
Configure Tunnels on VeloCloud Edge

Configure the SD-WAN layer of Orchestrator using an Edge as the endpoint for the tunnels between VeloCloud SD-WAN and Forcepoint Cloud Security Gateway. Ensure that you have configured the customer.

Configure Non SD-WAN Destination via Edge

You can define and configure a Non SD-WAN Destination instance as Forcepoint Cloud Security Gateway and establish a secure IPsec tunnel to the Forcepoint Cloud Security Gateway through a VeloCloud Edge.

Ensure that you have Administrator privileges to log in to VeloCloud Edge Cloud Orchestrator.

To configure a Non SD-WAN Destination via Edge:

  1. Log in to Orchestrator and navigate to Manage Customers.
  2. Select the link to the customer whose traffic is to be routed to Forcepoint Cloud Security Gateway.
  3. In the Enterprise portal, select Configure > Network Services.
  4. In the Non SD-WAN Destinations via Edge pane, select New to create a new Non SD-WAN Destination.
  5. In the New Non SD-WAN Destination via Edge window, configure the following:
    Figure 1. Configuring Non SD-WAN Destinations via Edge
    Table 1. Non SD-WAN Destinations via Edge Option Descriptions
    Option | Description
    Service Name | Enter a descriptive name for the Non SD-WAN Destination.
    Service Type | Select Generic IKEv2 Router (Route Based VPN) as the type.
  6. Select Next.
  7. In the next window, configure the following settings:
    Figure 2. Configuring Parameters
    Figure 3. Configuring Parameters

  8. Select Advanced to configure the other IPsec tunnel parameters for the Primary and Secondary VPN Gateways as follows:
    Table 2. Advanced Option Descriptions
    Option | Description
    Encryption | Select AES-256 from the list as the AES key length used to encrypt data.
    DH Group | Select 14 as the Diffie-Hellman (DH) group used for the key exchange. The DH group sets the strength of the algorithm in bits.
    PFS | Select Deactivated as the Perfect Forward Secrecy (PFS) level.
    Hash | Select SHA 256 from the list as the authentication algorithm for the VPN header.
    IKE SA Lifetime (min) | Enter the IKE SA lifetime in minutes. Edges should initiate rekeying before this time expires. The range is 10 to 1440 minutes; the default is 1440 minutes.
    IPsec SA Lifetime (min) | Enter the IPsec SA lifetime in minutes. Edges should initiate rekeying before this time expires. The range is 3 to 480 minutes; the default is 480 minutes.
    DPD Timeout Timer (sec) | Enter the DPD timeout value in seconds: how long the Edge waits for a response to a Dead Peer Detection (DPD) message before it considers the peer dead. Prior to the 5.1.0 release, the default value is 20 seconds. For the 5.1.0 release and later, the configured value is added to the internal DPD timer, whose defaults are:
    • Library name: Quicksec
    • Probe interval: exponential (0.5 sec, 1 sec, 2 sec, 4 sec, 8 sec, 16 sec)
    • Default minimum DPD interval: 47.5 sec (Quicksec waits 16 seconds after the last retry, so 0.5 + 1 + 2 + 4 + 8 + 16 + 16 = 47.5)
    • Default minimum DPD interval + DPD Timeout (sec): 67.5 sec
    Note: Prior to the 5.1.0 release, you can deactivate DPD by setting the DPD timeout timer to 0 seconds. For the 5.1.0 release and later, setting the DPD timeout timer to 0 seconds does not deactivate DPD; the DPD timeout value in seconds is added to the default minimum of 47.5 seconds.
  9. For the Secondary VPN Gateway, select Tunnel settings are same as Primary VPN so that the secondary tunnel uses the same settings as the Primary VPN Gateway. The Edge sets up two tunnels.
  10. Select the default values for other settings.
  11. Select Save Changes and close the window.

    The new Non SD-WAN Destination via Edge is displayed in the Network Services window:

    Figure 4. Network Services
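As an added example (not part of the VMware or Forcepoint documentation), the following Python script models the Advanced settings from Table 2 and the DPD timer arithmetic described above. It flags values that differ from what this procedure prescribes, checks both SA lifetimes against their permitted ranges, and computes the effective dead-peer timeout for releases before and after 5.1.0, including the case where a 0-second timer no longer deactivates DPD. The class, function and field names are this example's own assumptions; the numeric values come from the page.

```python
"""Added example (not from the VMware/Forcepoint page): checker for the
Advanced IPsec settings in Table 2 and the DPD timer behaviour described
for the DPD Timeout Timer. Class/function names are this example's own."""
from dataclasses import dataclass

# Probe schedule the page gives for release 5.1.0 and later (Quicksec).
QUICKSEC_PROBE_INTERVALS_SEC = (0.5, 1, 2, 4, 8, 16)
QUICKSEC_FINAL_WAIT_SEC = 16          # Quicksec waits 16 s after the last retry
PRE_510_DEFAULT_DPD_TIMEOUT_SEC = 20  # default DPD timeout before 5.1.0

# Values the page tells you to select for the Forcepoint tunnel.
EXPECTED_PROPOSAL = {"encryption": "AES-256", "dh_group": 14, "pfs": False, "hash": "SHA-256"}
# Permitted ranges for the SA lifetimes (minutes), from Table 2.
LIFETIME_RANGES_MIN = {"ike_sa_lifetime_min": (10, 1440), "ipsec_sa_lifetime_min": (3, 480)}


@dataclass
class AdvancedIpsecSettings:
    """Advanced settings of one VPN Gateway (hypothetical model, page defaults)."""
    encryption: str = "AES-256"
    dh_group: int = 14
    pfs: bool = False
    hash: str = "SHA-256"
    ike_sa_lifetime_min: int = 1440
    ipsec_sa_lifetime_min: int = 480
    dpd_timeout_sec: int = PRE_510_DEFAULT_DPD_TIMEOUT_SEC
    release: str = "5.1.0"  # software release the tunnel runs on


def _release_tuple(release: str) -> tuple:
    return tuple(int(part) for part in release.split("."))


def default_minimum_dpd_interval_sec() -> float:
    """47.5 s: the exponential probe schedule plus the final 16 s wait."""
    return sum(QUICKSEC_PROBE_INTERVALS_SEC) + QUICKSEC_FINAL_WAIT_SEC


def effective_dpd_timeout_sec(settings: AdvancedIpsecSettings) -> float:
    """Seconds of silence before the Edge declares the peer dead."""
    if _release_tuple(settings.release) < (5, 1, 0):
        # Before 5.1.0 the configured value is the whole timer; 0 disables DPD.
        return float(settings.dpd_timeout_sec)
    # From 5.1.0 the configured value is added on top of the 47.5 s minimum.
    return default_minimum_dpd_interval_sec() + settings.dpd_timeout_sec


def dpd_enabled(settings: AdvancedIpsecSettings) -> bool:
    """A 0 s timer only deactivates DPD before release 5.1.0."""
    return effective_dpd_timeout_sec(settings) > 0


def check_settings(settings: AdvancedIpsecSettings) -> list:
    """Return human-readable deviations from the values the procedure prescribes."""
    problems = []
    for field, expected in EXPECTED_PROPOSAL.items():
        actual = getattr(settings, field)
        if actual != expected:
            problems.append(f"{field}: expected {expected!r}, got {actual!r}")
    for field, (low, high) in LIFETIME_RANGES_MIN.items():
        value = getattr(settings, field)
        if not low <= value <= high:
            problems.append(f"{field}: {value} is outside {low}-{high} minutes")
    if settings.dpd_timeout_sec < 0:
        problems.append("dpd_timeout_sec: must not be negative")
    if settings.dpd_timeout_sec == 0 and dpd_enabled(settings):
        problems.append("dpd_timeout_sec: 0 does not deactivate DPD on release 5.1.0 and later")
    return problems


if __name__ == "__main__":
    prescribed = AdvancedIpsecSettings()
    print("effective DPD timeout:", effective_dpd_timeout_sec(prescribed), "s")  # 67.5
    print("problems:", check_settings(prescribed))                                # []
    # Constructed mismatch: wrong key length, PFS on, IPsec lifetime above the range.
    mismatch = AdvancedIpsecSettings(encryption="AES-128", pfs=True, ipsec_sa_lifetime_min=600)
    for problem in check_settings(mismatch):
        print("-", problem)
```

Run the script as-is to see the prescribed configuration pass and the constructed mismatch produce three findings; `effective_dpd_timeout_sec` is also useful on its own when deciding how much silence the peer may go unnoticed for before failover to the secondary tunnel.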

Configure a profile to use the new Non SD-WAN Destination via Edge. See Configure Profile with Non SD-WAN Destination via Edge.

Configure Profile with Non SD-WAN Destination via Edge

You can configure a profile to establish a VPN connection between a branch and a Non SD-WAN Destination via Edge.

Ensure that you have created a Non SD-WAN Destination via Edge with the required IPsec tunnel parameters relevant to Forcepoint Cloud Security Gateway. To create a Non SD-WAN Destination via Edge, see Configure Non SD-WAN Destination via Edge.

  1. In the Enterprise portal, select Configure > Profiles.
  2. Select the Device Icon for a profile, or select a profile and select the Device tab.
  3. In the Device tab, navigate to the Cloud VPN section and select the slider to ON position.
  4. To establish a VPN connection between a Branch and Non SD-WAN Destination via Edge, select Enable under Branch to Non SD-WAN Destinations via Edge.
    Figure 5. Enabling the VPN Connection
  5. Select Forcepoint Tunnel as the Non SD-WAN Destination via Edge to establish VPN connection.
  6. Select Save Changes.

Create a Business Policy to route the traffic from the Non SD-WAN Destination tunnel to the Forcepoint Cloud Security Gateway. See Create Business Policy for Non SD-WAN Destination via Edge.

Create Business Policy for Non SD-WAN Destination via Edge

After you establish a VPN connection between a branch and a Non SD-WAN Destination via Edge, create a Business Policy to route the traffic from the Non SD-WAN Destination tunnel.

Ensure that you have established the VPN connection between branch and Non SD-WAN Destination via Edge. See Configure Profile with Non SD-WAN Destination via Edge.

  1. In the Enterprise portal, select Configure > Profiles.
  2. Select a profile from the list and select the Business Policy tab.
  3. Select New Rule or Actions > New Rule.
  4. Enter a name for the business rule.
  5. In the Match area, select Define and choose Internet as the Destination.
  6. Select the Application as Any to steer all the Internet traffic or select Web to steer only the HTTP/HTTPS traffic.
  7. In the Action area, select High as Priority and select Internet Backhaul as the Network Service.
  8. Choose Non SD-WAN Destination via Edge and select the Non SD-WAN Destination service created with the Forcepoint tunnel parameters.
    Figure 6. Configuring a Rule - Example 1
    Figure 7. Configuring a Rule - Example 2
    Figure 8. Configuring a Rule - Example 3
    Figure 9. Configuring a Rule - Example 4
  9. Choose the other actions as required and select OK.

    The Business Policy redirects the Internet-destined HTTP/HTTPS traffic to the Forcepoint Cloud Security Gateway through the IPsec tunnel.

Configure the Tunnel parameters for a selected Edge. See Configure Edge with Tunnel Parameters.

Configure Edge with Tunnel Parameters

When you configure a profile to establish a VPN connection between a branch and a Non SD-WAN Destination via Edge, the settings are automatically applied to all the Edges that are associated with the profile. You can configure the Tunnel parameters for an individual Edge and choose the source of the Tunnel as the WAN IP address.

Ensure that you have established the VPN connection between branch and Non SD-WAN Destination via Edge. See Configure Profile with Non SD-WAN Destination via Edge.

To configure the tunnel parameters for an Edge:

  1. In the Enterprise portal, select Configure > Edges.
  2. Select Device for an Edge, or select an Edge and select the Device tab.
  3. In the Device tab, scroll down to the Cloud VPN section.
  4. Select Enable Edge Override and select Add in the Action column.
    Figure 10. Displaying Cloud VPN
  5. In the Add Tunnel window, configure the following parameters:
    Figure 11. Adding a Tunnel
    Table 3. Add Tunnel Option Descriptions
    Option | Description
    Public WAN Link | Select the IP address of the Edge hosting the tunnel endpoint that connects to Forcepoint Cloud Security Gateway.
    Local Identification Type | Select FQDN/Hostname from the list.
    PSK | Enter the same Pre-Shared Key that is configured in the Forcepoint Cloud Security Gateway.
    Destination Primary Public IP | Enter the Service IP address of the primary data center, obtained from the Forcepoint Cloud Security Gateway configuration.
    Destination Secondary Public IP | Enter the Service IP address of the secondary data center, obtained from the Forcepoint Cloud Security Gateway configuration.
  6. Select Save Changes.

Verify that the tunnel is online by monitoring the Edges. See Monitor Non SD-WAN Destination via Edge.

Monitor Non SD-WAN Destination via Edge

You can monitor and verify the Non SD-WAN Destination Tunnel configuration using the Monitoring tab.

To monitor the Non SD-WAN Destination Tunnel configuration:

  1. In the Enterprise portal, select Monitor > Edges.
  2. The Edges page displays the configured Non SD-WAN Destination along with the status. The Forcepoint data center becomes the endpoint of redundant IPsec tunnels.
    Figure 12. Monitoring the Non SD-WAN Destination via Edge