IPSec
IPSec is a secure and flexible VPN solution for bi-directional data connections between your private network and an on-premises or cloud environment.
Connecting to the Simbase OpenVPN server allows remote access to the private static IP address of your SIM card. Use an OpenVPN client on the desktop or install OpenVPN on any server for secure two-way communication with all IoT devices.
When using IPsec to establish a secure connection between a private network and an on-premises network, the basic process involves configuring IPsec in our dashboard and on your VPN concentrator. Both sides of the tunnel are then configured to authenticate each other using a shared secret (pre-shared key) so that data can be transmitted over a secure tunnel between the networks.
Once the secure tunnel is established, the traffic between the private network and on-premises networks is encrypted and authenticated using the IPsec protocol. This ensures that any data transmitted between the networks is protected from eavesdropping, tampering, or other forms of attack.
There are several different ways to configure an IPsec tunnel between a private network and an on-premises network, depending on the specific requirements of the network and the devices that are being used. Please see the section below for detailed recommendations.
It is also important to have proper firewall rules and access control in place for this VPN, both to secure it and to control who can reach what through it. Regular audits, credential rotation (pre-shared keys and certificates) and monitoring are equally important for maintaining the security of this VPN.
Overview
Most IoT use cases use an application server with a public IP address that allows the IoT sensors to offload their data. A good example would be a GPS tracker that sends its latitude and longitude to a server every 5 minutes.
There are scenarios in which you would like to send this data over a private connection instead of via the public internet. IPSec tunnels basically connect your corporate or cloud network to the subnet used by your SIM cards.
In the setup above, SIM cards can connect to anything on the internet (resources with a public IP). Additionally, SIM cards can access private resources in the customer network.
It is also possible to route all traffic over the IPSec tunnel. Optionally, you can set up your own Internet Gateway and control any inbound and/or outbound traffic. Please also see the sketch below.
Setup IPSec tunnel
Before configuring the IPSec tunnel make sure to take the necessary preparations. Depending on your type of VPN concentrator, the basic steps for setting up an IPsec tunnel typically include the following:
Deploy a Private network. More info can be found here.
Deploy a VPN concentrator (pfSense is a good option) in your corporate network or cloud network with a public IP address.
Configure the IPSec tunnel in the Simbase dashboard.
Configure the IPSec tunnel in your VPN concentrator.
It is important to understand that the steps and details may vary depending on the specific devices and software that are being used, so consult the documentation for those devices for detailed instructions on how to configure them. It is also important to do this in a lab environment for testing before implementing it in production.
You may also want to consider hiring an experienced network engineer to assist you with configuring the IPsec tunnel, especially if you are not familiar with the process or if you are working with large or complex networks.
Configure IPSec tunnel (Simbase)
Notes on IPSec
Please see below for some guidance on the specific IPSec options.
Key Exchange version
When possible select IKEv2 as it is considered faster and more secure than IKEv1. Use auto when unsure.
Simbase IP address
This is the IP address of our VPN concentrator. Please make sure to take note of this for the next step.
Remote IP address
Enter the IPv4 address of your VPN concentrator into this field.
Phase 1 Pre-Shared Key
Please enter a pre-shared key into this field, or copy the proposed key. Make sure the key is long and random. Avoid special characters. Never share this key with anybody as it can lead to a compromised tunnel.
Phase 1 Encryption Algorithm
Select the Phase 1 algorithm and key length. If your device supports AES128-GCM (128 bit key), please select that one as it provides the best security vs. performance.
Phase 1 Hash Algorithm
Select the Phase 1 Hash and key length. If your device supports SHA256, please select that one as it provides the best security vs. performance. Please note that SHA1 is generally considered unsafe and should be avoided.
Phase 1 DH Group Key
Select the Phase 1 DH Group Key. If your device supports 14 (2048 bit), please select that one as it provides the best security vs. performance.
Phase 1 Lifetime
Hard IKE SA lifetime, in seconds, after which the IKE SA expires. Select 28800 sec if you are unsure. Tip: Set one endpoint to this recommended value but use a higher Life Time on the other endpoint by at least 10% (e.g. 5400) to help avoid overlap. Value can be anything between 20000 and 86400 seconds.
Phase 1 Dead Peer Detection
Check the liveness of a peer by using IKEv2 INFORMATIONAL exchanges or IKEv1 R_U_THERE messages. Active DPD checking is only enforced if no IKE or ESP/AH packet has been received for the configured DPD delay. Set to disabled when unsure.
Phase 2 SIM Network
This is the subnet used by the SIM cards. That is why it is fixed and cannot be changed.
Phase 2 Remote Network
This is the subnet in CIDR notation used on your side of the IPSec tunnel. Leave it at 0.0.0.0/0 to route all traffic to your servers.
Phase 2 ESP
Encapsulating Security Payload (ESP) performs encryption and authentication. This value cannot be changed.
Phase 2 Encryption Algorithm
Select the Phase 2 algorithm and key length. If your device supports AES128-GCM (128 bit key), please select that one as it provides the best security vs. performance.
Phase 2 Hash Algorithm
Select the Phase 2 Hash and key length. If your device supports SHA256, please select that one as it provides the best security vs. performance. Please note that SHA1 is generally considered unsafe and should be avoided.
Phase 2 DH Group Key
Select the Phase 2 DH Group Key. If your device supports 14 (2048 bit), please select that one as it provides the best security vs. performance.
Phase 2 Lifetime
Hard Child SA lifetime, in seconds, after which the Child SA expires. Must be larger than the Rekey Time. Tip: Set one endpoint to this recommended value but use a higher Life Time on the other endpoint by at least 10% (e.g. 5400) to help avoid overlap. Value can be anything between 1800 and 7200 seconds.
Configure IPSec tunnel (Customer side)
How to configure the IPSec on your side highly depends on what service you are using. Below you find a video on how to do it in pfSense, which we highly recommend.
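The following script is an added example and is not Simbase's own tooling, nor pfSense code. It covers both the "Notes on IPSec" guidance above (IKEv2, AES128-GCM, SHA256, DH group 14, the Phase 1 and Phase 2 lifetime ranges, the "peer lifetime at least 10% higher" tip, and a long random pre-shared key without special characters) and the customer-side configuration: it sanity-checks a planned tunnel against that guidance and renders a strongSwan swanctl.conf fragment as one possible concentrator configuration. The dictionary field names, the placeholder IP addresses and subnets, and the swanctl.conf syntax and its mapping of "Life Time" to strongSwan's rekey/life settings are my assumptions; the SIM subnet and Simbase IP address must come from your dashboard.

```python
"""Plan, sanity-check and render an IPsec site-to-site tunnel.

Added example (not Simbase or pfSense code). Encodes the recommendations from
the "Notes on IPSec" section and renders a strongSwan swanctl.conf fragment
for the customer-side concentrator. All addresses are placeholders.
"""
import secrets
import string

# Ranges and preferred choices taken from the guidance above.
P1_LIFETIME_RANGE = (20000, 86400)   # Phase 1 (IKE SA) lifetime in seconds
P2_LIFETIME_RANGE = (1800, 7200)     # Phase 2 (Child SA) lifetime in seconds
UNSAFE_HASHES = {"SHA1"}             # called out as unsafe on the page
MIN_DH_GROUP = 14                    # DH group 14 = 2048 bit
PSK_ALPHABET = string.ascii_letters + string.digits  # "avoid special characters"
MIN_PSK_LENGTH = 32                  # my assumption of what "long" means


def generate_psk(length: int = 48) -> str:
    """Random pre-shared key from the OS CSPRNG, letters and digits only."""
    if length < MIN_PSK_LENGTH:
        raise ValueError(f"use at least {MIN_PSK_LENGTH} characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def peer_lifetime(local_lifetime: int) -> int:
    """Lifetime for the other endpoint: at least 10% higher, rounded up, so
    both sides do not rekey at the same moment. Integer math avoids float
    rounding surprises (28800 * 1.1 is not exactly 31680 in binary floats)."""
    return (local_lifetime * 11 + 9) // 10


def check_tunnel(cfg: dict) -> list:
    """Return findings that deviate from the guidance; empty list means OK."""
    findings = []
    if cfg["ike_version"] != 2:
        findings.append("IKEv1 selected; prefer IKEv2 where the concentrator supports it")
    for phase in ("p1", "p2"):
        if cfg[f"{phase}_hash"].upper() in UNSAFE_HASHES:
            findings.append(f"{phase}: {cfg[f'{phase}_hash']} is considered unsafe, use SHA256")
        if cfg[f"{phase}_dh_group"] < MIN_DH_GROUP:
            findings.append(f"{phase}: DH group below {MIN_DH_GROUP} (2048 bit)")
    for phase, (lo, hi) in (("p1", P1_LIFETIME_RANGE), ("p2", P2_LIFETIME_RANGE)):
        value = cfg[f"{phase}_lifetime"]
        if not lo <= value <= hi:
            findings.append(f"{phase}: lifetime {value}s outside {lo}-{hi}s")
    if cfg["p2_rekey"] >= cfg["p2_lifetime"]:
        findings.append("p2: lifetime must be larger than the rekey time")
    psk = cfg["psk"]
    if len(psk) < MIN_PSK_LENGTH or any(c not in PSK_ALPHABET for c in psk):
        findings.append("PSK should be long, random and free of special characters")
    return findings


def render_swanctl(cfg: dict) -> str:
    """strongSwan swanctl.conf fragment for the customer side (syntax is my
    assumption of strongSwan's format; pfSense exposes the same knobs in its UI).
    AES128-GCM is an AEAD, so the IKE proposal carries a PRF instead of an
    integrity algorithm. dpd_delay = 0s leaves DPD disabled."""
    enc, prf, dh = "aes128gcm16", "prfsha256", "modp2048"
    return (
        "connections {\n"
        "    simbase {\n"
        f"        version = {cfg['ike_version']}\n"
        f"        local_addrs = {cfg['local_ip']}\n"
        f"        remote_addrs = {cfg['simbase_ip']}\n"
        f"        proposals = {enc}-{prf}-{dh}\n"
        f"        rekey_time = {cfg['p1_lifetime']}s\n"
        f"        dpd_delay = {cfg['dpd_delay']}s\n"
        "        local { auth = psk }\n"
        "        remote { auth = psk }\n"
        "        children {\n"
        "            sim-net {\n"
        f"                local_ts = {cfg['remote_network']}\n"
        f"                remote_ts = {cfg['sim_network']}\n"
        f"                esp_proposals = {enc}-{dh}\n"
        f"                life_time = {cfg['p2_lifetime']}s\n"
        f"                rekey_time = {cfg['p2_rekey']}s\n"
        "            }\n"
        "        }\n"
        "    }\n"
        "}\n"
        "secrets {\n"
        "    ike-simbase {\n"
        f"        id-1 = {cfg['simbase_ip']}\n"
        f"        secret = \"{cfg['psk']}\"\n"
        "    }\n"
        "}\n"
    )


# Constructed sample plan that follows the recommendations. IPs are from the
# RFC 5737 documentation ranges; the SIM subnet is a placeholder, the real one
# is fixed and shown in the dashboard.
SAMPLE = {
    "ike_version": 2,
    "simbase_ip": "192.0.2.10",        # "Simbase IP address" from the dashboard (placeholder)
    "local_ip": "198.51.100.20",       # your concentrator's public IP (placeholder)
    "sim_network": "10.0.0.0/8",       # "Phase 2 SIM Network" (placeholder)
    "remote_network": "10.20.0.0/16",  # "Phase 2 Remote Network" (placeholder)
    "psk": generate_psk(48),
    "p1_hash": "SHA256", "p1_dh_group": 14, "p1_lifetime": 28800,
    "p2_hash": "SHA256", "p2_dh_group": 14, "p2_lifetime": 3600, "p2_rekey": 3240,
    "dpd_delay": 0,
}

if __name__ == "__main__":
    for finding in check_tunnel(SAMPLE) or ["no findings"]:
        print(finding)
    print(f"peer Phase 1 lifetime: {peer_lifetime(SAMPLE['p1_lifetime'])}s")
    print(render_swanctl(SAMPLE))
```

Run the check before touching either endpoint; a non-empty findings list points at the dashboard field to revisit. Whichever side keeps the recommended lifetime, the other side gets `peer_lifetime()` of it so rekeys do not collide.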
Specifications and limitations