Prerequisites
Site network requirements
WALLIX One PAM supports only IPv4 traffic through the IPsec tunnel.
WALLIX One PAM can manage only private networks and subnets as defined in RFC1918:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Site gateway requirements
The site gateway must support the IKEv2 protocol and NAT-T encapsulation (UDP/4500).
The site gateway must use an IPv4 address.
NOTE
IKE negotiation is initiated from the site gateway. The WALLIX One PAM gateway acts as the responder: it will not attempt to establish a connection with your gateway.
Supported ciphers
Phase 1 (without AEAD)
Cipher role | Cipher | Notes |
---|---|---|
Encryption | AES128, AES256 | - |
Integrity & PRF | SHA2_256, SHA2_384, SHA2_512 | Integrity and PRF algorithms must be the same |
Diffie-Hellman (DH) | modp_2048 (group 14), modp_3072 (group 15), modp_4096 (group 16), ecp_256 (group 19), ecp_384 (group 20), ecp_521 (group 21), curve_25519 (group 31) | - |
Phase 2 (with AEAD)
Cipher role | Cipher | Notes |
---|---|---|
Encryption & integrity | AES128_GCM_16, AES256_GCM_16 | - |
Diffie-Hellman (DH) | modp_2048 (group 14), modp_3072 (group 15), modp_4096 (group 16), ecp_256 (group 19), ecp_384 (group 20), ecp_521 (group 21), curve_25519 (group 31) | Must be the same as Phase 1 |
Phase 2 (without AEAD)
Cipher role | Cipher | Notes |
---|---|---|
Encryption | AES128, AES256 | - |
Integrity & PRF | SHA2_256, SHA2_384, SHA2_512 | Integrity and PRF algorithms must be the same |
Diffie-Hellman (DH) | modp_2048 (group 14), modp_3072 (group 15), modp_4096 (group 16), ecp_256 (group 19), ecp_384 (group 20), ecp_521 (group 21), curve_25519 (group 31) | Must be the same as Phase 1 |
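
A preflight check for the prerequisites above, as an added example that is not WALLIX code: it validates a planned site configuration against the address, protocol and cipher constraints listed on this page, including the cross-field rules (PRF equal to integrity, Phase 2 DH equal to Phase 1). The dictionary layout, function names and sample sites are assumptions constructed for illustration.

```python
import ipaddress

# Allowed values are copied from the prerequisites on this page; the dict
# keys and function names are assumptions made for this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENC = {"AES128", "AES256"}
AEAD = {"AES128_GCM_16", "AES256_GCM_16"}
HASH = {"SHA2_256", "SHA2_384", "SHA2_512"}
DH = {"modp_2048", "modp_3072", "modp_4096", "ecp_256", "ecp_384", "ecp_521", "curve_25519"}

def check_proposal(name, p, aead_allowed):
    errs = []
    enc, integ = p.get("encryption"), p.get("integrity")
    if aead_allowed and enc in AEAD:
        if integ is not None:  # AEAD ciphers provide integrity themselves
            errs.append(f"{name}: no separate integrity algorithm with {enc}")
    elif enc not in ENC:
        errs.append(f"{name}: encryption {enc} not supported")
    elif integ not in HASH:
        errs.append(f"{name}: integrity {integ} not supported")
    elif p.get("prf", integ) != integ:
        errs.append(f"{name}: PRF must match integrity ({integ})")
    if p.get("dh") not in DH:
        errs.append(f"{name}: DH group {p.get('dh')} not supported")
    return errs

def preflight(site):
    """Return the list of prerequisite violations (empty list = ready)."""
    errs = []
    if ipaddress.ip_address(site["gateway"]).version != 4:
        errs.append("gateway: must use an IPv4 address")
    if site.get("ike_version") != 2 or not site.get("nat_t"):
        errs.append("gateway: IKEv2 and NAT-T (UDP/4500) are required")
    for s in site["subnets"]:
        net = ipaddress.ip_network(s)
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            errs.append(f"subnet {s}: not an RFC1918 IPv4 network")
    errs += check_proposal("phase1", site["phase1"], aead_allowed=False)
    errs += check_proposal("phase2", site["phase2"], aead_allowed=True)
    if site["phase2"].get("dh") != site["phase1"].get("dh"):
        errs.append("phase2: DH group must be the same as phase 1")
    return errs

# Constructed sample sites (documentation addresses, not real gateways).
GOOD = {"gateway": "203.0.113.10", "ike_version": 2, "nat_t": True,
        "subnets": ["10.20.0.0/16", "192.168.50.0/24"],
        "phase1": {"encryption": "AES256", "integrity": "SHA2_256", "prf": "SHA2_256", "dh": "ecp_256"},
        "phase2": {"encryption": "AES256_GCM_16", "dh": "ecp_256"}}
BAD = {**GOOD, "subnets": ["172.32.0.0/16"], "phase1": {**GOOD["phase1"], "prf": "SHA2_512"},
       "phase2": {"encryption": "AES128", "integrity": "SHA2_256", "dh": "modp_2048"}}
```

`preflight(GOOD)` returns an empty list; `preflight(BAD)` reports the subnet outside 172.16.0.0/12, the PRF/integrity mismatch in Phase 1, and the Phase 2 DH group that differs from Phase 1.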