Cisco Viptela SDWAN: IPSEC Tunnel Parameters

Today I am going to talk about the configuration of IPsec tunnel parameters in the Cisco Viptela SD-WAN solution. Before we discuss the IPsec parameters, let's look at the purpose of the IPsec tunnel in the Cisco Viptela SD-WAN solution.

The IPsec tunnel carries the data traffic between the vEdges/cEdges, and most of you already know how secure an IPsec tunnel is. The parameters generally used for the IPsec tunnel are:

  1. Authentication and encryption
  2. Rekeying interval
  3. Replay window
Fig 1.1: IPsec tunnel between sites over the Internet


Authentication and encryption:
This is where you define which AES algorithm encrypts the data traffic within the network. In Cisco Viptela SD-WAN, the AES-256 algorithm is used for encryption.

Note: We have the ability to change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode with HMAC-SHA1-96 keyed-hash message authentication, or to null, which does not encrypt the IPsec tunnel used for IKE key exchange traffic:

NDNA-vEdge(config-interface-ipsecnumber)# ipsec
NDNA-vEdge(config-ipsec)# cipher-suite aes256-cbc-sha1 

Rekeying interval:
This is very important; the default rekeying interval is 4 hours. We can change the rekeying interval according to the needs of our environment; it can be set anywhere from 30 seconds to 14 days. In this example we are using a rekeying interval of 14 days, which is the maximum value.

NDNA-vEdge(config-interface-ipsecnumber)# ipsec
NDNA-vEdge(config-ipsec)# rekey 1209600    (14 days)

Replay window:
This is another factor; the default replay window is 32 packets, but we can change it to a window size of 64, 128, 256, 512, 1024, 2048 or 4096 packets as required in our environment. In this example we are using a replay window of 64.

NDNA-vEdge(config-interface-ipsecnumber)# ipsec
NDNA-vEdge(config-ipsec)# replay-window 64
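To make the three settings above checkable in bulk, here is an added Python example (not Cisco's code and not part of the original post) that parses the ipsec block of a vEdge running configuration and validates each value against the ranges stated in this post; the sample block is constructed, and the rekey-longer-than-default finding is an informational check of my own.

```python
import re

# Limits as stated in the post: rekey 30 s to 14 days (default 4 h),
# replay window one of the listed sizes (default 32), cipher aes256-cbc-sha1.
REKEY_MIN, REKEY_MAX, REKEY_DEFAULT = 30, 14 * 24 * 3600, 4 * 3600
REPLAY_SIZES = {32, 64, 128, 256, 512, 1024, 2048, 4096}
REPLAY_DEFAULT = 32
ENCRYPTED_SUITE = "aes256-cbc-sha1"

# Constructed sample of a vEdge ipsec block as it would appear in the running config.
SAMPLE = """
ipsec
 cipher-suite aes256-cbc-sha1
 rekey 1209600
 replay-window 64
"""


def parse_ipsec_block(text):
    """Return a dict of the ipsec parameters present in the block (numbers as int)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(cipher-suite|rekey|replay-window)\s+(\S+)", line)
        if m:
            key, value = m.groups()
            params[key] = int(value) if value.isdigit() else value
    return params


def check_ipsec(params):
    """Return a list of findings; an empty list means every value is within the documented limits."""
    findings = []
    rekey = params.get("rekey", REKEY_DEFAULT)
    if not REKEY_MIN <= rekey <= REKEY_MAX:
        findings.append(f"rekey {rekey}s outside allowed range {REKEY_MIN}-{REKEY_MAX}s")
    elif rekey > REKEY_DEFAULT:
        # Informational: keys live longer than with the 4-hour default.
        findings.append(f"rekey {rekey}s ({rekey / 86400:.1f} days) exceeds the 4-hour default")
    window = params.get("replay-window", REPLAY_DEFAULT)
    if window not in REPLAY_SIZES:
        findings.append(f"replay-window {window} is not a supported size {sorted(REPLAY_SIZES)}")
    suite = params.get("cipher-suite")
    if suite is not None and suite != ENCRYPTED_SUITE:
        # Anything other than the AES-256-CBC/HMAC-SHA1-96 suite (e.g. null) leaves traffic unencrypted.
        findings.append(f"cipher-suite {suite!r} is not {ENCRYPTED_SUITE}")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec(parse_ipsec_block(SAMPLE)):
        print(finding)
```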