flexiWAN uses encrypted IPSec over VxLAN tunnels between sites. The tunnel headers are described in the following figure:

[Figure: tunnel header stack, outermost first: VxLAN + UDP / IPSec Tunnel / Original Packet]

The tunnel configuration enables various topologies such as hub and spoke, full mesh or any other custom topology. Any tunnel topology can be created by selecting a set of devices and then clicking on “Create Tunnels” under the “Action” button. From there users can optionally select Path Labels if required and then pick between tunnel topologies. A full mesh will be created between all selected devices, so that the devices are connected point-to-point between their loopback interfaces over the secured tunnel toward the WAN. The LAN routes will be advertised across the tunnel, and the LANs will be able to reach each other.

The tunnel infrastructure offers:

  • The ability to create a tunnel between every two sites (creating a tunnel between sites that already have a tunnel does not create another tunnel between them)

  • Choose between several tunnel key exchange / encryption methods: Pre-Shared Key, IKEv2 and no encryption.

  • Tunnels can be established directly via public IPs or behind NAT, with a private IP on the flexiEdge WAN (using NAT Traversal - STUN)

  • Tunnels can be created with Path Labels, which offer a better and finer-grained way to organize your system and your underlay networks. See the Path Labels documentation section for more details.

  • OSPF routing between the sites’ LAN addresses across the tunnel, where the OSPF cost can be user specified.

  • BGP routing between the sites’ LANs across the tunnel.

  • MSS Clamping is enabled by default and can be disabled from the advanced options.

  • The default tunnel MTU is 1500 bytes; it can be customized from the advanced options.

  • Every tunnel uses a loopback endpoint on each device from the range and another internal loopback from the range

  • The loopback MAC addresses are assigned from the range of 02:00:27:fd:XX:XX and 02:00:27:fe:XX:XX

  • IPSec keys are generated by the flexiManage system

  • Tunnel AI Based Network Healing

Tunnel Management

Creating a Tunnel

To create a tunnel, select two or more devices and click on the “Action” button. From there select “Create Tunnels”.

Select Tunnels

The Create Tunnel wizard opens to assist with choosing the tunnel topology and Path Labels. Supported tunnel topologies are Full-Mesh and Hub & Spoke. By default, Full-Mesh is selected.


It is also possible to deploy a Hub & Spoke topology when three or more devices are selected. In that case, simply select the hub site from the drop-down.


If only two devices are selected for tunnel creation, direct tunnels will be created regardless of topology selection.
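The selection rules above, modelled as an added example (not flexiManage code): a full mesh between all selected devices, hub-and-spoke around a chosen hub when three or more devices are selected, a direct tunnel when only two are selected, and no duplicate where a tunnel already exists. Device names and the `existing` list are constructed inputs.

```python
"""Plan which tunnels a Create Tunnels action would add for a device selection.

Added example, not flexiManage code. It encodes the rules this page describes:
full mesh between all selected devices, hub-and-spoke when three or more
devices are selected and a hub is chosen, a direct tunnel when only two
devices are selected, and no second tunnel where one already exists.
"""
from itertools import combinations


def _pair(a, b):
    # A tunnel is undirected: (A, B) and (B, A) are the same tunnel.
    return tuple(sorted((a, b)))


def plan_tunnels(devices, topology="full-mesh", hub=None, existing=()):
    """Return the set of new (device_a, device_b) tunnels to create."""
    devices = list(dict.fromkeys(devices))   # keep order, drop repeated names
    if len(devices) < 2:
        raise ValueError("select at least two devices")
    # Two devices: a direct tunnel regardless of the selected topology.
    if len(devices) == 2 or topology == "full-mesh":
        wanted = {_pair(a, b) for a, b in combinations(devices, 2)}
    elif topology == "hub-and-spoke":
        if hub not in devices:
            raise ValueError("hub must be one of the selected devices")
        wanted = {_pair(hub, spoke) for spoke in devices if spoke != hub}
    else:
        raise ValueError(f"unknown topology: {topology}")
    # Sites that already share a tunnel do not get another one.
    already = {_pair(a, b) for a, b in existing}
    return wanted - already


if __name__ == "__main__":
    # Constructed sites: a hub-and-spoke plan where one tunnel already exists.
    print(plan_tunnels(["HQ", "Branch1", "Branch2"], "hub-and-spoke",
                       hub="HQ", existing=[("Branch1", "HQ")]))
```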

Tunnels can be viewed from the Inventory -> Tunnels menu:

Tunnels Created

Every created tunnel shows the flexiEdge devices and the interfaces through which they connect, the Path Label, the tunnel connectivity status, and the round-trip time, encryption and packet loss measured using ICMP between the tunnel endpoints.


The connectivity status, round-trip time and loss reflect the path currently selected between the tunnel endpoints, even when that path is not a direct one.

A graphical representation of the tunnel configuration can also be viewed in the Dashboards -> Network menu:

Tunnels Network

Hovering the mouse over a tunnel shows the round-trip time and drop rate for that tunnel.

Deleting a Tunnel

One or more tunnels can be deleted at a time. To delete tunnels, select one or more tunnels on the Tunnels page and then click the “Delete tunnels” button.

Tunnels delete

Advanced tunnel settings

When creating tunnels between two or more sites, several advanced options can be set:

Tunnel MTU

By default 1500 bytes are used; a lower MTU can be set. The maximum supported tunnel MTU is 1500 bytes.

MSS Clamping

Enabled by default. It limits the TCP Maximum Segment Size so that segments fit within the tunnel MTU.
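MSS clamping applied to a constructed TCP SYN, as an added example (not flexiEdge code). It assumes IPv4 without IP options, so the clamp value is the tunnel MTU minus 20 bytes of IP header and 20 bytes of TCP header, and it leaves TCP checksum recomputation aside.

```python
"""Clamp the TCP MSS option of a SYN so segments fit a tunnel MTU.

Added example, not flexiEdge code. Assumes IPv4 without IP options, so the
largest segment that fits is MTU - 20 (IP) - 20 (TCP). The TCP checksum is
not recomputed here; a real clamp must do that as well.
"""
import struct

IPV4_HEADER = 20   # bytes, IPv4 header without options (assumption)
TCP_HEADER = 20    # bytes, fixed TCP header
MSS_KIND = 2       # TCP option kind: Maximum Segment Size


def max_mss(tunnel_mtu=1500):
    """Largest MSS whose segments still fit the tunnel MTU (1500 by default)."""
    return tunnel_mtu - IPV4_HEADER - TCP_HEADER


def clamp_mss(tcp_segment, tunnel_mtu=1500):
    """Return the segment with its MSS option lowered to max_mss() if needed."""
    seg = bytearray(tcp_segment)
    if not seg[13] & 0x02:                  # only SYN segments carry MSS
        return bytes(seg)
    data_offset = (seg[12] >> 4) * 4        # header length incl. options
    limit = max_mss(tunnel_mtu)
    i = TCP_HEADER                          # options follow the fixed header
    while i < data_offset:
        kind = seg[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding, one byte long
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:                      # malformed option, stop parsing
            break
        if kind == MSS_KIND and length == 4:
            mss = struct.unpack_from("!H", seg, i + 2)[0]
            if mss > limit:
                struct.pack_into("!H", seg, i + 2, limit)
        i += length
    return bytes(seg)


def build_syn(mss):
    """Constructed TCP SYN (port 40000 -> 443) whose only option is MSS."""
    # data offset 6 words = 20-byte header + 4-byte MSS option; flags = SYN
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", MSS_KIND, 4, mss)
```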

OSPF Cost

Used when connecting the flexiEdge LAN to an OSPF-aware device such as a smart switch. The default is none.

Advanced options

Routing can be configured to use OSPF or BGP.

Advanced options

Changing Tunnel Key Exchange Type

flexiWAN supports several tunnel key exchange / encryption types:

  • Pre-Shared Key, used by default

  • IKE version 2

  • No encryption at all

Tunnel key exchange type is managed on organizational level. To change between the methods navigate to Account > Organizations and click on organization settings:

Change encryption 0

Then from Update organization section change the tunnel key exchange method to your preference and save.

Change encryption 1

Please note that tunnels must be re-added for the key exchange change to take effect. Tunnels that existed before the change will not be removed.

Tunnel status

Once new tunnels are created between multiple flexiEdge sites, multiple connection statuses can occur, from connected and not connected, to pending and not available. Each status is covered in this section.

Connected status

Once two or more sites are fully connected, status will show as Connected.

Not Connected

When the devices are connected but the tunnels show as Not Connected, the devices have not established the tunnels yet. This message is also shown when the vRouter is not running. After tunnel provisioning, it may take a minute for the tunnel to fully connect.

Pending status

Pending status is shown when flexiWAN’s AI Based Network Healing detects issues with site connectivity. See the AI Based Network Healing section for more info.

When a tunnel is in Pending status it is not connected and has been removed from the device configuration. Hovering over the pending state shows the exact issue detected; the device waits for the issue to be resolved.

Not Available

When one of the devices is not connected to flexiManage, the tunnel status will show N/A.
