Skip to main content
Versa Networks

Secure Communication for SD-WAN Devices and SASE Clients

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.png For supported software information, click here.

Versa Networks SD-WAN secure edge devices, also called Versa Operating SystemTM (VOSTM) devices, and the Versa SASE clients installed on end-user devices have built-in processes that run automatically. These processes establish the secure connections required to validate the secure edge and client devices and to authenticate the users who are allowed to access the enterprise's on-premises and cloud-hosted resources through the devices.

This article describes how the SD-WAN secure edge devices and SASE clients establish these secure connections, and it describes how to troubleshoot issues with establishing and maintaining the connections.

Secure Communication for Versa SD-WAN Devices

Secure Communication for Onboarding SD-WAN Secure Edge Devices

To allow secure communication between a Versa Networks SD-WAN secure edge (branch) device and the SD-WAN Controller node, the secure edge device establishes an IKEv2-based IPsec secure control plane connection with the Controller node. When you onboard secure edge devices using zero-touch provisioning (ZTP), ZTP ensures that the connection between the branch devices and the SD-WAN Controller nodes is secure. After this secure control plane tunnel is successfully established, branch-to-branch encrypted SD-WAN connections are automatically initiated without using IKE. This section discusses how the secure control plane tunnels are established between the SD-WAN secure edge devices and the SD-WAN Controller node.

To onboard on-premises and cloud-based SD-WAN devices, the VOS provisioning process occurs in two steps:

  • Establish a prestaging IPsec tunnel—This tunnel is used to retrieve the full VOS device configuration from the Versa Director node and to download the latest software version to the secure edge device if a software upgrade is required.
  • Establish a post-staging IPsec tunnel with VXLAN outer encapsulation.

The Versa SD-WAN solution supports genuine multitenancy, in which one component negotiates multiple independent IPsec tunnels. For simplicity, this article discusses a basic example for a single tenant.

In first step of the IKE-based IPsec negotiation, the ZTP process is triggered, as illustrated in the screenshot below. The IKE-based IPsec negotiation occurs in two phases:

  • Phase 1—IKEv2 establishes a channel for control communication and sets up a security association (SA) on both sides of the connection
  • Phase 2—IKEv2 sets up an IPsec SA that to use for data channel encryption. The data channel is used to transfer the full VOS device configuration and, if necessary, the new VOS software version to the secure edge device.

In Phase 1 of IKE-based IPsec negotiation, the SA exchanges two pairs of messages. The first pair, shown in the following screenshot, is sent as plain text and is used for the VOS device agree which security policy to use for the IKE SA. This SA pair includes the keying data, which uses the Diffie-Hellman algorithm to calculate the encryption key. A security parameter index (SPI) is assigned to identify the communication channel. In the example shown here, the connection uses the UDP protocol and port 500. If Network Address Translation–Traversal (NAT-T) is detected in the path, the UDP connection uses port 4500.

ikev2-sa-first-pair.png


The second pair of IKEv2 SA messages, shown in the following screenshot, is used to exchange identity information, and to encrypt and authenticate the payload of authentication data packet.

ikev2-sa-second-pair.png

After the IKEv2 negotiation is completed, Phase 1 of the negotiation is done, and Phase 2 begins. In Phase 2, an IPsec channel forms using the defined initiator and responder SPIs, and then the devices agree on the configured IPsec SA. Phase 2 negotiation and data flow are encrypted using the ESP protocol.

Verify the Onboarding Process

You can verify and monitor the onboarding process from the Tasks menu in the Director GUI. In Director view, click the tasks-icon.PNG Tasks icon in the top menu bar. The Tasks popup window displays:

tasks-window.PNG

If the Tasks window does not display the onboarding process or does not show that the onboarding process has started, there is an issue with the initial IKEv2 SA or the IPsec SA. To troubleshoot this issue, you start the ZTP process and then run the tcpdump tool on the public interface of a staging Controller node, filtering the public host IP address of the remote branch device. To run tcpdump:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliance in the left menu bar.
    3. Select the staging Controller device in the main pane. The view changes to Appliance view.
  2. Select the Monitor tab in the top menu bar.
  3. Select the Tools tab, and click Tcpdump.
  4. In the Interface field, select the interface.
  5. In the Filter field, enter the IP address of the remote branch device.
  6. Click Start. For more information, see Access Monitoring Tools.
  7. In the Results pane, verify that the the IKEv2 SA exchange has completed and that ESP packets have been sent. Check the Initiator and Responder SPI values to ensure that the ESP data plane traffic flows are in the same session.

    tcp-dump-example.PNG

To check the IKEv2 and IPsec SA validity and history:

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Devices > Devices in the horizontal menu bar.
    3. Select the staging Controller device in the main pane. The view changes to Appliance view.
  2. Select the Monitor tab in the top menu bar.
  3. Select the Services tab in the horizontal menu bar.
  4. Select IPsec > IKE History, and then select an entity to view its IKE history. For more information, see Monitor Device Services.

    monitor-ipsec.PNG
  5. Click the eye-icon.png Eye icon to view details about the negotiation.

To view the IKE SA:

  1. Select the Monitor tab in the top menu bar.
  2. Select the Services tab in the horizontal menu bar.
  3. Select IPsec > IKE Security Association, and then select an entity to view its IKE SAs. For more information, see Monitor Device Services.

    monitor-ipsec-ike-security-association.PNG
  4. Click the eye-icon.png Eye icon to view details about the SAs.

You can view more details in the IPsec logs. To review the logs, log in to the Controller or branch shell, and check the /var/log/versa/versa-ipsec.log file.

