How to configure an IPsec tunnel between SD-WAN and third-party devices

August 27, 2021 Contributed by:  H S

To configure an IPsec tunnel for an Intranet or LAN service:

  1. In the Configuration Editor, navigate to Connections > View Site > [Site Name] > IPsec Tunnels. Choose a Service Type (LAN or Intranet).

  2. Enter a Name for the service type. For Intranet service type, the configured Intranet Server determines which Local IP addresses are available.

    Figure: Local IP

    Citrix SD-WAN can establish IPsec tunnels when a WAN link is terminated directly on the appliance and a dynamic IP address is assigned to that WAN link.

    From release 11.1.0, Intranet IPsec tunnels can be configured even when the local tunnel IP address is not known or cannot be known. This allows IPsec tunnels to be created on interfaces whose address is assigned through DHCP.

    Configuring an IPsec tunnel normally requires a local tunnel IP address. The configuration page now allows an empty IP address to be selected when the tunnel type is Intranet, and the label for an unset address is shown as Auto in that case.

    If the Local IP is set to Auto, the tunnel takes the IP address of the access interface on that WAN link, whether that address is statically configured or obtained from DHCP. By default, the IPsec tunnel is established using the primary WAN link access interface.

    Earlier, you could establish IPsec tunnels over a single WAN link only. This exposes the branch environment to service loss during outright link failures, and when packet loss on the link is too high to allow reliable connectivity.

    From release 11.1.0 onwards, you can use two WAN links for establishing IPsec tunnels to guard branch environments against periods of service disruption. If the primary link goes down, the secondary link becomes active within milliseconds.

    Note

    When the <Auto> option is selected, the IPsec tunnel is established using the primary WAN link access interface. If the primary WAN link goes down, the IPsec tunnel is established using the secondary WAN link access interface.

    Figure: Two WAN links

  3. Select the available Local IP address and enter the Peer IP address of the IPsec tunnel.

    Figures: Sites intranet settings IPsec; IPsec tunnel types; IPsec intranet tunnel types

    Note

    If the Service Type is Intranet, the IP address is pre-determined by the chosen Intranet Service.

    Figure: Sites LAN settings

  4. Configure IPsec settings by applying the criteria described in the following tables. When finished, click Apply to save your settings.

| Field | Description | Value |
|---|---|---|
| Service Type | Choose a service type from the drop-down menu | Intranet, LAN |
| Name | If the service type is Intranet, choose from the list of configured intranet services in the drop-down menu. If the service type is LAN, enter a unique name | Text string |
| Local IP | Choose the local IP address of the IPsec Tunnel from the drop-down menu of available virtual IP addresses configured at this Site | IP address |
| Peer IP | Enter the peer IP address of the IPsec Tunnel | IP address |
| MTU | Enter the MTU for fragmenting IKE and IPsec fragments | Default: 1500 |
| IKE Settings | Version: Choose an IKE version from the drop-down menu | IKEv1, IKEv2 |
| Mode | Choose a mode from the drop-down menu | FIPS compliant: Main; Non-FIPS compliant: Aggressive |
| Identity | Choose an Identity from the drop-down menu | Auto IP Address, Manual IP Address, User FQDN |
| Authentication | Choose the authentication type from the drop-down menu | Pre-Shared Key: If you are using a pre-shared key, copy and paste it into this field. Click the Eyeball icon to view the Pre-Shared Key. Certificate: If you are using an identity certificate, choose it from the drop-down menu. |
| Validate Peer Identity | Select this check box to validate the IKE peer. If the peer's ID type is not supported, do not enable this feature | None |
| DH Group | Choose the Diffie-Hellman group to use for IKE key generation from the drop-down menu | Non-FIPS compliant: Group 1; FIPS compliant: Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, Group 21 |
| Hash Algorithm | Choose an algorithm from the drop-down menu to authenticate IKE messages | Non-FIPS compliant: MD5; FIPS compliant: SHA1, SHA-256 |
| Encryption Mode | Choose the Encryption Mode for IKE messages from the drop-down menu | AES 128-bit, AES 192-bit, AES 256-bit |
| Lifetime (s) | Enter the preferred duration, in seconds, for an IKE security association to exist | 3600 seconds (default) |
| Lifetime (s) Max | Enter the maximum preferred duration, in seconds, to allow an IKE security association to exist | 86400 seconds (default) |
| DPD Timeout (s) | Enter the Dead Peer Detection timeout, in seconds, for VPN connections | 300 seconds (default) |
| IKEv2 | Peer Authentication: Choose Peer Authentication from the drop-down menu | Mirrored, Pre-Shared Key, Certificate |
| IKEv2 - Pre-Shared Key | Peer Pre-Shared Key: Paste the IKEv2 Peer Pre-Shared Key into this field for authentication. Click the Eyeball icon to view the Pre-Shared Key | Text string |
| Integrity Algorithm | Choose the hashing algorithm to use for HMAC verification from the drop-down menu | Non-FIPS compliant: MD5; FIPS compliant: SHA1, SHA-256 |

Note:

If the terminating IPsec router includes Hash-based Message Authentication Code (HMAC) in its configuration, change the IPsec Tunnel Type to ESP+Auth with SHA1 as the hashing algorithm.

Figures: IKE settings IPsec tunnel; IKEv2 settings IPsec tunnel

IPsec and IPsec Protected Network Settings:

| Field | Description | Value(s) |
|---|---|---|
| Tunnel Type | Choose the Tunnel Type from the drop-down menu | ESP, ESP+Auth, ESP+NULL, AH |
| PFS Group | Choose the Diffie-Hellman group to use for perfect forward secrecy key generation from the drop-down menu | None, Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, Group 21 |
| Encryption Mode | Choose the Encryption Mode for IPsec messages from the drop-down menu | If you chose ESP or ESP+Auth, select one of the following: AES 128 Bit, AES 192 Bit, AES 256 Bit, AES 128-Bit GCM 64 Bit, AES 192-Bit GCM 64 Bit, AES 256-Bit GCM 64 Bit, AES 128-Bit GCM 96 Bit, AES 192-Bit GCM 96 Bit, AES 256-Bit GCM 96 Bit, AES 128-Bit GCM 128 Bit, AES 192-Bit GCM 128 Bit, AES 256-Bit GCM 128 Bit. AES 128/192/256-Bit are CBC modes. |
| Lifetime (s) | Enter the amount of time, in seconds, to allow an IPsec security association to exist | 28800 seconds (default) |
| Lifetime Max (s) | Enter the maximum amount of time, in seconds, to allow an IPsec security association to exist | 86400 seconds (default) |
| Lifetime (KB) | Enter the amount of data, in kilobytes, for an IPsec security association to exist | Kilobytes |
| Lifetime (KB) Max | Enter the maximum amount of data, in kilobytes, to allow an IPsec security association to exist | Kilobytes |
| Network Mismatch Behavior | Choose the action to take if a packet does not match the IPsec Tunnel's Protected Networks from the drop-down menu | Drop, Send Unencrypted, Use Non-IPsec Route |
| IPsec Protected Networks | Source IP/Prefix: After clicking the Add (+ Add) button, enter the Source IP and Prefix of the network traffic the IPsec Tunnel will protect | IP address |
| IPsec Protected Networks | Destination IP/Prefix: Enter the Destination IP and Prefix of the network traffic the IPsec Tunnel will protect | IP address |
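As an added example (not Citrix code, and not something the appliance itself runs), a small Python lint over the field values from the two tables above: it flags the choices the IKE table marks as non-FIPS compliant, lifetimes that exceed their configured maximum, and the IPsec settings that leave traffic exposed, such as ESP+NULL, PFS Group None and Send Unencrypted. The TunnelConfig field names and defaults are assumptions that mirror the tables; the appliance exposes these settings only through its GUI.

```python
from dataclasses import dataclass, field

# Choices the IKE table above lists as non-FIPS compliant.
NON_FIPS_DH = {"Group 1"}
NON_FIPS_HASH = {"MD5"}
NON_FIPS_MODE = {"Aggressive"}

@dataclass
class TunnelConfig:
    """Field names follow the IKE and IPsec tables; defaults mirror the page's defaults (assumed)."""
    mode: str = "Main"
    dh_group: str = "Group 14"
    hash_algorithm: str = "SHA-256"
    validate_peer_identity: bool = True
    ike_lifetime: int = 3600
    ike_lifetime_max: int = 86400
    tunnel_type: str = "ESP+Auth"
    pfs_group: str = "Group 14"
    ipsec_lifetime: int = 28800
    ipsec_lifetime_max: int = 86400
    network_mismatch: str = "Drop"
    protected_networks: list = field(default_factory=list)

def lint_tunnel(cfg: TunnelConfig) -> list:
    """Return human-readable findings; an empty list means the settings pass."""
    findings = []
    if cfg.mode in NON_FIPS_MODE:
        findings.append("IKE Mode Aggressive is non-FIPS; use Main")
    if cfg.dh_group in NON_FIPS_DH:
        findings.append(f"DH {cfg.dh_group} is non-FIPS; choose a FIPS-compliant group")
    if cfg.hash_algorithm in NON_FIPS_HASH:
        findings.append("IKE Hash Algorithm MD5 is non-FIPS; use SHA1 or SHA-256")
    if cfg.ike_lifetime > cfg.ike_lifetime_max:
        findings.append("IKE Lifetime (s) exceeds Lifetime (s) Max")
    if cfg.ipsec_lifetime > cfg.ipsec_lifetime_max:
        findings.append("IPsec Lifetime (s) exceeds Lifetime Max (s)")
    if cfg.tunnel_type == "ESP+NULL":
        findings.append("Tunnel Type ESP+NULL uses NULL encryption: payloads travel unencrypted")
    if cfg.pfs_group == "None":
        findings.append("PFS Group None: a compromised IKE key exposes earlier IPsec traffic")
    if cfg.network_mismatch == "Send Unencrypted":
        findings.append("Network Mismatch Behavior Send Unencrypted forwards unmatched traffic in clear")
    if not cfg.validate_peer_identity:
        findings.append("Validate Peer Identity is off; enable it when the peer's ID type is supported")
    if not cfg.protected_networks:
        findings.append("No IPsec Protected Networks configured; the tunnel protects nothing")
    return findings
```

Run it against a proposed tunnel before clicking Apply; each finding names the table field to revisit.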

Figure: IPsec tunnel settings

Note

Citrix SD-WAN supports connectivity to Oracle Cloud Infrastructure (OCI) through IPsec.


Monitor IPsec Tunnels

Navigate to Monitoring > IKE/IPsec in the SD-WAN appliance GUI to view and monitor the IPsec tunnel configuration.
