Link Search Menu Expand Document

Tunnels Tab

Configuration > Networking > Tunnels > Tunnels

EdgeConnect tunnels are the foundation of your SD-WAN fabric. This tab displays details about tunnels in your network. It includes the following three subtabs:

  • Overlay – Displays SD-WAN bonded tunnels. Specifically, overlay tunnels consist of bonded underlay tunnels.

  • Underlay – Displays tunnels that map to discrete transports.

  • Passthrough – Displays third-party (IPSec) tunnels for service chaining to cloud security services, such as Zscaler and Netskope, and tunnels for local breakouts to trusted SaaS applications, such as Office 365.

In an SD-WAN network, Business Intent Overlays (BIOs) govern automatic tunnel creation and properties. This tab also provides the means to manually create IP Sec tunnels either between EdgeConnect appliances or from an EdgeConnect appliance to a third-party service.

NOTE: Manually created underlay tunnels cannot be used by BIOs.

Underlay Tunnel Naming

Underlay tunnels are uni-directional from the appliance listed in the Appliance column to the appliance listed after “to_” in the Underlay Tunnel column. The Underlay Tunnel column also includes the interface labels for the “from” and “to” sources.

img

Passthrough Tunnel Naming

Passthrough tunnels show “Passthrough” followed by the interface label for the source and the overlay (if applicable).

For orchestrated third-party tunnels, the Passthrough Tunnels column always shows “ThirdParty” followed by the third-party service name, the interface label for the source, and the local label, which can be “Primary”, “Secondary”, or “Tertiary”. If there are POPs it indicates which POP after the local label. In the following example, it indicates which Zscaler POP where Z1 is the primary Zscaler POP and Z2 is the backup Zscaler POP.

img

Filter by Tunnel Status

To filter the rows displayed in the Tunnels table by tunnel status, select Up or Down from the Status drop-down list. Select All to display for all statuses, which is the default setting.

Subtab Field Descriptions

The following tables describe the fields displayed on the Overlay, Underlay, and Passthrough subtabs. Field descriptions are not repeated if they appear on more than one subtab and have the same description.

Overlay Subtab

Field Description
Appliance Name of the appliance.
Overlay Tunnel Designated overlay tunnel.
Overlay Designated overlay to which the overlay tunnel is applied.
Admin Status Indicates whether the tunnel has been set to admin up or down.
Status Tunnel statuses are as follows:

down – Tunnel is down. This can occur because the Admin Status of the tunnel is set to “down” (indicated when down status background is orange) or the tunnel cannot communicate with the appliance at the other end (indicated when down status background is red). Possible causes are:

Lack of end-to-end connectivity / routability (test with iperf).

Intermediate firewall is dropping the packets (open the firewall).

Intermediate QoS policy (be packets are being starved; change control packet DSCP marking).

Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp).

IPSec is misconfigured: (1) enabled on one side (see show int tunnel configured), or mismatched pre-shared key.

down - in progress – Tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.

down - misconfigured – The two appliances are configured with the same System ID (see show system).

up - active – Tunnel is up and active. Traffic destined for this tunnel is being forwarded to the remote appliance.

up - idle – Tunnel is up and active, but it has not had activity during the past five minutes, and it has slowed the rate of issuing keep-alive packets.

up - ip sla disabled – Applies to passthrough tunnels only. Tunnel is up and has connectivity, but it is down because of a configured IP SLA consequent action.

up - reduced functionality – Tunnel is up and active, but the two endpoint appliances are running mismatched software releases that provide no performance benefit.

UNKNOWN – Tunnel status is unknown. This can occur because the appliance is unable to retrieve the current tunnel status. Try again later.
MTU Maximum Transmission Unit. The largest possible unit of data that can be sent on a given physical medium. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically. It overrides the MTU setting.
Uptime Length of time the tunnel has been up.
Underlay Tunnels Designated underlay tunnels.
Live View Click the chart icon to display a live view of the status of your selected tunnel. You can view by bandwidth, loss, jitter, latency, MOS, chart, traceroute, inbound or outbound, and lock the scale.
Historical Charts Click the chart icon to display historical charts for the selected overlay and underlay tunnels.

