All RansNet appliances (HSG / CMG / HSA / UA) support VPN. It is based on OpenVPN, which uses the TLS/SSL cryptographic protocols. Each peer authenticates the other with an X.509 certificate (asymmetric cryptography), and the two sides agree on a symmetric session key that is then used to encrypt the data flowing between them. This provides confidentiality of the tunneled data, and a message authentication code on each packet provides integrity and, as a by-product, authentication of the packet's origin.
mbox SSL VPN has the following key characteristics:
- It primarily runs in client-to-server VPN mode: one mbox acts as the VPN server (head end) and one mbox acts as a client (remote end). The remote/client site mbox can therefore use a dynamic/DHCP public IP address or sit behind any firewall (without punching a hole in that firewall for inbound access), because the VPN is always initiated from the remote (client) site. This is a significant advantage over traditional IPsec or GRE site-to-site tunnels, which typically require both sites to have static IP addresses that are directly reachable from each other. It is also highly scalable and easy to deploy and support.
- Two mbox gateways form a site-to-site VPN for their protected private networks. Hosts behind the mbox gateways can communicate directly, as if over a private leased line. Dynamic routing protocols (OSPF and BGP) are used to learn and advertise the routes/networks behind each gateway automatically.
- All SSLVPN tunnels can run in either tunnel mode (layer 3, the default) or tap mode (layer 2). Note: to run OSPF, bonding or bridging across an SSL tunnel, tap mode is mandatory, since those functions need a layer 2 link.
- In either tunnel or tap mode, the raw/original traffic is encapsulated and encrypted inside a virtual tunnel:
- A virtual IP address is assigned to the tunnel interface on both the server and the client.
- By default there is no address translation for raw traffic passing through the tunnel, i.e. hosts on each side "see" each other's original IP addresses.
- By default all traffic is allowed to pass through the tunnel, i.e. there is no firewall filtering inside the tunnel.
- Both unicast and multicast are supported across the tunnel.
- The SSLVPN tunnel provides data encryption, integrity and authentication:
- RSA certificates for gateway authentication
- Diffie-Hellman (DH) key agreement for deriving session keys
- SHA-512 or MD5 for data integrity
- DES/3DES/AES-256 for data encryption
Note: MD5 and single DES are retained for compatibility only; MD5 is no longer collision resistant and DES has a 56-bit key, so for new deployments select SHA-512 with AES-256.
There is significant performance degradation when using SSL VPN tunnels, due to the cost of SSL encryption (the exact figure also depends on which encryption options are used). For example, a CMG-1500 delivers wire-speed (1Gbps) routing and firewall/NAT throughput, but its maximum SSLVPN throughput can drop to around 200Mbps.
You must explicitly permit inbound TCP/1443 (or whichever port your VPN instance uses) on the VPN server so that remote clients can reach the gateway mbox. The remote (client) side needs no inbound rule, because it initiates the connection.
Configure "firewall-access xx" rules to permit the traffic that is allowed to pass through the tunnels.
A VPN instance is created on a Gateway; the configured Edge devices connect to it to establish a secured connection between Gateway and Edge.
The VPN Instance page is reached by clicking the tab when editing a Gateway in 'MFUSION CLOUD > Orchestration'.
Click on an existing VPN Instance to edit its settings.
New VPN Instance
Procedure to Create VPN Instance
- Click the button shown in Image 1 to create a new VPN instance.
- Expand the new VPN Instance panel to configure the VPN settings, as shown in Image 2.
- Toggle the panel header button to enable the VPN Instance.
- Click the 'Save Changes' button to save your settings.
Multiple VPN Instances can be added at this point as per the requirement.
Settings of VPN Instance
The fields of the VPN Instance list are explained below:
| # | Field | Description |
| --- | --- | --- |
| 01 | VPN Instance ID | Numeric identifier of the VPN instance; it must be unique across the deployment. |
| 02 | Server Public Address / VPN Port | Public IP address of the VPN server (VPN Gateway) and the TCP port the instance listens on. This is the port that must be permitted inbound on the server (TCP/1443 in the firewall note above). |
| 03 | Tunnel Address Pool | Address range from which clients connecting through the VPN tunnel are assigned their tunnel IP addresses. |
| 04 | Encryption Options | Four options: Default Encryption, Encryption None, AES Encryption and DES Encryption. Choose according to requirement, noting that "Encryption None" sends tunnel payload in cleartext and that DES is no longer considered secure; AES is the recommended choice. |
| 05 | VPN Mode | Tunnel mode (layer 3, default) or tap mode (layer 2), as described in the characteristics above. Tap mode is required when OSPF, bonding or bridging runs across the tunnel. |
| 06 | OSPF Options | Hello Interval, Dead Interval, Transmit Delay, Re-transmit Interval, MTU Ignore. |
| 07 | Other Options | Allow Inter-Client Connection, Bind Instance to Interface/Link, Track Host IP/Interval. |
After the above configuration, User can Start/Stop the VPN Instance by toggling the panel header button, and clicking the ‘Save Changes‘ button.
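The settings above interact: OSPF needs tap mode, the encryption choice decides whether the tunnel actually protects anything, and the server port is the one inbound hole the head end must open. The following added example (not RansNet/mbox code; written for this page) encodes those rules as a consistency check over a VPN instance definition, then renders the equivalent OpenVPN server directives. The field names follow the table above; the mapping of "Default Encryption" to AES-256 with SHA-512, the OpenVPN directives and the iptables rule are assumptions about the underlying OpenVPN and Linux layers, not the mbox's own CLI syntax, and the addresses are constructed documentation values.

```python
"""Consistency check for an SSL VPN instance definition.

Added example, not RansNet/mbox code. Field names follow the VPN Instance
table on this page; the emitted OpenVPN directives and the iptables rule
are assumptions about the underlying OpenVPN/netfilter layers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Encryption options as listed on the page, mapped to assumed OpenVPN
# data-channel settings. "default" is assumed to mean AES-256 with an
# HMAC-SHA512 integrity check, the strongest pair the page lists.
ENCRYPTION = {
    "default": ("AES-256-CBC", "SHA512"),
    "aes": ("AES-256-CBC", "SHA512"),
    "des": ("DES-CBC", "SHA512"),
    "none": ("none", "SHA512"),
}


@dataclass
class VpnInstance:
    instance_id: int
    server_public_address: str
    vpn_port: int = 1443
    tunnel_pool: str = "10.99.0.0/24"   # constructed example pool
    encryption: str = "default"
    mode: str = "tun"                   # "tun" (layer 3) or "tap" (layer 2)
    ospf: bool = False
    allow_inter_client: bool = False
    track_host: Optional[str] = None
    track_interval: int = 0


def validate(inst: VpnInstance) -> List[str]:
    """Return the list of problems found; an empty list means the instance is consistent."""
    problems = []
    if inst.instance_id <= 0:
        problems.append("VPN Instance ID must be a positive integer")
    try:
        ipaddress.ip_address(inst.server_public_address)
    except ValueError:
        problems.append(f"server public address {inst.server_public_address!r} is not an IP address")
    if not 1 <= inst.vpn_port <= 65535:
        problems.append(f"VPN port {inst.vpn_port} is out of range")
    try:
        pool = ipaddress.ip_network(inst.tunnel_pool, strict=True)
        if pool.num_addresses < 4:
            problems.append("tunnel address pool too small for the server plus one client")
    except ValueError:
        problems.append(f"tunnel address pool {inst.tunnel_pool!r} is not a network prefix")
    if inst.mode not in ("tun", "tap"):
        problems.append(f"VPN mode must be tun or tap, not {inst.mode!r}")
    # Page rule: OSPF (and bonding/bridging) across the tunnel requires tap mode.
    if inst.ospf and inst.mode != "tap":
        problems.append("OSPF over the tunnel requires tap mode")
    if inst.encryption not in ENCRYPTION:
        problems.append(f"unknown encryption option {inst.encryption!r}")
    elif inst.encryption == "none":
        problems.append("encryption 'none' leaves the tunnel payload in cleartext")
    elif inst.encryption == "des":
        problems.append("single DES (56-bit key) is not acceptable for new deployments")
    if inst.track_host and inst.track_interval <= 0:
        problems.append("track host set but track interval is not positive")
    return problems


def render_server(inst: VpnInstance) -> str:
    """Render assumed OpenVPN server directives plus the one inbound firewall rule."""
    pool = ipaddress.ip_network(inst.tunnel_pool)
    cipher, auth = ENCRYPTION[inst.encryption]
    lines = [
        f"# VPN instance {inst.instance_id}",
        f"port {inst.vpn_port}",
        "proto tcp-server",
        f"dev {inst.mode}",
        f"server {pool.network_address} {pool.netmask}",
        f"cipher {cipher}",
        f"auth {auth}",
    ]
    if inst.allow_inter_client:
        lines.append("client-to-client")
    # Remote ends initiate the connection, so only the head end needs an
    # inbound rule; the client side stays closed (assumed iptables form).
    lines.append(f"# firewall: iptables -A INPUT -p tcp --dport {inst.vpn_port} -j ACCEPT")
    return "\n".join(lines)


if __name__ == "__main__":
    inst = VpnInstance(1, "203.0.113.10", mode="tap", ospf=True, allow_inter_client=True)
    for problem in validate(inst):
        print("problem:", problem)
    print(render_server(inst))
```

Running the script with `mode="tun"` and `ospf=True` reports the tap-mode requirement rather than silently producing a configuration in which OSPF adjacencies never form, and `encryption="none"` is flagged so that a tunnel without confidentiality is a conscious choice rather than an accident.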
Show/Edit Remote (Edge)
Each VPN Instance can be linked to several Edge devices, which are listed under the Show/Edit Remote panel. Once a VPN Instance has been added, it can be linked to any Edge device within the Entity. New Remote / Edge devices are added by clicking the button.
Procedure to Add VPN Remote
- Click the 'Link Remote' button, select the created instance from the 'SDWAN VPN Instances' category, select the available Edge devices, and save the changes.
- To remove a linked Edge device, click the Delete icon under the Action column.
All VPN instances between Gateways and Edges are presented graphically in the SD-WAN Topology Graph. See ‘SD-WAN Topology‘ .