Configure WAN Connections

Configure a WAN Network

Click Configure in the left menu bar to open the Configure dashboard.
Hover over the device in the honeycomb and click Configure to open the site information window.
In the Configuration > Network screen, click the WAN icon to open the Network > WAN screen.

In the WAN configuration window, enter information for the following fields.

Field	Description
WAN1Port0	Slide the toggle button to switch a WAN interface on or off.
Transport	Select Internet as the transport domain for the WAN connection. You must select the transport domain before you deploy the device.
Tunnel Selection	For an Internet transport domain: Internet only (Globe icon)—Select for internet access only. SD-WAN and Internet (DIA) Split Tunnel (Combined Globe and Hub icon)—Select for SD-WAN and DIA. Note: For remote access VPN, select Internet only or SD-WAN and Internet (DIA) Split Tunnel.
Remote Access VPN Interface	Slide the toggle button to enable or disable remote access VPN. See Configure Remote Access VPN.
FQDN (Required)	Enter the public fully qualified domain name (FQDN).
VLAN ID (Required)	Enter the VLAN ID for the interface.
MTU (Required)	Enter the maximum transmission unit (MTU), in bytes. Range: 72 through 9000 bytes
Network Address (Group of Fields)
Address (Required)	Enter the AWS private IPv4 address for the WAN port. This IP address is retrieved from AWS. For example, the following screenshot shows the private IPv4 address in AWS.
Gateway (Required)	Enter the gateway address.
NATeD	Slide the NATeD toggle button to enable NAT firewall.
Public Address	Enter the public IPv4 address for the firewall WAN interface.
Name Servers (DNS) (Group of Fields)
Primary (Required)	Enter the IP address of the primary DNS name server.
Secondary (Required)	Enter the IP address of the secondary DNS name server.

Click Advance Configuration (Customized) to configure advanced WAN settings, and then enter information for the following fields.

Field	Description
Link Mode	Select the link mode: Auto—This is the default. Full duplex Half duplex Default: Auto
Link Speed	Select the link speed: Auto—Use for link speeds about 1 Gbps. This is the default. 10 Mbps 100 Mbps 1 Gbps Default: Auto
Gateway	Click On or Off to enable or disable the interface as a gateway. After you enable an interface to be a gateway, the branch becomes a gateway and sends default route to its peer branch or branches. Then select the gateway topology.
Uplink Bandwidth	Enter the actual uplink bandwidth purchased from the service provider. The uplink bandwidth is to the traffic from the branch to the outside network.
Downlink Bandwidth	Enter the actual bandwidth downlink purchased from the service provider. The downlink bandwidth is to the traffic from the outside network to the branch.
Interface Mode	Select the interface mode: Access Mode Trunk Mode
Traffic Shaping (Group of Fields)	Configure schedulers, which assign traffic with different drop-loss priority levels to different outbound queues.
Guaranteed Rate	Select the guaranteed transmission rate of data packets. You can define the rate as a percentage of the parent interface’s shaping rate or as the line rate. Range: 1 through 100 percent Default: None
Transmit Rate	Select the transmission rate for data packets. You can define this in percentage of the parent interface’s shaping rate or the line rate. Range: 1 through 100 percent Default: None
Ingress Traffic Shaper (Group of Fields)
Peak Rate	Enter the maximum ingress rate, in kilobits per second (Kbps). Range: 8 through 10000000 Kbps Default: None
Peak Burst Size	Enter the maximum burst size, in bytes per second. Range: 1000 through 4294967295 bytes per second Default: None
Link Monitoring (Group of Fields)
Next-Hop	Click the toggle button to enable dynamic link monitoring for next-hop reachability.
Remote IP	Enter a remote IP address for remote IP reachability through this WAN link to detect link failures. To change the network address configuration, you must first lock the device.
Interval	Enter the frequency, in seconds, at which to send ICMP packets to the IP address. Range: 1 through 60 seconds Default: 3 seconds
Threshold	Enter the maximum number of monitor packets to send to the IP address. If the IP address does not respond after this number of packets, the monitor object, and hence the IP address, is marked as down. Range: 1 through 60 Default: 5

Click Continue.
Click Save to save the settings.

Configure a Remote Access VPN

For customers who purchase a license that enables the Secure Access VPN feature in the branch devices and HA devices, you can configure a remote access VPN.

After you add a device, you can enable remote access VPN when configuring the WAN network.

Then, the Remote Access VPN tab is displayed in the device configuration window.

