flexiWAN uses encrypted IPSec over VxLAN tunnels between sites. The tunnel headers are described in the following figure:
The tunnel configuration supports various topologies such as hub and spoke, full mesh, or any other customized topology. Any tunnel topology can be created by selecting a set of devices, selecting Path Labels if required, and clicking “Create Tunnels” under the “Action” button. A full mesh is created between all selected devices: each pair of devices is connected point-to-point between their loopback interfaces over a secured tunnel carried across the WAN. The LAN routes are advertised across the tunnels, so the LANs behind the sites can reach each other.
The tunnel infrastructure offers:
- The ability to create a tunnel between any two sites (requesting a tunnel between sites that already have one does not create a second tunnel between them)
- Tunnels can be established directly via public IPs or from behind NAT, with a private IP on the flexiEdge WAN interface (using NAT traversal with STUN)
- Tunnels can be created with Path Labels, which offer a finer-grained way to organize your system and your underlay networks. See the Path Labels documentation section for more details.
- OSPF routing of the sites' LAN networks across the tunnel
- Every tunnel uses a loopback endpoint on each device from the range 10.100.0.0/16 and another internal loopback from the range 10.101.0.0/16
- The loopback MAC addresses are assigned from the range of 02:00:27:fd:XX:XX and 02:00:27:fe:XX:XX
- IPSec keys are generated by the flexiManage system
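The list above describes what a full mesh between selected devices means in practice: one tunnel per pair, no duplicate for a pair that is already connected, and per-tunnel loopback endpoints from 10.100.0.0/16 with MAC addresses from 02:00:27:fd:XX:XX. The following Python is an added illustrative example, not flexiWAN's or flexiManage's own code. The allocation scheme it uses (tunnel n takes the n-th /31 of 10.100.0.0/16, and the MAC reuses the loopback's last two octets) is an assumption for illustration; the page does not describe how flexiManage actually numbers tunnels or assigns addresses, and the device names are constructed.

```python
# Added illustrative example, not flexiWAN's own code: plan the tunnels a
# full mesh needs between a set of selected devices, skipping pairs that
# already have a tunnel, and allocate each tunnel's loopback endpoints from
# 10.100.0.0/16 with MAC addresses from 02:00:27:fd:XX:XX.
# ASSUMPTIONS: tunnel n takes the n-th /31 of 10.100.0.0/16 and the MAC
# reuses the loopback's last two octets; the page does not describe
# flexiManage's real allocation scheme.
import ipaddress
from itertools import combinations

LOOPBACK_RANGE = ipaddress.ip_network("10.100.0.0/16")
MAC_PREFIX = "02:00:27:fd"                         # locally administered unicast prefix
MAX_TUNNELS = LOOPBACK_RANGE.num_addresses // 2    # one /31 per tunnel


def loopback_pair(tunnel_num):
    """Two /31 endpoint addresses for tunnel `tunnel_num` (assumed scheme)."""
    if not 0 <= tunnel_num < MAX_TUNNELS:
        raise ValueError(f"tunnel {tunnel_num} does not fit in {LOOPBACK_RANGE}")
    base = int(LOOPBACK_RANGE.network_address) + 2 * tunnel_num
    return str(ipaddress.ip_address(base)), str(ipaddress.ip_address(base + 1))


def loopback_mac(loopback_ip):
    """Assumed MAC derivation: 02:00:27:fd:<3rd octet>:<4th octet> of the loopback."""
    o3, o4 = ipaddress.ip_address(loopback_ip).packed[2:]
    return f"{MAC_PREFIX}:{o3:02x}:{o4:02x}"


def plan_full_mesh(devices, existing):
    """Return the new tunnels needed for a full mesh among `devices`.

    `existing` is a list of {"num": int, "devices": (a, b)} records for
    tunnels that already exist. A pair that already has a tunnel is skipped,
    matching the rule that no second tunnel is created between connected
    sites, so calling this twice with its own output folded into `existing`
    returns an empty plan. New tunnel numbers continue after the highest one.
    """
    connected = {frozenset(t["devices"]) for t in existing}
    next_num = max((t["num"] for t in existing), default=-1) + 1
    plan = []
    for a, b in combinations(sorted(devices), 2):
        pair = frozenset((a, b))
        if pair in connected:
            continue
        ip_a, ip_b = loopback_pair(next_num)
        plan.append({
            "num": next_num,
            "devices": (a, b),
            "endpoints": {
                a: {"loopback": ip_a, "mac": loopback_mac(ip_a)},
                b: {"loopback": ip_b, "mac": loopback_mac(ip_b)},
            },
        })
        connected.add(pair)
        next_num += 1
    return plan


if __name__ == "__main__":
    # Constructed sample: three sites, site-a and site-b already joined by tunnel 0.
    have = [{"num": 0, "devices": ("site-a", "site-b")}]
    for t in plan_full_mesh(["site-a", "site-b", "site-c"], have):
        print(t["num"], t["devices"], t["endpoints"])
```

With three sites and one pre-existing tunnel the plan contains exactly the two missing pairs; the pre-existing pair is left alone and the loopback /31s do not collide with tunnel 0's.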
Create a Tunnel
To create a tunnel, select the devices to connect and click the “Create Tunnel” button. In this example no Path Labels are selected. A full mesh of tunnels is created between all selected devices; if only two devices are selected, a single tunnel is created between them. In the example below, a full mesh is created between all three devices:
You can view your tunnels in the Inventory -> Tunnels menu:
Every created tunnel displays the two flexiEdge devices and the interface on each device that the tunnel is built over, the Path Label, the tunnel connectivity status, and the round-trip time and loss measured with ICMP between the tunnel endpoints.
The connectivity status, round-trip time and loss reflect the path currently in use between the tunnel endpoints, which is not necessarily the direct path.
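To show how the connectivity status, round-trip time and loss fields can be derived from ICMP probes between a tunnel's loopback endpoints, here is an added Python example; it is not flexiWAN's own code and the page does not say how flexiEdge or flexiManage implement the measurement. It parses the summary block printed by Linux `ping -c N`. The "up if any reply came back" rule and the 10.100.0.3 sample address are assumptions, and the two ping outputs are constructed, not captured from a deployment.

```python
# Added illustrative example, not flexiWAN's own code: derive a tunnel's
# connectivity status, round-trip time and loss from ICMP probes sent to
# the remote loopback endpoint, using the summary block of Linux `ping -c N`.
# ASSUMPTIONS: "up" means at least one reply was received; sample output
# below is constructed.
import re

_COUNTS = re.compile(r"(\d+) packets transmitted, (\d+) received")
_RTT = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")


def tunnel_status(ping_output):
    """Return {"status", "rtt_ms", "loss_pct"} from `ping -c N` output.

    Loss is computed from the transmitted/received counts rather than read
    from the '% packet loss' field, so the '+N errors' variant of the summary
    line parses the same way. When nothing came back ping prints no rtt
    line at all, so rtt_ms is None and the tunnel is reported down.
    """
    m = _COUNTS.search(ping_output)
    if not m:
        raise ValueError("no ping statistics block found")
    sent, received = int(m.group(1)), int(m.group(2))
    if sent == 0:
        raise ValueError("ping transmitted no packets")
    loss_pct = round(100.0 * (sent - received) / sent, 1)
    rtt = _RTT.search(ping_output)          # average RTT is the second field
    return {
        "status": "up" if received > 0 else "down",
        "rtt_ms": float(rtt.group(1)) if rtt else None,
        "loss_pct": loss_pct,
    }


# Constructed sample outputs (not captured from a real deployment).
PING_UP = """\
PING 10.100.0.3 (10.100.0.3) 56(84) bytes of data.
64 bytes from 10.100.0.3: icmp_seq=1 ttl=64 time=12.1 ms
64 bytes from 10.100.0.3: icmp_seq=2 ttl=64 time=13.4 ms
64 bytes from 10.100.0.3: icmp_seq=4 ttl=64 time=11.9 ms
64 bytes from 10.100.0.3: icmp_seq=5 ttl=64 time=13.2 ms

--- 10.100.0.3 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4006ms
rtt min/avg/max/mdev = 11.902/12.650/13.410/0.612 ms
"""

PING_DOWN = """\
PING 10.100.0.3 (10.100.0.3) 56(84) bytes of data.

--- 10.100.0.3 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4099ms
"""

if __name__ == "__main__":
    print(tunnel_status(PING_UP))    # {'status': 'up', 'rtt_ms': 12.65, 'loss_pct': 20.0}
    print(tunnel_status(PING_DOWN))  # {'status': 'down', 'rtt_ms': None, 'loss_pct': 100.0}
```

The probe targets the remote loopback endpoint, so what it measures is the path the tunnel is actually taking across the WAN at that moment, which is why the values in the Tunnels view can change when the underlay path changes even though the tunnel itself has not.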
A graphical representation of the tunnel configuration can also be viewed in the Dashboards -> Network menu:
Hovering the mouse over a tunnel shows the round-trip time and drop rate for that tunnel.
To delete a tunnel, click the Delete button in the Inventory -> Tunnels menu.