Configure Site-to-Site Tunnel Interfaces in Concerto

Last updated
Save as PDF

For supported software information, click here.

A site-to-site tunnel interface is a network interface used to establish a secure and encrypted connection between two distinct networks. Site-to-site tunnels provide a way to encapsulate packets inside of a transport protocol. You configure a tunnel as a virtual interface that provides the services necessary to implement any standard point-to-point encapsulation scheme.

To configure a site-to-site tunnel interface in Concerto:

In Tenant view, select Configure > Secure SD-WAN > Network Interfaces.

The Interfaces screen displays with the WAN tab selected by default.
Select the Site-to-Site Tunnel tab. The screen displays site-to-site tunnel interfaces that are configured.
Click the Add icon. The workflow to add a site-to-site interface displays step 1, Site-to-Site Tunnel Settings.

Enter information for the following fields.

add-site-to-site-tunnel-settings-tab-v3-full-border.png

Field	Description
Category	Select a category: Site-to-Site Tunnel (Default) Subtenant Site-to-Site Tunnel
Sub-Category	Select a sub-category: IPsec (Default)—IPsec is a protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between computers. GRE—Generic Routing Encapsulation tunnels encapsulate multiple network-layer protocols inside point-to-point links. GRE tunnels are used to transmit packets from one network to another over the internet. EoGRE—Ethernet over GRE interfaces leverage existing low-end residential gateways to provide mobility services to mobile devices. Geneve—Generic Network Virtualization Encapsulation is an encapsulation protocol that enables network virtualization by encapsulating Layer 2 Ethernet frames within UDP packets, which are then transported over Layer 3 networks.
Transport (Group of Fields)	A site-to-site tunnel transport is a type of VPN configuration that allows communication between two appliances over the internet.
Connection Name	Select a connection name.
FQDN/IPv4 or IPv6 Address	(For the IPsec sub-category only.) Click FQDN and enter the fully qualified domain name, or click IPv4 or IPv6 and enter the address.
Peer Address	(For the GRE, EoGRE, and Geneve sub-categories.) Enter the tunnel remote end transport IPv4 or IPv6 address.
MTU	Enter the maximum transmission unit (MTU) supported on the interface.
Tunnel Interface Address	Configure the tunnel virtual interface local address. At least one IPv4 or IPv6 address must be configured.
IPv4 Address	Enter the IPv4 address of the tunnel virtual interface.
IPv6 Address	Enter the IPv6 address of the tunnel virtual interface.
Subtenant (Required)	(For the Subtenant Site-to-Site Tunnel category only.) Select a subtenant.
Is this interface for guest?	Disabled by default. Click the slider bar to enable the interface for guests. When enabled, the interface is designated for guest connectivity only. Guest user traffic is not mixed with Enterprise traffic. You can select a routing instance that has been designated for use by guests.
Routing Instance Name (Required)	Select a routing instance for the LAN interface. If you disable the guest user option, you can choose an Enterprise routing instance. If you enable the guest user options, choose a guest routing instance.

Click Next.
- If you selected IPsec for the Sub-Category field above, the next workflow step is 2, IKE/IPsec. Continue to Step 6, below, to complete this step.
- For all other sub-categories, the next workflow step is 2, Rewrite Rule. Skip to Step 8 to complete this step.

To configure IKE/IPsec, enter information for the following fields.

