Create IPsec tunnels in Aruba EdgeConnect SD-WAN

Before you begin:

  1. Prepare for SD-WAN setup.

  2. Make sure you‚Äôve configured IPsec credentials in ‚ÄčSIA‚Äč. For instructions, see Configure IPsec credentials in ‚ÄčSIA‚Äč.

These are the high-level steps that are required to configure a primary and secondary tunnel between Aruba EdgeConnect and ‚ÄčSIA‚Äč.

To create IPsec tunnels in Aruba EdgeConnect:

  1. Configure the primary and secondary IPsec tunnels.

  2. Configure a Business Intent Overlay (BIO).

  3. Verify your configuration:

    1. Verify the ‚ÄčAkamai‚Äč service configuration

    2. Verify the status of the tunnels and IP SLA

    3. Verify traffic flows on EdgeConnect SD-WAN

ūüöß

If your organization uses ‚ÄčSIA‚Äč Client, make sure you disable the client in policies that are associated with the IPsec tunnel locations.

Configure the primary and secondary IPsec tunnels

Complete this procedure to configure the primary and secondary IPsec tunnels in Aruba Orchestrator.

Before you begin:

Make sure the WAN public IP address or addresses for your SD-WAN solution are configured as locations in SIA.

To configure the primary and secondary IPsec tunnels:

  1. Create an Akamai service:

    1. In Orchestrator, click Configuration > Cloud Services > Services Orchestration.

    2. Click Add Service.

    3. In the Add Service window, enter a name and prefix for your service. For example, you can use Akamai in the name and the prefix AKA.

    d. Click Save. The Akamai service is created and available on the Service Orchestration tab.

  2. Configure remote endpoints for the Akamai service:

    1. For the Akamai service, click the Remote Endpoint Configuration tab.

    2. Click +Remote Endpoint.

    3. Configure the secondary tunnel by completing these steps:

    FieldStep
    Name Enter Secondary-POP
    IP Address Enter secondary.ipsec.akaetp.net
    Interface Label Enter any

    Note: The any label indicates that Orchestrator will use all of the WAN interfaces that are available in the Interfaces Label for the tunnel configuration.

    Pre-shared Key Enter the pre-shared key that you created or generated.

    d. Click +Remote Endpoint to add another endpoint.

    e. Configure the primary tunnel by completing these steps:

Field Step
Name Enter Primary-POP
IP Address Enter primary.ipsec.akaetp.net
Interface Label Enter any
Pre-shared Key Enter the pre-shared key that you created or generated.
Backup Remote Endpoint Secondary-POP
  1. Configure interface labels:

    1. Click the Interface Labels tab.

    2. Select the WAN interface labels that your SD-WAN solution is using. The IPsec tunnel configuration is completed in the WAN interface or interfaces that you select. The WAN public IP address must be configured as locations in SIA.

    3. Click Save.

  2. Configure the tunnel settings. These settings are used to build the tunnel to the endpoints you configured:

    1. Click the Tunnels Settings tab.

    2. Click the General tab.

    3. Select IPSec as the mode.

    d. Click the IKE tab and configure the IKE settings.

    Field Step
    IKE Version Select IKE v2
    Authentication algorithm You can select SHA2-512. For a list of supported algorithms, see Supported cipher suites for IPsec.
    Encryption algorithm You can select AES-CBC-256. For a list of supported encryption algorithms, see Supported cipher suites for IPsec.
    Diffie-Hellman group Select 14.
    Rekey interval/lifetime Select 480 minutes
    Dead peer detection For the Delay time, enter 10 seconds. For the Retry count, enter 3.
    IKE identifier Enter the IKE identifier that you configured. For more information, see Configure IPsec credentials in ‚ÄčSIA‚Äč.

    e. Click the IPSec tab and configure IPSec settings:

    Field Step
    Authentication algorithm You can select SHA2-256. For a list of supported algorithms, see Supported cipher suites for IPsec
    Encryption algorithm You can select AES-CBC-256. For a list of supported algorithms, see Supported cipher suites for IPsec
    IPSec anti-replay window Select Disable.
    Rekey interval/lifetime Enter 120 minutes and 0 MegaBytes.
    Perfect forward secrecy group Select 14.

    f. Click Save.

  3. Configure IP SLA settings to monitor tunnel health using the HTTPs probe to sp-ipsla.silverpeak.cloud.

    1. Click the IP SLA tab.

    2. Turn on the Enable IP SLA rule orchestration toggle and complete these steps:

Field Step
Monitor Select HTTP/HTTPS.
Source interface Select Loopback.

Note: IP SLA uses this value to source probe traffic to the probe destination address. For the IP SLA profile to reach the SD-WAN appliance, there must be at least one interface on the application that uses this matching label.
Encryption algorithm You can select AES-CBC-256. For a list of supported algorithms, see Supported cipher suites for IPsec.
HTTP request timeout Enter 2 seconds.
  1. In the BIO Breakout tab:

    1. Make sure BIO Breakout is enabled. This setting means that the tunnels you created will be added to Business Intent Overlay (BIO).

    2. If you need to include an icon, upload a service icon.

    3. Click Save.

  2. In the Remote Endpoint Association tab, complete these steps to associate your endpoints to the EdgeConnect SD-WAN appliance.