Underlay Subtab

Field Description
Segment Name of the segment. This field displays only if Routing Segmentation is enabled.
Underlay Tunnel Designated underlay tunnel.
Overlays Overlays to which the tunnels for the appliance are applied.
Admin Status Indicates whether the tunnel has been set to admin up or down. To change the admin status for the underlay tunnel, click the menu icon and select Admin Up or Admin Down.
Status Click the status indicator in this field to display detailed troubleshooting information for this tunnel. Aruba Technical Assistance Center (TAC) can request that you capture and send this diagnostic information. Tunnel statuses are as follows:

down – Tunnel is down. This can occur because the Admin Status of the tunnel is set to “down” (indicated when down status background is orange) or the tunnel cannot communicate with the appliance at the other end (indicated when down status background is red). Possible causes are:

Lack of end-to-end connectivity / routability (test with iperf).

Intermediate firewall is dropping the packets (open the firewall).

Intermediate QoS policy (be packets are being starved; change control packet DSCP marking).

Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp).

IPSec is misconfigured: (1) enabled on one side (see show int tunnel configured), or mismatched pre-shared key.

down - in progress – Tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.

down - misconfigured – The two appliances are configured with the same System ID (see show system).

up - active – Tunnel is up and active. Traffic destined for this tunnel is being forwarded to the remote appliance.

up - idle – Tunnel is up and active, but it has not had activity during the past five minutes, and it has slowed the rate of issuing keep-alive packets.

up - ip sla disabled – Applies to passthrough tunnels only. Tunnel is up and has connectivity, but it is down because of a configured IP SLA consequent action.

up - reduced functionality – Tunnel is up and active, but the two endpoint appliances are running mismatched software releases that provide no performance benefit.

UNKNOWN – Tunnel status is unknown. This can occur because the appliance is unable to retrieve the current tunnel status. Try again later.
Local IP:Port IP address and port number of the local appliance.
Remote IP:Port Public IP address and port number of the remote-peer appliance. This represents the IP address of the EdgeConnect WAN-side interface learned by Orchestrator. Orchestrator uses this to create tunnels between remote sites.

NOTE: If the NAT-related link under the Next Hop field on the WAN side of the appliance deployment is set to “NAT” (see the figure below), the appliance is behind a NAT-ed interface and the WAN Public IP address is auto discovered from the Cloud Portal.
  img
Discovered IP:Port Discovered IP address and port number, which represents the IP address and port contained in the NAT Discovery (NAT-D) packet sent at the beginning of tunnel setup. If this field displays “NONE:NONE”, the local appliance has not received a NAT-D packet from the remote appliance. This indicates connectivity issues between the locations. If the local appliance receives NAT-D packets, this field populates accordingly, and data path tunnel packets are being received as well.

NOTE: If Remote IP:Port and Discovered IP:Port are different, they are shown in italics. This is informational only. No action is required by the administrator. Remote IP:Port is what was initially learned by Orchestrator. Discovered IP:Port is the accurate representation of the network in real time.
Max BW (Kbps) Maximum bandwidth for the tunnel in kilobits per second (Kbps).
Mode Indicates whether the tunnel protocol is IPSec, IPSec UDP, UDP, or GRE.
Advanced Options Click the info icon to open the Tunnel Advanced Options dialog box, which displays details about the tunnel’s settings.
Traceroute Click the chart icon to display a traceroute chart for the selected appliance.
Historical Charts Click the chart icon to display historical charts for the selected underlay tunnel.

