IPsec Peering

Overview

flexiWAN’s peering functionality with IPsec IKEv2 is a crucial feature for establishing secure communication tunnels between flexiEdge devices and third-party devices or endpoints. This capability ensures that organizations can connect their SD-WAN network with other networks using standardized, secure VPN protocols.

The IPsec Peering feature allows flexiEdge devices to connect to other peers over plain IPsec tunnels.

@startuml

skinparam linetype ortho

left to right direction
skinparam rectangle {
   borderColor Transparent
   backgroundColor Transparent
   fontColor Transparent
   stereotypeFontColor Transparent
   shadowing false
}

node "flexiEdge" as FE {
   usecase "LAN" as LAN
   rectangle GRP1 {
      usecase "LB1" as LB
      note bottom: 10.100.0.4/31
      queue "IPSec               \n       " as TUN
   }
   rectangle GRP3 {
      usecase "R" as R
      usecase "WAN" as WAN
   }
   node "NAT" as NAT
}
cloud "Internet" as INET
node "Peer" as P {
   queue "IPSec               \n       " as PTUN
}

LAN -- R
R -- LB
R ---- WAN
WAN -- NAT
NAT -- INET
LB -- TUN
TUN -- WAN
INET -- PTUN


@enduml

flexiWAN’s IPsec IKEv2 based Peering is suitable for a diverse array of applications. Notable use cases include:

  • Robust Cloud Security: Secure connections to cloud-based security and Secure Access Service Edge (SASE) platforms. The feature allows simultaneous provisioning across various service providers, optimizing cloud security integration.

  • Network Traffic Consolidation: Through network aggregation gateways, it streamlines the consolidation of network traffic, thereby enhancing the efficiency and oversight of data transmission.

  • Versatile Cloud Connectivity: It simplifies the establishment of secure connections to cloud environments, ensuring protected data transfer and access to cloud resources.

  • Interoperability with Various Devices: The solution extends its connectivity to include non-flexiEdge hardware, establishing tunnels with third-party devices that adhere to the IPsec IKEv2 specifications.

The implementation of IPsec Peering within flexiWAN leverages the IKEv2/IPsec protocols to create these connections, ensuring compatibility with third-party devices or services that can be configured with matching parameters. flexiWAN supports both routed and policy-based connections, providing flexibility in deployment options.

Traffic directed from flexiEdge devices is managed through established path selection policies, enabling administrators to designate specific applications to particular tunnels or peers. Administrators have the discretion to route traffic directly between sites, allow local breakout (Direct Internet Access), or channel it via cloud security services, based on the crafted policies.

For the technical execution of these peerings, IKEv2/IPsec uses UDP ports 500 and 4500, in addition to IP protocol 50 (ESP), to maintain secure and reliable tunnel connections; make sure these are permitted between flexiEdge and the peer.

Note

Using a peer connection instead of a flexiWAN tunnel does have some drawbacks:

  • Since flexiManage does not control the peers, connecting to a peer requires more configuration from the administrator

  • Traffic back from the peer to flexiEdge does not benefit from the SD-WAN advantages available on flexiEdge as the remote peer sending the traffic is not a flexiEdge instance but rather an IPsec peer

Configuring a new IPsec peer

IPsec Peering functionality can be accessed from Inventory > Peers.

Peering

Click on New Peer button to get started.

Adding a peer

In order to add a new peer, fill out the following areas:

Name

Peer name, e.g. “Company router”.

ID Type

Define the identification type. It can be based on a Fully Qualified Domain Name or on an IP address.

Local ID

Enter the distinguished name for the local identifier. If IPv4 is selected under ID Type above, keep it set to automatic.

Remote ID

Define the remote IP or distinguished name.

PSK

Pre-Shared Key used for authentication on both ends. Use a strong (long, random) key for better security.

Remote IP

IP address of the remote IPsec site to which flexiEdge will connect.

Adding a peer 2

Peer Monitoring

Define a monitor IP or URL used for monitoring peer connectivity. IP- and URL-based monitoring accepts a single entry or multiple comma-separated entries. Monitoring traffic will exit using the Peer as gateway, so any IP or URL may be configured.

Monitoring.

Warning

If no monitoring IP is defined, peer connection latency and drop rate will not be measured.

Cryptography

In this section all authentication and key exchange parameters can be set. Make sure to use matching parameters on both sides. IPsec Peering relies on the Internet Key Exchange v2 (IKEv2) and Encapsulating Security Payload (ESP) protocols. We suggest using these defaults and matching them on the remote end.

Cryptography.

Traffic Selector

In the last section, Traffic Selector, configure the local and remote traffic ranges which will be allowed to communicate. If kept at the default, communication from all ranges will be allowed.

Cryptography.
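As an added example (not flexiWAN's own code), the following Python checks a peer definition against the constraints described in the form sections above: Local ID kept automatic for IPv4 identities, a strong PSK, a monitor entry so latency and drop rate are measured, and valid CIDR traffic selectors, plus a helper that tells whether a given flow would be matched by the local/remote selectors (the empty default allows all ranges). Field names, the "IPv4"/"FQDN" ID type labels and the PSK policy are assumptions.

```python
import ipaddress
import re
# Added example, not flexiWAN code: mirrors the constraints the Peer form describes.
# Field names and the "IPv4"/"FQDN" ID type labels are assumptions.
def parse_cidrs(text):  # comma-separated networks; empty selector means 'all ranges'
    if not text.strip():
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(p.strip(), strict=False) for p in text.split(",")]

def flow_allowed(local_sel, remote_sel, src, dst):  # does src->dst fit both selectors?
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in parse_cidrs(local_sel))
            and any(d in n for n in parse_cidrs(remote_sel)))

def psk_is_strong(psk):  # assumed policy: >= 20 chars with letters, digits and symbols
    return len(psk) >= 20 and all(
        re.search(p, psk) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"))

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def validate_peer(peer):
    """Return the problems found; an empty list means the peer looks sane."""
    problems = []
    if peer["id_type"] == "IPv4":
        if peer["local_id"].lower() != "automatic":
            problems.append("Local ID must stay 'automatic' when ID type is IPv4")
        if not is_ip(peer["remote_id"]):
            problems.append("Remote ID must be an IP address when ID type is IPv4")
    if not is_ip(peer["remote_ip"]):
        problems.append("Remote IP is not a valid address")
    if not psk_is_strong(peer["psk"]):
        problems.append("PSK is weak; use a long random key shared out of band")
    if not peer.get("monitor", "").strip():
        problems.append("No monitor IP/URL: latency and drop rate will not be measured")
    for sel in ("local_selector", "remote_selector"):
        try:
            parse_cidrs(peer.get(sel, ""))
        except ValueError as exc:
            problems.append(f"{sel}: {exc}")
    return problems

# Constructed sample peer (illustrative values, not a real site).
SAMPLE_PEER = {"name": "Company router", "id_type": "IPv4", "local_id": "automatic",
               "remote_id": "203.0.113.10", "remote_ip": "203.0.113.10",
               "psk": "Example-PSK-2024-n0t-f0r-pr0d!", "monitor": "8.8.8.8, https://example.com",
               "local_selector": "10.100.0.0/24", "remote_selector": "192.168.50.0/24"}
```

Run `validate_peer(SAMPLE_PEER)` before creating the peer in flexiManage; an empty list means the definition matches the rules above.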

Peer Path Label

Once the new Peer is added, the next step before connecting to it is to create a tunnel Path Label which will be used for deploying the new Peering connection. The following steps are required on the flexiEdge device side before adding a new peering connection:

  • Creating a new tunnel Path Label dedicated to the Peering connection.

  • Assigning the newly created Path Label to the WAN interface on the flexiEdge device.

Navigate to Inventory > Path Labels and create a new Path Label which will be used for Peering. Make sure DIA (internet breakout) is not selected. Check the Path Labels documentation section to learn more about path labels.

Path Label 1

After creating the Path Label, navigate to the device on which the Peering connection will be deployed. Assign the newly created Path Label to the WAN interface. On a device with multiple WAN interfaces, the Peering connection will use the WAN interface to which the Path Label is assigned.

Path Label 2

Creating a peer connection

Adding a peer connection to an existing flexiEdge site takes just a few clicks. Navigate to Inventory > Devices, select the device to which the Path Label was assigned and click on the Action menu. Select Create Peer Connection from the menu.

Peering 1

From the Create Peers dialog, select the previously created Path Label and the Peer configuration. Click Create Peer.

Peering 2

The Advanced section offers OSPF cost and routing options. New peers use OSPF routing by default; however, BGP can be used instead.

Peering 3

That’s it: the new Peer connection should be created and connecting. You can define routing or path selection policies for peers just as for regular tunnels.

Viewing or removing peer connections

After adding a peering connection, its status can be viewed from Inventory > Tunnels, together with other tunnels that may exist.

Peering 3

In this case, the CloudVPC interface is identified as a Peer. If latency and drop rate are not shown, make sure to add the Monitor IP in the peering configuration.

Deleting a peer connection is done in the same way as with tunnels: simply click on the delete icon under the Action column and confirm the deletion.

Peering 4

Deployment & Templates

The flexiWAN IPsec Peering functionality has been tested with multiple cloud providers and 3rd party network devices. We are continuously working on adding more supported providers and devices. Listed below are the tested and supported providers; however, any 3rd party device or service with matching IKEv2/IPsec parameters should be able to establish a connection using flexiWAN peering.

The Peering feature has been tested and confirmed to work with the following cloud providers and 3rd party networking vendors:

Templates

The following template settings are tested with 3rd party services and products.

Cisco Umbrella

template

Cisco routers

template

AWS VPC

template

strongSwan

Templates

pfSense & OPNsense

Templates

Troubleshooting

To view the status of peer connections, enter the following command from the device Command tab or using a shell:

vppctl show ikev2 sa details

Advanced logging may be enabled by running the following commands via the Command tab or shell:

  1. vppctl ikev2 set logging level 5

  2. vppctl event-logger clear

  3. vppctl show event-logger

After entering the above commands, IKEv2/IPsec logging will be output to the device syslog. Syslog can be fetched from flexiManage by navigating to the device Logs tab.