VPN Connections

Round 1: Information Required from Client

  1. Vendor
    The manufacturer of the client’s gateway device (for example, Cisco Systems, Inc).
    Note: If the client runs their infrastructure in AWS, they only need to set up a Network Load Balancer and a PrivateLink endpoint service pointing to the services that must be exposed to Ready Education, and then provide the PrivateLink endpoint service name. This way no VPN is required for the integration.

  2. Platform
    The class of the client’s gateway device (for example, J-Series).

  3. Software
    The operating system running on the client gateway device (for example, ScreenOS).

  4. Region
    The region where the VPN will be deployed. Normally, this is the same region where the client infrastructure is set up.

  5. Client Gateway IP Address
    The public IP address of client's VPN router.

  6. Private CIDR range(s)
    The client chooses a private CIDR range that the client's router can route to, and the client must whitelist this CIDR range so that Ready Education can connect to, for example, the Banner databases.
    Note: The client cannot specify publicly routable IP addresses. The services on the client end must be configured to run on one of these IP addresses. The range must fall within one of:
    10.0.0.0/8 (RFC 1918), 192.168.0.0/16 (RFC 1918), 100.64.0.0/10 (RFC 6598), 172.16.0.0/12 (RFC 1918)

  7. IP addresses of the services
    The client needs to provide the IP addresses of the services that Ready Education needs to connect to, e.g. the IP address of the Banner database.

  8. Preshared Keys (PSK)
    Two preshared keys are required. These are used to establish an IPsec VPN connection between the Local Tunnel Endpoint and the Remote Tunnel Endpoint. The PSK must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.), and underscores (_). Default: A 32-character alphanumeric string.
    This is an optional step, as Ready Education can also generate these keys and share them.
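The PSK rules and the private-range rule above are easy to check mechanically before a form is accepted. The following Python script is an added example (not Ready Education's tooling and not code from this page): it validates a PSK against the stated rules, generates a key of the default 32-character alphanumeric shape from the OS CSPRNG, checks that a client CIDR lies inside one of the listed private ranges, and flags service IPs that no declared CIDR covers. The function names and the sample inputs in the dry run are my own.

```python
import ipaddress
import re
import secrets
import string
from typing import List, Optional

# The private ranges the document lists as allowed for the client-side CIDR.
ALLOWED_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),   # RFC 6598 (shared address space)
]

# Anything outside letters, digits, period and underscore is not allowed in a PSK.
PSK_DISALLOWED = re.compile(r"[^A-Za-z0-9._]")


def validate_psk(psk: str) -> List[str]:
    """Return the list of rule violations for a PSK; an empty list means it
    satisfies the rules quoted above (8-64 characters, no leading zero, only
    alphanumerics, periods and underscores)."""
    problems = []
    if not 8 <= len(psk) <= 64:
        problems.append(f"length {len(psk)} is outside 8..64")
    if psk.startswith("0"):
        problems.append("must not start with zero")
    bad = sorted(set(PSK_DISALLOWED.findall(psk)))
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a key of the default shape (32 alphanumeric characters) from
    the OS CSPRNG via the secrets module; loop until the validator accepts it
    so that a leading zero can never slip through."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not validate_psk(candidate):
            return candidate


def check_client_cidr(cidr: str) -> Optional[str]:
    """Return None if the range is a well-formed IPv4 CIDR lying entirely
    inside one allowed private range, otherwise a message saying why not."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return f"{cidr}: not a valid CIDR ({exc})"
    if net.version != 4:
        return f"{cidr}: only IPv4 ranges are accepted"
    if not any(net.subnet_of(allowed) for allowed in ALLOWED_PRIVATE_RANGES):
        return f"{cidr}: not inside an allowed private range"
    return None


def unrouted_service_ips(cidrs: List[str], service_ips: List[str]) -> List[str]:
    """List every service IP that none of the declared CIDRs covers; only the
    declared ranges are routed over the tunnel, so these would be unreachable."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [ip for ip in service_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    # Constructed inputs for a dry run (not taken from any real client form).
    print(validate_psk("0bad key!"))
    print(check_client_cidr("10.10.251.1/24"))
    print(unrouted_service_ips(["10.10.251.0/24"], ["10.10.251.10", "10.10.21.10"]))
    print(generate_psk())
```

The last check is worth running on every submission: the filled sample below declares 10.10.251.0/24 but lists the Banner hosts at 10.10.21.10 and 10.10.21.30, and since only declared ranges are routed over the tunnel, those hosts would be unreachable unless their range is also declared on the form.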

Form 1.0

  Requirement                   Client Information
  ----------------------------  ------------------
  Vendor
  Platform
  Software
  Region
  Client Gateway IP Address
  Private CIDR range(s)
  IP addresses of the services
  Preshared Keys (PSK)

Form 1.0 (Filled Sample)

  Requirement                   Client Information
  ----------------------------  -----------------------------------------
  Vendor                        Microsoft
  Platform                      Windows Server
  Software                      2009 R2
  Region                        US East
  Client Gateway IP Address     146.163.11.13
  Private CIDR range(s)         10.10.251.0/24
  IP addresses of the services  1. Banner Prod: IP 10.10.21.10, Port 1521
                                2. Banner Test: IP 10.10.21.30, Port 1521
  Preshared Keys (PSK)          1. aL8qkKZlhGgJXnQLaLguGUMLkbxuxrbc
                                2. bwhNQcGAjUfUo6SQSE0SVLfstsJkdRLa

Round 2: Information Provided to Client

Next, the client needs to configure components in their network infrastructure (firewall, routing tables, gateway, etc.) so that network traffic can flow between the VPN set up by Ready Education and the client's network.

Ready Education will provide a system-generated configuration file based on the client's specific Vendor, Platform and Software version of the gateway device. The file contains detailed steps for setting up the VPN connection. At a minimum, the information conveyed in the generated configuration file includes the following:

  1. Remote Tunnel Endpoint
    The IP addresses, provided by Ready Education, that terminate the VPN connection on the Ready Education side.

  2. Endpoint
    The IP address range (CIDR block) of the Ready Education VPC.

  3. Inside tunnel IPv4 CIDR
    The range of inside (internal) IPv4 addresses for the VPN tunnel.

  4. Pre-shared key
    If not provided in Round 1, Ready Education will generate the PSK and provide it to the client.

  5. Dead peer detection (DPD) timeout
    The number of seconds after which a DPD timeout occurs. Ready Education sets it to 40 seconds.

  6. DPD timeout action
    The action to take after a dead peer detection (DPD) timeout occurs. Ready Education sets this value to Clear, which ends the IKE session when the DPD timeout occurs (stops the tunnel and clears the routes). Other supported actions are None and Restart.

  7. IKE versions
    The IKE versions that are permitted for the VPN tunnel. Ready Education only supports IKEv2.

  8. Phase 1 Diffie-Hellman (DH) group numbers
    The DH group numbers that are permitted for the VPN tunnel for phase 1 of the IKE negotiations. Ready Education only supports [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24].

  9. Phase 2 Diffie-Hellman (DH) group numbers
    The DH group numbers that are permitted for the VPN tunnel for phase 2 of the IKE negotiations. Ready Education only supports [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24].

  10. Phase 1 encryption algorithms
    The encryption algorithms that are permitted for the VPN tunnel for phase 1 of the IKE negotiations. Ready Education only supports ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"].

  11. Phase 2 encryption algorithms
    The encryption algorithms that are permitted for the VPN tunnel for phase 2 of the IKE negotiations. Ready Education only supports ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"].

  12. Phase 1 integrity algorithms
    The integrity algorithms that are permitted for the VPN tunnel for phase 1 of the IKE negotiations. Ready Education only supports ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"].

  13. Phase 2 integrity algorithms
    The integrity algorithms that are permitted for the VPN tunnel for phase 2 of the IKE negotiations. Ready Education only supports ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"].

  14. Phase 1 lifetime
    The lifetime in seconds for phase 1 of the IKE negotiations. Ready Education sets the value to 28,800 (8 hours).

  15. Phase 2 lifetime
    The lifetime in seconds for phase 2 of the IKE negotiations. Ready Education sets the value to 3,600 (1 hour).

  16. Rekey fuzz
    The percentage of the rekey window. Ready Education sets the value to 100.

  17. Rekey margin time
    The margin time in seconds before the phase 1 and phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. Ready Education sets the value to 270 (4.5 minutes).

  18. Replay window size packets
    The number of packets in an IKE replay window. Ready Education sets the value to 1024.

  19. Startup action
    The action to take when establishing the tunnel for a VPN connection. Ready Education sets the value to Add, which means that the client gateway device must initiate the IKE negotiation to bring the tunnel up.
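Two of the parameters above deserve a worked illustration: an IKE proposal only succeeds where the client's offered values intersect Ready Education's supported sets, and the rekey margin and rekey fuzz together determine the window in which a rekey is attempted. The following Python is an added example, not Ready Education's generated configuration file and not code from this page. It uses the supported values exactly as spelled in the list above, flags the accepted-but-legacy options (DH group 2 is 1024-bit MODP, SHA1 is a legacy integrity algorithm) so the stronger common options get preferred, and computes the rekey window assuming the strongSwan rekeymargin/rekeyfuzz convention (the margin is randomly increased by up to fuzz percent and the result subtracted from the lifetime). That convention and all function names are my assumptions.

```python
from typing import Dict, List, Set, Tuple

# Values the document says Ready Education accepts, spelled as listed there
# (matching is exact and case-sensitive).
SUPPORTED: Dict[str, Set] = {
    "ike_versions": {"IKEv2"},
    "dh_groups": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "encryption": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "integrity": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
}

# Accepted, but a reviewer would steer the client toward stronger choices:
# group 2 is 1024-bit MODP and SHA1 is a legacy integrity algorithm.
LEGACY: Dict[str, Set] = {"dh_groups": {2}, "integrity": {"SHA1"}}


def negotiate(client_proposal: Dict[str, Set]) -> Tuple[Dict[str, Set], List[str]]:
    """Intersect what the client gateway offers with the supported sets.

    Returns the common values per parameter and a list of findings. An empty
    intersection for any parameter means IKE cannot agree on a proposal and
    the tunnel will not come up."""
    common: Dict[str, Set] = {}
    findings: List[str] = []
    for key, supported in SUPPORTED.items():
        offered = set(client_proposal.get(key, ()))
        common[key] = offered & supported
        if not common[key]:
            findings.append(f"{key}: no overlap between offered {sorted(offered)} "
                            f"and supported {sorted(supported)}")
            continue
        legacy = common[key] & LEGACY.get(key, set())
        if legacy and common[key] - legacy:
            findings.append(f"{key}: legacy option(s) {sorted(legacy)} offered alongside "
                            f"stronger ones; make sure the stronger ones are preferred")
        elif legacy:
            findings.append(f"{key}: only legacy option(s) {sorted(legacy)} in common")
    return common, findings


def rekey_window(lifetime_s: int, margin_s: int, fuzz_percent: int) -> Tuple[int, int]:
    """Earliest and latest second (after SA establishment) at which a rekey is
    attempted under the assumed rekeymargin/rekeyfuzz convention: the margin
    is randomly increased by up to fuzz percent of itself, and that widened
    margin is subtracted from the lifetime."""
    if lifetime_s <= 0 or margin_s < 0 or fuzz_percent < 0:
        raise ValueError("lifetime must be positive; margin and fuzz non-negative")
    widest_margin = margin_s + margin_s * fuzz_percent // 100
    if widest_margin >= lifetime_s:
        raise ValueError("rekey margin (with fuzz) must be shorter than the lifetime")
    return lifetime_s - widest_margin, lifetime_s - margin_s


def describe_rekeys(p1_lifetime_s: int, p2_lifetime_s: int,
                    margin_s: int, fuzz_percent: int) -> List[str]:
    """Human-readable rekey windows for both phases, for the config hand-off."""
    lines = []
    for label, lifetime in (("phase 1", p1_lifetime_s), ("phase 2", p2_lifetime_s)):
        earliest, latest = rekey_window(lifetime, margin_s, fuzz_percent)
        lines.append(f"{label}: rekey between {earliest}s and {latest}s "
                     f"of a {lifetime}s lifetime")
    return lines


if __name__ == "__main__":
    # Constructed client proposal for a dry run (not a real gateway's output).
    common, findings = negotiate({"ike_versions": {"IKEv2"}, "dh_groups": {2, 14, 19},
                                  "encryption": {"AES256-GCM-16"},
                                  "integrity": {"SHA2-256"}})
    print(common)
    for line in findings:
        print(line)
    # The lifetimes, margin and fuzz listed in the document.
    for line in describe_rekeys(28800, 3600, 270, 100):
        print(line)
```

With the document's values the phase 1 rekey lands between 28,260 s and 28,530 s into the 28,800 s lifetime and the phase 2 rekey between 3,060 s and 3,330 s into the 3,600 s lifetime; the client's gateway should tolerate a rekey anywhere in those windows rather than expect it at a fixed time.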

Form 2.0

  Requirement                                 Client Information
  ------------------------------------------  ------------------
  Remote Tunnel Endpoint
  Endpoint
  Inside tunnel IPv4 CIDR
  Pre-shared key
  Dead peer detection (DPD) timeout
  DPD timeout action
  IKE versions
  Phase 1 Diffie-Hellman (DH) group numbers
  Phase 2 Diffie-Hellman (DH) group numbers
  Phase 1 encryption algorithms
  Phase 2 encryption algorithms
  Phase 1 integrity algorithms
  Phase 2 integrity algorithms
  Phase 1 lifetime
  Phase 2 lifetime
  Rekey fuzz
  Rekey margin time
  Replay window size packets
  Startup action

Form 2.0 (Filled Sample)

  Requirement                                 Client Information
  ------------------------------------------  --------------------------------------------------
  Remote Tunnel Endpoint                      Tunnel 01 -> 44.213.231.187
                                              Tunnel 02 -> 54.174.196.107
  Endpoint                                    10.0.1.0/24
                                              Tunnel 01 -> 10.0.1.0/28
                                              Tunnel 02 -> 10.0.1.16/28
  Inside tunnel IPv4 CIDR                     Tunnel 01 -> 169.254.76.120/30
                                              Tunnel 02 -> 169.254.79.136/30
  Pre-shared key                              1. aL8qkKZlhGgJXnQLaLguGUMLkbxuxrbc
                                              2. bwhNQcGAjUfUo6SQSE0SVLfstsJkdRLa
  Dead peer detection (DPD) timeout           40 seconds
  DPD timeout action                          Clear
  IKE versions                                IKEv2
  Phase 1 Diffie-Hellman (DH) group numbers   [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  Phase 2 Diffie-Hellman (DH) group numbers   [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  Phase 1 encryption algorithms               ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
  Phase 2 encryption algorithms               ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
  Phase 1 integrity algorithms                ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
  Phase 2 integrity algorithms                ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
  Phase 1 lifetime                            28,800 (8 hours)
  Phase 2 lifetime                            3,600 (1 hour)
  Rekey fuzz                                  100
  Rekey margin time                           270 (4.5 minutes)
  Replay window size packets                  1024
  Startup action                              Add