Passthrough Subtab

Field Description
Passthrough Tunnel Designated passthrough tunnel.
Charts Click the chart icon to display historical charts for the selected passthrough tunnel.
Local IP IP address of the local endpoint.
Remote IP IP address of the remote endpoint.
Mode Indicates whether the tunnel protocol is GRE, IPSec, or No Encap.
NAT Indicates whether Network Address Translation (NAT) has been applied.
Peer/Service Peer or service being used.

Troubleshooting

  1. Have you created and applied the Overlay to all the appliances on which you are expecting tunnels to be built?

    Verify this on the Apply Overlays tab.

  2. Are the appliances on which you are expecting the Overlays to be built using Release 8.0 or later?

    View the active software releases on Administration > Software > Upgrade > Software Versions.

  3. Do you have at least one WAN Label selected as a Primary port in the Overlay Policy?

    Verify this on the Business Intent Overlay tab in the WAN Links & Bonding Policy section.

  4. Are the same WAN labels selected in the Overlay assigned to the WAN interfaces on the appliances?

    Verify that at least one of the Primary Labels selected in the Business Intent Overlay is identical to a Label assigned on the appliance’s Deployment page. Tunnels are built between matching Labels on all appliances participating in the overlay.

  5. Do any two (or more) appliances have the same Site Name?

    We only assign the same Site Name if we do not want those appliances to connect directly. To view the list of Site Names, navigate to the Configuration > Networking > Tunnels > Tunnels tab, and then click Sites at the top.

Tunnels Dialog Box

This dialog box enables you to add, modify, or delete manually created underlay and passthrough tunnels for an appliance. In an SD-WAN network, Business Intent Overlays (BIOs) govern automatic tunnel creation and properties.

The Tunnels dialog box includes the following three subtabs:

  • Overlay – Displays SD-WAN bonded tunnels. Specifically, overlay tunnels consist of bonded underlay tunnels.

  • Underlay – Displays tunnels that map to discrete transports.

  • Passthrough – Displays third-party (IPSec) tunnels for service chaining to cloud security services, such as Zscaler and Netskope, and tunnels for local breakouts to trusted SaaS applications, such as Office 365.

About Authentication in IPSec Tunnels

Orchestrator and EdgeConnect Release 9.4 as part of compliance for Common Criteria, includes Public Key Infrastructure (PKI) use of RFC5280 X.509 certificates for IPSec peer authentication.

EdgeConnect-to-EdgeConnect and EdgeConnect-to-third-party IPSec Tunnels can also be manually created. In Release 9.4, manually created EdgeConnect-to-EdgeConnect IPSec tunnels can use either PSK (pre-shared key) or certificate-based authentication, using <RSA/ECDSA/both> X.509v3 certificates. IPSec tunnel peer-authentication options are shown in the following table.

IPSec Tunnel Construction EdgeConnect-to-EdgeConnect EdgeConnect-to-3rd Party
Orchestrated
IPSec_UDP (default mode)
Proprietary Authentication
Not FIPS or Common Criteria approved
Not Applicable
Orchestrated
IKE-based IPSec
Orchestrator-generated
Pre-Shared Key (PSK), see Note 1
Orchestrator-generated
Pre-Shared Key (PSK), see Note 2
Manually created
IKE-based IPSec
x509v3 certificate OR
User configured Pre-Shared Key (PSK), see Note 3
User configured
Pre-Shared Key (PSK), see Note 3

NOTE 1: Orchestrator automatically creates pre-shared keys on orchestrated IKE-based tunnels with a length of 20 characters. IPSec PSK is derived from Orchestrator’s Random Number Generator (RNG) secure random implementation.

NOTE 2: Orchestrator automatically creates pre-shared keys on orchestrated IKE-based tunnels with a length of 36 characters. IPSec PSK is derived from a pseudo-randomly generated type-4 UUID (universal unique identifier). A 16-byte array is produced, which is then converted to a 36-character string.

NOTE 3: The pre-shared key must contain at least 8 characters, and cannot contain [ ] { } “ # * characters. Max length is 64 characters. The default value is “silverpeak”.

