Firewall IPsec

A quick overview of how you can apply IPsec practices within your Xelon HQ Firewall Service.

IPsec is a protocol suite that safeguards a network connection and its data by encrypting the IP packets. Within the platform, you can add encryption and authentication to one or more connections over public and shared networks.

Get started with IPsec

To set up IPsec, configure both sides of the connection with the same settings:

  1. The Xelon HQ side is configured in the interface wizard. Most settings are predefined, but you can adjust them according to your needs.
  2. The remote side needs to be configured with the same encryption settings.

Encrypted connection settings include these fields:

Phase 1

  • Remote Gateway – public IP to connect to
  • Mode – can be Tunnel or Transport

Modes

                | Tunnel                                            | Transport
  Encryption    | The whole IP packet                               | Payload only
  IP packet     | New IP packet with new IP header                  | No changes in the IP header, IP header not encrypted
  Communication | Network-to-network, host-to-network, host-to-host | Host-to-host

  • Encryption – the encryption algorithm (AES 256bit / AES 128bit)
  • Hash algorithm – the algorithm that computes a fixed-length digest of the payload, used to verify its integrity (SHA1 / SHA256 / SHA384 / SHA512)
  • DH group – the Diffie-Hellman group used for key exchange (Security IKE algorithms)
  • Pre-Shared key – a secret key known to both sides, used to authenticate them when the IPsec tunnel is established
  • DH Lifetime – how long the DH group value remains valid

Phase 2

  • Local Network – the network of the Xelon HQ instance
  • Remote LAN Network – the LAN network to connect to
  • Encryption – the encryption algorithm used in Phase 2 (AES 256bit / AES 128bit)
  • Hash algorithm – the algorithm that computes a fixed-length digest of the payload, used to verify its integrity (SHA1 / SHA256 / SHA384 / SHA512)
  • PFS group – an algorithm that ensures the keys are dynamic and the same key is never used twice. It also protects your data if the private key is exposed.
  • PFS Lifetime – how long the PFS group value remains valid
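
The requirement that both sides carry the same settings can be checked before the tunnel is brought up. The script below is an added example, not part of the Xelon HQ platform or its API: it compares the Phase 1 and Phase 2 values noted for each end, and also checks the addressing fields, which are mirrored between the two ends rather than identical. The dictionary layout, the `public_ip` field, the lifetimes in seconds and all sample values are assumptions constructed for illustration.

```python
import ipaddress

# Settings that must be identical on both ends (field names follow the page).
MUST_MATCH = {
    "phase1": ("mode", "encryption", "hash", "dh_group", "psk", "dh_lifetime"),
    "phase2": ("encryption", "hash", "pfs_group", "pfs_lifetime"),
}

def compare_sides(a, b):
    """Return a list of mismatches between two tunnel ends (empty = consistent)."""
    problems = []
    for phase, fields in MUST_MATCH.items():
        for field in fields:
            if a[phase][field] != b[phase][field]:
                # Never echo the pre-shared key into a report or log.
                detail = "" if field == "psk" else f": {a[phase][field]!r} vs {b[phase][field]!r}"
                problems.append(f"{phase}.{field} differs{detail}")
    # Addressing is mirrored, not identical: my Remote Gateway is the peer's
    # public IP, and my Local Network is the peer's Remote LAN Network.
    for me, peer in ((a, b), (b, a)):
        if me["phase1"]["remote_gateway"] != peer["public_ip"]:
            problems.append(f"{me['name']}: remote gateway is not the public IP of {peer['name']}")
        local = ipaddress.ip_network(me["phase2"]["local_network"])
        if local != ipaddress.ip_network(peer["phase2"]["remote_lan"]):
            problems.append(f"{me['name']}: local network is not the remote LAN of {peer['name']}")
    return problems

# Constructed sample values (documentation and private address ranges).
XELON = {
    "name": "xelon", "public_ip": "192.0.2.10",
    "phase1": {"remote_gateway": "198.51.100.20", "mode": "Tunnel",
               "encryption": "AES 256bit", "hash": "SHA256", "dh_group": 14,
               "psk": "constructed-example-secret", "dh_lifetime": 28800},
    "phase2": {"local_network": "10.10.0.0/24", "remote_lan": "192.168.50.0/24",
               "encryption": "AES 256bit", "hash": "SHA256", "pfs_group": 14,
               "pfs_lifetime": 3600},
}
REMOTE = {  # same values, mirrored addressing, one deliberate Phase 2 mismatch
    "name": "remote", "public_ip": "198.51.100.20",
    "phase1": {**XELON["phase1"], "remote_gateway": "192.0.2.10"},
    "phase2": {**XELON["phase2"], "local_network": "192.168.50.0/255.255.255.0",
               "remote_lan": "10.10.0.0/24", "hash": "SHA1"},
}

if __name__ == "__main__":
    for line in compare_sides(XELON, REMOTE) or ["both sides are consistent"]:
        print(line)
```

The networks are normalised before comparison, so the same LAN written with a prefix length on one side and a netmask on the other is not reported as a mismatch.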

Need some assistance?

For questions regarding the Firewall IPsec Service, drop us a line here.