IPsec Peering¶
Overview¶
flexiWAN’s peering functionality with IPsec IKEv2 is a crucial feature for establishing secure communication tunnels between flexiEdge devices and third-party devices or endpoints. This capability ensures that organizations can connect their SD-WAN network with other networks using standardized, secure VPN protocols.
The IPsec Peering feature allows establishing pure IPsec tunnels between flexiEdge devices and other peers.
flexiWAN’s IPsec IKEv2 based Peering is suitable for a diverse array of applications. Notable use cases include:
Robust Cloud Security: Secure connections to cloud-based security and Secure Access Service Edge (SASE) platforms. This feature allows simultaneous provisioning across various service providers, optimizing cloud security integration.
Network Traffic Consolidation: Through network aggregation gateways, it streamlines the consolidation of network traffic, thereby enhancing the efficiency and oversight of data transmission.
Versatile Cloud Connectivity: It simplifies the establishment of secure connections to cloud environments, ensuring protected data transfer and access to cloud resources.
Interoperability with Various Devices: The solution extends its connectivity to include non-flexiEdge hardware, establishing tunnels with third-party devices that adhere to the IPsec IKEv2 specifications.
The implementation of IPsec Peering within flexiWAN leverages the IKEv2/IPsec protocols to create these connections, ensuring compatibility with third-party devices or services that can be configured with matching parameters. flexiWAN supports both routed and policy-based connections, providing flexibility in deployment options.
Traffic directed from flexiEdge devices is managed through established path selection policies, enabling administrators to designate specific applications to particular tunnels or peers. Administrators have the discretion to route traffic directly between sites, allow local breakout (Direct Internet Access), or channel it via cloud security services, based on the crafted policies.
For the technical execution of these peerings, IKEv2/IPsec uses UDP ports 500 and 4500, together with IP protocol 50 (ESP, which is an IP protocol rather than a port), to maintain secure and reliable tunnel connections. All three must be permitted by any firewall between the peers.
Note
Using a peer connection instead of a flexiWAN tunnel has some drawbacks:
Since flexiManage does not control the peers, connecting to a peer requires more configuration from the administrator.
Traffic flowing back from the peer to flexiEdge does not benefit from the SD-WAN advantages available on flexiEdge, because the remote peer sending that traffic is not a flexiEdge instance but an IPsec peer.
Configuring a new IPsec peer¶
IPsec Peering functionality can be accessed from Inventory > Peers.
Click on New Peer button to get started.
In order to add a new peer, fill out the following areas:
- Name
Peer name, e.g. “Company router”.
- ID Type
Define the identification type. It can be based on a Fully Qualified Domain Name or on an IP address.
- Local ID
Enter the distinguished name used as the local identifier. If IPv4 is selected as the ID Type above, keep it set to automatic instead.
- Remote ID
Define the remote IP or distinguished name.
- PSK
Pre-Shared Key used for authentication on both ends. Make sure to use a strong key for better security; the same key must be configured on the remote peer.
- Remote IP
IP address of the remote IPsec site to which flexiEdge will connect.
Peer Monitoring¶
Define a monitor IP or URL used for monitoring peer connectivity. Both IP and URL based monitoring accept a single entry or multiple comma-separated entries. Monitoring traffic exits using the Peer as its gateway, so any IP or URL may be configured.
Warning
If the monitoring IP is not defined, peer connection latency and drop rate will not be measured.
Cryptography¶
In this section all authentication and key exchange parameters can be set. Make sure to use matching parameters on both sides. IPsec Peering relies on the Internet Key Exchange v2 (IKEv2) and Encapsulating Security Payload (ESP) protocols. We suggest using these defaults and matching them on the remote end.
Traffic Selector¶
In the last section, Traffic Selector, configure the local and remote traffic ranges which will be allowed to communicate. If kept at the default, communication from all ranges will be allowed.
Peer Path Label¶
Once the new Peer is added, and before connecting to it, the next step is to create a tunnel Path Label which will be used for deploying the new Peering connection. The following steps are required on the flexiEdge device side before adding a new peering connection:
Creating a new tunnel Path Label dedicated to the Peering connection.
Assigning the newly created Path Label to a WAN interface on the flexiEdge device.
Navigate to Inventory > Path Labels and create a new Path Label which will be used for Peering. Make sure DIA (internet breakout) is not selected. Check Path Labels documentation section to learn more about path labels.
After creating the Path Label, navigate to the device on which the Peering connection will be deployed and assign the newly created Path Label to a WAN interface. On a device with multiple WAN interfaces, the Peering connection will use the WAN interface the Path Label is assigned to.
Creating a peer connection¶
Adding a peer connection to an existing flexiEdge site is done in just a few clicks. Navigate to Inventory > Devices, select the device to which the Path Label was assigned and click on the Action menu. Select Create Peer Connection from the menu.
From the Create Peers dialog select the previously created Path Label and select the Peer configuration. Click Create Peer.
The Advanced section offers OSPF cost and routing options. New peers use OSPF routing by default; however, BGP can be used instead.
That’s it, the new Peer connection should now be created and connecting. You can define any routing or path selection policies for peers just as for regular tunnels.
Viewing or removing peer connections¶
After adding a peering connection, its status can be viewed from Inventory > Tunnels, together with other tunnels that may exist.
In this case, the CloudVPC interface is identified as a Peer. If latency and drop rate are not shown, make sure to add the Monitor IP in the peering configuration.
Deleting a peer connection is done in the same way as with tunnels: simply click on the delete icon under the Action column and confirm the deletion.
Deployment & Templates¶
The flexiWAN IPsec Peering functionality has been tested with multiple cloud providers and 3rd party network devices. We are continuously working on adding more supported providers and devices. The tested and supported providers are listed below; however, any 3rd party device or service with matching IKEv2/IPsec parameters should be able to establish a connection using flexiWAN peering.
The Peering feature has been tested and confirmed to work with the following cloud providers and 3rd party networking vendors:
Amazon Site-to-Site VPN https://aws.amazon.com/vpn/site-to-site-vpn/
Acreto Gateway https://kb.acreto.net/how-to/quickstart/create-gateway/
Oracle Site-to-Site VPN https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/overviewIPsec.htm
strongSwan
Meraki Site-to-Site VPN https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers
pfSense IKEv2/IPsec VTI
Cisco VTI
Templates¶
The following template settings are tested with 3rd party services and products.
Cisco Umbrella¶
Cisco routers¶
AWS VPC¶
strongSwan¶
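As an added example (not flexiWAN's own template), a minimal swanctl.conf for the strongSwan side of a peer created with the fields described above. All addresses, identifiers, traffic ranges and cipher proposals are constructed placeholders and must be replaced with the values entered in flexiManage, with the proposals matched to the Cryptography section.

```conf
# Added example: strongSwan (swanctl.conf) side of a flexiWAN IPsec peer.
# Every value below is a constructed placeholder, not a flexiWAN default.
connections {
    flexiedge {
        version = 2                        # IKEv2, as required by IPsec Peering
        local_addrs  = 198.51.100.20       # this strongSwan host = "Remote IP" in flexiManage
        remote_addrs = 203.0.113.10        # flexiEdge WAN interface carrying the Path Label
        proposals = aes256-sha256-modp2048 # IKE proposal; must match the Cryptography section
        dpd_delay = 30s                    # dead peer detection, so a dead tunnel is noticed
        local {
            auth = psk
            id = strongswan.example.com    # FQDN ID = "Remote ID" entered in flexiManage
        }
        remote {
            auth = psk
            id = edge.example.com          # FQDN ID = "Local ID" entered in flexiManage
        }
        children {
            lan {
                local_ts  = 10.20.0.0/16   # = remote Traffic Selector on the flexiEdge side
                remote_ts = 10.10.0.0/16   # = local Traffic Selector on the flexiEdge side
                esp_proposals = aes256gcm16-x25519  # ESP proposal; must match flexiManage
                start_action = trap        # install a trap policy, negotiate on first packet
                dpd_action = restart       # re-establish the child SA after a DPD timeout
            }
        }
    }
}

secrets {
    ike-flexiedge {
        id-1 = strongswan.example.com
        id-2 = edge.example.com
        secret = "REPLACE_WITH_THE_PSK_FROM_FLEXIMANAGE"   # same strong PSK on both ends
    }
}
```

Load it with `swanctl --load-all` and verify with `swanctl --list-sas`; the same SA should then appear on the flexiEdge side in `vppctl show ikev2 sa details`.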
pfSense & OPNsense¶
Troubleshooting¶
To view the status of peer connections, enter the following command from the device Command tab or using the shell:
vppctl show ikev2 sa details
Advanced logging may be enabled by running the following commands via the Command tab or the shell:
vppctl ikev2 set logging level 5
vppctl event-logger clear
vppctl show event-logger
After entering the above commands, IKEv2/IPsec logging will be output to the device syslog. The syslog can be fetched from flexiManage by navigating to the device Logs tab.