flexiWAN uses encrypted IPSec over VxLAN tunnels between sites. The tunnel headers are described in the following figure:
The tunnel configuration enables various topologies such as hub and spoke, full mesh or any other custom topology. Any tunnel topology can be created by simply selecting a set of devices and then clicking on “Create Tunnels” under the “Action” button. From there users can optionally select Path Labels if required and then pick between tunnel topologies. A full mesh will be created between all selected devices, so that the devices are connected point-to-point between their loopback interfaces over the secured tunnel toward the WAN. The LAN routes will be advertised across the tunnel and the LANs will be able to reach each other.
The tunnel infrastructure offers:
- The ability to create a tunnel between every two sites (creating a tunnel between sites that already have a tunnel does not create another tunnel between them)
- A choice between several tunnel key exchange / encryption methods: Pre-Shared Key, IKEv2 and no encryption.
- Tunnels can be established directly via public IPs or behind NAT, with a private IP on the flexiEdge WAN (using NAT Traversal - STUN)
- Tunnels can be created with Path Labels, which offer a better and more fine-grained way to organize your system and your underlay networks. See the Path Labels documentation section for more details.
- OSPF routing between the sites' LAN addresses across the tunnel, where the OSPF cost can be user specified.
- BGP routing between the sites' LANs across the tunnel.
- MSS Clamping is enabled by default and can be disabled from the advanced options.
- The default tunnel MTU is 1500 bytes and can be customized from the advanced options.
- Every tunnel uses a loopback endpoint on each device from the range 10.100.0.0/16 and another internal loopback from the range 10.101.0.0/16
- The loopback MAC addresses are assigned from the ranges 02:00:27:fd:XX:XX and 02:00:27:fe:XX:XX
- IPSec keys are generated by the flexiManage system
- Tunnel AI Based Network Healing
Creating a Tunnel¶
To create a tunnel, select two or more devices and click on the “Action” button. From there select “Create Tunnels”.
The Create Tunnel wizard will open to assist with the tunnel creation topology and Path Labels. Supported tunnel topologies are Full-Mesh and Hub & Spoke. By default Full-Mesh is selected.
It is also possible to deploy a Hub & Spoke topology when three or more devices are selected. In that case simply select the hub site from the drop-down.
If only two devices are selected for tunnel creation, direct tunnels will be created regardless of topology selection.
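The selection rules above (full mesh, hub and spoke with three or more devices, a direct tunnel when only two devices are selected, and no duplicate tunnel for a pair that already has one) as a small Python planner. This is an added example, not flexiWAN's own code; the device names, the function name and the topology strings are assumptions.

```python
from itertools import combinations


def tunnel_key(dev_a, dev_b):
    """A tunnel is an unordered device pair: (A, B) and (B, A) are the same tunnel."""
    if dev_a == dev_b:
        raise ValueError("a device cannot tunnel to itself")
    return frozenset((dev_a, dev_b))


def plan_tunnels(selected, topology="full-mesh", hub=None, existing=()):
    """Return the set of *new* tunnels the wizard would create for a selection.

    Rules as documented:
      - full mesh: one tunnel between every pair of selected devices
      - hub & spoke: each non-hub device gets a tunnel to the hub
      - only two devices selected: a direct tunnel regardless of topology
      - a pair that already has a tunnel does not get a second one
    """
    selected = list(dict.fromkeys(selected))  # de-duplicate, keep order
    if len(selected) < 2:
        raise ValueError("select two or more devices")
    already = {frozenset(pair) for pair in existing}

    if len(selected) == 2 or topology == "full-mesh":
        wanted = {tunnel_key(a, b) for a, b in combinations(selected, 2)}
    elif topology == "hub-and-spoke":
        if hub not in selected:
            raise ValueError("hub must be one of the selected devices")
        wanted = {tunnel_key(hub, spoke) for spoke in selected if spoke != hub}
    else:
        raise ValueError(f"unknown topology {topology!r}")

    # Re-running the wizard on sites that are already tunnelled adds nothing.
    return wanted - already


if __name__ == "__main__":
    # Constructed device names (hypothetical sites).
    sites = ["branch-a", "branch-b", "branch-c", "hq"]
    for tunnel in sorted(plan_tunnels(sites, "hub-and-spoke", hub="hq"), key=sorted):
        print(" <-> ".join(sorted(tunnel)))
```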
Tunnels can be viewed from the Inventory -> Tunnels menu:
Every created tunnel displays the flexiEdge devices and the interfaces through which each device connects, the Path Label, the tunnel connectivity status, round-trip time, encryption, and loss measured using ICMP between the tunnel endpoints.
The connectivity status, round-trip time and loss display the status of the existing path selected between the tunnel end-points, even if no direct path is used.
A graphical representation of the tunnel configuration can also be viewed in the Dashboards -> Network menu:
Hovering the mouse over a tunnel shows the round-trip time and drop rate for that tunnel.
Deleting a Tunnel¶
A single tunnel or multiple tunnels can be deleted. To delete a tunnel, while on the Tunnels page select one or more tunnels and then click the “Delete tunnels” button.
Advanced tunnel settings¶
When creating tunnels between two or more sites, several advanced options can be set:
- MTU
By default 1500 bytes are used; this can be set to a lower MTU. The maximum supported tunnel MTU is 1500 bytes.
- MSS Clamping
Enabled by default, it limits and reduces the size of the packets / the Maximum Segment Size.
- OSPF Cost
Used when connecting the flexiEdge LAN to an OSPF-aware device such as a smart switch. Default set to none.
- Routing
Routing can be configured to use OSPF or BGP.
Changing Tunnel Key Exchange Type¶
flexiWAN supports several tunnel key exchange / encryption types:
- Pre-Shared Key, used by default
- IKE version 2
- No encryption at all
The tunnel key exchange type is managed at the organization level. To change between the methods navigate to Account > Organizations and click on the organization settings:
Then, in the Update organization section, change the tunnel key exchange method to your preference and save.
Tunnels must be re-added for the tunnel encryption key exchange change to take effect, or wait until the tunnels are rebuilt manually due to IP or STUN port changes. Tunnels existing before the encryption key exchange method change will not be removed.
Changing VXLAN port¶
flexiWAN uses VXLAN UDP port 4789 as the tunnel source port by default. Some deployments may require changing to a different source UDP port. To change the source port from the default to a custom one, navigate to Account > Organizations to view the existing organizations and the tunnel ports used. Select the organization on which you wish to change the port and click on the settings icon.
While the source port can be set to a custom value per organization, the destination port is dictated by the network. If there is no NAT between the sites, the destination port will be the same as the source port. If NAT is involved, the destination will use a different port, determined by the NAT.
In the Organization settings navigate to VXLAN port and set a custom port. Click on Update to confirm changes.
Changing port number will re-establish all tunnels immediately.
Once new tunnels are created between multiple flexiEdge sites, several connection statuses can occur, from Connected and Not Connected to Pending and Not Available. Each status is covered in this section.
- Connected status
Once two or more sites are fully connected, the status will show as Connected.
- Not Connected
When the devices are connected but the tunnels show as Not Connected, the devices have not established tunnels yet. This message is also shown when the vRouter is not running. After tunnel provisioning, it might take a minute to fully connect the tunnel.
- Pending
The Pending status is shown when flexiWAN’s AI Based Network Healing detects issues with site connectivity. Check the AI Based Network Healing section for more info.
When a tunnel is in the Pending status it is not connected and has been removed from the device configuration. Hovering over the pending state shows the exact issue detected; the device is waiting for the issue to be recovered.
- N/A
When one of the devices is not connected to flexiManage, the tunnel status will show N/A.