By default, vSphere Replication does not encrypt replication traffic. To ensure that your data is safe and secure, OVH US requires an IPsec (Internet Protocol Security) tunnel between your remote host and our OVH US host. This is integral to ensuring that your data is safe and secure during the vSphere Replication process. This article will cover how to set up your IKE (Internet Key Exchange) parameters to establish a secure connection utilizing IPsec. Since all of the vendor appliances (Cisco, Juniper, pfSense, Fortinet, etc) on which you would configure IPsec are slightly different, we will be focusing on the standard settings and parameters that are required by OVH US for the connection.
IKE Phase One Parameters
To set up your SA (Security Association) within IPsec we will be using the protocol IKE. In IKE phase one, we will be establishing a secure authenticated connection, negotiating cryptographic parameters, and generating a shared secret key to encrypt our IKE communication.
The IKE phase one parameters used by the VPN are:
- Main mode
- MODP (DH) group 2 (MODP1024 bits)
- PSK (Pre-shared Key)
- SA lifetime of 28800 seconds with no KB (Kilobytes) rekeying
- DPD (Dead Peer Detection) ENABLED
IKE Phase Two Parameters
IKE phase two negotiates an IPsec tunnel by creating keying material for the IPsec tunnel to use. For our purposes, we will be using the IKE phase one keys as a base. In IKE phase two, we will peer using the secure channel established in phase one.
The IKE phase two parameters used by the VPN are:
- AES-128 [matching the phase one setting]
- SHA-1 [matching the phase one setting]
- ESP tunnel mode
- MODP (DH) group 2 (MODP1024bits)
- Perfect forward secrecy DISABLED
- SA lifetime of 3600 seconds with no KBs rekeying
Note: Other firewall or NAT rules may be required to complete the installation of vSphere Replication based on the internal architecture of your remote host. Please consult your internal network team for guidance.
If you have difficulty setting up the IPsec tunnel, please contact our support team by submitting a ticket from your OVH US Manager or chatting in.
At OVH US, we understand how important data security is, not only to our customers but to our business as a whole. As a result, we take data security very seriously and provide you with the steps to ensure your vSphere Replication is safe and secure.