Secure Communication for Provisioning VOS Devices

After the initial device configuration, the VOS devices in the secure SD-WAN network are provisioned. The VOS software creates an SD-WAN control virtual router (VR) for each available tenant. This VR is a transport-agnostic routing instance that uses point-to-multipoint (P2MP) interfaces to dynamically build the SD-WAN overlay network.

Each branch device has two tunnel virtual interfaces (TVI) interfaces:

  • TVI for clear-text communication—The clear-text TVI tunnel exchanges the IPsec rekey negotiation parameters that maintain the encrypted tunnels. These exchanges are done in accordance with industry standards.
  • TVI for encrypted communication—The post-staging dynamic IPsec encrypted tunnel is established in a control VR.

For both clear-text and encrypted TVI tunnels, VXLAN encapsulation is added, with the VOS-specific values in the Protocol field. VXLAN encapsulation also facilitates NAT-T functionality, by encapsulating the ESP packet inside the UDP 4790 packet. The following example shows a sample post-staging VXLAN encapsulation.

post-staging-vxlan-encapsulation.PNG

After the VXLAN encapsulation is decoded, the payload remains encrypted with ESP. The following example shows the post-staging ESP encryption inside VXLAN.

post-staging-esp-encryption-inside-vxlan.PNG

When a post-staging IPsec tunnel is established between a VOS device and an SD-WAN Controller, the VOS device establishes IPsec encrypted tunnels to other existing on-premises and cloud-hosted VOS devices without using IKE. To ensure that this process is fast and secure, VOS devices use IPsec negotiation without using IKE for branch-to-branch SD-WAN connections. The SD-WAN Controller sends an MP-BGP update to supply the VOS device with the required SA data, including Diffie-Hellman keys. The SD-WAN Controller also implements and centrally controls the rekey mechanism. Branch-to-branch dynamic IPsec negotiation without IKE avoids human errors related to SA configuration in a large full-mesh topology.

Secure Communication for Versa SASE Client

For Releases 20.2.3 and later.

The Versa SASE client installed on an end-user devices establishes an SD-WAN secure connection to authorize users. After the users are authorized, they can access on-premises and cloud-hosted resources.

Activating a new SASE client user is done in two steps:

  1. The Versa SASE client registers on a Versa SASE portal. This registration is performed once, which is similar to the ZTP process for VOS devices and Versa cloud workloads, which is also performed only once.
  2. The Versa SASE client establishes a secure connection to the Versa SASE gateway. The following example shows the details for SASE portal registration.

sase-portal-registration.png

When a user connects to an organization for the first time using the Versa SASE client, the user must register on the SASE portal. After the registration is successful, the Versa SASE client receives a gateway policy configuration that allows the secure connection to access the organization's resources.

The registration process begins with a three-way handshake TCP connection to the Versa SASE portal, followed by TLS negotiation, which uses industry-standard protocols to establish an encrypted TLS connection. The end host validates the portal server certificate and sends the enterprise name and username to the server over an encrypted TLS connection.

Next, the SASE portal authenticates the user. The SASE portal first verifies the identity of the client and server, and then the it pushes the enterprise gateway policy configuration to the Versa SASE client so that the client can securely connect to the enterprise network. This configuration includes the available SASE gateways and a legitimate gateway root CA certificate. This exchange is encrypted, as shown in the following example.

application-data-over-tls-encryption.png

After the Versa SASE client successfully registers on the corporate SASE portal, the user can securely connect to the provisioned SASE gateways. These gateways can be SASE gateways hosted on-premises, multicloud gateways, or a combination of both. For the secure connection to a SASE gateway, during the registration process, the Versa SASE client validates the installed CA certification to ensure that the gateway is legitimate. The following screenshot shows that the Versa SASE client establishes a new secure TLS session with the SASE gateway.

sase-gateway-secure-connection-establishment.png

The screenshot above shows that even though the same VOS device provides both the SASE portal and gateway functions, the Versa SASE client establishes a new TCP session to the gateway. Then, a TLS session is established to encrypt further communication. The SASE gateway then sends its certificate, which is the certificate that was signed by the root CA certificate and that the Versa SASE client installed during the portal registration process. This signed certificate allows the SASE client to ensure the authenticity of the organization's gateway.

After the identify of the SASE gateway is confirmed, the client send its own authentication information. If the client authentication is successful, the Versa SASE gateway sends a one-time password (OTP) to the Versa SASE client. The following screenshot shows this process.

ike-based-ipsec-connection-with-sase-gateway.png

The next step is IKE negotiation, which uses the SASE gateway certificate to authenticate the gateway. The SASE client is authenticated using the OTP key that was generated and sent to the client. The key is sent in an encrypted format using the public key of the SASE gateway. The gateway decrypts this key using its own private key and compares it to the local copy of the OTP key from the SASE portal. After the gateway authenticates the Versa SASE client, the IKE negotiation is complete, and the IPsec Phase 2 negotiation creates a secure tunnel with the SASE gateway.

Troubleshoot the SASE Client

For Releases 20.2.3 and later.

Versa SASE client provides tools for troubleshooting issues during the registration or connection process.

To perform diagnostics and to troubleshoot the SASE client:

  1. In the SASE client home screen, click the vsa-settings-icon.png Settings icon.
  2. Click Troubleshoot, and then click Diagnostics to run diagnostics tests. These tests ensure that all necessary services are running on the host OS, and they generate a log file, in .zip format, that includes the test results.
  3. Click Export Logs to download the diagnostics log file. You can use the information in the log files to validate end host issues like such as the blocking of firewall or antivirus connections and the supported IPsec encryption methods. For more information, see Perform Diagnostics and Export Logs.


sase-client-troubleshooting-diagnostics.PNG

Supported Software Information

Releases 20.2 and later support all content described in this article, except:

  • Releases 20.2.3 and later add support for SASE clients.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.