Add or Modify a Manually Created Underlay Tunnel

To add a manually created underlay tunnel, perform the following steps:

  1. Navigate to Configuration > Networking > Tunnels > Tunnels.

  2. Click the edit icon next to the appliance for which you want to add or modify a tunnel.

    The Tunnels dialog box opens.

    NOTE: To modify a tunnel, click the edit icon next to the tunnel. The Modify Tunnel dialog box opens. Change the fields as described below, and then click Save.

  3. Click Underlay.

  4. Click Add Tunnel.

    The Add Tunnel dialog box opens.

  5. Complete the following fields as appropriate.

    Add Tunnel dialog box (for manually created underlay)

    The Add Tunnel dialog box displays a General tab. If you set the Mode field on this tab to IPSec, the IKE and IPSec tabs are also displayed.

    General tab (for manually created underlay)

    Access the following fields by clicking the General tab on the Add Tunnel dialog box.

    General

    Field Description
    Alias Alias name of the tunnel.
    Mode Indicates whether the tunnel protocol is UDP, GRE, IPSec, or IPSec UDP. If you select IPSec, you can specify the IKE version on the IKE tab.

    NOTE: If using IKE-based IPSec with IKEv2 you can leave this field set to Auto, otherwise it is recommended that you use the AES_256_GCM_16 algorithm, which performs both encryption and authentication, resulting in better performance.
    IPSec Suite B Preset This field is available only if the Mode field is set to IPSec. Select an IPSec Suite B preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None.

    If IPSec Suite B Preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently.

    If an IPSec Suite B preset is selected, various settings on the IKE and IPSec tabs are configured automatically based on the selected preset.
    Admin Indicates whether the tunnel has been set to admin up or down.
    Local IP IP address of the local endpoint.
    Remote IP IP address of the remote endpoint.
    Auto discover MTU enabled When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth. Enabled by default.
    MTU Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting. This field is not available if the Auto discover MTU enabled check box is selected.
    Auto max BW enabled When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth. Enabled by default.
    Max BW Kbps Maximum amount of bandwidth in kilobits per second. This field is not available if the Auto max BW enabled check box is selected.
    UDP destination port Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
    UDP flows Used in UDP mode. Number of flows over which to distribute tunnel data.
    Min BW Kbps Minimum amount of bandwidth in kilobits per second.

    Packet

    NOTE: FEC settings do not apply when overlays are used. FEC settings only apply when routing directly to an underlay via Route Policy.

    Field Description
    Reorder wait Maximum time (in milliseconds) the appliance holds an out-of-order packet when attempting to reorder. 100 ms is the default value and should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.
    FEC Set Forward Error Correction (FEC) to enable, disable, or auto.
    FEC ratio When FEC is set to auto, FEC will range dynamically from off to 1:10 based on detected loss. The options are 1:1, 1:2, 1:5, 1:10, and 1:20. This field is available only if FEC is set to enable.

    Tunnel Health

    Field Description
    Retry count Number of failed keep-alive messages that are allowed before the appliance raises a tunnel-down alarm. Default value is 30; maximum value is 60.
    DSCP Determines the DSCP marking that the keep-alive messages should use.

    FastFail Thresholds

    NOTE: FastFail thresholds were used in a legacy application and should be ignored.

    Field Description
    Fastfail enabled When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

    The Fastfail connectivity detection algorithm for the wait time from receipt of last packet before declaring a brownout is:

    Twait = Base + N * RTTavg

    where Base is a value in milliseconds, and N is the multiplier of the average Round Trip Time over the past minute.

    For example, if:

    Base = 200mSN = 2

    Then,

    RTTavg = 50mS

    The appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 mS of receiving the most recent packet.

    In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

    Fastfail enabled – This option is triggered when a tunnel’s keep-alive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous.

    For disable, keep-alives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

    For enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from one per second to ten per second. Failover occurs after one second.

