Tunnel Settings Tab
Orchestrator > Orchestrator Server > Tools > Tunnels Settings
This tab enables you to manage properties for tunnels created by Orchestrator. Tunnel settings are controlled on a per-label basis, such as MPLS, Internet, or LTE.
IPSec Suite B Presets
As of version 9.2, Orchestrator provides you with four IPSec Suite B presets, as follows:
- GCM-128
- GCM-256
- GMAC-128
- GMAC-256
Each preset includes a predetermined set of IKE and ESP (IPSec) cryptographic algorithms. By selecting an IPSec Suite B preset, you can streamline the algorithm aspect of your tunnel setup rather than selecting individual algorithms. However, you can select individual algorithms if you want to. To select a preset, use the IPSec Suite B Preset drop-down field on the General tab.
The following tables show the IPSec Suite B presets in the header row and provide the associated algorithm setups for the IKEv2 and ESP (IPSec) stages.
IKEv2 Stage
Parameter | GCM-128 | GCM-256 | GMAC-128 | GMAC-256 |
---|---|---|---|---|
Encryption (Note) | AES-128-CBC | AES-256-CBC | AES-128-CBC | AES-256-CBC |
Pseudo Random Function | HMAC-SHA-256 | HMAC-SHA-384 | HMAC-SHA-256 | HMAC-SHA-384 |
Integrity (IKE Data Authentication) | HMAC-SHA-256-128 | HMAC-SHA-384-192 | HMAC-SHA-256-128 | HMAC-SHA-384-192 |
Key Exchange (NIST Elliptic Curve Groups) | DH-19 256-bit Prime Size | DH-20 384-bit Prime Size | DH-19 256-bit Prime Size | DH-20 384-bit Prime Size |
ESP (IPSec) Stage
Parameter | GCM-128 | GCM-256 | GMAC-128 | GMAC-256 |
---|---|---|---|---|
Encryption | AES-128-GCM with 16 octet ICV | AES-256-GCM with 16 octet ICV | NULL | NULL |
Integrity (Data Authentication) | NULL | NULL | AES-128-GMAC | AES-256-GMAC |
Notice in the second table that encryption and data authentication are done in one step for GCM. For GMAC, there is no encryption: the ESP payload is authenticated but sent in the clear.
General Tab
Access the following fields by clicking the General Tab.
General
Field | Description |
---|---|
Mode | Indicates whether the tunnel protocol is UDP, GRE, IPSec, or IPSec UDP. The default setting is IPSec UDP. If you select IPSec, you can specify the IKE version on the IKE tab. NOTES: - If this field is set to IPSec UDP, it is recommended that you use the AES_256_GCM_16 algorithm, which performs both encryption and authentication, resulting in better performance. - Due to external firewall rules, some users may have issues with SD-WAN fabric tunnels configured in GRE mode. In these cases, it is recommended to use IPSec UDP. |
IPSec Suite B Preset | This field is available only if the Mode field is set to IPSec. Select an IPSec Suite B preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None. If IPSec Suite B Preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently. If an IPSec Suite B preset is selected, various settings on the IKE and IPSec tabs are configured automatically based on the selected preset. |
Auto max BW enabled | When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth. Enabled by default. |
Auto discover MTU enabled | When enabled, allows the appliances to discover the tunnel MTU automatically. Enabled by default. |
MTU | Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting. This field is not available if the Auto discover MTU enabled check box is selected. |
UDP destination port | Used in UDP mode. Accept the default value unless the port is blocked by a firewall. |
UDP flows | Used in UDP mode. Number of flows over which to distribute tunnel data. |
Packet
NOTE: FEC settings do not apply when overlays are used. FEC settings only apply when routing directly to an underlay via Route Policy.
Field | Description |
---|---|
Reorder wait | Maximum time (in milliseconds) the appliance holds an out-of-order packet when attempting to reorder. 100 ms is the default value and should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough. |
FEC | Forward Error Correction (FEC) can be set to enable, disable, or auto. |
FEC ratio | When FEC is set to auto, FEC will range dynamically from off to 1:10 based on detected loss. The options are 1:1, 1:2, 1:5, 1:10, or 1:20. This field is available only if FEC is set to enable. |
Tunnel Health
Field | Description |
---|---|
Retry count | Number of failed keep-alive messages allowed before the appliance brings the tunnel down. |
DSCP | Determines the DSCP marking that the keep-alive messages should use. |
FastFail Thresholds
NOTE: FastFail thresholds do not apply when overlays are used. FastFail only applies when routing directly to an underlay via Route Policy.
Field | Description |
---|---|
Fastfail enabled | When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data. The Fastfail connectivity detection algorithm computes the wait time from receipt of the last packet before declaring a brownout as Twait = Base + N * RTTavg, where Base is a value in milliseconds and N is a multiplier applied to the average Round Trip Time over the past minute. For example, if Base = 200 ms, N = 2, and RTTavg = 50 ms, then Twait = 300 ms: the appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet. In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor. The Fastfail option is triggered when a tunnel's keep-alive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous. For disable, keep-alives are sent every second, and 30 seconds elapse before failover; in that time, all transmitted data is lost. For enable, keep-alives are sent every second, and a missed reply increases the keep-alive rate from one per second to ten per second; failover occurs after one second. For continuous, keep-alives are sent continuously at ten per second, so failover occurs after one tenth of a second. |
Latency | Amount of latency in milliseconds. Thresholds for Latency, Loss, or Jitter are checked once every second. Receiving three successive measurements in a row that exceed the threshold puts the tunnel into a brownout situation and flows will attempt to fail over to another tunnel within the next 100 ms. Receiving three successive measurements in a row that drop below the threshold will drop the tunnel out of brownout. |
Loss | Amount of data lost as a percentage. |
Jitter | Amount of jitter in milliseconds. |
Fastfail wait-time base offset | Fastfail basic timeout time in milliseconds. |
Fastfail RTT multiplication factor | Amount of RTT (Round Trip Time) added to the basic timeout. |
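The Fastfail wait-time formula and the three-successive-measurements brownout rule from the table above, worked through in code. This is an added example and not appliance code: the latency series is constructed, the function names are mine, and treating a measurement equal to the threshold as not exceeding it is an assumption (the page says "exceed" and "drop below").

```python
"""Fastfail timing and threshold-based brownout detection as described on this
page. Added example, not appliance code; the measurement series is constructed."""


def fastfail_wait_ms(base_ms, rtt_multiplier, rtt_avg_ms):
    """Twait = Base + N * RTTavg, all in milliseconds.

    Base is the Fastfail wait-time base offset, N the Fastfail RTT multiplication
    factor, and RTTavg the average round trip time over the past minute."""
    return base_ms + rtt_multiplier * rtt_avg_ms


# Seconds until failover after keep-alive replies stop, per the three modes on this page.
KEEPALIVE_FAILOVER_SECONDS = {"disable": 30.0, "enable": 1.0, "continuous": 0.1}


def keepalive_rate_per_second(mode, reply_missed):
    """Keep-alive send rate: one per second normally; 'enable' steps up to ten
    per second after a missed reply, 'continuous' is always ten per second."""
    if mode == "continuous":
        return 10
    if mode == "enable" and reply_missed:
        return 10
    return 1


def brownout_events(measurements, threshold):
    """Apply the three-successive-measurements rule to a once-per-second series.

    Returns (events, in_brownout_at_end). events is a list of (second, "brownout")
    or (second, "recovered") tuples, where second is the index of the measurement
    that completed the run of three. A value equal to the threshold is treated as
    not exceeding it (assumption; the page says "exceed" and "drop below")."""
    in_brownout = False
    run_above = run_below = 0
    events = []
    for second, value in enumerate(measurements):
        if value > threshold:
            run_above += 1
            run_below = 0
        else:
            run_below += 1
            run_above = 0
        if not in_brownout and run_above >= 3:
            in_brownout = True
            events.append((second, "brownout"))   # flows fail over within ~100 ms
        elif in_brownout and run_below >= 3:
            in_brownout = False
            events.append((second, "recovered"))
    return events, in_brownout


# Constructed latency samples in ms, one per second, checked against an 80 ms threshold.
SAMPLE_LATENCY_MS = [40, 45, 90, 95, 120, 130, 60, 50, 40, 30]

if __name__ == "__main__":
    print("Twait:", fastfail_wait_ms(200, 2, 50), "ms")   # the page's worked example
    print(brownout_events(SAMPLE_LATENCY_MS, 80))
```

With the sample series, the third consecutive measurement above 80 ms arrives at second 4, so the tunnel enters brownout there, and the third consecutive measurement below the threshold at second 8 takes it out again; the same rule applies unchanged to the Loss and Jitter thresholds.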
IKE Tab
Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.
IKE
Field | Description |
---|---|
Peer Authentication | There are two options for IKE authentication: End entity certificate or Pre-shared key. Choose one of the options. End entity certificate is the recommended option. End entity certificate – If selected, select a profile from the End entity certificate profile drop-down menu. NOTE: To select an orchestrated end entity certificate profile, you must first add an EST server profile and create an appliance end entity profile with a Purpose of "SD-WAN". To do this, see End Entity Certificates Tab. If you have not created an appliance end entity certificate with a Purpose of "SD-WAN", the menu will be empty. Pre-shared key – If selected, a default value of "silverpeak" is pre-populated in the Pre-shared key field. It is recommended to change the pre-shared key per the following requirements: the pre-shared key must contain at least 8 characters and cannot contain the characters [ ] { } " # *. Maximum length is 64 characters. NOTE: If you change the pre-shared key, record the new pre-shared key you entered, as the pre-shared key configuration on both peers must match. |
Authentication algorithm | Authentication algorithm used for IKE security association (SA). If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, or SHA2-512. The default setting is SHA1. If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm. NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used. If the Encryption algorithm field is set to AES-GCM-128 or AES-GCM-256, this field will show as NA because the authentication algorithm is already included. |
Encryption algorithm | Encryption algorithm used for IKE security association (SA). If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v1, you can select AES-CBC-128, AES-CBC-256, or auto. The default setting is auto. If the IPSec Suite B Preset field is set to None, and the IKE Version field is set to IKE v2, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or auto. The default setting is auto. If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm. |
Pseudo Random Function | This field is displayed only if the IKE Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256. For AES-GCM-128, you can select SHA2-256, SHA2-384, or SHA2-512. For AES-GCM-256, you can select SHA-384 or SHA-512. |
Diffie-Hellman group | Diffie-Hellman Group used for IKE security association (SA) negotiation. If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 14 through 21, 26, and 31. If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate group. |
Rekey interval/lifetime | Rekey interval/lifetime of IKE security association (SA) in minutes. The default is 360 minutes. |
Dead peer detection | Delay time: Interval (in seconds) to check the lifetime of the IKE peer. Retry count: Number of times to retry the connection before determining that the connection is dead. This field is not editable. |
Phase 1 mode | Exchange mode for the IKE security association (SA) negotiation. If the IKE Version field is set to IKE v1, you can select Main or Aggressive. If the IKE Version field is set to IKE v2, this field is automatically set to Aggressive. |
IKE version | If the IPSec Suite B Preset field on the General tab is set to None, you can select IKE v1 or IKE v2. If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to IKE v2. |
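A configuration audit that applies the Suite B preset tables and the Peer Authentication pre-shared key requirements from this page to a set of tunnel records. This is an added example, not Orchestrator code: the flat dict layout of a tunnel record, its key names, the sample tunnels and the algorithm spellings (taken from the preset tables rather than the field drop-downs) are all assumptions made for illustration.

```python
"""Audit Orchestrator tunnel IKE/IPSec settings against the Suite B preset tables
and the pre-shared key requirements documented on this page. Added example,
not Orchestrator code; the flat dict layout of a tunnel record and its key
names are assumptions made for illustration."""

# Transcribed from the IKEv2 Stage and ESP (IPSec) Stage tables on this page.
SUITE_B_PRESETS = {
    "GCM-128": {"ike_encryption": "AES-128-CBC", "ike_prf": "HMAC-SHA-256",
                "ike_integrity": "HMAC-SHA-256-128", "ike_dh_group": 19,
                "esp_encryption": "AES-128-GCM", "esp_integrity": "NULL"},
    "GCM-256": {"ike_encryption": "AES-256-CBC", "ike_prf": "HMAC-SHA-384",
                "ike_integrity": "HMAC-SHA-384-192", "ike_dh_group": 20,
                "esp_encryption": "AES-256-GCM", "esp_integrity": "NULL"},
    "GMAC-128": {"ike_encryption": "AES-128-CBC", "ike_prf": "HMAC-SHA-256",
                 "ike_integrity": "HMAC-SHA-256-128", "ike_dh_group": 19,
                 "esp_encryption": "NULL", "esp_integrity": "AES-128-GMAC"},
    "GMAC-256": {"ike_encryption": "AES-256-CBC", "ike_prf": "HMAC-SHA-384",
                 "ike_integrity": "HMAC-SHA-384-192", "ike_dh_group": 20,
                 "esp_encryption": "NULL", "esp_integrity": "AES-256-GMAC"},
}

DEFAULT_PSK = "silverpeak"            # pre-populated value named on this page
FORBIDDEN_PSK_CHARS = set('[]{}"#*')  # characters the page disallows in a key


def check_psk(psk):
    """Return findings for a pre-shared key per the requirements on this page."""
    findings = []
    if psk == DEFAULT_PSK:
        findings.append("pre-shared key is still the pre-populated default")
    if len(psk) < 8:
        findings.append("pre-shared key must contain at least 8 characters")
    if len(psk) > 64:
        findings.append("pre-shared key exceeds the 64-character maximum")
    bad = sorted(FORBIDDEN_PSK_CHARS & set(psk))
    if bad:
        findings.append("pre-shared key contains disallowed characters: " + "".join(bad))
    return findings


def audit_tunnel(tunnel):
    """Return a list of findings for one tunnel record (constructed layout)."""
    findings = []
    preset = tunnel.get("suite_b_preset", "None")
    if preset != "None":
        if preset not in SUITE_B_PRESETS:
            return [f"unknown IPSec Suite B preset {preset!r}"]
        # A preset forces IKE v2 and pins every algorithm field to the table.
        if tunnel.get("ike_version") != "IKEv2":
            findings.append(f"preset {preset} requires IKE v2, found {tunnel.get('ike_version')}")
        for field, want in SUITE_B_PRESETS[preset].items():
            got = tunnel.get(field)
            if got != want:
                findings.append(f"{field}: preset {preset} expects {want}, found {got}")
        if preset.startswith("GMAC"):
            findings.append("GMAC preset authenticates only: ESP payload is not encrypted")
    elif tunnel.get("esp_encryption") == "NULL":
        findings.append("ESP encryption is NULL: traffic is authenticated but not confidential")
    if tunnel.get("peer_auth") == "Pre-shared key":
        findings.extend(check_psk(tunnel.get("psk", "")))
    return findings


def audit_all(tunnels):
    """Map tunnel name to findings, omitting tunnels with nothing to report."""
    return {name: found for name, t in tunnels.items() if (found := audit_tunnel(t))}


# Constructed sample records (not real tunnel settings).
SAMPLE_TUNNELS = {
    "mpls-hq-branch1": {"suite_b_preset": "GCM-256", "ike_version": "IKEv2",
                        "ike_encryption": "AES-256-CBC", "ike_prf": "HMAC-SHA-384",
                        "ike_integrity": "HMAC-SHA-384-192", "ike_dh_group": 20,
                        "esp_encryption": "AES-256-GCM", "esp_integrity": "NULL",
                        "peer_auth": "End entity certificate"},
    "inet-hq-branch2": {"suite_b_preset": "None", "ike_version": "IKEv1",
                        "esp_encryption": "NULL", "esp_integrity": "AES-GMAC-128",
                        "peer_auth": "Pre-shared key", "psk": "silverpeak"},
    "lte-hq-branch3": {"suite_b_preset": "GMAC-128", "ike_version": "IKEv1",
                       "ike_encryption": "AES-128-CBC", "ike_prf": "HMAC-SHA-256",
                       "ike_integrity": "HMAC-SHA-256-128", "ike_dh_group": 20,
                       "esp_encryption": "NULL", "esp_integrity": "AES-128-GMAC",
                       "peer_auth": "Pre-shared key", "psk": "a{b}c"},
}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_TUNNELS).items():
        print(name)
        for line in found:
            print("  -", line)
```

Of the three constructed tunnels, only the GCM-256 certificate-authenticated one passes clean; the second is flagged for NULL encryption and the unchanged default key, and the third for IKE v1 and a wrong Diffie-Hellman group under a preset, plus a key that is too short and uses disallowed characters.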
IPSec Tab
Access the following fields by clicking the IPSec tab. This tab is displayed only if the Mode field on the General tab is set to IPSec or IPSec UDP.
IPSec
Field | Description |
---|---|
Authentication algorithm | Authentication algorithm used for the IPSec security association (SA). If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, or AES-GMAC-256. The default setting is SHA1. If the IPSec Suite B Preset field is set to GMAC-128 or GMAC-256, this field is automatically set to the appropriate algorithm. If the IPSec Suite B Preset field is set to GCM-128 or GCM-256, this field is not applicable. |
Encryption algorithm | Encryption algorithm used for the IPSec security association (SA). If the IPSec Suite B Preset field on the General tab is set to None, and the IPSec Authentication algorithm field is set to SHA1, SHA2-256, SHA2-384, or SHA2-512, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, NULL, or Auto. The default setting is Auto. If the IPSec Suite B Preset field is set to None, and the IPSec Authentication algorithm field is set to AES-GMAC-128 or AES-GMAC-256, this field is automatically set to NULL. |
IPSec anti-replay window | Select a size from the drop-down list or Disable to disable the IPSec anti-replay window. If a size is selected, protection is provided against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. |
Rekey interval/lifetime | Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 360 minutes. |
Perfect forward secrecy group | Diffie-Hellman group used for IPSec security association (SA) negotiation. Based on the setting of the IPSec Suite B Preset field on the General tab, this field is set to the following Diffie-Hellman group: for None, 14 (by default); for GCM-128 or GMAC-128, 19; for GCM-256 or GMAC-256, 20. |
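The IPSec anti-replay window row above describes the protection in one sentence; the sliding-window check below shows the mechanism an anti-replay window of a given size provides, following the RFC 4303 Appendix A scheme. This is an added example, not the appliance's implementation: the class and function names are mine, the received sequence is constructed, and modelling the Disable setting as a window of size None is an assumption.

```python
"""Sliding-window anti-replay check of the kind an IPSec anti-replay window
provides, following the RFC 4303 Appendix A scheme. Added example, not the
appliance's implementation; the packet sequences below are constructed."""


class AntiReplayWindow:
    """Tracks the highest ESP sequence number accepted and a bitmap of the
    numbers received within `size` positions below it. size=None models the
    Disable setting: every sequence number is accepted, including duplicates."""

    def __init__(self, size=64):
        if size is not None and size < 32:
            raise ValueError("window must be at least 32")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set: sequence number highest - i was received
        self.started = False

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window;
        return False for a replayed number or one too old for the window."""
        if self.size is None:
            return True                      # anti-replay disabled
        if seq <= 0:
            return False                     # ESP never uses sequence number 0
        if not self.started:
            self.started, self.highest, self.bitmap = True, seq, 1
            return True
        if seq > self.highest:
            # Slide the window forward; numbers that fall off the left edge are forgotten.
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                     # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                     # already seen: replay
        self.bitmap |= 1 << offset
        return True


def filter_sequence(seqs, size=64):
    """Run received ESP sequence numbers through one window and return the
    accept/reject decision for each."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed capture: in-order packets, mild reordering, a replay of 3, a jump
# to 100, a late-but-in-window 40, a replay of 100, and a 30 that is too old.
SAMPLE_SEQUENCE = [1, 2, 3, 5, 4, 3, 100, 40, 99, 100, 30]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQUENCE, filter_sequence(SAMPLE_SEQUENCE)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

With a 64-entry window, the reordered 4 is accepted, the repeated 3 and 100 are dropped as replays, and the straggling 30 is dropped because it has fallen behind the window; with the window disabled every packet, duplicates included, is accepted. A larger window tolerates more reordering across multiple paths at the cost of a longer bitmap.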