Overview
When controllers, templates and devices are deployed through workflows, default encryption settings for IKE and IPSEC are applied. Depending on the enterprise's security requirements, these defaults can be changed. This article walks through the steps needed to make the changes in two scenarios: one for an already operational network, and one during the initial deployment itself.
For the control plane, all branches use the same IKE/IPSEC settings towards controller1. The settings towards controller2 can be the same as or different from those towards controller1, but again they must be identical for all branches. The SD-WAN data plane needs one set of settings across the whole organization, so all branch-to-branch settings remain the same for all branches.
This article is written against Versa software version 16.1R2, but the concept extends to 16.1R1, 20.2 and later versions. All examples in this article are from service release 16.1R2-S10.
Default Settings
Since the default settings can change between code versions, we recommend reviewing the configuration after deploying the controllers and templates.
Picture1: IKE settings for Staging VPN profile under 'Provider' Org
Picture2: IPSEC settings for Staging VPN profile under 'Provider' Org
Picture3: IKE settings for PostStaging VPN profile under respective customer org.
Picture4: IPSEC settings for PostStaging VPN profile under respective customer org.
Scenario1
In this scenario it is assumed that the controllers, templates and device workflows are already deployed, and that some or all branch devices are also activated and reachable from Versa Director.
Pre-Validation:
Since this is assumed to be a functional network, a pre-validation step is required.
Ensure that all branches' SLAs are up from both controllers. During this procedure each branch will, at times, be connected to only one controller while the changes are applied in sequential steps, so a branch that is already down towards one controller would lose all control-plane connectivity when the other is changed.
In the CLI, run the command show orgs org <org name> sd-wan sla-monitor status | tab on both controllers to check the SLA status to the branches within the org.
admin@VersaController1-cli> show orgs org Customer1 sd-wan sla-monitor status | tab
                                                            LOCAL  REMOTE
                                                            WAN    WAN
                    PATH     FWD    LOCAL WAN  REMOTE WAN   LINK   LINK   ADAPTIVE    DAMP     DAMP   CONN          LAST
SITE NAME           HANDLE   CLASS  LINK       LINK         ID     ID     MONITORING  STATE    FLAPS  STATE  FLAPS  FLAPPED
------------------------------------------------------------------------------------------------------------------------------------
Customer1-Branch1   6623488  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w1d00h
Customer1-Branch2   6689024  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w1d00h
Customer1-Branch3   6754560  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w0d23h
Customer1-Branch4A  6820096  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w0d23h
Customer1-Branch4B  6885888  fc_nc  Internet   Internet     1      2      disable     disable  0      up     1      2w0d23h
VersaController2    135424   fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w1d05h
[ok][2019-10-29 23:51:34]

admin@VersaController2-cli> show orgs org Customer1 sd-wan sla-monitor status | tab
                                                            LOCAL  REMOTE
                                                            WAN    WAN
                    PATH     FWD    LOCAL WAN  REMOTE WAN   LINK   LINK   ADAPTIVE    DAMP     DAMP   CONN          LAST
SITE NAME           HANDLE   CLASS  LINK       LINK         ID     ID     MONITORING  STATE    FLAPS  STATE  FLAPS  FLAPPED
------------------------------------------------------------------------------------------------------------------------------------
Customer1-Branch1   6623488  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w1d00h
Customer1-Branch2   6689024  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w1d00h
Customer1-Branch3   6754560  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w0d23h
Customer1-Branch4A  6820096  fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w0d23h
Customer1-Branch4B  6885888  fc_nc  Internet   Internet     1      2      disable     disable  0      up     1      2w0d23h
VersaController1    69888    fc_nc  Internet   Internet     1      1      disable     disable  0      up     1      2w1d05h
[ok][2019-10-29 23:51:59]
In the CLI, run the command show bgp neighbor brief <org-Control-VR> on both controllers to check the BGP status to the branches within the org. A numeric value in the State/PfxRcd column means the session is Established; a state name (for example Active or Idle) means it is not.
admin@VersaController1-cli> show bgp neighbor brief Customer1-Control-VR
routing-instance: Customer1-Control-VR
Neighbor        V  MsgRcvd  MsgSent  Uptime    State/PfxRcd  PfxSent  AS
100.0.160.2     4  53406    53409    2w1d22h   29            44       64512
100.0.160.101   4  52674    53190    2w1d18h   6             44       64512
100.0.160.102   4  52694    53185    2w1d17h   6             44       64512
100.0.160.103   4  52655    53174    2w1d17h   5             44       64512
100.0.160.104   4  52594    53120    2w1d17h   5             44       64512
100.0.160.105   4  52540    53036    2w1d17h   5             44       64512
[ok][2019-10-30 17:31:05]

admin@VersaController2-cli> show bgp neighbor brief Customer1-Control-VR
routing-instance: Customer1-Control-VR
Neighbor        V  MsgRcvd  MsgSent  Uptime    State/PfxRcd  PfxSent  AS
100.0.160.101   4  52618    53169    2w1d18h   6             44       64512
100.0.160.102   4  52683    53209    2w1d17h   6             44       64512
100.0.160.103   4  52622    53213    2w1d17h   5             44       64512
100.0.160.104   4  52585    53129    2w1d17h   5             44       64512
100.0.160.105   4  52480    53024    2w1d17h   5             44       64512
100.0.160.1     4  53405    53402    2w1d22h   29            29       64512
[ok][2019-10-30 17:29:15]
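The same pre-validation can be scripted so the two captures are compared rather than eyeballed, which matters when the org has many more branches than the example. The following is an added example and not Versa tooling: it assumes the two command outputs were saved to text (for instance over SSH), parses them using the column layout shown in the captures above, and reports any branch that is not up, or any BGP session that is not Established, from either controller. The sample text is constructed from the article's output, trimmed to a few rows, with one SLA and one BGP failure deliberately injected to exercise the check.

```python
"""Flag any branch that is not up from BOTH controllers before changing
IKE/IPSEC settings. Added example, not Versa code; sample output below is
constructed (trimmed from the article's captures, one failure injected)."""
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Branches we expect to see from every controller (constructed list).
BRANCHES = ["Customer1-Branch1", "Customer1-Branch2"]

# Constructed: controller1's 'sla-monitor status | tab' output, shortened.
SLA_CTRL1 = """\
SITE NAME          HANDLE   CLASS  LINK      LINK      ID  ID  MONITORING  STATE    FLAPS  STATE  FLAPS  FLAPPED
----------------------------------------------------------------------------------------------------------------
Customer1-Branch1  6623488  fc_nc  Internet  Internet  1   1   disable     disable  0      up     1      2w1d00h
Customer1-Branch2  6689024  fc_nc  Internet  Internet  1   1   disable     disable  0      up     1      2w1d00h
VersaController2   135424   fc_nc  Internet  Internet  1   1   disable     disable  0      up     1      2w1d05h
"""
# Constructed: controller2's view, with Branch2 down (injected; not in the article).
SLA_CTRL2 = """\
SITE NAME          HANDLE   CLASS  LINK      LINK      ID  ID  MONITORING  STATE    FLAPS  STATE  FLAPS  FLAPPED
----------------------------------------------------------------------------------------------------------------
Customer1-Branch1  6623488  fc_nc  Internet  Internet  1   1   disable     disable  0      up     1      2w1d00h
Customer1-Branch2  6689024  fc_nc  Internet  Internet  1   1   disable     disable  0      down   2      0d00h05m
VersaController1   69888    fc_nc  Internet  Internet  1   1   disable     disable  0      up     1      2w1d05h
"""
# Constructed: 'show bgp neighbor brief' from each controller, shortened.
# A non-numeric State/PfxRcd (here "Active") means the session is not Established.
BGP_CTRL1 = """\
routing-instance: Customer1-Control-VR
Neighbor       V  MsgRcvd  MsgSent  Uptime    State/PfxRcd  PfxSent  AS
100.0.160.2    4  53406    53409    2w1d22h   29            44       64512
100.0.160.101  4  52674    53190    2w1d18h   6             44       64512
100.0.160.102  4  52694    53185    2w1d17h   6             44       64512
"""
BGP_CTRL2 = """\
routing-instance: Customer1-Control-VR
Neighbor       V  MsgRcvd  MsgSent  Uptime    State/PfxRcd  PfxSent  AS
100.0.160.101  4  52618    53169    2w1d18h   6             44       64512
100.0.160.102  4  12       15       0d00h05m  Active        0        64512
100.0.160.1    4  53405    53402    2w1d22h   29            29       64512
"""


def parse_sla(text):
    """Return {site name: CONN STATE} from the rows below the dashed separator."""
    states = {}
    in_rows = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_rows = True
            continue
        if not in_rows:
            continue
        tok = line.split()
        if len(tok) != 13:          # data rows have exactly 13 columns
            continue
        states[tok[0]] = tok[10]    # CONN STATE is the 11th column
    return states


def parse_bgp(text):
    """Return {neighbor: established?}; State/PfxRcd is numeric only when Established."""
    peers = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 8 and IPV4.match(tok[0]):
            peers[tok[0]] = tok[5].isdigit()
    return peers


def prevalidate(sla_by_ctrl, bgp_by_ctrl, branches):
    """Return a list of problems; an empty list means it is safe to proceed."""
    problems = []
    for ctrl, text in sla_by_ctrl.items():
        states = parse_sla(text)
        for branch in branches:
            if states.get(branch) != "up":
                problems.append(f"{ctrl}: SLA to {branch} is {states.get(branch, 'missing')}")
    for ctrl, text in bgp_by_ctrl.items():
        for peer, established in parse_bgp(text).items():
            if not established:
                problems.append(f"{ctrl}: BGP peer {peer} not established")
    return problems


if __name__ == "__main__":
    found = prevalidate({"VersaController1": SLA_CTRL1, "VersaController2": SLA_CTRL2},
                        {"VersaController1": BGP_CTRL1, "VersaController2": BGP_CTRL2},
                        BRANCHES)
    print("\n".join(found) or "pre-validation OK")
```

With the injected failures the script reports Branch2 down and the 100.0.160.102 session not established from controller2; both must be cleared before step I, because that branch would otherwise be isolated when controller1's profile changes.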
Once you have verified that all branch devices have connectivity to both controllers, proceed to making configuration changes following the steps below.
Steps:
I. Update the IKE and/or IPSEC parameters for the PostStaging VPN profile of Controller1 and click 'OK' when all fields have been updated as desired.
- The following parameters can be modified for IKE security.
- Local Auth - Shared Key (PSK)
- Local Auth - Identity
- Transform
- DH Group (PFS)
- Remote Auth is dynamically (re)generated when the device workflow is redeployed in step IV.
- The following parameters can be modified for IPSEC security.
- Transform
- DH Group (PFS)
Once you click OK, the branch appliances lose connectivity to the first controller but remain connected to the second controller, so the SD-WAN mesh stays fully operational. UI screen examples are shown in Picture3 and Picture4 above. The commands from the pre-validation step can be used to confirm this in the CLI.
Note: Controller and branch appliances will raise ipsec, bgp and sdwan alarms for this loss of connectivity. These are expected until the branches regain connectivity with Controller1 in step IV.
II. Recreate the template workflows for the organization. Once deployed, the templates automatically pick up the IKE/IPSEC settings matching the controller1 changes from the step above. Recreating a template does not change the branch-to-branch IKE/IPSEC settings.
Picture5: Template workflow recreation.
Note: If you are not using workflows, you can manually update all templates’ Controller1-Profile.
Picture6: IPSEC settings for Controller1 VPN profile under respective customer org.
III. Under the configuration template, create a new Branch SDWAN Profile. Do not delete the existing pre-created default profile yet; the branches still use it towards Controller2.
Picture7: Branch SDWAN Profile settings for branch templates.
IV. Commit the templates to the appliances. Once a template is successfully applied to a branch appliance, the branch regains connectivity with Controller1. Using the CLI commands from the pre-validation step, verify that SLAs and BGP are up to all branches from both controllers before continuing.
Picture8: Commit template window for committing a template to branch(es).
V. Repeating step I for the second controller, update the IKE and/or IPSEC parameters for the PostStaging VPN profile of Controller2 and click 'OK' when all fields have been updated as desired.
VI. Repeat step II to recreate the templates. This time the Controller2 IKE/IPSEC settings will be updated on the template.
VII. Under the configuration template, delete the original Branch SDWAN Profile (b2b-sdwan) while keeping the newly created profile.
VIII. Under the configuration template, update the "Branch SDWAN Profile" field of the templates' controller IPSEC profiles with the newly created Branch SDWAN Profile by selecting it from the dropdown.
Picture9: Changing the Branch SDWAN profile towards Controller1 on the template.
Picture10: Changing the Branch SDWAN profile towards Controller2 on the template.
IX. Under the configuration template, update the IKE/IPSEC parameters on controller2's IPSEC profile towards controller1 within the respective org to match controller1's PostStaging profile.
Picture11: Changing the VPN Profile towards Controller1 on the controller2 configuration.
X. Repeat step IV and commit the templates to the appliances. Once a template is successfully applied to a branch appliance, the branch regains connectivity with Controller2.
Scenario2
In this scenario, it is assumed that the director, controllers and analytics are fully provisioned and onboarded using the controller workflow. Customer orgs or templates may or may not be deployed yet. Because no branch is carrying traffic, the staged cutover of Scenario1 (one controller at a time) is not needed.
From Scenario1 above:
- Combine steps I and V into a single step I (update both controllers' PostStaging VPN profiles at once).
- Combine steps III and VII into a single step III (create the new Branch SDWAN Profile and remove the default one).
- Skip steps IV and VI.
Verification
Run the pre-validation commands on all devices within this customer organization to verify all devices are operational and communicating with each other.
To verify that the new IKE/IPSEC settings have taken effect for the control plane, run the CLI commands show orgs org-services <Customer Org Name> ipsec vpn-profile <Controller-Profile-Name> ike security-associations detail and show orgs org-services <Customer Org Name> ipsec vpn-profile <Controller-Profile-Name> security-associations detail on the branches. Compare the Authentication, Encryption and DH Group values of the IKE SA, and the Encryption, Key Len and PFS DH Group values of the IPSEC SA, against what was configured in step I; a PFS DH Group of mod-none, as in the sample output below, means no PFS is applied to the IPSEC (child) SA.
admin@Customer1-Branch1-cli> show orgs org-services Customer1 ipsec vpn-profile VersaController1-Profile ike security-associations detail
Tunnel-Id: 2, VSN : 0
  IKE Version: v2, Type: branch-sdwan
  Authentication: hmac-sha256-128, Encryption: aes256-cbc, DH Group: mod19
  Life Time: 28800 seconds, Remaining Life Time: 2967 seconds
  Local Gateway: 10.0.128.101
    Auth Type: psk, ID Type: email, ID String: [email protected]
    SPI: 0xf68caabe0f220002
  Remote Gateway: 10.0.128.1
    Auth Type: psk, ID Type: email, ID String: [email protected]
    SPI: 0x1bd13ae79fc70002
[ok][2019-10-30 21:39:58]

admin@Customer1-Branch1-cli> show orgs org-services Customer1 ipsec vpn-profile VersaController1-Profile security-associations detail
Local Gateway: 10.0.128.101
  Auth Type: psk, ID Type: email, ID String: [email protected]
Remote Gateway: 10.0.128.1
  Session Type: Control
  Auth Type: psk, ID Type: email, ID String: [email protected]
  Inbound SPI: 0x2000fc2
    Mode: tunnel, Protocol: esp
    Authentication: none, Encryption: aes-gcm, Key Len: 128, PFS DH Group: mod-none
    Life Time: 24734 seconds, Remaining Life Time: 2747 seconds
    Life Time: 0 mbytes, Remaining Life Time: 0 mbytes
    NAT Traversal: disable, Anti-replay: enable, Window Size: 65472
    Traffic Selector:
      Rule : ptvi4, Tunnel Routing Instance: Customer1-Control-VR
      Source : /0, Proto: Any, Port: 0
      Destination: /0, Proto: Any, Port: 0
    Statistics:
      # Packets : 19817 (0 Packets/Sec)
      # Bytes : 1567293 (71 Bytes/Sec)
      # Packets decrypted : 19817
      # Packets dropped - Invalid : 0
      # Packets dropped - Anti-replay : 0
      # Packets dropped - Auth failed : 0
  Outbound SPI: 0x2003e70
    Mode: tunnel, Protocol: esp
    Authentication: none, Encryption: aes-gcm, Key Len: 128, PFS DH Group: mod-none
    Life Time: 24734 seconds, Remaining Life Time: 2747 seconds
    Life Time: 0 mbytes, Remaining Life Time: 0 mbytes
    NAT Traversal: disable, Anti-replay: enable
    Traffic Selector:
      Rule : ptvi4, Tunnel Routing Instance: Customer1-Control-VR
      Source : /0, Proto: Any, Port: 0
      Destination: /0, Proto: Any, Port: 0
    Statistics:
      # Packets : 29372 (1 Packets/Sec)
      # Bytes : 9615107 (0 Bytes/Sec)
      # Packets encrypted : 29372
      # Packets dropped - No SA info : 0
      # Packets dropped - No mbuf : 0
      # Packets dropped - Coalesce failed : 0
[ok][2019-10-30 21:40:21]
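Checking that every branch actually negotiated the intended algorithms is tedious by hand once there are more than a handful of sites. The following added example (not Versa code) parses the two SA outputs above and diffs the negotiated IKE and IPSEC parameters against an intended profile. The sample text is constructed from the article's capture, trimmed, with placeholder peer IDs; the target profile (AES-256-GCM with PFS on the child SA) is hypothetical and chosen so that the sample, which negotiated a 128-bit key and no PFS, produces mismatches.

```python
"""Compare the IKE and IPSEC SAs a branch negotiated with a controller against
the intended profile. Added example, not Versa code: parsing follows the
'ike security-associations detail' / 'security-associations detail' captures
in this article; sample text and the EXPECTED profile are constructed."""
import re

# Constructed sample, trimmed from the article's IKE SA capture; peer IDs are placeholders.
IKE_SA = """\
Tunnel-Id: 2, VSN : 0
  IKE Version: v2, Type: branch-sdwan
  Authentication: hmac-sha256-128, Encryption: aes256-cbc, DH Group: mod19
  Life Time: 28800 seconds, Remaining Life Time: 2967 seconds
  Local Gateway: 10.0.128.101
    Auth Type: psk, ID Type: email, ID String: branch1@customer1.example
    SPI: 0xf68caabe0f220002
  Remote Gateway: 10.0.128.1
    Auth Type: psk, ID Type: email, ID String: controller1@customer1.example
    SPI: 0x1bd13ae79fc70002
"""
# Constructed sample, trimmed from the article's IPSEC SA capture.
IPSEC_SA = """\
Local Gateway: 10.0.128.101
Remote Gateway: 10.0.128.1
  Session Type: Control
  Inbound SPI: 0x2000fc2
    Mode: tunnel, Protocol: esp
    Authentication: none, Encryption: aes-gcm, Key Len: 128, PFS DH Group: mod-none
    Life Time: 24734 seconds, Remaining Life Time: 2747 seconds
    NAT Traversal: disable, Anti-replay: enable, Window Size: 65472
  Outbound SPI: 0x2003e70
    Mode: tunnel, Protocol: esp
    Authentication: none, Encryption: aes-gcm, Key Len: 128, PFS DH Group: mod-none
    Life Time: 24734 seconds, Remaining Life Time: 2747 seconds
    NAT Traversal: disable, Anti-replay: enable
"""

IKE_RE = re.compile(r"Authentication: (\S+), Encryption: (\S+), DH Group: (\S+)")
ESP_RE = re.compile(r"Authentication: (\S+), Encryption: (\S+), Key Len: (\d+), PFS DH Group: (\S+)")
SPI_RE = re.compile(r"(Inbound|Outbound) SPI: (0x[0-9a-fA-F]+)")
LIFE_RE = re.compile(r"Life Time: (\d+) seconds, Remaining Life Time: (\d+) seconds")


def parse_ike_sa(text):
    """Return the IKE SA's version, algorithm set and lifetime as a dict."""
    algs = IKE_RE.search(text)
    life = LIFE_RE.search(text)
    ver = re.search(r"IKE Version: (\S+),", text)
    return {
        "version": ver.group(1) if ver else None,
        "auth": algs.group(1), "enc": algs.group(2), "dh": algs.group(3),
        "lifetime": int(life.group(1)), "remaining": int(life.group(2)),
    }


def parse_ipsec_sas(text):
    """Return one dict per direction (inbound/outbound) of the child SA."""
    sas, cur = [], None
    for line in text.splitlines():
        spi = SPI_RE.search(line)
        if spi:                                   # a new direction block starts
            cur = {"direction": spi.group(1).lower(), "spi": spi.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        algs = ESP_RE.search(line)
        if algs:
            cur.update(auth=algs.group(1), enc=algs.group(2),
                       keylen=int(algs.group(3)), pfs=algs.group(4))
        if "Anti-replay:" in line:
            cur["anti_replay"] = "Anti-replay: enable" in line
    return sas


def check_policy(ike, sas, expected):
    """Return a list of mismatches between negotiated and intended parameters."""
    problems = []
    for key in ("auth", "enc", "dh"):
        want = expected["ike_" + key]
        if ike[key] != want:
            problems.append(f"IKE {key}: got {ike[key]}, want {want}")
    for sa in sas:
        for key in ("enc", "keylen", "pfs"):
            want = expected["esp_" + key]
            if sa[key] != want:
                problems.append(f"ESP {sa['direction']} {key}: got {sa[key]}, want {want}")
        if not sa.get("anti_replay", False):
            problems.append(f"ESP {sa['direction']}: anti-replay disabled")
    return problems


# Hypothetical target profile: AES-256-GCM with PFS (mod19) on the child SA.
EXPECTED = {
    "ike_auth": "hmac-sha256-128", "ike_enc": "aes256-cbc", "ike_dh": "mod19",
    "esp_enc": "aes-gcm", "esp_keylen": 256, "esp_pfs": "mod19",
}

if __name__ == "__main__":
    for problem in check_policy(parse_ike_sa(IKE_SA), parse_ipsec_sas(IPSEC_SA), EXPECTED):
        print(problem)
```

Against the sample the IKE SA passes, but both directions of the IPSEC SA are reported for a 128-bit key and PFS mod-none. Run this per branch and per controller profile after steps IV and X; an empty result from every branch is the condition for calling the change complete.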
To verify that the SD-WAN data plane dynamic tunnels are up, run the CLI command show interfaces dynamic-tunnels. Both the cleartext and the secure tunnel to each remote site should show OPER and ADMIN as up.
admin@Customer1-Branch1-cli> show interfaces dynamic-tunnels
                                                                                                     REMOTE
             LOCAL                                                                                   SITE
TUNNEL NAME  INTERFACE  TENANT     VRF                   LOCAL IP      REMOTE IP     OPER  ADMIN     ID    TYPE       REMOTE SITE NAME
-----------------------------------------------------------------------------------------------------------------------------------------
ptvi-0/35    tvi-0/4.0  Customer1  Customer1-Control-VR  10.0.128.101  10.0.128.1    up    up        1     cleartext  VersaController1
ptvi-0/36    tvi-0/4.0  Customer1  Customer1-Control-VR  10.0.128.101  10.0.128.2    up    up        2     cleartext  VersaController2
ptvi-0/44    tvi-0/4.0  Customer1  Customer1-Control-VR  10.0.128.101  10.0.128.104  up    up        104   cleartext  Customer1-Branch4A
ptvi-0/45    tvi-0/5.0  Customer1  Customer1-Control-VR  10.0.160.101  10.0.160.104  up    up        104   secure     Customer1-Branch4A
ptvi-0/46    tvi-0/4.0  Customer1  Customer1-Control-VR  10.0.128.101  10.0.128.103  up    up        103   cleartext  Customer1-Branch3
ptvi-0/47    tvi-0/5.0  Customer1  Customer1-Control-VR  10.0.160.101  10.0.160.103  up    up        103   secure     Customer1-Branch3
ptvi-0/48    tvi-0/4.0  Customer1  Customer1-Control-VR  10.0.128.101  10.0.128.102  up    up        102   cleartext  Customer1-Branch2
ptvi-0/49    tvi-0/5.0  Customer1  Customer1-Control-VR  10.0.160.101  10.0.160.102  up    up        102   secure     Customer1-Branch2
ptvi-0/50    tvi-0/4.0  Customer1  Customer1-Control-VR  10.0.128.101  10.0.128.105  up    up        105   cleartext  Customer1-Branch4B
ptvi-0/51    tvi-0/5.0  Customer1  Customer1-Control-VR  10.0.160.101  10.0.160.105  up    up        105   secure     Customer1-Branch4B
ptvi4        tvi-0/5.0  Customer1  Customer1-Control-VR  10.0.160.101  10.0.160.1    up    up        1     secure     VersaController1
ptvi5        tvi-0/5.0  Customer1  Customer1-Control-VR  10.0.160.101  10.0.160.2    up    up        2     secure     VersaController2
[ok][2019-10-30 21:46:25]