Field	Description
Tunnel Type	Select the tunnel type: Route Based (Default) Policy Based. If you select this option, the Policy Configuration step is added to the workflow.
Tunnel Initiate	Select how to initiate creation of the tunnel: Automatic—Initiate automatically Responder Only—Initiate for responder
Authentication	Select the authentication type: Certificate (Default) PSK (preshared key). Note that the PSK cannot include any of the following five special characters: " < > # /.
Local Authentication Parameters (Group of Fields)	Enter local authentication information.
Identity Type	Enter the format for the identity type value: Email (Default) FQDN IP address
Identity Value	Enter a value in the format selected in the Identity Type field.
Shared Key	Enter the preshared key.
Remote Authentication Parameters (Group of Fields)
Identity Type	Enter the format for the identity type value: Email (Default) FQDN IP address
Identity Value	Enter a value in the format selected in the Identity Type field.
Shared Key	Enter the preshared key.
Advanced Settings
Internet Key Exchange (IKE) (Group of Fields)	A protocol to enable the exchange of encryption keys and establish a secure communication channel between the two devices.
Version	Select the IKE version: v1 v2 v2-or-v1
Transform	Select the IKE transform algorithm to use for data encryption: aes128-sha1 aes128-sha1 aes128-md5 aes256-sha1 aes256-md5 aes128-sha256 aes256-sha256 aes128-sha384 aes256-sha384 aes128-sha512 aes256-sha512
Diffie Hellman Group (DH Group)	Select the Diffie-Hellman (DH) group to determine the strength of the key used in the Diffie-Hellman key exchange process: Diffie-Hellman group 1—768-bit modulus Diffie-Hellman group 2—1024-bit modulus Diffie-Hellman group 5—1536-bit modulus Diffie-Hellman group 14—2048-bit modulus (Default) Diffie-Hellman group 15—3072-bit modulus Diffie-Hellman group 16—4096-bit modulus Diffie-Hellman group 19—256-bit elliptic curve Diffie-Hellman group 20—384-bit elliptic curve Diffie-Hellman group 21—521-bit elliptic curve Diffie-Hellman group 25—192-bit elliptic curve Diffie-Hellman group 26—224-bit elliptic curve
DPD Timeout	Enter how long to wait for traffic from the destination peer on the tunnel before sending a dead-peer-detection (DPD) request packet. Range: 0 through 36000 seconds Default: 30 seconds
IKE Rekey Time	Enter how often to regenerate the IKE key. Range: 3600 through 28800 seconds (1 through 8 hours) Default: 28800 seconds
IKE Rekey Time Unit	Enter the unit of time for the IKE rekey regeneration. Note that the IKE Rekey time range changes depending on the time unit you select. Seconds: 132 through 86400 Minutes: 2 through1440 Hours: 1 through 24
Internet Protocol Security (IPSec) (Group of Fields)	A protocol used for securing IP communications by authenticating and encrypting each IP packet of a communication session.
IPsec Transform	esp-aes128-sha1 esp-aes128-sha1 esp-aes128-ctr-sha1 esp-aes128-gcm esp-aes128-md5 esp-aes128-sha256 esp-aes128-sha384 esp-aes128-sha512 esp-aes256-gcm esp-aes256-md5 esp-aes256-sha1 esp-aes256-sha256 esp-aes256-sha384 esp-aes256-sha512 esp-null-md5
Perfect Forward Secrecy Group (PFS Group)	Select the Diffie-Hellman groups to use for PFS: No PFS (Default) Diffie-Hellman Group 1 - 768-bit modulus Diffie-Hellman Group 2 - 1024-bit modulus Diffie-Hellman Group 5 - 1536-bit modulus Diffie-Hellman Group 14 - 2048 bit modulus Diffie-Hellman Group 15 - 3072 bit modulus Diffie-Hellman Group 16 - 4096 bit modulus Diffie-Hellman Group 19 - 256 bit elliptic curve Diffie-Hellman Group 20 - 384 bit elliptic curve Diffie-Hellman Group 21 - 521 bit elliptic curve Diffie-Hellman Group 25 - 192 bit elliptic curve Diffie-Hellman Group 26 - 224 bit elliptic curve
Hello Interval	Enter the hello interval timeout. Range: 3 through 30 seconds Default: 10 seconds
IPSec Rekey Time	Enter how often to regenerate the IPsec key. Range: 3600 through 28800 seconds (1 through 8 hours) Default: 28800 seconds
IPSec Rekey Time Unit	Enter the unit of time for the IPsec rekey regeneration. Note that the IPsec Rekey time range changes depending on the time unit you select. Seconds: 132 through 86400 Minutes: 2 through1440 Hours: 1 through 24
Force NAT-T Configuration	Select Enable to force the tunnel to use NAT traversal. Select Disable to not use NAT traversal.

Click Next. If you selected the Policy Based tunnel type, the Policy Configuration screen displays. If you selected Route-Based tunnel type, go to step 10.

Enter information for the following fields.

Field	Description
Protocol	Select a protocol. The options are: TCP UDP ICMP
Source IP Address/Prefix (Required)	Enter the IP address of the traffic source, for example, 10.1.1.0/24.
Source Port	Enter the source port number. Range: 1 through 65535 Default: None
Destination IP Address/Prefix (Required)	Enter the IP address of the traffic destination.
Destination Port	Enter the destination port number. Range: 1 through 65535 Default: None
Precedence	If there are multiple matches for the above policies, indicate this tunnel’s precedence level. A number closer to 0 (zero) indicates a higher priority. Range: 0 through 512 Default: 0

Click Next to go to the Rewrite Rules step.
To configure rewrite rules, click the Rewrite Rules toggle to the Enabled setting, as shown below. Rewrite rules are disabled by default.
Select a rewrite rule in the drop-down list. Click + Create New to configure a new rewrite rule. See the Rewrite Rules section in Configure Reusable Objects.
Click Next to go to the Permissions workflow step. The screen displays permissions for all of the configured roles.
Select or unselect permissions for each role, as needed.
Click Next to go to the Review & Submit workflow step.
In the General section, enter a name for the interface in the Name field. You can also enter a description and tags. Under the Interface heading, select one of the following:
- Disabled—Disable the interface
- Enabled—Enable the interface
- Variable—Select this option to parameterize whether the interface is enabled or disabled. Enter a name for the variable, which is a Boolean value. You can then choose whether this interface is enabled or disabled on a device-by-device basis in the Deploy lifecycle.
Review the configuration. Click the Edit icon in any section to update the settings.
Click Submit to create the interface.