Print

VeloCloud SD-WAN 6.4 - Administration Guide - Edge to Edge Encryption Print

Edge to Edge Encryption

Starting with the 6.4.0 release, Enterprise Superusers, Enterprise Standard Admin, and Enterprise Network Admin can choose to activate or deactivate the encryption for their WAN links. This allows the Customer to turn off encryption of user data payloads through VCMP tunnels. This feature is applicable to both private and public WAN links. This only affects Edge to Edge traffic.

You can modify the Edge To Edge Encryption feature at both Profile and Edge levels. By default, the Edge inherits the encryption settings from the Profile.

This feature can also be configured through the Interface and Business Policy Rule settings of individual Edges or a Profile. Both of these configuration methods are considered when sending user data traffic to determine whether that traffic should be encrypted or unencrypted. For information on how to turn off this feature at Profile and Edge levels, see the topics Edge to Edge Encryption at the Profile level and .Edge to Edge Encryption at the Edge Level

The tables below list various configuration combinations and the resulting encryption states depending on each scenario:
Table 1. Interface
  Scenario 1 Scenario 2 Scenario 3 Scenario 4
Edge 1 (Sender) Interface: Encrypted Interface: Unencrypted Interface: Encrypted Interface: Unencrypted
Biz Policy: Encrypted Biz Policy: Encrypted Biz Policy: Encrypted Biz Policy: Encrypted
Edge 2 (Receiver) Interface: Encrypted Interface: Encrypted Interface: Unencrypted Interface: Unencrypted
Biz Policy: Encrypted Biz Policy: Encrypted Biz Policy: Encrypted Biz Policy: Encrypted
Result Encrypted Encrypted Encrypted Unencrypted
Table 2. Business Policy
  Scenario 1 Scenario 2 Scenario 3 Scenario 4
Edge 1 (Sender) Interface: Encrypted Interface: Encrypted Interface: Unencrypted Interface: Unencrypted
Biz Policy: Encrypted Biz Policy: Unencrypted Biz Policy: Encrypted Biz Policy: Unencrypted
Edge 2 (Receiver) Interface: Any Interface: Any Interface: Encrypted Interface: Unencrypted
Biz Policy: Any Biz Policy: Any Biz Policy: Any Biz Policy: Any
Result Encrypted Unencrypted Encrypted Unencrypted

Edge to Edge Encryption at the Profile level

 

The Edge to Edge Encryption feature activates by default. You can deactivate the encryption from either the Device settings screen or the Business Policy screen by following the below steps:

 

Profile - Device
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page displays the existing Profiles.
  2. Click the link to a Profile or click the View link in the Device column of the Profile. Alternatively, you can select a Profile and click Modify to configure the Profile. The configuration options for the selected Profile are displayed in the Device tab.
  3. Under the Connectivity category, click Interfaces. The Edge models available in the selected Profile are displayed.
  4. Click an Edge model to view the interfaces available in the Edge.
  5. Click the WAN interface for which you wish to modify the encryption setting The following screen is displayed.
    Figure 1. Configuring a Device Profile
  6. By default, the Edge to Edge Encryption option is activated. Deselect the check box to turn off this feature. This results in Edge to Edge communication being transmitted without SD-WAN encryption. A warning message is displayed regarding the same.
  7. Select Save.
  8. On the Device Settings screen, select Save Changes.

    You can check the status on the Monitor > Events screen. A new event Configuration applied appears for all the Edges associated with the Profile, for which this feature is deactivated.

    You can also check the status on the Monitor > Events screen, by applying the Edge to Edge Encryption filter.

Edge to Edge Encryption at the Edge Level

The Edge to Edge Encryption feature for Edges is inherited from the Profile. You can modify the encryption from either the Device settings screen or the Business Policy screen by following the below steps:

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges .
  2. Select the link to an Edge or select the View link in the Device column. The configuration options for the selected Edge display in the Device tab.
  3. Under the Connectivity section, expand Interfaces. Different types of interfaces available for the selected Edge are displayed.
  4. Select the link to the WAN interface for which you wish to modify the encryption setting.
    Figure 2. Configuring the Encryption at the Edge Level
  5. Select Override to override all the Profile level configurations.
    Note: The encryption between two Edges can be deactivated only when both Edges support this feature.
  6. Select Edge To Edge Encryption.
  7. Select Save.
  8. Starting from the 6.4.0 release, a new column named WAN Data Encryption is introduced in the WAN Link Configuration section. This column displays the encryption state of the WAN links.
    Figure 3. Displaying WAN Link Configuration
  9. On the Device settings screen, select Save Changes. A warning message is displayed with respect to the Edge service disruption. Select Accept.

Edge - Business Policy

  1. Select the link to an Edge, and then select the Business Policy tab. Alternatively, you can select the View link in the Biz. Pol column of the Edge.
  2. The existing pre-defined business policy rules are displayed.
    Figure 4. Configuring the Business Policy
  3. Starting from the 6.4.0 release, a new Edge To Edge Encryption column is introduced that displays the default state for the business policy rules. The state can be Encrypted, Unencrypted, or N/A.
    Note: N/A displays for direct business policy rules where tunnel encryption is never applicable.
  4. You can choose to deactivate this feature for certain business policy rules for which the traffic is already encrypted. Select the Business Policy rule, and go to the Action tab.
    Figure 5. Editing the Business Rule
  5. Deselect Edge To Edge Encryption, and then select Save. This causes any application traffic that matches the modified business policy rule to be sent unencrypted.

    For more information, see the topic Configure Business Policies.

..