    For continuous, keep-alives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.
    Latency Amount of latency in milliseconds. Thresholds for Latency, Loss, or Jitter are checked once every second.

    Receiving three successive measurements in a row that exceed the threshold puts the tunnel into a brownout situation and flows will attempt to fail over to another tunnel within the next 100 ms.

    Receiving three successive measurements in a row that drop below the threshold will drop the tunnel out of brownout.
    Loss Amount of data lost as a percentage.
    Jitter Amount of jitter in milliseconds.
    Fastfail wait-time base offset Fastfail basic timeout time in milliseconds.
    Fastfail RTT multiplication factor Amount of RTT (Round Trip Time) added to the basic timeout.

    IKE tab (for manually created underlay)

    Access the following fields by clicking the IKE tab on the Add Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IKE

    Field Description
    Peer authentication There are two options for IKE authentication, Pre-shared key or End entity certificate, choose one of the options.

    Pre-shared key – If selected, a default value of “silverpeak” is pre-populated in the Pre-shared key field. It is recommended to change the pre-shared key per the following requirements: The pre-shared key must contain at least 8 characters, and cannot contain [ ] { } “ # * characters. Max length is 64 characters.

    NOTE: If you change the pre-shared key, record the new pre-shared key you entered, as the pre-shared key configuration on both peers should match.

    End entity certificate – If selected, select the certificate (label) from the End entity certificate drop-down menu.

    NOTE: To select an end entity certificate, you must first generate an end entity certificate for use. To do this, see End Entity Certificates Tab. If you have not generated any end entity certificates, the menu will be empty.
    Authentication Algorithm Authentication algorithm used for IKE security association (SA). The default is SHA1. If the Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256, this field is not applicable.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, or SHA2-512.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.

    NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used.
    Encryption Algorithm Encryption algorithm used for IKE security association (SA). The recommendation is to select AES-GCM-256. This algorithm also includes authentication (Authentication Algorithm will show as “NA”).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v1, you can select AES-CBC-128, AES-CBC-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v2, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.
    Pseudo Random Function This field is displayed only if the IKE Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256.

    For AES-GCM-128, you can select SHA2-256, SHA2-384, or SHA2-512.

    For AES-GCM-256, you can select SHA-384 or SHA-512.

    The recommendation is to select SHA-384.
    Diffie-Hellman Group Diffie-Hellman Group used for IKE security association (SA) negotiation. The default setting is DH 14.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 14 through 21, 26, and 31.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate group.

    If IPSec Suite B preset is not selected, then groups 19 or higher are recommended.
    Rekey interval/lifetime Rekey interval/lifetime of IKE security association (SA) in minutes. The default is 360 minutes.
    Dead peer detection Delay time: The interval (in seconds) to check the lifetime of the IKE peer.

    Retry count: Number of times to retry the connection before determining that the connection is dead. This field is not editable.
    Local IKE identifier Specify the local IKE identifier.

    If you are using an end entity certificate for authentication, the certificate Subject Name (SN) is auto populated in this field. The Subject Alternative Name (SAN) may also be used but refer to the following note for guidance.

    NOTE: A bi-directional IPSec tunnel is configured as two uni-directional tunnel objects, each with a local IKE identifier and a remote IKE identifier. In a tunnel from A-to-B, the local IKE identifier for A matches the end-entity certificate for A, while the remote IKE identifier matches the end-entity certificate for B. There is a dependency between the A-to-B tunnel configuration and the B-to-A tunnel configuration. When provisioning the A-to-B tunnel, the Local IKE identifier field is pre-populated with the Subject Name (SN) for A as specified on the end-entity certificate for A, e.g., Subject Name (O=HPE, OU=Aruba, CN=10.81.87.64). If the SN is used for the local IKE identifier for A, then the full SN must also be used as the remote IKE identifier when configuring the tunnel B-to-A. Either the SN or SAN can be used, but whichever is chosen, the local IKE identifier of one direction must match the remote IKE identifier of the other direction.

