Tunnel Settings Tab

Orchestrator > Orchestrator Server > Tools > Tunnels Settings

This tab enables you to manage properties for tunnels created by Orchestrator. Tunnel settings are controlled on a per-label basis, such as MPLS, Internet, or LTE.

IPSec Suite B Presets

As of version 9.2, Orchestrator provides you with four IPSec Suite B presets, as follows:

  • GCM-128

  • GCM-256

  • GMAC-128

  • GMAC-256

Each preset includes a predetermined set of IKE and ESP (IPSec) cryptographic algorithms. By selecting an IPSec Suite B preset, you can streamline the algorithm aspect of your tunnel setup rather than selecting individual algorithms. However, you can select individual algorithms if you want to. To select a preset, use the IPSec Suite B Preset drop-down field on the General tab.

The following tables show the IPSec Suite B presets in the header row and provide the associated algorithm setups for the IKEv2 and ESP (IPSec) stages.

IKEv2 Stage

                                            GCM-128             GCM-256             GMAC-128            GMAC-256
Encryption (Note)                           AES-128-CBC         AES-256-CBC         AES-128-CBC         AES-256-CBC
Pseudo Random Function                      HMAC-SHA-256        HMAC-SHA-384        HMAC-SHA-256        HMAC-SHA-384
Integrity (IKE Data Authentication)         HMAC-SHA-256-128    HMAC-SHA-384-192    HMAC-SHA-256-128    HMAC-SHA-384-192
Key Exchange (NIST Elliptic Curve Groups)   DH-19 (256-bit      DH-20 (384-bit      DH-19 (256-bit      DH-20 (384-bit
                                            prime size)         prime size)         prime size)         prime size)

ESP (IPSec) Stage

                                    GCM-128                          GCM-256                          GMAC-128        GMAC-256
Encryption                          AES-128-GCM with 16 octet ICV    AES-256-GCM with 16 octet ICV    NULL            NULL
Integrity (Data Authentication)     NULL                             NULL                             AES-128-GMAC    AES-256-GMAC

Notice in the second table that for GCM, encryption and data authentication are done in one step (AES-GCM is an authenticated-encryption algorithm, so no separate integrity algorithm is negotiated). For GMAC, there is no encryption: the payload is sent in the clear and only authenticated.

General Tab

Access the following fields by clicking the General Tab.

General

Field Description
Mode Indicates whether the tunnel protocol is UDP, GRE, IPSec, or IPSec UDP. The default setting is IPSec UDP. If you select IPSec, you can specify the IKE version on the IKE tab.

NOTE: If this field is set to IPSec UDP, it is recommended that you use the AES_256_GCM_16 algorithm, which performs both encryption and authentication, resulting in better performance.
IPSec Suite B Preset This field is available only if the Mode field is set to IPSec. Select an IPSec Suite B preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None.

NOTE: If IPSec Suite B preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently.
Auto max BW enabled When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.
Auto discover MTU enabled When enabled, allows the appliances to discover the tunnel MTU automatically; the MTU field is then not available.
MTU Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting. This field is not available if the Auto discover MTU enabled check box is selected.
UDP destination port Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
UDP flows Used in UDP mode. Number of flows over which to distribute tunnel data.

Packet

NOTE: FEC settings do not apply when overlays are used. FEC settings only apply when routing directly to an underlay via Route Policy.

Field Description
Reorder wait Maximum time (in milliseconds) the appliance holds an out-of-order packet when attempting to reorder. 100 ms is the default value and should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.
FEC Forward Error Correction (FEC) can be set to enable, disable, or auto.
FEC ratio Ratio of data packets to FEC parity packets. The options are 1:1, 1:2, 1:5, 1:10, or 1:20. This field is available only if FEC is set to enable. When FEC is set to auto, the ratio ranges dynamically from off to 1:10 based on detected loss.

Tunnel Health

Field Description
Retry count Number of failed keep-alive messages allowed before the appliance brings the tunnel down.
DSCP Determines the DSCP marking that the keep-alive messages should use.

FastFail Thresholds

NOTE: FastFail thresholds do not apply when overlays are used. FastFail only applies when routing directly to an underlay via Route Policy.

Field Description
Fastfail enabled When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

The Fastfail connectivity detection algorithm computes the wait time from receipt of the last packet before declaring a brownout as:

Twait = Base + N * RTTavg

where Base is a value in milliseconds, and N is the multiplier applied to the average Round Trip Time (RTTavg) over the past minute.

For example, if:

Base = 200 ms
N = 2
RTTavg = 50 ms

then:

Twait = 200 + 2 * 50 = 300 ms

In this case the appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.

In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

Fastfail enabled - This option is triggered when a tunnel’s keep-alive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous.

For disable, keep-alives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

For enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from one per second to ten per second. Failover occurs after one second.

For continuous, keep-alives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.
Latency Amount of latency in milliseconds. Thresholds for Latency, Loss, or Jitter are checked once every second.

Three successive measurements that exceed the threshold put the tunnel into brownout, and flows attempt to fail over to another tunnel within the next 100 ms.

Three successive measurements that drop below the threshold take the tunnel out of brownout.
Loss Amount of data lost as a percentage.
Jitter Amount of jitter in milliseconds.
Fastfail wait-time base offset Fastfail basic timeout time in milliseconds.
Fastfail RTT multiplication factor Amount of RTT (Round Trip Time) added to the basic timeout.
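The following is an added example, not Orchestrator code: it models the two Fastfail brownout rules described above (the Twait silence timeout and the three-successive-measurement threshold rule with its recovery condition) on constructed latency samples. Function and field names are assumptions; a measurement exactly equal to the threshold is treated as neither exceeding nor dropping below it.

```python
from dataclasses import dataclass
from typing import List


def fastfail_wait_ms(base_ms: float, n: float, rtt_avg_ms: float) -> float:
    """Twait = Base + N * RTTavg, every value in milliseconds."""
    return base_ms + n * rtt_avg_ms


def silence_brownout(base_ms: float, n: float, rtt_avg_ms: float,
                     last_packet_ms: float, now_ms: float) -> bool:
    """Brownout if no reply has arrived within Twait of the most recent packet."""
    return (now_ms - last_packet_ms) > fastfail_wait_ms(base_ms, n, rtt_avg_ms)


@dataclass
class ThresholdTracker:
    """One-per-second threshold check for latency, loss or jitter.

    Three successive measurements over the threshold enter brownout;
    three successive measurements under it leave brownout (hysteresis).
    """
    threshold: float
    brownout: bool = False
    over: int = 0      # consecutive samples above threshold
    under: int = 0     # consecutive samples below threshold

    def observe(self, value: float) -> bool:
        if value > self.threshold:
            self.over, self.under = self.over + 1, 0
        elif value < self.threshold:
            self.under, self.over = self.under + 1, 0
        else:                       # equal: counts as neither (assumption)
            self.over = self.under = 0
        if not self.brownout and self.over >= 3:
            self.brownout = True
        elif self.brownout and self.under >= 3:
            self.brownout = False
        return self.brownout


def brownout_timeline(threshold_ms: float, samples_ms: List[float]) -> List[bool]:
    """Brownout state after each once-per-second latency sample."""
    tracker = ThresholdTracker(threshold=threshold_ms)
    return [tracker.observe(s) for s in samples_ms]


if __name__ == "__main__":
    # Constructed latency samples (ms) against a 100 ms threshold.
    print(fastfail_wait_ms(200, 2, 50))                      # 300.0
    print(brownout_timeline(100, [120, 130, 125, 90, 80, 70]))
```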

IKE Tab

Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.

IKE

Field Description
Authentication algorithm Authentication algorithm used for IKE security association (SA).

If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, or SHA2-512. The default setting is SHA1.

If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.

NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used.
Encryption algorithm Encryption algorithm used for IKE security association (SA).

If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v1, you can select AES-CBC-128, AES-CBC-256, or auto. The default setting is auto.

If the IPSec Suite B Preset field is set to None, and the IKE Version field is set to IKE v2, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or auto.

If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.
Pseudo Random Function This field is displayed only if the IKE Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256.

For AES-GCM-128, you can select SHA2-256, SHA2-384, or SHA2-512.

For AES-GCM-256, you can select SHA2-384 or SHA2-512.
Diffie-Hellman group Diffie-Hellman Group used for IKE security association (SA) negotiation.

If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 14 through 21, 26, and 31.

If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate group.
Rekey interval/lifetime Rekey interval/lifetime of IKE security association (SA) in minutes. The default is 360 minutes.
Dead peer detection Delay time: Interval (in seconds) to check the lifetime of the IKE peer.

Retry count: Number of times to retry the connection before determining that the connection is dead. This field is not editable.
Phase 1 mode Exchange mode for the IKE security association (SA) negotiation.

If the IKE Version field is set to IKE v1, you can select Main or Aggressive.

If the IKE Version field is set to IKE v2, this field is automatically set to Aggressive.
IKE version If the IPSec Suite B Preset field on the General tab is set to None, you can select IKE v1 or IKE v2.

If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to IKE v2.

IPSec Tab

Access the following fields by clicking the IPSec tab. This tab is displayed only if the Mode field on the General tab is set to IPSec or IPSec UDP.

IPSec

Field Description
Authentication algorithm Authentication algorithm used for the IPSec security association (SA).

If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, or AES-GMAC-256. The default setting is SHA1.

If the IPSec Suite B Preset field is set to GMAC-128 or GMAC-256, this field is automatically set to the appropriate algorithm.

NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used.

If the IPSec Suite B Preset field is set to GCM-128 or GCM-256, this field is not applicable.
Encryption algorithm Encryption algorithm used for the IPSec security association (SA).

If the IPSec Suite B Preset field on the General tab is set to None, and the IPSec Authentication algorithm field is set to SHA1, SHA2-256, SHA2-384, or SHA2-512, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, NULL, or Auto. The default setting is Auto.

If the IPSec Suite B Preset field is set to None, and the IPSec Authentication algorithm field is set to AES-GMAC-128 or AES-GMAC-256, this field is automatically set to NULL.
IPSec anti-replay window Select a size from the drop-down list, or Disable to disable the IPSec anti-replay window. If a size is selected, each encrypted packet carries a unique sequence number; a packet whose sequence number has already been accepted, or that falls below the window, is dropped, which protects against an attacker replaying captured encrypted packets.
Rekey interval/lifetime Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 360 minutes.
Perfect forward secrecy group Diffie-Hellman group used for IPSec security association (SA) negotiation.
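The anti-replay window described in the IPSec table, as an added example that is not Orchestrator code: a sliding-window receiver in the style of ESP (RFC 4303), fed a constructed sequence of packet sequence numbers so that a replayed packet and a stale packet are rejected while in-window reordering is accepted. A window size of 0 stands in for the Disable setting (an assumption of this example).

```python
from typing import List


class AntiReplayWindow:
    """Sliding anti-replay window for a receiving IPSec SA.

    Bit i of `bitmap` records whether sequence number (highest - i) was
    already accepted; anything older than the window is rejected outright.
    """

    def __init__(self, window_size: int):
        self.size = window_size      # 0 = anti-replay disabled
        self.highest = 0             # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if self.size == 0:           # disabled: every packet, even a replay, is accepted
            return True
        if seq == 0:                 # sequence number 0 is never used on the wire
            return False
        if seq > self.highest:       # newer than anything seen: slide the window
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1      # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:        # older than the window: drop
            return False
        if self.bitmap & (1 << diff):
            return False             # already accepted once: replay, drop
        self.bitmap |= 1 << diff     # late but in-window and unseen: accept
        return True


def filter_sequence(window_size: int, seqs: List[int]) -> List[bool]:
    """Accept/reject decision for each sequence number in arrival order."""
    win = AntiReplayWindow(window_size)
    return [win.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: 1..5, a replay of 3, a jump to 100,
    # a stale 36, a late-but-valid 37, a replay of 37, then 40.
    arrivals = [1, 2, 3, 4, 5, 3, 100, 36, 37, 37, 40]
    print(filter_sequence(64, arrivals))
    print(filter_sequence(0, arrivals))   # disabled: replays get through
```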

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.