Quantum Spark Portal (SMP) Site to Site VPN using FQDNs
Solution

Background

The Quantum Spark Portal (SMP) offers a quick and easy way for Site to Site VPN (IPsec) deployment. The configuration is completed within minutes.

The default and most common VPN setup configuration is to utilize IP addresses. For specific scenarios, we offer VPN configurations using FQDNs instead of IP addresses.

FQDN (Fully Qualified Domain Name) is a domain name that specifies all domain levels and is sometimes referred to as an absolute domain name.

For FQDNs, we utilize SMP's DDNS Service (DDNSbox.com). This setup is ideal for environments that do not have a static WAN IP address, or where the WAN IP address might be subject to change (i.e. dynamically assigned via DHCP by the ISP). In these cases, SMP offers the option "Use DNS name" in the VPN community.

To participate in the VPN community, add the Quantum Spark gateways to the SMP VPN community. The Quantum Spark gateways receive the VPN configuration via a “push” from the SMP or directly after a “fetch” from the local Quantum Spark gateway.


Configuration guidelines

  1. Add the gateways to the relevant SMP Service Domain.
    Note - Hostnames that contain "_" are not supported, because the DNS naming convention (RFC 1035) does not permit that character. Only predefined names are supported with the relevant DDNS hostname (provided by ddnsbox.com). In this setup we used the "allow automatic gateway creation" option in the Plan.
  2. Navigate to Home > Communities 
  3. Enter a Name and a Description for the VPN community and click Finish. Save the community.

  4. Navigate to General.
    Note - See the description and if needed add this community to a parent community.
  5. Navigate to VPN Settings 
    • Topology
      • SMP supports Full Mesh or Star VPN types.
      • Permanent tunnel - While using IP addresses, permanent tunnels are supported. If using hostnames, permanent tunnels are not supported (not enabled by default).
    • Firewall
      • Disable NAT (enabled by default).
    • Encryption
      • SMP supports IKEv1 and IKEv2 (default is IKEv1).
  6. Navigate to IKE Settings
  7. Notes:
    • IKE Phase 1 configuration options for: Encryption, Authentication, DH Group and Renegotiation.
    • IKE Phase 2 configuration options for: Encryption, Authentication, PFS, DH Group, Renegotiation and VPN Tunnel Sharing (default is one VPN tunnel per Gateway Pair). In this setup we use one VPN tunnel per subnet pair.
  8. Navigate to Gateways > VPN
    • Community 
      • Inherited from the VPN community settings.
      • Enable the checkbox "Use DNS name". 
        Note - "Do not encrypt connections originating from the local gateway" is enabled by default.
    • Authentication
      • The only option we offer is Certificate. PSK (Pre-Shared Key) is not supported.
    • Internal Network Topology
      • Define the local encryption domains in the internal network of the Quantum Spark gateway.
  9. Add the members (Quantum Spark gateway) to the VPN community and click Save.
  10. The Quantum Spark gateways receive the VPN settings by one of these:
    • A "push" action performed in the SMP.
    • A "fetch" or pull action performed on the Quantum Spark gateway itself.
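
A pre-flight check for the constraints in the guidelines above (no "_" in hostnames per RFC 1035, no permanent tunnels when using hostnames, certificate-only authentication), as an added example that is not Check Point code. The dictionary keys and the example-ddns.test names are hypothetical, chosen for this example.

```python
import re

# LDH rule from RFC 1035 (leading digit allowed per RFC 1123): letters, digits
# and hyphens only, no leading/trailing hyphen, 1-63 characters per label.
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def hostname_errors(fqdn):
    """Return the reasons fqdn is not a valid DNS hostname (empty list = valid)."""
    errors = []
    name = fqdn[:-1] if fqdn.endswith(".") else fqdn  # tolerate one root dot
    if not name or len(name) > 253:
        errors.append("name must be 1-253 characters")
    for label in name.split("."):
        if "_" in label:
            errors.append(f"label {label!r} contains '_'")
        elif not LABEL.fullmatch(label):
            errors.append(f"label {label!r} is not 1-63 letters/digits/hyphens")
    return errors


def lint_gateway(gw):
    """Check one planned gateway entry (hypothetical keys) against this page."""
    errors = hostname_errors(gw["ddns_name"])
    if gw.get("use_dns_name") and gw.get("permanent_tunnel"):
        errors.append("permanent tunnels are not supported with hostnames")
    if gw.get("auth", "certificate") != "certificate":
        errors.append("only certificate authentication is supported (no PSK)")
    return errors


def lint_plan(plan):
    """Map each planned gateway name to its list of problems."""
    return {gw["ddns_name"]: lint_gateway(gw) for gw in plan}


# Constructed sample plan; names and DDNS suffix are placeholders.
PLAN = [
    {"ddns_name": "branch-01.example-ddns.test", "use_dns_name": True,
     "auth": "certificate"},
    {"ddns_name": "branch_02.example-ddns.test", "use_dns_name": True,
     "permanent_tunnel": True},
    {"ddns_name": "hq.example-ddns.test", "use_dns_name": True, "auth": "psk"},
]

if __name__ == "__main__":
    for name, errs in lint_plan(PLAN).items():
        print(name, "->", "OK" if not errs else "; ".join(errs))
```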

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
This solution is about products that are no longer supported and it will not be updated.