    Also, whenever SN is used, the full SN must be used as specified in the end-entity certificate, e.g., O=HPE, OU=Aruba, CN=10.81.87.64 (where O=organization, OU=organizational unit, CN=common name) and it must be entered in the exact order it appears on the certificate. As a best practice, if the SN is preferred, then SN must be used as identifiers for BOTH tunnels. If SAN is preferred, enter the value for SAN without any prefix letters such as “IP:”, and only enter the IP address e.g., 10.81.87.65. When SN/SAN are used interchangeably, the tunnel will not be established.
    Remote IKE identifier Specify the remote IKE identifier.

    If you are using an end entity certificate for authentication, enter the entire SN or SAN of the peer certificate, and refer to the note in the Local IKE identifier description above for guidance.
    Phase 1 mode Exchange mode for the IKE security association (SA) negotiation.

    If the IKE Version field is set to IKE v1, you can select Main or Aggressive.

    If the IKE Version field is set to IKE v2, this field is automatically set to Aggressive.
    IKE version If the IPSec Suite B Preset field on the General tab is set to None, you can select IKE v1 or IKE v2. The recommendation is to select IKE v2.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to IKE v2.

    IPSec tab (for manually created underlay)

    Access the following fields by clicking the IPSec tab on the Add Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IPSec

    Field Description
    Authentication algorithm Authentication algorithm used for the IPSec security association (SA). The default is SHA1. If the Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256, this field is not applicable.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, or AES-GMAC-256.

    If the IPSec Suite B Preset field is set to GMAC-128 or GMAC-256, this field is automatically set to the appropriate algorithm.
    Encryption algorithm Encryption algorithm used for the IPSec security association (SA). The recommendation is to select AES-GCM-256. This algorithm also includes authentication (Authentication Algorithm will show as “NA”).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IPSec Authentication algorithm field is set to SHA1, SHA2-256, SHA2-384, or SHA2-512, you can select AES-CBC-128, AEC-CBC-256, AES-GCM-128, AES-GCM-256, NULL, or Auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to None, and the IPSec Authentication algorithm field is set to AES-GMAC-128 or AES-GMAC-256, this field is automatically set to NULL.
    IPSec anti-replay window Select a size from the drop-down list or Disable to disable the IPSec anti-replay window.

    If a size is selected, protection is provided against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet.
    Rekey interval/lifetime Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 360 minutes.
    Perfect forward secrecy group Diffie-Hellman group used for IPSec security association (SA) negotiation. The recommendation is to select groups 19 or higher.

    Based on the setting of the IPSec Suite B Preset field on the the General tab, this field is set to the following Diffie-Hellman group:

    For None: 14 (by default)

    For GCM-128 or GMAC-128: 19

    For GCM-256 or GMAC-256: 20
  6. Click Save.

Add or Modify a Manually Created Passthrough Tunnel

To add a manually created passthrough tunnel, perform the following steps:

  1. Navigate to Configuration > Networking > Tunnels > Tunnels.

  2. Click the edit icon next to the appliance for which you want to add or modify a tunnel.

    The Tunnels dialog box opens.

    NOTE: To modify a tunnel, click the edit icon next to the tunnel. The Modify Tunnel dialog box opens. Change the fields as described below, and then click Save.

  3. Click Passthrough.

  4. Click Add Tunnel.

    The Add Passthrough Tunnel dialog box opens.

  5. Complete the following fields as appropriate.

    Add Passthrough Tunnel dialog box

    The Add Passthrough Tunnel dialog box displays a General tab. If you set the Mode field on this tab to IPSec, the IKE and IPSec tabs are also displayed.

    General tab (for manually created passthrough)

    Access the following fields by clicking the General tab on the Add Passthrough Tunnel dialog box.

