Tunnels

Overview

flexiWAN uses encrypted IPSec over VxLAN tunnels between sites. The tunnel headers are described in the following figure:

@startuml
skinparam defaultTextAlignment center
rectangle PKT [
   VxLAN + UDP
   --
   IPSec Tunnel
   --
   GRE
   --
   Original Packet
]
@enduml

The tunnel configuration enables various topologies such as hub and spoke, full mesh or any other custom topology. Any tunnel topology can be created by simply selecting a set of devices and then clicking on “Create Tunnels” under the “Action” button. From there users can optionally select Path Labels if required and then pick between tunnel topologies. In a full mesh, a tunnel is created between every pair of selected devices, so the devices are connected point-to-point between their loopback interfaces over the secured tunnel toward the WAN. The LAN routes are advertised across the tunnels, so the LANs are able to reach each other.

The tunnel infrastructure offers:

  • The ability to create a tunnel between every two sites (creating a tunnel between sites that already have a tunnel does not create another tunnel between them)

  • A choice between several tunnel key exchange / encryption methods: Pre-Shared Key, IKEv2 and no encryption.

  • Tunnels can be established directly via public IPs or behind NAT, with a private IP on the flexiEdge WAN interface (using NAT traversal via STUN).

  • Tunnels can be created with Path Labels, which offer a better and more fine-grained way to organize your system and your underlay networks. See the Path Labels documentation section for more details.

  • OSPF routing between the sites' LAN addresses across the tunnel, where the OSPF cost can be user specified.

  • BGP routing between the sites' LANs across the tunnel.

  • MSS clamping is enabled by default and can be disabled from the advanced options.

  • The default tunnel MTU is 1500 bytes and can be customized from the advanced options.

  • Every tunnel uses a loopback endpoint on each device from the range 10.100.0.0/16 and another internal loopback from the range 10.101.0.0/16.

  • The loopback MAC addresses are assigned from the ranges 02:00:27:fd:XX:XX and 02:00:27:fe:XX:XX.

  • IPSec keys are generated by the flexiManage system.

  • Tunnel AI Based Network Healing.

Tunnel Management

Creating a Tunnel

To create a tunnel, select two or more devices and click on the “Action” button. From there select “Create Tunnels”.

Select Tunnels

The Create Tunnels wizard opens to assist with the tunnel topology and Path Labels. Supported tunnel topologies are Full-Mesh and Hub & Spoke; Full-Mesh is selected by default.

Full-mesh

A Hub & Spoke topology can also be deployed when three or more devices are selected. In that case, simply select the hub site from the drop-down.

Hub-spoke

If only two devices are selected for tunnel creation, direct tunnels will be created regardless of topology selection.

Tunnels can be viewed from the Inventory -> Tunnels menu:

Tunnels Created

Every created tunnel displays the flexiEdge devices and the interfaces they connect through, the Path Label, the tunnel connectivity status, the round-trip time, the encryption, and the loss measured using ICMP between the tunnel endpoints.

Note

The connectivity status, round-trip time and loss display the status of the existing path selected between the tunnel end-points, even if no direct path is used.

A graphical representation of the tunnel configuration can also be viewed in the Dashboards -> Network menu:

Tunnels Network

Hovering the mouse over a tunnel shows the round-trip time and drop rate for that tunnel.

Deleting a Tunnel

A single tunnel or multiple tunnels can be deleted. To delete tunnels, on the Tunnels page select one or more tunnels and then click the “Delete tunnels” button.

Tunnels delete

Advanced tunnel settings

When creating tunnels between two or more sites, several advanced options can be set:

MTU

By default 1500 bytes are used; a lower MTU can be set. The maximum supported tunnel MTU is 1500 bytes.

MSS Clamping

Enabled by default; it limits the TCP Maximum Segment Size advertised by connections crossing the tunnel, reducing the size of the packets so they fit within the tunnel MTU.
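As an added worked example (not flexiWAN's own code), the following Python computes the largest inner TCP MSS that still fits one underlay packet after the VxLAN/UDP, IPSec (ESP) and GRE encapsulation shown in the Overview, and then clamps the MSS option of a TCP SYN the way MSS clamping does, updating the TCP checksum. The per-layer overheads (GRE without key or checksum, ESP with an 8-byte IV and 16-byte ICV, 4-byte padding) are assumptions for illustration; the real overhead of a tunnel depends on the cipher and options in use. The addresses and the SYN segment are constructed sample data.

```python
import struct

# Per-layer overhead in bytes. Constructed assumptions for illustration only:
# GRE without key/checksum, ESP with an 8-byte IV and a 16-byte ICV. The real
# overhead of a flexiWAN tunnel depends on the negotiated cipher and options.
OUTER_IPV4, UDP, VXLAN = 20, 8, 8
ESP_HEADER, ESP_IV, ESP_TRAILER, ESP_ICV, ESP_PAD_BLOCK = 8, 8, 2, 16, 4
GRE, INNER_IPV4, TCP_HEADER = 4, 20, 20
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def esp_overhead(cleartext_len: int) -> int:
    """Bytes ESP adds around a cleartext of this length: header, IV, padding
    up to the block size, the 2-byte trailer and the ICV."""
    pad = (-(cleartext_len + ESP_TRAILER)) % ESP_PAD_BLOCK
    return ESP_HEADER + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def max_inner_mss(underlay_mtu: int) -> int:
    """Largest TCP payload per segment that still fits one underlay packet after
    GRE + ESP + VxLAN/UDP/IPv4 encapsulation, i.e. without fragmentation."""
    for payload in range(underlay_mtu, 0, -1):
        cleartext = GRE + INNER_IPV4 + TCP_HEADER + payload
        total = OUTER_IPV4 + UDP + VXLAN + esp_overhead(cleartext) + cleartext
        if total <= underlay_mtu:
            return payload
    raise ValueError("underlay MTU too small for any payload")


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header and the segment.
    Returns 0 when run over a segment whose checksum field is already correct."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def incremental_checksum(csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 update after one 16-bit word changes: HC' = ~(~HC + ~m + m')."""
    total = (~csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def clamp_mss(segment: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a TCP SYN to max_mss if it advertises more,
    fixing the TCP checksum incrementally. Other segments pass unchanged."""
    if not segment[13] & 0x02:                 # only SYN segments carry MSS
        return segment
    seg = bytearray(segment)
    data_offset = (seg[12] >> 4) * 4
    i = 20                                      # options start after the fixed header
    while i < data_offset:
        kind = seg[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:                          # malformed option, stop parsing
            break
        if kind == TCP_OPT_MSS and length == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
                csum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, incremental_checksum(csum, old, max_mss))
            break
        i += length
    return bytes(seg)


def build_syn(src_ip: bytes, dst_ip: bytes, mss: int) -> bytes:
    """Constructed sample: a minimal TCP SYN (data offset 6) with only an MSS option."""
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    segment = header + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    mss = max_inner_mss(1500)
    clamped = clamp_mss(build_syn(src, dst, 1460), mss)
    print("tunnel MSS:", mss, "clamped SYN checksum verifies:", tcp_checksum(src, dst, clamped) == 0)
```

With the assumed overheads, a 1500-byte underlay MTU leaves 1386 bytes of TCP payload per segment, so a SYN advertising the usual 1460 is rewritten to 1386; with clamping disabled, such segments would instead rely on path-MTU discovery or fragmentation across the tunnel.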

OSPF Cost

Used when connecting the flexiEdge LAN to an OSPF-aware device such as a smart switch. The default is none.

Advanced options

Routing can be configured to use OSPF or BGP.

Advanced options

Changing Tunnel Key Exchange Type

flexiWAN supports several tunnel key exchange / encryption types:

PSK

Pre-Shared Key, used by default

IKEv2

IKE version 2

None

No encryption at all

Tunnel key exchange type is managed on organizational level. To change between the methods navigate to Account > Organizations and click on organization settings:

Change encryption 0

Then from Update organization section change the tunnel key exchange method to your preference and save.

Change encryption 1

Note

Tunnels must be re-added for the tunnel key exchange change to take effect, or wait until the tunnels are rebuilt manually due to IP or STUN port changes. Tunnels existing before the key exchange method change will not be removed.

Changing VXLAN port

flexiWAN uses VXLAN UDP port 4789 as the tunnel source port by default. Some deployments may require a different source UDP port. To change the source port from the default to a custom value, navigate to Account > Organizations to view the existing organizations and the tunnel ports they use. Select the organization on which you wish to change the port and click on the settings icon.

Note

While the source port can be set to a custom value per organization, the destination port is dictated by the network. If there is no NAT between the sites, the destination port is the same as the source port. If NAT is involved, the destination port is a different port determined by the NAT.

tunnels port

In the Organization settings navigate to VXLAN port and set a custom port. Click on Update to confirm changes.

tunnels port

Note

Changing the port number re-establishes all tunnels immediately.
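As an added example (not flexiWAN's own code), this Python parser reads the outer IPv4/UDP/VXLAN headers of a captured tunnel packet and reports the ports and VNI, flagging whether the source port is the default 4789 and whether the destination port differs from the source, which is what a NAT between the sites produces. It uses the standard IPv4, UDP and VXLAN (RFC 7348) layouts; the sample packets are constructed, with the IP and UDP checksum fields left at zero.

```python
import struct

VXLAN_DEFAULT_PORT = 4789      # flexiWAN default source UDP port
VXLAN_FLAG_VNI_VALID = 0x08    # VXLAN "I" flag: the VNI field is valid
IPPROTO_UDP = 17


def parse_outer_headers(packet: bytes) -> dict:
    """Parse the outer IPv4 + UDP + VXLAN headers of a tunnel packet and report
    addresses, ports and VNI plus two checks: whether the source port is the
    default and whether the destination port differs (NAT in the path).
    Raises ValueError if the packet is not IPv4/UDP/VXLAN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    if len(packet) < ihl + 8 + 8:
        raise ValueError("truncated UDP/VXLAN header")
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", packet, ihl)
    vx = ihl + 8                               # VXLAN header follows UDP
    if not packet[vx] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(packet[vx + 4:vx + 7], "big")
    return {
        "src_ip": ".".join(map(str, packet[12:16])),
        "dst_ip": ".".join(map(str, packet[16:20])),
        "src_port": sport,
        "dst_port": dport,
        "vni": vni,
        "default_source_port": sport == VXLAN_DEFAULT_PORT,
        "nat_translated": sport != dport,
        "inner_bytes": ulen - 8 - 8,           # encapsulated (IPSec) payload length
    }


def build_outer(src_ip: str, dst_ip: str, sport: int, dport: int, vni: int, inner: bytes) -> bytes:
    """Constructed sample packet: IPv4 + UDP + VXLAN around an opaque payload.
    IP and UDP checksums are left at zero since only header parsing is shown."""
    udp_len = 8 + 8 + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return ip + udp + vxlan + inner


if __name__ == "__main__":
    payload = b"\x00" * 40                     # stands in for the IPSec payload
    direct = build_outer("198.51.100.1", "203.0.113.5", 4789, 4789, 1, payload)
    behind_nat = build_outer("198.51.100.1", "203.0.113.5", 4789, 51234, 1, payload)
    for name, pkt in (("direct", direct), ("behind NAT", behind_nat)):
        print(name, parse_outer_headers(pkt))
```

Comparing the two fields on both ends of a capture is a quick way to confirm what the note above states: a custom port shows up in the source port, while a NAT in the path shows up as a destination port that differs from it.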

Tunnel status

Once new tunnels are created between multiple flexiEdge sites, several connection statuses can occur: Connected, Not Connected, Pending and N/A. Each status is covered in this section.

Connected status

Once two or more sites are fully connected, the status shows as Connected.

Change encryption 0

Not Connected

When the devices are connected but the tunnels show as Not Connected, the devices have not established the tunnels yet. This message is also shown when the vRouter is not running. After tunnel provisioning, it might take a minute to fully connect the tunnel.

Change encryption 0

Pending

The Pending status is shown when flexiWAN’s AI Based Network Healing detects issues with site connectivity. See the AI Based Network Healing section for more info.

When a tunnel is in the Pending status, it is not connected and has been removed from the device configuration. Hovering over the Pending state shows the exact issue detected; the device waits for the issue to be recovered.

Change encryption 0

N/A

When one of the devices is not connected to flexiManage, the tunnel status shows N/A.

Change encryption 0