Overview
When workflows are used to deploy controllers, templates and devices, default encryption settings for IKE and IPSEC are applied. Depending on the enterprise's security needs, the defaults can be changed. This article walks through the steps needed to make the changes in two scenarios: during the initial deployment itself, and on an already operational network.
For the control plane, all branches use the same IKE/IPSEC settings toward controller1. The settings toward controller2 can be the same as or different from those toward controller1, but again all branches share them. The sd-wan data plane needs the same settings across the board, so all branch-to-branch settings remain identical for every branch.
Default Settings
Since the default settings can change between code versions, we recommend reviewing the configuration after deploying the controllers and templates.
> IKE/IPSEC settings for Staging VPN profile under 'Provider' Org (Controller)
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec fragmentation pre-fragmentation
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec force-nat-t disable
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec transform esp-aes128-sha1
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec mode tunnel
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec pfs-group mod-none
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec anti-replay enable
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec life duration 28000
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ipsec hello-interval send-interval 10
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike version v2
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike frag-size 576
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike group mod19
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike transform aes128-sha1
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike lifetime 28800
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike dpd-timeout 10
set orgs org-services Provider ipsec vpn-profile ************controller1-StagingIpsec ike auth-domain ************controller1-StagingIpsec-Domain
Picture 1: Default IKE Settings

Picture 2: Default IPSEC Settings

> IKE/IPSEC settings for PostStaging VPN profile under respective customer org (Controller).
Picture 3: Default IKE Settings

Picture 4: Default IPSEC Settings

> Branch SDWAN Profile on the sdwan branch (not controller)
> show configuration orgs org-services Secondary-Provider ipsec branch-sdwan-profile b2b-sdwan | display set | details
set orgs org-services Secondary-Provider ipsec branch-sdwan-profile b2b-sdwan dh-group mod19
set orgs org-services Secondary-Provider ipsec branch-sdwan-profile b2b-sdwan transform esp-aes128-gcm
set orgs org-services Secondary-Provider ipsec branch-sdwan-profile b2b-sdwan life-time 28800
set orgs org-services Secondary-Provider ipsec branch-sdwan-profile b2b-sdwan rekey-time 6300
Scenario 1
In this scenario it is assumed that the controllers, templates and device workflows are already deployed and that some or all branch devices are also activated and actively reachable from Versa Director.
Pre-Validation:
Since this is assumed to be a functional network, we need to have a pre-validation step.
Ensure that the SLAs from both controllers to all branches are up. During this process each branch will be connected to only one controller at a time while the changes are applied in sequential steps.
In the CLI, run the command show orgs org <org name> sd-wan sla-monitor status | tab on both controllers to check the SLA status to the branches within the org.
admin@controller1-cli> show orgs org Secondary-Provider sd-wan sla-monitor status | tab | nomore
SITE NAME    PATH HANDLE  REMOTE SITE NAME  FWD CLASS  LOCAL WAN LINK  REMOTE WAN LINK  LOCAL WAN LINK ID  REMOTE WAN LINK ID  PATH MTU  ADAPTIVE MONITORING  DAMP STATE  DAMP FLAPS  CONN STATE  CONN FLAPS  LAST FLAPPED
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HA-Branch-1  7344384      HA-Branch-1       fc_nc      control-1       Internet         1                  1                   1500      disable              disable     0           up          1           2w0d06h
             7344640      HA-Branch-1       fc_nc      control-1       Internet2        1                  2                   700       disable              disable     0           up          1           2w0d06h
HA-Branch-2  7540992      HA-Branch-2       fc_nc      control-1       Internet2        1                  1                   1500      disable              disable     0           up          1           2w0d06h
             7541248      HA-Branch-2       fc_nc      control-1       Internet         1                  2                   700       disable              disable     0           up          1           2w0d06h
controller2  135424       controller2       fc_nc      control-1       control-1        1                  1                   1500      disable              disable     0           up          1           11w1d01h
admin@controller2-cli> show orgs org Secondary-Provider sd-wan sla-monitor status | tab | nomore
SITE NAME    PATH HANDLE  REMOTE SITE NAME  FWD CLASS  LOCAL WAN LINK  REMOTE WAN LINK  LOCAL WAN LINK ID  REMOTE WAN LINK ID  PATH MTU  ADAPTIVE MONITORING  DAMP STATE  DAMP FLAPS  CONN STATE  CONN FLAPS  LAST FLAPPED
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HA-Branch-1  7344388      HA-Branch-1       fc_ef      control-1       Internet         1                  1                   1500      active               disable     0           up          1           2w0d06h
             7344644      HA-Branch-1       fc_ef      control-1       Internet2        1                  2                   700       active               disable     0           up          1           2w0d06h
HA-Branch-2  7540996      HA-Branch-2       fc_ef      control-1       Internet2        1                  1                   1500      active               disable     0           up          1           2w0d06h
             7541252      HA-Branch-2       fc_ef      control-1       Internet         1                  2                   700       active               disable     0           up          1           2w0d06h
controller1  69888        controller1       fc_nc      control-1       control-1        1                  1                   1500      disable              disable     0           up          1           11w1d01h
In the CLI, run the command show bgp neighbor brief <org-Control-VR> on both controllers to check the BGP status to the branches within the org.
admin@controller1-cli> show bgp neighbor brief
routing-instance: Secondary-Provider-Control-VR
Neighbor   V  MsgRcvd  MsgSent  Uptime    State/PfxRcd  PfxSent  AS
10.0.0.6   4  444747   477546   11w1d01h  18            21       64512
10.0.0.33  4  246473   247476   2w0d06h   8             29       64512
10.0.0.35  4  73550    74345    2w0d06h   7             29       64512
admin@controller2-cli> show bgp neighbor brief
routing-instance: Secondary-Provider-Control-VR
Neighbor   V  MsgRcvd  MsgSent  Uptime    State/PfxRcd  PfxSent  AS
10.0.0.2   4  260426   260080   11w1d01h  18            18       64512
10.0.0.33  4  246452   247542   2w0d06h   8             28       64512
10.0.0.35  4  73732    74560    2w0d06h   7             28       64512
Once you have verified that all branch devices have connectivity to both controllers, proceed to making configuration changes following the steps below.
Steps:
I. Update the IKE and/or IPSEC parameters for the PostStaging VPN profile of Controller1 and click 'OK' when all fields have been updated as desired.
- The following parameters can be modified for IKE security:
  - Local Auth - Shared Key (PSK)
  - Local Auth - Identity
  - Transform
  - DH Group (PFS)
  - Remote Auth is dynamically (re)generated when the device workflow is redeployed in step IV.
- The following parameters can be modified for IPSEC security:
  - Transform
  - DH Group (PFS)
Picture 5: Example of configuration change of IPSEC parameters on Controller1 customer tenant PostStaging VPN profile (Transform changed)

Once you click OK, the branch appliances will lose connectivity to the first controller but will remain connected to the second controller, so the sd-wan mesh remains fully operational. The same commands from the pre-validation step can be used to confirm this in the CLI.
Note: Controller and branch appliances will raise ipsec, bgp and sdwan alarms for this loss of connectivity.
II. Recreate the template workflows for the organization. Once deployed, the templates will automatically pick the IKE/IPSEC settings to match the controller1 configuration changes from the step above. Recreating a template will not change the branch to branch IKE/IPSEC settings.
Picture 6.1: Template workflow recreation.

Picture 6.2: Snip showing diff while redeploying workflow template

Note: If you are not using workflows, you can manually update all templates’ Controller1-Profile.
Picture 7: IPSEC settings for Controller1 VPN profile under respective customer org.

III. Under the configuration template, create a new Branch SDWAN Profile. Do not delete the existing pre-created default yet. You can use a service template for this; otherwise you will have to change it on all device templates manually.
Picture 8: Branch SDWAN Profile settings for branch templates.

IV. Commit the templates to the appliances. Once the template is successfully applied to a branch appliance, it regains connectivity with Controller1. Using the CLI commands from the pre-validation step, verify that the SLAs and BGP sessions are up to all branches.
Picture 9: Commit template window for committing a template to branch(es).

V. Similar to step I, update the IKE and/or IPSEC parameters for the PostStaging VPN profile of Controller2 and click 'OK' when all fields have been updated as desired.
VI. Repeat Step II to recreate template. This time Controller2 associated IKE/IPSEC settings will get updated on the template.
VII. Under the configuration template, delete the original SDWAN Branch Profile b2b-sdwan, while keeping the newly created profile.
VIII. Under the configuration template, update the "Branch SDWAN Profile" field of the templates' controller ipsec profiles with the newly created Branch SDWAN profile by selecting it from the dropdown.
Picture 10: Changing the Branch SDWAN profile towards Controller1 on the template.

Picture 11: Changing the Branch SDWAN profile towards Controller2 on the template.

IX. Under the configuration template, update the IKE/IPSEC parameters on controller2's ipsec profile towards controller1 within the respective org to match the controller1 PostStaging-Profile.
Picture 12: Changing the VPN Profile towards Controller1 on the controller2 configuration. In the following example it is changed for the customer tenant, because on Controller1 we changed the PostStaging VPN profile only for this customer tenant (Secondary-Provider).

X. Repeat step IV and commit the templates to the appliances. Once the template is successfully applied to a branch appliance, it regains connectivity with Controller2.
Scenario 2
In this scenario, it is assumed that the director, controllers and analytics are fully provisioned and onboarded using the controller workflow. Customer orgs or templates may or may not be deployed. Branches are not yet onboarded.
Starting from Scenario 1 above:
- Combine steps I and V into step I.
- Combine steps III and VII into step III.
- Skip/delete steps IV and VI.
Verification
Run the pre-validation commands on all devices within this customer organization to verify that all devices are operational and communicating with each other.
To verify that the new IKE/IPSEC settings have taken effect for the control plane, run the following CLI commands on the branches:
show orgs org-services <Customer Org Name> ipsec vpn-profile <Controller-Profile-Name> ike security-associations detail
show orgs org-services <Customer Org Name> ipsec vpn-profile <Controller-Profile-Name> security-associations detail
admin@HA-Branch-1-cli> show orgs org-services Secondary-Provider ipsec vpn-profile controller1-Profile ike security-associations detail
Tunnel-Id: 1183, VSN : 0
IKE Version: v2, Type: branch-sdwan
Authentication: hmac-sha256-128, Encryption: aes256-cbc, DH Group: mod19
Life Time: 28800 seconds, Remaining Life Time: 28729 seconds
Local Gateway: 10.0.0.32
Auth Type: psk, ID Type: email, ID String: HA-Branch-1@Secondary-Provider.com
SPI: 0x2007b49af95ea7f
Remote Gateway: 10.0.0.3
Auth Type: psk, ID Type: email, ID String: controller1@Secondary-Provider.com
SPI: 0x200da151e9c30cf
admin@HA-Branch-1-cli> show orgs org-services Secondary-Provider ipsec vpn-profile controller1-Profile security-associations detail
Local Gateway: 10.0.0.32
Auth Type: psk, ID Type: email, ID String: HA-Branch-1@Secondary-Provider.com
Remote Gateway: 10.0.0.3
Session Type: Control
Auth Type: psk, ID Type: email, ID String: controller1@Secondary-Provider.com
Inbound SPI: 0x2005c3e
Mode: tunnel, Protocol: esp
Authentication: hmac-sha512, Encryption: aes-cbc, Key Len: 256, PFS DH Group: mod-none
Life Time: 25667 seconds, Remaining Life Time: 25664 seconds
Life Time: 0 mbytes, Remaining Life Time: 0 mbytes
NAT Traversal: disable, Anti-replay: enable, Window Size: 65472
Traffic Selector:
Rule : ptvi515, Tunnel Routing Instance: Secondary-Provider-Control-VR
Source : /0, Proto: Any, Port: 0
Destination: /0, Proto: Any, Port: 0
Statistics:
# Packets : 0 [0 Packets/Sec]
# Bytes : 0 [0 Bytes/Sec]
# Packets decrypted : 0
# Packets dropped - Invalid : 0
# Packets dropped - Anti-replay : 0
# Packets dropped - Auth failed : 0
Outbound SPI: 0x2003612
Mode: tunnel, Protocol: esp
Authentication: hmac-sha512, Encryption: aes-cbc, Key Len: 256, PFS DH Group: mod-none
Life Time: 25667 seconds, Remaining Life Time: 25664 seconds
Life Time: 0 mbytes, Remaining Life Time: 0 mbytes
NAT Traversal: disable, Anti-replay: enable
Traffic Selector:
Rule : ptvi515, Tunnel Routing Instance: Secondary-Provider-Control-VR
Source : /0, Proto: Any, Port: 0
Destination: /0, Proto: Any, Port: 0
Statistics:
# Packets : 2 [0 Packets/Sec]
# Bytes : 80 [0 Bytes/Sec]
# Packets encrypted : 2
# Packets dropped - No SA info : 0
# Packets dropped - No mbuf : 0
# Packets dropped - Coalesce failed : 0
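As an added example (not part of the original article and not a Versa tool), the following Python script parses the two verification outputs above and compares the negotiated IKE and ESP parameters against the intended policy, so a post-change check does not depend on eyeballing the output. The sample text is an abridged copy of the output shown above, and the policy values in EXPECTED_IKE/EXPECTED_IPSEC and all function names are assumptions for this example.

```python
import re
# Constructed sample: abridged copies of the two 'security-associations detail'
# outputs shown above (values as on the page; only the lines the checker reads are kept).
IKE_SA_DETAIL = """\
IKE Version: v2, Type: branch-sdwan
Authentication: hmac-sha256-128, Encryption: aes256-cbc, DH Group: mod19
"""
IPSEC_SA_DETAIL = """\
Inbound SPI: 0x2005c3e
Mode: tunnel, Protocol: esp
Authentication: hmac-sha512, Encryption: aes-cbc, Key Len: 256, PFS DH Group: mod-none
Outbound SPI: 0x2003612
Mode: tunnel, Protocol: esp
Authentication: hmac-sha512, Encryption: aes-cbc, Key Len: 256, PFS DH Group: mod-none
"""
# Intended policy after the profile change (assumed values for this example).
EXPECTED_IKE = {"version": "v2", "auth": "hmac-sha256-128", "enc": "aes256-cbc", "dh": "mod19"}
EXPECTED_IPSEC = {"auth": "hmac-sha512", "enc": "aes-cbc", "keylen": "256", "pfs": "mod-none"}

def parse_ike(text):  # negotiated IKE SA parameters from 'ike security-associations detail'
    ver = re.search(r"IKE Version:\s*(\S+),", text)
    alg = re.search(r"Authentication:\s*(\S+),\s*Encryption:\s*(\S+),\s*DH Group:\s*(\S+)", text)
    if not (ver and alg):
        raise ValueError("unrecognised IKE SA detail output")
    return {"version": ver.group(1), "auth": alg.group(1), "enc": alg.group(2), "dh": alg.group(3)}

def parse_ipsec(text):  # one dict per child SA (inbound/outbound) from 'security-associations detail'
    sas, direction = [], None
    for line in text.splitlines():
        if (spi := re.match(r"(Inbound|Outbound) SPI:", line)):
            direction = spi.group(1).lower()  # following algorithm line belongs to this SA
        elif direction and (alg := re.match(r"Authentication:\s*(\S+),\s*Encryption:\s*(\S+),"
                                            r"\s*Key Len:\s*(\d+),\s*PFS DH Group:\s*(\S+)", line)):
            sas.append({"dir": direction, "auth": alg.group(1), "enc": alg.group(2),
                        "keylen": alg.group(3), "pfs": alg.group(4)})
    return sas

def mismatches(actual, expected):  # human-readable list of fields that deviate from policy
    return [f"{k}: got {actual.get(k)!r}, expected {v!r}" for k, v in expected.items()
            if actual.get(k) != v]

def check_control_plane(ike_text, ipsec_text, exp_ike=EXPECTED_IKE, exp_ipsec=EXPECTED_IPSEC):
    """Return policy deviations; an empty list means the SAs match the intended policy."""
    problems = ["ike " + p for p in mismatches(parse_ike(ike_text), exp_ike)]
    sas = parse_ipsec(ipsec_text)
    if len(sas) != 2:  # a healthy control tunnel has exactly one inbound and one outbound child SA
        problems.append(f"expected inbound and outbound child SAs, found {len(sas)}")
    for sa in sas:
        problems += [f"ipsec {sa['dir']} " + p for p in mismatches(sa, exp_ipsec)]
    return problems
```

Run it against the output captured from each branch after step IV and step X; a non-empty list means the branch negotiated something other than the profile you configured.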
To verify that the sd-wan data plane dynamic tunnels are up, run the CLI command show interfaces dynamic-tunnels.
admin@HA-Branch-1-cli> show interfaces dynamic-tunnels
NAME       LOCAL INTERFACE  TENANT              VRF                            LOCAL IP   REMOTE IP  OPER  ADMIN  REMOTE SITE ID  TUNNEL TYPE  REMOTE SITE NAME
---------------------------------------------------------------------------------------------------------------------------------------------------------------
dtvi-0/58  tvi-0/6.0        Secondary-Provider  Secondary-Provider-Control-VR  10.0.0.32  10.0.0.3   up    up     1               cleartext    controller1
dtvi-0/59  tvi-0/6.0        Secondary-Provider  Secondary-Provider-Control-VR  10.0.0.32  10.0.0.7   up    up     2               cleartext    controller2
dtvi-0/65  tvi-0/6.0        Secondary-Provider  Secondary-Provider-Control-VR  10.0.0.32  10.0.0.34  up    up     115             cleartext    HA-Branch-2
dtvi-0/66  tvi-0/7.0        Secondary-Provider  Secondary-Provider-Control-VR  10.0.0.33  10.0.0.35  up    up     115             secure       HA-Branch-2
ptvi1027   tvi-0/7.0        Secondary-Provider  Secondary-Provider-Control-VR  10.0.0.33  10.0.0.6   up    up     2               secure       controller2
ptvi515    tvi-0/7.0        Secondary-Provider  Secondary-Provider-Control-VR  10.0.0.33  10.0.0.2   up    up     1               secure       controller1