    Field Description
    Alias Alias name of the tunnel.
    Mode Indicates whether the tunnel protocol is GRE, No Encap, IPSec, or IPSec UDP.

    NOTE: If using IKE-based IPSec with IKEv2 you can leave this field set to Auto, otherwise it is recommended that you use the AES_256_GCM_16 algorithm, which performs both encryption and authentication, resulting in better performance.
    IPSec Suite B Preset This field is available only if the Mode field is set to IPSec. Select an IPSec Suite B preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None.

    If IPSec Suite B Preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently.

    If an IPSec Suite B preset is selected, various settings on the IKE and IPSec tabs are configured automatically based on the selected preset.
    Admin Indicates whether the tunnel has been set to admin up or down.
    Local IP IP address of the local endpoint.
    Remote IP IP address of the remote endpoint.
    NAT Whether Network Address Translation (NAT) has been applied.
    Peer/Service Enter the peer or service being used.
    Auto max BW enabled When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.
    Max BW Kbps Maximum amount of bandwidth in kilobits per second. This field is not available if the Auto max BW enabled check box is selected.

    IKE Tab (for manually created passthrough)

    Access the following fields by clicking the IKE tab on the Add Passthrough Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IKE

    Field Description
    Pre-shared key The pre-shared key used for IKE authentication. A default value of “silverpeak” is pre-populated in the Pre-shared key field. It is recommended to change the pre-shared key per the following requirements: The pre-shared key must contain at least 8 characters, and cannot contain [ ] { } “ # * characters. Max length is 64 characters.

    NOTE: If you change the pre-shared key, record the new pre-shared key you entered, as the pre-shared key configuration on both peers should match.
    Authentication Algorithm Authentication algorithm used for IKE security association (SA). The default is SHA1. If the Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256, this field is not applicable.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, or SHA2-512.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.

    NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used.
    Encryption Algorithm Encryption algorithm used for IKE security association (SA). The recommendation is to select AES-GCM-256. This algorithm also includes authentication (Authentication Algorithm will show as “NA”).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v1, you can select AES-CBC-128, AES-CBC-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v2, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.
    Pseudo Random Function This field is displayed only if the IKE Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256.

    For AES-GCM-128, you can select SHA2-256, SHA2-384, or SHA2-512.

    For AES-GCM-256, you can select SHA-384 or SHA-512.

    The recommendation is to select SHA-384.
    Diffie-Hellman Group Diffie-Hellman Group used for IKE security association (SA) negotiation. The default setting is DH 14.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 14 through 21, 26, and 31.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate group.

    If IPSec Suite B preset is not selected, then groups 19 or higher are recommended.
    Rekey interval/lifetime Rekey interval/lifetime of IKE security association (SA) in minutes. The default is 360 minutes.
    Dead peer detection Delay time: The interval (in seconds) to check the lifetime of the IKE peer.

    Retry count: Number of times to retry the connection before determining that the connection is dead. This field is not editable.
    Local IKE identifier Specify the local IKE identifier. This field is displayed only if the IKE Version field is set to IKE v2.
    Remote IKE identifier Specify the remote IKE identifier. This field is displayed only if the IKE Version field is set to IKE v2.
    Phase 1 mode Exchange mode for the IKE security association (SA) negotiation.

    If the IKE Version field is set to IKE v1, you can select Main or Aggressive.

    If the IKE Version field is set to IKE v2, this field is automatically set to Aggressive.
    IKE version If the IPSec Suite B Preset field on the General tab is set to None, you can select IKE v1 or IKE v2. The recommendation is to select IKE v2.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to IKE v2.

    IPSec tab (for manually created passthrough)

    Access the following fields by clicking the IPSec tab on the Add Passthrough Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IPSec

    Field Description
    Authentication algorithm Authentication algorithm used for the IPSec security association (SA). The default is SHA1. If the Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256, this field is not applicable.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, or AES-GMAC-256.

