Tunnels

Overview

flexiWAN uses encrypted IPSec over VxLAN tunnels between sites. The tunnel headers are described in the following figure:

@startuml
skinparam defaultTextAlignment center
rectangle PKT [
   VxLAN + UDP
   --
   IPSec Tunnel
   --
   GRE
   --
   Original Packet
]
@enduml

The tunnel configuration offers various topologies such as hub and spoke, full mesh or any other customized topology. Any tunnel topology can be created by selecting a set of devices, selecting Path Labels if required and clicking “Create Tunnels” under the “Action” button. A full mesh is created between all selected devices: each pair of devices is connected point-to-point between their loopback interfaces over a secured tunnel across the WAN. The LAN routes are advertised across the tunnels so that the LANs can reach each other.

The tunnel infrastructure offers:

  • The ability to create a tunnel between every two sites (creating a tunnel between sites that already have a tunnel does not create another tunnel between them)

  • Choose between several tunnel key exchange / encryption methods: Pre-Shared Key, IKEv2 and no encryption.

  • Tunnels can be established directly via public IPs or behind NAT, with a private IP on the flexiEdge WAN interface (using NAT traversal with STUN)

  • Tunnels can be created with Path Labels, which offer a better and more fine-grained way to organize your system and your underlay networks. See the Path Labels documentation section for more details.

  • OSPF routing between the sites' LAN addresses across the tunnel

  • Every tunnel uses a loopback endpoint on each device from the range 10.100.0.0/16 and another internal loopback from the range 10.101.0.0/16

  • The loopback MAC addresses are assigned from the range of 02:00:27:fd:XX:XX and 02:00:27:fe:XX:XX

  • IPSec keys are generated by the flexiManage system

Creating a Tunnel

To create a tunnel, select the devices to connect and click the “Create Tunnel” button. In this case no Path Labels are selected. A full mesh tunnel configuration is created between all selected devices; if only two devices are selected, a single tunnel is created between them. In the example below, a full mesh is created between all three devices:

Select Tunnels

Tunnels can be viewed from the Inventory -> Tunnels menu:

Tunnels Created

Every created tunnel shows the flexiEdge devices and the interfaces over which they connect, the Path Label, the tunnel connectivity status, round-trip time, encryption type and loss, measured using ICMP between the tunnel endpoints.

Note

The connectivity status, round-trip time and loss are shown for the path currently selected between the tunnel endpoints, even if that path is not a direct one.

A graphical representation of the tunnel configuration can also be viewed in the Dashboards -> Network menu:

Tunnels Network

Hovering the mouse over a tunnel shows the round-trip time and drop rate for that tunnel.

Deleting a Tunnel

One or more tunnels can be deleted. To delete tunnels, go to the Tunnels page, select one or more tunnels and click the “Delete tunnels” button.

Tunnels delete

Changing Tunnel Key Exchange Type

flexiWAN supports several tunnel key exchange / encryption types:

  • PSK - Pre-Shared Key, used by default

  • IKEv2

  • None - No encryption at all

The tunnel key exchange type is managed at the organization level. To change the method, navigate to Account > Organizations and click the organization settings:

Change encryption 0

Then, in the Update organization section, change the tunnel key exchange method to your preference and save.

Change encryption 1

Please note that tunnels must be re-added for the key exchange change to take effect. Tunnels that existed before the key exchange method was changed are not removed; they must be deleted and re-created to use the new method.
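Because existing tunnels are not updated when the organization's key exchange method changes, an operator will want to find tunnels that still use the old method, as well as any tunnel created with no encryption. The check below is an added example, not flexiWAN's own code or API: it audits a constructed tunnel inventory (the `Tunnel` record layout is an assumption; flexiManage exports are not in this format) against the organization setting and the loopback ranges documented above.

```python
import ipaddress
from dataclasses import dataclass

# Tunnel loopback ranges documented for flexiWAN tunnels.
LOOPBACK_NETS = [ipaddress.ip_network("10.100.0.0/16"),
                 ipaddress.ip_network("10.101.0.0/16")]
# Key exchange / encryption types the organization setting can take.
VALID_METHODS = {"psk", "ikev2", "none"}


@dataclass
class Tunnel:
    """Assumed inventory record; not flexiManage's real export format."""
    num: int
    device_a: str
    device_b: str
    loopback_a: str
    loopback_b: str
    method: str  # key exchange type the tunnel was created with


def audit_tunnels(tunnels, org_method):
    """Return (tunnel number, finding) pairs for tunnels needing attention."""
    findings = []
    org = org_method.lower()
    for t in tunnels:
        m = t.method.lower()
        if m not in VALID_METHODS:
            findings.append((t.num, f"unknown key exchange type '{t.method}'"))
        elif m != org:
            # Existing tunnels keep their old method until re-created.
            findings.append((t.num, f"uses {t.method} but organization is set "
                                    f"to {org_method}: delete and re-create"))
        if m == "none":
            findings.append((t.num, "tunnel carries traffic without encryption"))
        for lb in (t.loopback_a, t.loopback_b):
            if not any(ipaddress.ip_address(lb) in net for net in LOOPBACK_NETS):
                findings.append((t.num, f"loopback {lb} outside documented ranges"))
    return findings


# Constructed sample inventory: three devices, full mesh.
TUNNELS = [
    Tunnel(1, "edge-a", "edge-b", "10.100.0.1", "10.100.0.2", "psk"),
    Tunnel(2, "edge-a", "edge-c", "10.100.0.3", "10.100.0.4", "ikev2"),
    Tunnel(3, "edge-b", "edge-c", "10.100.0.5", "192.168.5.1", "none"),
]

if __name__ == "__main__":
    for num, finding in audit_tunnels(TUNNELS, "IKEv2"):
        print(f"tunnel {num}: {finding}")
```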