
Peer-to-Peer VPN

A Peer-to-Peer VPN, also called a Site-to-Site VPN, securely connects two or more geographically separate locations (for example, branch offices and the head office) over the internet as if they were a single private network.


Set up Peer-to-Peer VPN

  • In the router portal, open the Network tab ➜ Peer-to-Peer VPN
  • Activate the Peer-to-Peer VPN function and save
  • Add a new VPN site and enter the connection data of the remote VPN peer

Note on Peer-to-Peer VPN Encryption

VPN between Centro Business and Centro Business

When a VPN is set up between two Centro Business devices, the choice of encryption is always automatic.


Centro Business to arbitrary VPN Peer

When a VPN is set up to a peer that is not a Centro Business, the encryption must be configured manually on the remote side to match one of the profiles below. The Centro Business offers the following options (PFS is always recommended):

Profile                      Swisscom-IKEv2-PFS                           Swisscom-IKEv2
IKE Exchange Mode            Main                                         Main
Phase 1 Encryption Algs      AES-CBC-256, AES-CBC                         AES-CBC-256, AES-CBC
Phase 1 Integrity Algs       HMAC-SHA2-256-128, HMAC-SHA1-160             HMAC-SHA2-256-128, HMAC-SHA1-160
Phase 1 DH Transforms        Curve25519, MODP-8192, ECP-384, MODP-2048    Curve25519, MODP-8192, ECP-384, MODP-2048
Phase 1 SA Lifetime (sec)    86400                                        86400
Phase 2 Encryption Algs      AES-CBC-256, AES-CBC                         AES-CBC-256, AES-CBC
Phase 2 Integrity Algs       HMAC-SHA2-256-128, HMAC-SHA1-160             HMAC-SHA2-256-128, HMAC-SHA1-160
Phase 2 SA Lifetime (sec)    86400                                        86400
PFS                          Curve25519, MODP-8192, ECP-384, MODP-2048    Deactivated
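As an added example, not Swisscom's own configuration: a strongSwan swanctl.conf fragment for a non-Centro Business peer that matches the Swisscom-IKEv2-PFS profile above. All addresses, identities, subnets and the pre-shared key placeholder are constructed; strongSwan's `sha256` keyword is HMAC-SHA2-256-128, and the profile's weaker alternates (AES-CBC, HMAC-SHA1-160) are deliberately left out.

```conf
# swanctl.conf (strongSwan) - example matching the Swisscom-IKEv2-PFS profile
# All addresses, identities and subnets below are constructed placeholders.
connections {
    centro-business {
        version = 2                         # IKEv2 only; the Centro Business no longer offers IKEv1
        local_addrs  = 203.0.113.10         # this gateway's public address (placeholder)
        remote_addrs = 198.51.100.20        # Centro Business public address (placeholder)

        local {
            auth = psk
            id = gw.branch.example.net      # placeholder identity
        }
        remote {
            auth = psk
            id = centro.hq.example.net      # placeholder identity
        }

        # Phase 1 (IKE_SA): AES-CBC-256, HMAC-SHA2-256-128 and the profile's
        # four DH groups; strongSwan names Curve25519 "x25519".
        proposals = aes256-sha256-x25519-modp8192-ecp384-modp2048
        rekey_time = 24h                    # Phase 1 SA lifetime 86400 s

        children {
            site-to-site {
                local_ts  = 192.168.10.0/24   # branch LAN (placeholder)
                remote_ts = 192.168.20.0/24   # head-office LAN (placeholder)

                # Phase 2 (CHILD_SA): the DH groups appended here are what
                # "PFS" in the profile means: every CHILD_SA rekey runs a
                # fresh Diffie-Hellman exchange. For the Swisscom-IKEv2 profile
                # (PFS deactivated) this line would be just "aes256-sha256".
                esp_proposals = aes256-sha256-x25519-modp8192-ecp384-modp2048
                rekey_time = 24h              # Phase 2 SA lifetime 86400 s
                start_action = start          # bring the tunnel up on load
            }
        }
    }
}

secrets {
    ike-centro {
        id = centro.hq.example.net
        secret = "REPLACE-WITH-PRE-SHARED-KEY"   # placeholder; set per site
    }
}
```

Load it with `swanctl --load-all`; `swanctl --list-sas` then shows the negotiated algorithms, so you can confirm the Centro Business accepted the PFS group rather than silently falling back to a weaker proposal.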

Restrictions

  • Not available with BNS/EC-S contract

FAQ on Peer-to-Peer VPN

What must be considered when connecting networks via VPN?

  • If a security gap exists at one of the VPN sites, the VPN tunnel gives an attacker a path to further infrastructure on the other side (the potential damage increases).
  • If a Centro Business router is not used at the remote site, configuring the VPN requires technical knowledge, as there are many possible settings that have to match on both sides.

What is PFS?

PFS stands for "Perfect Forward Secrecy" and is a security feature used to protect the confidentiality of communication. With PFS, each session key is derived from a fresh Diffie-Hellman exchange (the DH groups listed in the PFS row of the table). The main advantage is that even if the keys of a specific communication channel are compromised later, previously recorded sessions cannot be decrypted.

Why is IKEv1 no longer supported?

IKEv1 (Internet Key Exchange Version 1) is increasingly being dropped by vendors for several reasons. Firstly, IKEv2 offers significant improvements in security and efficiency, including a simplified protocol structure and better encryption algorithms. Secondly, IKEv2 includes features such as the MOBIKE protocol for better support of mobile devices and dynamic IP changes. In addition, vulnerabilities that existed in IKEv1 have been fixed in IKEv2, making it the safer choice. Given these advantages and the continuous development of network security standards, many modern VPN solutions no longer support IKEv1.



Is something missing here? Send feedback to pilot@swisscom.com, describing which area is concerned and what you expected or what could be improved.