    If the IPSec Suite B Preset field is set to GMAC-128 or GMAC-256, this field is automatically set to the appropriate algorithm.
    Encryption algorithm Encryption algorithm used for the IPSec security association (SA). The recommendation is to select AES-GCM-256. This algorithm also includes authentication (Authentication Algorithm will show as “NA”).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IPSec Authentication algorithm field is set to SHA1, SHA2-256, SHA2-384, or SHA2-512, you can select AES-CBC-128, AEC-CBC-256, AES-GCM-128, AES-GCM-256, NULL, or Auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to None, and the IPSec Authentication algorithm field is set to AES-GMAC-128 or AES-GMAC-256, this field is automatically set to NULL.
    IPSec anti-replay window Select a size from the drop-down list or Disable to disable the IPSec anti-replay window.

    If a size is selected, protection is provided against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet.
    Rekey interval/lifetime Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 360 minutes.
    Perfect forward secrecy group Diffie-Hellman group used for IPSec security association (SA) negotiation. The recommendation is to select groups 19 or higher.

    Based on the setting of the IPSec Suite B Preset field on the the General tab, this field is set to the following Diffie-Hellman group:

    For None: 14 (by default)

    For GCM-128 or GMAC-128: 19

    For GCM-256 or GMAC-256: 20
  6. Click Save.

Delete a Tunnel

To delete a tunnel listed in the table on the Underlay or Passthrough subtab of the Tunnels dialog box, click the corresponding delete icon (X) in the last column.

Use Passthrough Tunnels

Use passthrough tunnels in the following situations:

  • For internet breakout to a trusted SaaS application, like Office 365

  • For service chaining to a cloud security service, like Zscaler or Netskope

    • This requires building secure and compatible third-party IPSec tunnels from EdgeConnect devices to non-EdgeConnect devices in the data center or cloud.

    • When you create the tunnel, the Service Name in the Business Intent Overlay’s Internet Traffic Policies must exactly match the Peer/Service specified in the Passthrough tunnel configuration.

    • To load balance, create two or more passthrough IPSec tunnels and, in the Business Intent Overlay, ensure that they all specify the same Service Name in the Internet Traffic Policies.

IPSec Suite B Presets

As of version 9.2, Orchestrator provides you with four IPSec Suite B presets, as follows:

  • GCM-128

  • GCM-256

  • GMAC-128

  • GMAC-256

Each preset includes a predetermined set of IKE and ESP (IPSec) cryptographic algorithms. By selecting an IPSec Suite B preset, you can streamline the algorithm aspect of your tunnel setup rather than selecting individual algorithms. However, you can select individual algorithms if you want to. To select a preset, use the IPSec Suite B Preset drop-down field on the Add Tunnel or Modify Tunnel dialog box.

The following tables show the IPSec Suite B presets in the header row and provide the associated algorithm setups for the IKEv2 and ESP (IPSec) stages.

IKEv2 Stage

  GCM-128 GCM-256 GMAC-128 GMAC-256
Encryption (Note) AES-128-CBC AES-256-CBC AES-128-CBC AES-256-CBC
Pseudo Random Function HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA-384
Integrity (IKE Data Authentication) HMAC-SHA-256-128 HMAC-SHA-384-192 HMAC-SHA-256-128 HMAC-SHA-384-192
Key Exchange (NIST Elliptic Curve Groups) DH-19
256-bit Prime Size
DH-20
384-bit Prime Size
DH-19
256-bit Prime Size
DH-20
384-bit Prime Size

ESP (IPSec) Stage

  GCM-128 GCM-256 GMAC-128 GMAC-256
Encryption AES-128-GCM
with 16 octet ICV
AES-256-GCM
with 16 octet ICV
NULL NULL
Integrity (Data Authentication) NULL NULL AES-128-GMAC AES-256-GMAC

Notice in the second table that the encryption and data authentication is done in one step for GCM. For GMAC, there is no encryption.


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America