Tunnel configuration
WALLIX One PAM gateway supports two routing modes: static and dynamic.
Static routing mode
NOTE
In static mode, if you want to modify the IPsec tunnel configuration, such as adding or removing a network, you must open a ticket with WALLIX Support.
A traffic selector is an agreement between IPsec peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. Traffic selectors are created differently for policy-based and route-based VPNs.
Policy-based traffic selector
With a policy-based traffic selector, the IPv4 networks are announced directly in the traffic selector of the IPsec protocol.
The three phase 2 subnets (IPsec host, WALLIX Bastion subnet and WALLIX AM subnet) provided by WALLIX in the shuttle file must be configured in the field corresponding to the remote IPv4 networks.
The list of your IPv4 networks must be specified in the field corresponding to the local IPv4 networks. You must also fill the Customer phase 2 subnets cells of the shuttle file to provide WALLIX with the list of your local networks.
Route-based traffic selector
The networks declared in the IPv4 networks fields must be 0.0.0.0/0 for both local and remote.
Static routes are added when the tunnel is established (phase 2). The prefixes exposed by WALLIX One PAM through the tunnel are provided by WALLIX. You can restrict the traffic to the three subnets (IPsec host, WALLIX Bastion subnet and WALLIX AM subnet) provided by WALLIX in the shuttle file.
You must also fill the Customer phase 2 subnets cells of the shuttle file to provide WALLIX with the list of your local networks.
Dynamic routing mode
In dynamic routing mode, the BGP protocol is used to announce routes through the IPsec tunnel. With this method, you have complete autonomy over the management of your networks that will be accessible from WALLIX One PAM. You do not have to create a ticket with the WALLIX support team when adding new subnets. The networks are specified by you and automatically propagated in the IPsec tunnel.
Requirements
To establish IPsec tunnels in dynamic mode, you must have the following:
- network hardware exposed to the Internet and capable of supporting the BGP protocol
- an ASN (Autonomous System Number)
- an address (for each tunnel deployed) for exchanging BGP routes: a subnet chosen by the customer from the APIPA 169.254.0.0/16 range, with a /30 or /31 prefix. WALLIX One PAM uses the other available address. The customer must explicitly tell the WALLIX Support Team whether they prefer to use the first available address or the next one.
Configuration
The networks declared in the IPv4 networks fields must be 0.0.0.0/0 for both local and remote.
BGP sessions are established over an APIPA subnet (169.254.0.0/16) with a /30 or /31 prefix.
This subnet is defined by you and must be unique among all your BGP peers on WALLIX One PAM.
You must share your ASN and the tunnel subnet you use with WALLIX, via the Dynamic Routing section of the shuttle file.
Ciphers
Refer to the prerequisites for supported ciphers.
MTU
The size of packets passing through the IPsec tunnel should not exceed 1380 bytes.
Other parameters
| Parameter | Supported values |
|---|---|
| Phase 1 lifetime | Between 900 and 28800 seconds |
| Phase 2 lifetime | Between 900 and 3600 seconds |
| Traffic selector | See Routing mode |
| Dead Peer Detection interval | Between 5 and 30 seconds |
| Dead Peer Detection timeout multiplier | Between 2 and 5 |
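The constraints from the dynamic routing configuration and from the parameter table above, gathered into a small pre-flight check that can be run on a proposed tunnel before the shuttle file is sent. This is an added example, not WALLIX tooling; the configuration key names and the sample values are assumptions.

```python
import ipaddress

# Limits taken from the tunnel documentation above (seconds, bytes, counts).
PHASE1_LIFETIME = (900, 28800)
PHASE2_LIFETIME = (900, 3600)
DPD_INTERVAL = (5, 30)
DPD_MULTIPLIER = (2, 5)
MAX_MTU = 1380
APIPA = ipaddress.ip_network("169.254.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _check_range(name, value, bounds, errors):
    low, high = bounds
    if not low <= value <= high:
        errors.append(f"{name}={value} is outside {low}-{high}")


def validate_tunnel(cfg, other_bgp_subnets=()):
    """Return the documented constraints that a proposed tunnel violates.

    cfg keys (assumed names): mode ('policy', 'route' or 'dynamic'), local_ts and
    remote_ts (lists of IPv4 CIDR strings), phase1_lifetime, phase2_lifetime,
    dpd_interval, dpd_multiplier, mtu and, in dynamic mode, bgp_subnet.
    other_bgp_subnets: APIPA peering subnets already used by the customer's
    other tunnels, since each BGP peering subnet must be unique.
    """
    errors = []
    _check_range("phase1_lifetime", cfg["phase1_lifetime"], PHASE1_LIFETIME, errors)
    _check_range("phase2_lifetime", cfg["phase2_lifetime"], PHASE2_LIFETIME, errors)
    _check_range("dpd_interval", cfg["dpd_interval"], DPD_INTERVAL, errors)
    _check_range("dpd_multiplier", cfg["dpd_multiplier"], DPD_MULTIPLIER, errors)
    if cfg["mtu"] > MAX_MTU:
        errors.append(f"mtu={cfg['mtu']} exceeds {MAX_MTU}")
    # Route-based and dynamic modes need 0.0.0.0/0 on both sides; policy-based
    # mode carries the real networks in the selector, so any valid list is fine.
    for side in ("local_ts", "remote_ts"):
        nets = [ipaddress.ip_network(n) for n in cfg[side]]
        if cfg["mode"] in ("route", "dynamic") and nets != [ANY]:
            errors.append(f"{side} must be exactly 0.0.0.0/0 in {cfg['mode']} mode")
    if cfg["mode"] == "dynamic":
        bgp = ipaddress.ip_network(cfg["bgp_subnet"])  # strict: host bits rejected
        if not bgp.subnet_of(APIPA):
            errors.append(f"bgp_subnet={bgp} is not inside {APIPA}")
        if bgp.prefixlen not in (30, 31):
            errors.append(f"bgp_subnet={bgp} must be a /30 or /31")
        for other in other_bgp_subnets:
            if bgp.overlaps(ipaddress.ip_network(other)):
                errors.append(f"bgp_subnet={bgp} overlaps existing peer subnet {other}")
    return errors
```

An empty list means the proposal respects every limit on this page; anything else lists the fields to correct before opening the ticket.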