Tunnels¶
This section offers a comprehensive overview of flexiWAN’s advanced tunnel management system, crafted for seamless site connectivity using encrypted IPSec over VxLAN tunnels. Ideal for setting up various network topologies like hub and spoke, full mesh, or custom configurations, this intuitive interface simplifies the creation and management of secure tunnels between sites. Equipped with diverse encryption methods, NAT Traversal, and Path Labels, this documentation provides all necessary resources for efficient, secure, and reliable network connectivity. Additionally, AI-Based Network Healing ensures robust and responsive network operations. Discover how flexiWAN can elevate network infrastructure management.
Overview¶
flexiWAN uses encrypted IPSec over VxLAN tunnels between sites. The tunnel headers are described in the following figure:
The tunnel configuration enables various topologies such as hub and spoke, full mesh or any other custom topology. Any tunnel topology can be created by simply selecting a set of devices and then clicking on “Create Tunnels” under the “Action” button. From there users can optionally select Path Labels if required and then pick between tunnel topologies. A full mesh will be created between all selected devices so that the devices are connected point-to-point between their loopback interfaces over the secured tunnel toward the WAN. The LAN routes will be advertised across the tunnel and the LANs will be able to reach each other.
The tunnel infrastructure offers:
The ability to create a tunnel between every two sites (creating a tunnel between sites that already have a tunnel does not create another tunnel between them)
Choose between several tunnel key exchange / encryption methods: Pre-Shared Key, IKEv2 and no encryption.
Tunnels can be established directly via public IPs or behind NAT, with a private IP on the flexiEdge WAN (using NAT Traversal - STUN)
Tunnels can be created with Path Labels which offer a better and more fine grain way to organize your system and your underlay networks. See Path Labels documentation section for more details.
OSPF routing between the sites' LAN addresses across the tunnel, where the OSPF cost can be user specified.
BGP routing between the sites LAN across the tunnel.
MSS Clamping is enabled by default and can be disabled from the advanced options.
The default tunnel MTU is 1500 bytes and can be customized from the advanced options.
Every tunnel uses a loopback endpoint on each device from the range 10.100.0.0/16 and another internal loopback from the range 10.101.0.0/16
The loopback MAC addresses are assigned from the range of 02:00:27:fd:XX:XX and 02:00:27:fe:XX:XX
IPSec keys are generated by the flexiManage system
Tunnel AI Based Network Healing
NAT & Tunnel Connectivity¶
flexiWAN’s NAT traversal functionality is enabled out of the box, allowing the creation of secure tunnels between flexiEdge devices, even when one or both are behind NAT. The following combinations of WAN IPs support tunnel creation:
Both sides with Public IPs: Both flexiEdges have direct public IP addresses on their WAN interfaces.
Both sides behind Full Cone NAT: Full Cone NAT allows inbound connections after an outbound request, making it compatible for tunnel creation.
One side behind NAT, one Public IP: Tunnels can be established when one device is behind NAT and the other has a public IP.
One side behind Symmetric NAT, other Public IP: flexiWAN supports this scenario, although symmetric NAT poses more challenges.
One side behind Symmetric/CGNAT and other Full Cone NAT: This combination also supports tunnel creation.
Tunnels cannot be established between two devices behind Symmetric NAT. Symmetric NAT changes both the IP address and the port for each outbound connection, making it difficult to establish direct communication between peers. In this case, a third flexiEdge site with Public IP on WAN or Full Cone NAT can act as a proxy between the sites behind Symmetric NAT / CGNAT.
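The NAT compatibility rules above can be applied to a whole device selection before creating tunnels. The following is an added example, not flexiWAN code: it classifies each device pair as directly reachable or in need of a relay site, and picks a public or Full Cone site as the relay, as the paragraph above suggests. NAT class names and the sample sites are constructed for the example.

```python
from itertools import combinations

# NAT classes named on this page; CGNAT is treated like symmetric NAT.
PUBLIC, FULL_CONE, SYMMETRIC = "public", "full_cone", "symmetric"


def direct_tunnel_possible(nat_a, nat_b):
    """Per the supported combinations above, every pairing works except
    two endpoints that are both behind symmetric NAT / CGNAT."""
    return not (nat_a == SYMMETRIC and nat_b == SYMMETRIC)


def plan_full_mesh(devices):
    """devices: {name: nat_class}.

    Returns (direct_pairs, relayed_pairs). direct_pairs lists pairs that
    can hold a direct tunnel; relayed_pairs maps each pair that cannot to
    a relay site with a public IP or Full Cone NAT, or to None when the
    selection contains no such site (the mesh cannot be completed).
    """
    direct, relayed = [], {}
    relays = [n for n, nat in devices.items() if nat in (PUBLIC, FULL_CONE)]
    for a, b in combinations(sorted(devices), 2):
        if direct_tunnel_possible(devices[a], devices[b]):
            direct.append((a, b))
        else:
            relayed[(a, b)] = relays[0] if relays else None
    return direct, relayed


# Constructed sample: one public HQ, one Full Cone branch, two symmetric branches.
SITES = {
    "hq": PUBLIC,
    "branch1": FULL_CONE,
    "branch2": SYMMETRIC,
    "branch3": SYMMETRIC,
}

if __name__ == "__main__":
    direct, relayed = plan_full_mesh(SITES)
    for pair in direct:
        print("direct tunnel:", pair)
    for pair, relay in relayed.items():
        print("no direct tunnel:", pair, "-> relay via", relay)
```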
Tunnel Management¶
Creating a Tunnel¶
To create a tunnel, select two or more devices and click on the “Action” button. From there select “Create Tunnels”.
The Create Tunnel wizard will open to assist with tunnel topologies and Path Labels. Supported tunnel topologies are Full-Mesh and Hub & Spoke. Full-Mesh is selected by default.
Hub & Spoke topology can also be deployed when three or more devices are selected. In that case simply select the hub site from the drop-down.
If only two devices are selected for tunnel creation, direct tunnels will be created regardless of topology selection.
Tunnels can be viewed from the Inventory -> Tunnels menu:
Every created tunnel displays the flexiEdge device and interface the device is connecting, Path Label, the tunnel connectivity status, round-trip time, encryption and loss measured using ICMP between the tunnel endpoints.
Note
The connectivity status, round-trip time and loss display the status of the path currently selected between the tunnel end-points, even if no direct path is used.
A graphical representation of the tunnel configuration can also be viewed in the Dashboards -> Network menu:
Hovering the mouse over a tunnel shows the round-trip time and drop rate for that tunnel.
Deleting a Tunnel¶
A single tunnel or multiple tunnels can be deleted. To delete tunnels, on the Tunnels page select one or more tunnels and then click the “Delete tunnels” button.
Advanced tunnel settings¶
When creating tunnels between two or more sites, several advanced options can be set:
- MTU
1500 bytes are used by default; a lower MTU can be set. The maximum supported tunnel MTU is 1500 bytes.
- MSS Clamping
Enabled by default; it reduces the TCP Maximum Segment Size and therefore the size of the packets carried through the tunnel.
- OSPF Cost
Used when connecting a flexiEdge LAN to an OSPF-aware device such as a smart switch. The default is none.
Routing can be configured to use OSPF or BGP.
Changing Tunnel Key Exchange Type¶
flexiWAN supports several tunnel key exchange / encryption types:
- PSK
Pre-Shared Key, used by default
- IKEv2
IKE version 2
- None
No encryption at all
Tunnel key exchange type is managed on organizational level. To change between the methods navigate to Account > Organizations and click on organization settings:
Then, from the Update organization section, change the tunnel key exchange method to your preference and save.
Note
Tunnels must be re-added for the key exchange change to take effect, or wait until the tunnels are rebuilt, whether manually or due to IP or STUN port changes. Tunnels existing before the key exchange method change will not be removed.
Changing VXLAN port¶
flexiWAN uses VXLAN UDP port 4789 as the tunnel source port by default. Some deployments may require a different source UDP port. To change the source port from the default to a custom one, navigate to Account > Organizations to view the existing organizations and the tunnel ports they use. Select the organization whose port you wish to change and click on the settings icon.
Note
While the source port can be set to a custom value per organization, the destination port is dictated by the network. If there is no NAT between the sites, the destination port will be the same as the source port. If NAT is involved, the destination will use a different port determined by the NAT.
In the Organization settings navigate to VXLAN port and set a custom port. Click on Update to confirm changes.
Note
Changing the port number will re-establish all tunnels immediately.
Changing Tunnel Network Range¶
flexiWAN uses the 10.100.0.0/16 network range for the tunnel loopback network. Once two or more devices are connected using tunnels, each device will receive an IP from the 10.100.0.0/16 default network range. The network range is specific to each organization, so different ranges can be used across multiple organizations. To change the tunnel network range, navigate to the organization settings and enter the new range in the Tunnel Range section. Click Update to apply the change.
After configuring new range, tunnels will be rebuilt automatically using the new range.
Tunnel status¶
Once new tunnels are created between multiple flexiEdge sites, several connection statuses can occur: Connected, Not Connected, Pending and N/A. Each status is covered in this section.
- Connected status
Once two or more sites are fully connected, the status will show as Connected.
- Not Connected
When the devices are connected but tunnels show as Not Connected, the devices have not established tunnels yet. This message is also shown when the vRouter is not running. After tunnel provisioning, it might take a minute for the tunnel to fully connect.
- Pending
Pending status is shown when flexiWAN’s AI Based Network Healing detects issues with site connectivity. Check the AI Based Network Healing section for more info.
When a tunnel is in Pending status it is not connected and has been removed from the device configuration. Hovering over the pending state shows the exact issue detected; the device is waiting for the issue to be recovered.
- N/A
When one of the devices is not connected to flexiManage, the tunnel status will show N/A.