recommend you to turn this option “Off” (default), because it consumes less bandwidth when the IKEv2 SA expires and negotiation is required. On the other hand, enabled reauthentication is more secure.

SA lifetime

If these values are too low, this leads to high CPU usage for reauthentication which will also occur too often. The default values are 14400 seconds (2 days) for IKE phase I and 3600 seconds (1 hour) for IKE phase II. These are the minimal recommended values for the Radio channel while maintaining a sufficiently high security level.

IPcomp
compression

Where possible turn this useful option “On”, because this feature might save precious bandwidth using the compression. If using IPsec, the default radio compression does not have any effect on packet sizes. By default, it is “Off”, because the Peer might not support this feature.

Pre-shared keys

Choose a pass phrase length as required, but 30 or more characters are more than secure enough and no special characters are required.

Consider a different PSK for every IPsec tunnel. You can also use a “Key” mode and generate a secure and unique key for a particular tunnel. Copy and paste the key to the Peer unit.