    1. In the list of appliances, select the appliances that you want to associate with the endpoints.

    2. Click Remote Endpoint Associate.

    3. Select Add for the Primary-POP endpoint. This associates both the primary and second endpoints to the EdgeConnect appliance.

  3. Click Save. Orchestrator pushes the required IPsec tunnel and IP SLA configuration to the EdgeConnect appliances.

Next Steps:

Direct traffic to the Akamai service with Business Intent Overlay. For instructions, see Configure a Business Intent Overlay (BIO).

Configure a Business Intent Overlay (BIO)

A Business Intent Overlay (BIO) specifies how web traffic is routed. Complete these steps to direct traffic from Aruba to ‚ÄčSIA‚Äč.

This procedure describes how to modify an existing overlay. However, you can create a new overlay with similar steps. For detailed instructions on creating a new overlay, see the Aruba Orchestrator documentation.

To configure a business intent overlay:

  1. From the Orchestrator navigation menu, select Configuration > Business Intent Overlays. A list of Business Intent Overlays appears.

  2. Click the Breakout Traffic to Internet & Cloud Services area for the overlay that you want to use. The Overlay Configuration appears.

  1. Click the edit icon for the Match field.

  2. Modify the match criteria to use protocol TCP and port 80 and 443.

  3. In the Breakout Traffic to Internet & Cloud Service tab, drag the Akamai policy from Available Policies to Preferred Policy Order. Make sure the Akamai policy appears at the top of the Preferred Policy Order.

  1. Determine the backup options. If you select Backhaul Via Overlay, Break Out Locally, or both as backup options, this means that traffic is redirected using these policies in case the tunnels to Akamai (‚ÄčSIA‚Äč) are down. If you don‚Äôt want to use a backup option, remove them from the Preferred Policy Order. If you remove backup options, internet-bound traffic is dropped in case the Akamai service is down.

  2. In the Break Out Locally Using These Interfaces area, drag and drop all the primary WANs to the Primary section. Drag and drop all backup interfaces to the Backup section. If you add more than one interface to the Primary section, traffic is load balanced between the two WAN interfaces.

  1. To complete the setting changes, click OK.

  2. Click Save and Apply Changes to Overlays.

Next step:

Verify your configuration:

  1. Verify that the service configuration was pushed to devices. For more information, see Verify the ‚ÄčAkamai‚Äč service configuration.

  2. Verify the tunnel status and the IP SLA status. For instructions, see Verify the status of the tunnels and IP SLA.

  3. Verify traffic flows on EdgeConnect SD-WAN appliances. For instructions, see Verify traffic flows on EdgeConnect SD-WAN.

Verify the ‚ÄčAkamai‚Äč service configuration

Complete this procedure to verify that the Akamai service you created in Service Orchestrator was pushed to the EdgeConnect SD-WAN appliances.

To verify the service configuration:

  1. In the navigation menu, select Orchestrator > Tools > Audit Logs.

  2. In the Search field, enter the prefix that you used for the service. For example, AKA. For more information, see Configure the primary and secondary IPsec tunnels.

  3. Confirm that the passthrough tunnel has successfully been pushed to the device. A passthrough tunnel configuration is pushed if a label in the Interface Labels also exists on the EdgeConnect SD-WAN appliance.

  4. Confirm that the fully-qualified domain names (FQDNs) for NSLOOKUP were applied successfully. FQDNs are used for the primary and secondary tunnels. As a result, the EdgeConnect SD-WAN must be able to resolve them.

  1. Confirm that the IP SLA rules were pushed to the appliance. The IP SLA rules are pushed if these conditions are met:

Verify the status of the tunnels and IP SLA

Complete this procedure to verify the status of the tunnels and the IP SLA.

To verify the status of the tunnel and the IP SLA:

  1. In the navigation menu, select Configuration > Cloud Services > Service Orchestration.

  2. Click the Service Orchestration tab.

  3. Make sure the Connection Status is Up. This indicates the IPsec tunnel is functioning and the IP SLA probes are working.

  1. Confirm the status of the tunnels:

    1. Next to the Akamai service that’s shown on the Service Orchestration tab, click Tunnels.

      A new tab appears with the Tunnel data.

    2. Click the Passthrough tab to view data for the passthrough tunnel.

    3. Use the Search field to search for the service. For example, AKA.

    4. Confirm that the status is up.

  2. Confirm the IP SLA status:

    1. Next to the Akamai service that shown on the Service Orchestration tab, click IP SLA.

      A new tab appears with IP SLA data.

    2. Use the Search field to search for the service. For example, AKA.

    3. Confirm that the status is up.

Verify traffic flows on EdgeConnect SD-WAN

Complete these steps to confirm whether traffic is directed to the Akamai service tunnels on the EdgeConnect SD-WAN appliances.

To verify traffic flows:

  1. In the navigation menu, select Monitoring > Flows > Active & Recent Flows.

  2. Use the provided filter options to filter based on IP address and port of the overlay. Confirm the inbound and outbound tunnels show something like ‚ÄúAKA_Primary-POP_INET1‚ÄĚ based on the prefix and the name you provided for the primary tunnel. This confirms that there are inbound and outbound connections through the Akamai service tunnels.