SD-WAN for Central Breakout

In this lab user will learn to how to configure Hub and Spoke using OpenVPN (SSLVPN) for central breakout.

SSL VPNs are essential for central breakouts due to several reasons:

  • Security: SSL VPNs provide a secure tunnel for data transmission, which is crucial when sensitive information is being accessed or transferred through central breakouts.
  • Authentication: They ensure that only authorized users can access the network, which is important for maintaining the integrity of central resources.
  • Encryption: SSL VPNs encrypt data, making it unreadable to anyone who intercept it during transmission. This is particularly important for central breakouts where data might traverse public networks.
  • Access Control: They allow fine-grained access control to resources, ensuring users can only access what they are permitted to, which is vital for central breakouts to prevent unauthorized access to sensitive areas of the network.
  • Remote Access: SSL VPNs facilitate remote access to central resources, allowing employees to work from anywhere while still having a secure connection to the central network.

These factors of above makes SSL VPNs a necessary component for secure, authenticated, and compliant access to central resources, especially when considering the architecture of modern networks that often include cloud services and remote access requirements.

.

Required Lab Materials

  1. Public IP – Static for WAN port
  2. CMG appliance – 1 nos
  3. HSA / XE / UA – 1 nos or 2 nos or more, based on requirement
  4. Webserver or any application server
  5. Branch Internet – Open internet connection
  6. RansNet mfusion [portal10.ransnet.com] login credential for sd-wan management.

NOTE

Host’s LAN (ETH2) by default it is configured with IP 192.168.8.1/22 and enabled as DHCP server interface

.

Prerequisite

  1. Upgrade the firmware of CMG/HSA/UA/XE to the latest stable version. Refer to upgrade Host’s firmware link.
  2. Provision CMG/HSA/UA/XE to mfusion. Refer to Provision mbox appliance link.

Procedure

Configure CMG [Gateway]

STEP 1 – Configure WAN

  1. Navigate to ‘Orchestrator > Gateway‘, and click on the Gateway MAC address.
  2. Navigate to ‘Network‘ tab, Click on ‘Interface’ sub-menu and Configure WAN / ETH0 / Port1 with static ip address. Refer to New Ethernet Interface link.

STEP 2 – Configure SD-WAN SSLVPN

  1. Navigate to SD-WAN tab > Click on VPN menu

  1. Click on ‘Add VPN Instance‘ button to configure new instance.

  1. Configure the ‘VPN Instance‘, key-in the fields for the SSL VPN.
    • The main fields as listed below
      • VPN Instance ID
      • Gateway IP / FQDN
      • VPN Topology
      • VPN Network Mode
      • VPN Protocol
      • VPN Options
      • OpenVPN Encryption
      • VPN Address Pool & VPN Port number
      • Gateway Network/Prefix – Key-in open network (0.0.0.0/0).

  1. Click on then then button to push the configuration to CMG.

.

Configure Branch CPE [HSA / UA / XE]

STEP 3 – Configure WAN interface

  1. Configure WAN ETH0 / Port1 with static ip address. Refer to New Ethernet Interface link.

STEP 4 – Configure Network Route

  1. Navigate to ‘Network‘ tab > ‘Static Routing‘ sub-menu.
  2. Select Network/Prefix option from the IPv4 Route Destination field and configure the below routes. Click on button after configuring each route.
    • Default route with higher distance [Select IPv4 Administrative Distance (point 5) to configure distance]
      • ex: ip route 0.0.0.0/0 nexthop 192.168.1.254 distance 250Code for console interface
    • Route to SD-WAN Gateway
      • ex: ip route 17.5.7.8/32 nexthop 192.168.1.254Code for console interface
    • Route to portal.ransnet.com
      • ex: ip route 118.189.175.170/32 nexthop 192.168.1.254Code for console interface
    • Route DNS through default gateway to internet if VPN tunnel fails.
      • ex: ip route 8.8.8.8/32 nexthop 192.168.1.254Code for console interface

  1. Click on then button to push the config to the Branch CPE.

.

Configure Firewall Rule for Tap Interface

STEP 5 – Configure snat Rule for tap interface

  1. Navigate to ‘Security‘ tab > ‘Firewall Policies‘ menu
  2. In the ‘SNAT/Masquerade‘ section, Click on button to add a snat firewall rule.
    • ex: firewall-snat 105 overload outbound tap1Code for console interface

  1. Click on then then button to push the configuration to the Branch CPE.

.

Configure VPN Instance in Branch CPE

STEP 6 – Configure VPN Instance

  1. Navigate to ‘SD-WAN‘ tab > click on ‘VPN‘ menu
  2. From the ‘VPN Instances‘ section, Click on button
  3. Select the ‘VPN Instance ID‘ from the dropdown.

  1. Click on then then button to push the configuration to the Branch CPE.
wpChatIcon
wpChatIcon