The Remote Access VPN tab has the following options:

Secure Access Profiles—The secure access profiles configuration is common for both the organization and gateway. Hence, in device view, it is read only. You configure a secure access client in the Secure Access Default template.
IPsec Tunnel Address Pool—For a device on which remote access VPN is enabled, select this option to manually enter the WAN IPsec tunnel address pool information.

Before you enable remote access VPN for a device, you must configure a secure access template. For more information, see Configure a Secure Access Service (Remote Access VPN) Template.

Use the toggle switch to enable or disable remote access VPN, and then enter the device fully qualified domain name (FQDN). For remote access VPN, you must configure at least one port on the device with a static IP address, which is used to terminate the remote clients.

To configure a remote access VPN:

In the Add Device Details popup window, click Remote Access VPN toggle to enable the option. See Add Devices Using Titan Portal.
Configure the secure access default template. See Configure a Secure Access Service (Remote Access VPN) Template.

In the Network > WAN window, enter information for the following fields.

Field	Description
Remote Access VPN Interface	Click the toggle switch to enable or disable remote access VPN.
FQDN	Enter the FQDN of the device.
Network Address
Address	Enter the AWS private IPv4 address for the WAN port. This IP address is retrieved from AWS. For example, the following screenshot shows the private IPv4 address in AWS.
Gateway	Enter the IP address of the gateway.
Name Servers (DNS)
Primary	Enter the IP address of the primary DNS name server.
Secondary	Enter the IP address of the secondary DNS name server.

To configure the IPsec tunnel address pool WAN interfaces, select IPsec the Tunnel Address Pool tab, and enter information for the following fields.

Field	Description
Start Address	Enter the lowest IP address in the pool assigned to the VSA client.
End Address	Automatically assigned based on the lowest address.
Netmask	Automatically assigned based on the lowest address.

Click Publish.
Upload all necessary public key certificates and public CA certificate for the device. You can upload a CA certificate only on an activated device. For more information, see Configure a Secure Access Service (Remote Access VPN) Template.

Configure IPsec VPN Settings (Tunnels)

To create an IPsec tunnel to other appliances or applications, you use the IPsec VPN option on the Network > WAN screen. Titan Portal then adds the name of the tunnel to the drop-down menus for WAN static IP routes, steering rules, and firewall rules for route-based IPsec profiles. For policy-based and rule-based VPNs, no zone or menu options are available in static, steering, and security rules. Tunnels use preshared key (PSK) authentication and are built using IKEv1, IKEv2, or both IKEv1 or IKEv2. If you configure the tunnel using IKEv1, ensure that the shared key value for the local authentication and peer authentication are the same.

When you configure IPsec route-based profiles, by default, Titan Portal creates a security rule that allows IPsec traffic and the rule is displayed in the security rule list. For an IPsec profile, the security rule is created with the same name as IPsec route-based profile name. You cannot edit or delete a system-generated default rule for port forwarding or for an IPsec profile. However, you can disable or reorder a default rule to change its priority.

You can click + Add to configure multiple tunnels.

Note: To enable routing over an IPsec tunnel, you must add a static route towards the tunnel.

To configure an IPsec tunnel:

From the Network > WAN screen, click the IPsec VPN option to display the IPsec VPN fields.

In the IPsec VPN option drop-down menu, enter information for the following fields.

