Create New Enterprise Site for Traffic Tunneling
- Select Administration > Enterprise Integration.
- Click Enterprise Sites and click New.
-
Enter these basic details.
- Name and Description - Enter a Name (required) and a Description (optional) for the site.
- Location -- Enter location information (country and state or province as applicable).
- Enter the Public IP address for the site and click Save to close the text box.
- User count -- Select a range that represents the number of users at the site.
- Traffic forwarding type - Select IPSec or Native endpoint steering (PAC, Agent).
- FQDN -- Enter the Fully Qualified Domain Name (FQDN) for the site. The FQDN maps to the Public IP address and provides a unique identifier for the site.
- Private IP or subnet -- Identifies the source IP for the end user network through which the traffic is moving and helps to identify the correct tunnel to direct the traffic. For example, one site might use a desktop network while a second site might use a different subnet network. Sites can have the same or different subnets.
- Click Next.
-
Enter encryption details.
-
Authentication method -- Select either Pre-Shared Key or Certificate.
A pre-shared key is shared between two endpoints. The keys on both endpoints must match for authentication to be successful.
A pre-shared key can be generated automatically by clicking the icon to the right of the Pre-Shared Key field. This generated key is longer, more complex, and provides stronger security than a pre-shared key you create and enter yourself.
If you enter a pre-shared key, the key should be between 8 and 64 characters long and include at least one lowercase character, one uppercase character, one numeric character, and one special character (for example, @ or %).
- A certificate includes any certificate you have uploaded to Lookout Cloud Security Platform using Certificate Management. From the prompt, select a certificate to present for authentication. For information about creating and managing certificates, see Certificate Management.
- IKE (Internet Key Exchange) -- IKE patterns are needed to establish tunnels. The native security platform uses the IKEV2 protocol.
- FIPS Compliant -- Check the toggle to ensure that all IKE and IPsec cipher sites are FIPS compliant.
- Encryption Algorithm -- Select from the list of available cipher sites. If you have enabled FIPS compliance, the list includes only compliant security options.
- Diffie-Hellman Group -- Select a value from the list. The higher the number in the value, the stronger the security. If you enabled FIPS compliance, the list includes only compliant security options.
- Life Time -- Enter the number of hours (between 10 and 72) for the IKE lifetime. The IKE expires after this number of hours. For example, if you entered 20 hours, the IKE expires after 20 hours. Before it expires, the tunnel goes through a renegotiation process.
-
- Click Next to configure advanced options.
-
Under Encapsulating Security Payload (ESP), enter or select the following values.
- Integrity and Encrypt algorithm -- Select a cipher site from the list.
-
ReKey -- Click the toggle to enable this option, which instructs the security platform to re-key the tunnel before the existing tunnel expires. The re-key process starts and the tunnel is
re-negotiated. If this option is disabled, the tunnel is deactivated upon expiration and traffic cannot move through it.
- ReAuth - Click the toggle to re-authenticate the two endpoints. This option is a recommended best practice to strengthen protection if either or both endpoints change or if the site has been compromised.
- Depending on the selected authentication method, you can revoke access to the tunnel in two ways:
-
If you are using pre-shared keys, they will no longer match after they are changed when Reauth is enabled. A compromised site cannot connect with the security platform.
- If you are using a certificate, you can remove or change the certificate.
-
- Life Time -- Defines the lifetime of the tunnel itself. The tunnel life expires after the number of hours you enter. The value must be between 2 and 72 hours. This lifetime has a smaller minimum value (2 hours as opposed to 10 hours for the IKE lifetime) to enable a quicker end to a tunnel life, thus helping to prevent a tunnel from being compromised.
- Dead peer detection -- Serves as a monitor of traffic "heartbeat," to detect the absence of traffic on a tunnel. The options for DPD action are:
- None (default) -- Disables sending of active DPD messages.
- Clear -- Closes the connection; no further action is taken.
- Hold -- Installs a trap policy, which catches matching traffic and tries to renegotiate the connection on demand.
- Restart -- Triggers an attempt to renegotiate the connection.
-
IKE Fragmentation -- A key exchange might include a large amount of data per packet. For example, a data packet might be larger than the Maximum Transmission Unit (MTU), which is the largest size frame or packet (approximately 1500 bytes for Ethernet links) that can be transmitted across a data link. Fragmentation allows the packet to be broken down into subpackets for transmission through the tunnel. Both endpoints must support fragmentation.
The options are:
- Yes (allow fragmentation)
- Accept (if fragmentation occurs on the Lookout side, the other endpoint will accept it)
- Force (if the packet size is known to be larger than the MTU, force fragmentation)
- No (do not allow fragmentation).
-
Click Save.
The new site definition is added to the list on the Enterprise Sites page.
A popup window displays tunnel configuration information, including Primary DNS and Secondary DNS information defined for the site. You can configure a tunnel for both a primary and a secondary DNS. The secondary DNS can serve as a backup to keep traffic moving if the primary tunnel goes down.
- The Status field shows Disconnected or Connected status.
-
If the primary tunnel is connected, the status is displayed as connected.
Once tunnels are defined, you can set up and configure web and application policies in the Management Console to determine the appropriate actions for traffic moving through the tunnel.