Peer-to-Peer VPN
A Peer-to-Peer VPN, also known as a Site-to-Site VPN, provides the ability to securely connect two or more geographically separate locations over the Internet as if they were a single private network (e.g., branch offices and the headquarters).
Setting up Peer-to-Peer VPN
- In the router portal, open the Network tab ➜ Peer-to-Peer VPN.
- Activate the Peer-to-Peer VPN function and save.
- Add a new VPN site, enter the connection data of the remote VPN site, and confirm to add it.
Note on Peer-to-Peer VPN encryption
VPN between Centro Business and Centro Business
When a VPN is set up between two Centro Business devices, the encryption is always selected automatically.
Centro Business to any other VPN remote site
When a VPN is set up to a remote site that does not use a Centro Business, the encryption must be configured manually. The Centro Business offers the following options (PFS is always recommended):
| Profile | Swisscom-IKEv2-PFS | Swisscom-IKEv2 |
|---|---|---|
| IKE Exchange Mode | Main | Main |
| Phase 1 Encr. Algs | AES-CBC-256, AES-CBC | AES-CBC-256, AES-CBC |
| Phase 1 Integrity Algs | HMAC-SHA2-256-128, HMAC-SHA1-160 | HMAC-SHA2-256-128, HMAC-SHA1-160 |
| Phase 1 DH Transforms | Curve25519, MODP-8192, ECP-384, MODP-2048 | Curve25519, MODP-8192, ECP-384, MODP-2048 |
| Phase 1 SA Lifetime (seconds) | 86400 | 86400 |
| Phase 2 Encr. Algs | AES-CBC-256, AES-CBC | AES-CBC-256, AES-CBC |
| Phase 2 Integrity Algs | HMAC-SHA2-256-128, HMAC-SHA1-160 | HMAC-SHA2-256-128, HMAC-SHA1-160 |
| Phase 2 SA Lifetime (seconds) | 86400 | 86400 |
| PFS | Curve25519, MODP-8192, ECP-384, MODP-2048 | Disabled |
Performance optimization for VPNs (NAT-T)
For VPN connections established via your own router or a firewall behind the Centro Business, activating NAT-T (NAT Traversal) is recommended.
Technical benefits:
- Increased throughput: Activating this feature increases the transfer speed of the VPN tunnel.
- Hardware acceleration: NAT-T encapsulates the IPsec packets in UDP packets, and in that form the Centro Business can process them with its hardware acceleration.
Prerequisite: For the connection to be established successfully and for the performance benefits to take effect, NAT-T must also be activated on the remote site.
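As an added example that is not part of this guide, the following strongSwan swanctl.conf fragment shows how the Swisscom-IKEv2-PFS profile from the table above and forced NAT-T could be expressed on a non-Centro-Business remote site. All addresses, identities, subnets and the pre-shared key are placeholders, and pre-shared-key authentication is an assumption; only the AES-256/SHA-256 combinations from the profile are listed.

```conf
# swanctl.conf on the non-Centro-Business side (strongSwan swanctl syntax).
# Addresses, IDs, subnets and the PSK below are placeholders, not values from the guide.
connections {
    to-centro-business {
        version = 2                          # IKEv2 only; the Centro Business no longer supports IKEv1
        local_addrs  = 203.0.113.10          # placeholder: this site's public address
        remote_addrs = 198.51.100.20         # placeholder: public address of the Centro Business
        encap = yes                          # always UDP-encapsulate ESP (NAT-T), as the guide recommends
        rekey_time = 24h                     # Phase 1 SA lifetime of 86400 s from the profile table
        # Phase 1: AES-CBC-256 + HMAC-SHA2-256-128 with each DH group the profile allows, strongest first.
        proposals = aes256-sha256-x25519, aes256-sha256-modp8192, aes256-sha256-ecp384, aes256-sha256-modp2048
        local {
            auth = psk
            id = vpn.branch.example          # placeholder identity of this site
        }
        remote {
            auth = psk
            id = vpn.hq.example              # placeholder identity of the Centro Business
        }
        children {
            site-to-site {
                local_ts  = 192.168.10.0/24  # placeholder: subnet behind this router
                remote_ts = 192.168.20.0/24  # placeholder: subnet behind the Centro Business
                mode = tunnel
                rekey_time = 24h             # Phase 2 SA lifetime of 86400 s from the profile table
                # Phase 2 (ESP): the DH group in each proposal is what enables PFS (Swisscom-IKEv2-PFS).
                # For the Swisscom-IKEv2 profile (PFS disabled) the proposal would be plain aes256-sha256.
                esp_proposals = aes256-sha256-x25519, aes256-sha256-modp8192, aes256-sha256-ecp384, aes256-sha256-modp2048
                start_action = start         # bring the tunnel up as soon as the config is loaded
                dpd_action = restart         # re-establish the tunnel if the peer stops answering
            }
        }
    }
}
secrets {
    ike-centro-business {
        id = vpn.hq.example                  # placeholder: must match the remote id above
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder
    }
}
```

After loading with `swanctl --load-all`, `swanctl --list-sas` shows the proposal the two sides actually agreed on, which is the quickest way to confirm that a DH group (and thus PFS) was negotiated for the child SA.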
Limitations
- Not available with BNS/EC-S contracts
FAQ on Peer-to-Peer VPN
What should be considered when connecting networks via VPN?
- If one of the VPN sites has security vulnerabilities, the VPN tunnel gives an attacker who compromises that site a path into the infrastructure of the other connected sites, so the potential damage increases.
- If no Centro Business router is used at the remote site, configuring the VPN requires technical knowledge as there are many different possibilities.
What is PFS?
PFS stands for "Perfect Forward Secrecy" and is a security property of the key exchange that protects the confidentiality of communication over time. Its main benefit is that even if the keys of a specific communication channel are compromised later, previously recorded sessions cannot be decrypted, because each session negotiates its own independent session key.
Why is IKEv1 no longer supported?
IKEv1 (Internet Key Exchange Version 1) is being dropped by more and more products for several reasons. First, IKEv2 offers significant improvements in security and efficiency, including a simplified protocol structure and better encryption algorithms. Second, IKEv2 includes features such as the MOBIKE protocol for better support of mobile devices and dynamic IP address changes. Furthermore, vulnerabilities that existed in IKEv1 were fixed in IKEv2, making it the more secure choice. Given these advantages and the constant evolution of network security standards, many modern VPN solutions no longer support IKEv1.