Configuring Overlays
From the main menu, select Settings to display the Policy Configuration window.
The Overlays section enables you to define the overlays used by your appliances:
• Hub & Spoke overlays, to create standard VPN connections between appliances and exchange traffic, or
• External VPN Gateway overlays, enabling the appliances to connect to an external provider (Microsoft Azure, etc.) by creating a new VPN connection to this provider.
Create a Hub & Spoke Overlay
1. Click Add Overlay and select Hub & Spoke as Type.
2. Enter the Name of the overlay.
3. Define the following parameters:
IKE policy
Internet Key Exchange (IKE) is a key management protocol used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs). Refer to RFC 5996.
• Encryption: drop-down list to choose the encryption algorithm (mandatory).
• Authentication: integrity drop-down list to choose the data integrity hash method.
• DH Group: drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21 and 24.
• SA Lifetime (seconds): Security Association lifetime (86,400 s, that is 24 hours, by default). The authorized range of values is [120 - 172800].
IPsec Concentrator authentication
If a Pre-Shared Key is already configured, you can directly select it from the list.
This Pre-Shared Key is used for all the tunnels between appliances. Although it is automatically generated by the system for each Customer, you may also enter a new Pre-Shared Key as a string of at least 32 characters. Use the icon's different states to either display or hide the key.
IPsec policy
• Encryption: drop-down list to choose the encryption algorithm (mandatory). The available options are the same as for the IKE policy encryption, plus NULL.
• Authentication: integrity drop-down list to choose the data integrity hash method (mandatory); see IKE policy integrity.
• DH Group (PFS only): drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21, 24, or PFS disabled. PFS ensures that the same key is never generated again, by forcing a new Diffie-Hellman key exchange. Both sides of the VPN must support PFS for it to work. Using PFS therefore provides a more secure VPN connection.
• SA lifetime (seconds): Security Association lifetime (86,400 s, that is 24 hours, by default; mandatory). The authorized range of values is [120 - 172800].
• Lifebytes (kbytes), optional: number of kilobytes sent through the tunnel before it is renewed. The tunnel is renewed after the SA lifetime period or after the Lifebytes amount, whichever expires first. Valid values are in the range [5120 - 2147483648 kbytes].
• MTU (bytes): maximum number of bytes carried in the payload. The default value is 1400. This value applies to all IPsec tunnels.
Your new overlay is displayed in the Overlays section of the Policy Configuration window. Click any overlay to edit its parameters. Use View All if you want to delete any overlay(s).
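The IKE and IPsec policy fields above carry constraints that are easy to get wrong when filled in by hand (lifetime and Lifebytes ranges, the 32-character minimum on the Pre-Shared Key, the time-or-bytes renewal rule). The following added example, written for this page and not part of ExtremeCloud SD-WAN or its Orchestrator API, models those constraints as a small validator. The OverlayPolicy record, the check(), generate_psk() and renewal_due() functions, and the treatment of DH groups 1, 2 and 5 and of NULL encryption as warnings are this example's own assumptions; the numeric ranges and defaults are the ones stated on this page.

```python
"""Validate an overlay's IKE/IPsec policy against the ranges this page
states, flag choices a defender would reconsider, and model the SA
renewal rule (SA lifetime or Lifebytes, whichever expires first).

Constructed example: OverlayPolicy, check(), generate_psk() and
renewal_due() are not the SD-WAN Orchestrator's own API."""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ranges and defaults quoted on the page.
SA_LIFETIME_RANGE = (120, 172800)        # seconds
LIFEBYTES_RANGE = (5120, 2147483648)     # kbytes
DEFAULT_SA_LIFETIME = 86400              # 24 h
MIN_PSK_LENGTH = 32                      # characters
# DH groups offered in the drop-down lists on this page.
DH_GROUPS = {1, 2, 5, 14, 19, 20, 21, 24}
# Assumption of this example: the 768/1024/1536-bit MODP groups are
# surfaced as warnings because of their small moduli.
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass
class OverlayPolicy:
    ike_encryption: str
    ike_integrity: str
    ike_dh_group: int
    ike_sa_lifetime: int = DEFAULT_SA_LIFETIME
    ipsec_encryption: str = "aes256"
    ipsec_integrity: str = "sha256"
    ipsec_pfs_group: Optional[int] = 14   # None models "PFS disabled"
    ipsec_sa_lifetime: int = DEFAULT_SA_LIFETIME
    lifebytes_kb: Optional[int] = None    # optional field on the page
    psk: str = ""
    mtu: int = 1400


def check(p: OverlayPolicy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors break a rule stated on the page;
    warnings are defensive hygiene the page leaves to the operator."""
    errors: List[str] = []
    warnings: List[str] = []
    lo, hi = SA_LIFETIME_RANGE
    for name, value in (("IKE SA lifetime", p.ike_sa_lifetime),
                        ("IPsec SA lifetime", p.ipsec_sa_lifetime)):
        if not lo <= value <= hi:
            errors.append(f"{name} {value}s outside [{lo}-{hi}]")
    if p.lifebytes_kb is not None:
        blo, bhi = LIFEBYTES_RANGE
        if not blo <= p.lifebytes_kb <= bhi:
            errors.append(f"Lifebytes {p.lifebytes_kb} kB outside [{blo}-{bhi}]")
    if p.ike_dh_group not in DH_GROUPS:
        errors.append(f"unknown IKE DH group {p.ike_dh_group}")
    if p.ipsec_pfs_group is not None and p.ipsec_pfs_group not in DH_GROUPS:
        errors.append(f"unknown PFS DH group {p.ipsec_pfs_group}")
    if len(p.psk) < MIN_PSK_LENGTH:
        errors.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    if p.ike_dh_group in WEAK_DH_GROUPS:
        warnings.append(f"IKE DH group {p.ike_dh_group} uses a small modulus")
    if p.ipsec_pfs_group is None:
        warnings.append("PFS disabled: IPsec keys are derived from the IKE keying material only")
    elif p.ipsec_pfs_group in WEAK_DH_GROUPS:
        warnings.append(f"PFS DH group {p.ipsec_pfs_group} uses a small modulus")
    if p.ipsec_encryption.lower() == "null":
        warnings.append("NULL IPsec encryption: traffic is integrity-protected but not confidential")
    return errors, warnings


def generate_psk(length: int = MIN_PSK_LENGTH) -> str:
    """Random pre-shared key meeting the page's minimum length."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def renewal_due(elapsed_s: int, sent_kb: int, sa_lifetime_s: int,
                lifebytes_kb: Optional[int]) -> bool:
    """The tunnel is renewed when the SA lifetime or the Lifebytes budget
    expires, whichever comes first; Lifebytes is ignored when unset."""
    if elapsed_s >= sa_lifetime_s:
        return True
    return lifebytes_kb is not None and sent_kb >= lifebytes_kb


if __name__ == "__main__":
    policy = OverlayPolicy("aes256", "sha256", ike_dh_group=2,
                           ipsec_pfs_group=None, psk=generate_psk())
    errors, warnings = check(policy)
    for line in errors + warnings:
        print(line)
```

Run as a script it prints the warnings for a policy that picks DH group 2 and disables PFS; imported, check() can be applied to every overlay before it is pushed to the appliances.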
Apply the Hub & Spoke Overlay to the Appliances
1. From the main menu, select Appliances.
2. Select the Spoke appliance and the WAN tab.
3. Select the appropriate WAN interface in Router mode and, from the Overlay list, select the Hub & Spoke overlay that will establish the VPN tunnel. Click Done.
4. Select the Hub appliance and the WAN tab.
5. Select the appropriate WAN interface in Router mode and apply the same Hub & Spoke overlay as for the Spoke appliance.
6. Click Done. The tunnel is created.
Create an External VPN Gateway Overlay
This section describes how to configure an external gateway from a site appliance over the Internet. The basic procedure for defining an external gateway consists of the following steps:
• Identifying the external gateway.
• Defining the public IP addresses of both the VPN gateway and the Branch Office appliance it is connected to. The IP addresses of the tunnel termination interfaces are also required.
• Defining how the traffic is routed through the tunnel, by using subnet information (static configuration) or BGP (dynamic configuration).
• Defining the IPsec tunnel parameters.
One tunnel is created after you have defined the appropriate parameters in both ExtremeCloud SD-WAN and in Microsoft Azure.
1. Click Add Overlay and select External VPN Gateway as Type.
2. Enter the Name of the overlay.
3. Enter the VPN gateway Primary Public IP Address.
Routing
Warning: As a prerequisite, the gateway parameters must already be configured in Microsoft Azure.
4. Define how the traffic is routed through the tunnel, by using subnet information (static configuration) or BGP (dynamic configuration).
• If you select Static routing, define (Add Subnet) the remote Microsoft Azure subnet IP address by entering its prefix and prefix length. Note that you also defined this IP address in Microsoft Azure. Click Add to validate.
• If you use BGP, enter the IP address of the BGP local peer and the Autonomous System value as they are specified on the Microsoft Azure Portal. With a Cisco router, you can find the required information in the router configuration file. Also specify the default Local Preference.
Apply the External VPN Gateway Overlay to the Appliances
1. From the main menu, select Appliances.
2. Select the Spoke appliance and the WAN tab.
3. Select the appropriate WAN interface in Router mode and, from the Overlay list, select the External VPN Gateway overlay that will establish the VPN tunnel. Click Done.
4. Select the Hub appliance and the WAN tab.
5. Select the appropriate WAN interface in Router mode and apply the same External VPN Gateway overlay as for the Spoke appliance.
6. You may edit the Tunnel Customization parameters as follows:
• Only specify an Initiator ID when authentication with Microsoft Azure or Cisco is performed through an address different from the public IP address.
• Use the IPsec Pre-Shared key field as follows:
  If, in Microsoft Azure, the VPN gateway is configured with only one default Pre-Shared Key for all the tunnels connected to this gateway, leave this field blank in the SD-WAN Orchestrator.
  If, in Microsoft Azure, the VPN gateway has a specific PSK value for each tunnel, enter the Pre-Shared Key for this tunnel.
  Use the icon's different states to either display or hide the key.
• You do not need to define the Inside Local IP address of this tunnel termination interface, since the system uses the Overlay IP address it automatically generated when previous tunnels were created.
• When the VPN gateway is configured in static mode, specify the Inside Remote IP address, which corresponds to the tunnel termination interface of the VPN gateway configured in Microsoft Azure. When an external gateway is configured in BGP mode, the Inside Remote IP field remains blank even though its BGP configuration address is sent to the appliance.
• The BGP Local Precedence parameter is not used when there is only one external gateway. When there are two gateways with the same subnet, the Precedence value enables you to define which tunnel has priority to route the traffic. The highest Precedence value has priority.
7. Click Done. The tunnel is created.
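To make the static-routing and Precedence rules above concrete, here is an added example (written for this page, not code from ExtremeCloud SD-WAN) that models a site appliance's choice of tunnel for a destination address: the most specific remote subnet wins, and among tunnels advertising the same subnet the highest Precedence value routes the traffic. The Tunnel record, the select_tunnel() function, the optional down set used to skip a tunnel that is not established, and all addresses and names are this example's own constructed assumptions.

```python
"""Pick the external-gateway tunnel that routes a given destination.

Constructed example: Tunnel and select_tunnel() are not the SD-WAN
Orchestrator's own API; subnets, names and addresses are sample values."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Tunnel:
    name: str
    remote_subnet: str       # prefix/length entered with Add Subnet
    inside_remote_ip: str    # tunnel termination address of the gateway
    precedence: int = 0      # BGP Local Precedence; the highest value wins


def select_tunnel(dest: str, tunnels: List[Tunnel],
                  down: FrozenSet[str] = frozenset()) -> Optional[Tunnel]:
    """Return the tunnel that carries traffic to dest, or None if no
    remote subnet covers it. Tunnels named in `down` are skipped, which
    lets the lower-Precedence gateway take over (assumed failover)."""
    dst = ipaddress.ip_address(dest)
    candidates = [
        t for t in tunnels
        if t.name not in down and dst in ipaddress.ip_network(t.remote_subnet)
    ]
    if not candidates:
        return None
    # Longest prefix is the most specific route; among equal prefixes the
    # page's rule applies: the highest Precedence value has priority.
    return max(
        candidates,
        key=lambda t: (ipaddress.ip_network(t.remote_subnet).prefixlen, t.precedence),
    )


# Constructed sample: two gateways advertising the same Azure subnet and a
# third, more specific subnet behind another gateway.
SAMPLE_TUNNELS = [
    Tunnel("azure-gw-a", "10.20.0.0/16", "169.254.21.2", precedence=100),
    Tunnel("azure-gw-b", "10.20.0.0/16", "169.254.22.2", precedence=200),
    Tunnel("azure-gw-c", "10.20.5.0/24", "169.254.23.2", precedence=50),
]


if __name__ == "__main__":
    for dest in ("10.20.9.1", "10.20.5.7", "192.168.1.1"):
        chosen = select_tunnel(dest, SAMPLE_TUNNELS)
        print(dest, "->", chosen.name if chosen else "no route")
```

With a single external gateway the Precedence value never influences the choice, which matches the page's note that the parameter is unused in that case; it only breaks the tie between gateways sharing a subnet.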