Field	Description
Name	Enter the IPsec tunnel name. Titan Portal adds the tunnel name to the IPsec drop-down menu in the Static IP Route screen.
Redistribute	Click to make the IPsec tunnel eligible for redistribution into the VPN network when thee tunnel is used as the next hop for a static route.
VRF	Select a source VRF (routing instance).
Peer Type	Enter format for the peer value: hostname, fully qualified domain name (FQDN), or IP address.
Peer Type Value	Enter peer value using the format selected in Peer Type.
Local Authentication
Authentication Type	Displays the authentication type (PSK).
Identity Type	Enter format for the identity type value: email, FQDN, or IP address.
Identity Type Value	Enter value in the format selected in Identity Type.
Shared Key	Enter preshared key.
Peer Authentication
Authentication Type	Displays the authentication type (PSK).
Identity Type	Enter format for the identity type value: email, FQDN, or IP address.
Identity Type Value	Enter value in the format selected in Identity Type.
Shared Key	Enter the preshared key.
IKE Version	Select the IKE version: IKEv1 IKEv2 IKEv1 or IKEv2
Hash Algorithm	Select the hash algorithms to use: MD5—MD5 Message Digest Algorithm SHA-1—Secure Hash Algorithm 1 with 160-bit digest SHA-256—Secure Hash Algorithm 2 with 256-bit digest SHA-384—Secure Hash Algorithm 2 with 384-bit digest SHA-512—Secure Hash Algorithm 2 with 512-bit digest
Encryption	Select the encryption algorithms to use: 3DES—Triple DES encryption algorithm AES 128—AES CBC Encryption Algorithm with 128-bit key AES 256—AES CBC Encryption Algorithm with 256-bit key
DH Group	Select the Diffie-Hellman group to use: Diffie-Hellman Group 1—768-bit modulus Diffie-Hellman Group 2—1024-bit modulus Diffie-Hellman Group 5—1536-bit modulus Diffie-Hellman Group 14—2048-bit modulus Diffie-Hellman Group 15—3072-bit modulus Diffie-Hellman Group 16—4096-bit modulus Diffie-Hellman Group 19—256-bit elliptic curve Diffie-Hellman Group 20—384-bit elliptic curve Diffie-Hellman Group 21—521-bit elliptic curve Diffie-Hellman Group 25—192-bit elliptic curve Diffie-Hellman Group 26—224-bit elliptic curve
IKE Rekey Time	Enter the time interval for how often to regenerate the IKE key. Range: 3600 through 28800 seconds Default: 3600 seconds
IPsec Transforms	Specify the IPsec transform and Diffie-Hellman group.
Hash Algorithm	Select the hash algorithms to use: MD5—MD5 Message Digest Algorithm SHA-1—Secure Hash Algorithm 1 with 160-bit digest SHA-256—Secure Hash Algorithm 2 with 256-bit digest SHA-384—Secure Hash Algorithm 2 with 384-bit digest SHA-512—Secure Hash Algorithm 2 with 512-bit digest XCBC—Extended Cypher Block Chaining
Encryption	Select the encryption algorithm to use: 3DES—Triple DES encryption algorithm AES128—AES CBC encryption algorithm with 128-bit key AES128-CTR—AES counter mode encryption algorithm with 128-bit key AES128-GCM—AES GCM encryption algorithm with 128-bit key AES256—AES CBC encryption algorithm with 256-bit key AES256-GCM—AES GCM encryption algorithm with 128-bit key NULL
Perfect Forward Secrecy Group	Select the Diffie-Hellman groups to use for PFS: Diffie-Hellman Group 1—768-bit modulus Diffie-Hellman Group 2—1024-bit modulus. Diffie-Hellman Group 5—1536-bit modulus Diffie-Hellman Group 14—2048-bit modulus Diffie-Hellman Group 15—3072-bit modulus Diffie-Hellman Group 16—4096-bit modulus Diffie-Hellman Group 19—256-bit elliptic curve Diffie-Hellman Group 20—384-bit elliptic curve Diffie-Hellman Group 21—521-bit elliptic curve Diffie-Hellman Group 25—192-bit elliptic curve Diffie-Hellman Group 26—224-bit elliptic curve No PFS
IPsec Rekey Time	Enter the time interval for how often to regenerate the IPsec key. Range: 3600 through 28800 seconds Default: 3600 seconds
Tunnel Network (Route-Based Only)	Use a route-based tunnel configuration.
Tunnel IP Local Address	Enter the IP address of the local tunnel interface in CIDR format. If you do not specify a value, the IP address is automatically generated.
Tunnel IP Remote Address	Enter the IP address of the remote tunnel interface. If you do not specify a value, the IP address is automatically generated.
Policy-Based VPN	Click the Policy-Based VPN toggle to turn on VPN policies configuration options. If you select this option, click the Add Rule icon to add a policy. You can configure a tunnel either using route-based or policy-based options. In the Policy-Based VPN popup window, enter information for the following fields. Name—Enter a name for the policy. Protocol—Select a protocol: Any ICMP TCP UDP Source IP—Enter the IPv4 source address or prefix. Port—Enter the source port number. Destination IP—Enter the IPv4 destination address or prefix. Port—Enter the destination port number. Click Add.

To change the IPsec tunnel type from a route-based tunnel to a policy-based tunnel, or vice versa, you must delete the existing IPsec tunnel and then publish the configuration. Then, add the IPsec tunnel with required tunnel type, and publish the configuration again.

Click +Add IPsec Profile. This saves the tunnel to the IPsec VPN screen but not the Titan cloud.

Use the trash icon to delete a tunnel or the pencil icon to edit a tunnel. Click the Eye icon to display tunnel details.
Click Save to save the changes to the Titan cloud. Once saved, Titan Portal adds the IPsec tunnel name to the drop-down menus for WAN static IP routes, steering rules, and firewall rules. See Manage Firewall Policies.

Additional Information

Configure Miscellaneous Parameters
Configure Routing
Configure Security