Delivery services allow you to configure delivery services such as the Internet, Intranet, IPsec, and LAN GRE. The delivery services are defined globally and applied to WAN links at individual sites, as applicable.
Each WAN link can apply all or a subset of relevant services, and setup relative shares of bandwidth (%) among all the delivery services.
Virtual Path service is available on all the links by default. The other services can be added as needed.
Delivery Services are delivery mechanisms available on Citrix SD-WAN to steer different applications or traffic profiles using the right delivery methods based on business intent.
Delivery Services can be broadly categorized as following:
- Virtual Path Service: The dual-ended overlay SD-WAN tunnel that offers secure, reliable, and high-quality connectivity between two sites hosting SD-WAN appliances or virtual instances.
- Internet Service: Direct channel between an SD-WAN site and public internet, with no SD-WAN encapsulation involved. Citrix SD-WAN supports session load-balancing capability for internet-bound traffic across multiple Internet links.
Intranet Service: Underlay link based connectivity from an SD-WAN site to any non-SD-WAN site.
The traffic is unencapsulated or can use any non-virtual path encapsulation such as IPsec, GRE. You can set up multiple Intranet services.
Service configuration and bandwidth defaults
Under Service Configuration and Bandwidth Defaults tab, you can view an internet service is created by default. The branch traffic uses the transit sites to reach the internet. This section allows you to define new delivery services and default bandwidth allocation proportion (%) across all the delivery services. The bandwidth allocation needs across delivery services might vary based on the type of link involved.
For example, if you have many SaaS applications being used, you might consider allocating a relatively large proportion of bandwidth on your internet links for Internet service to enable direct internet breakout. On your MPLS links, you might choose to allocate more bandwidth for Virtual path service or Intranet Service depending on whether your SD-WAN sites have most of the traffic going to other SD-WAN sites or non-SD-WAN sites.
Based on your requirements, you can define global bandwidth share defaults across delivery services for each link type – Internet links, MPLS links, and Private Intranet links.
The default values can be overridden on individual links. While configuring WAN links, you can choose to use these global defaults or configure link specific service bandwidth settings. Configuration of a non-zero bandwidth share is required for any delivery service to be enabled and active on a link.
There are additional settings available for Internet and Intranet services, which can be customized by using the setting icon that displayed against each service.
Click + New Service and select a Service Type. Depending on the add-on delivery service that you would like to create, choose the required service type, and proceed with the configuration.
Internet Service is available by default as part of the Delivery services. You can configure the internet service route cost relative to other delivery services and set up internet transit sites.
You can add sites as Internet transit sites to enable Internet access to the sites. For sites those need direct internet connectivity, must have at least one link with Internet service enabled. That means, at least one link set to a non-zero bandwidth share %.
Each transit site can be assigned a route cost. The sites with internet service available access the internet directly since the direct route would be the lowest cost routing path. Sites without internet service can route to the internet through the configured transit sites. When the internet transit sites are configured, routes to the internet through these transit sites automatically get pushed to all the sites. Internet transit sites are the sites with Internet service enabled.
For example, if San Francisco and New York are configured as internet transit sites. Routes to the internet via San Francisco and New York automatically get pushed to all the sites.
A user can create multiple intranet services. Once the intranet service is created at the global level, you can reference it at the WAN Link level.
Provide a Service Name. Select desired Routing Domain and Firewall Zone.
Intranet networks: Add all the intranet IP addresses across the network, that other sites in the network might need to interact.
Intranet transit sites: Add sites as transit sites to enable all the non-intranet sites to access the configured intranet networks. Each transit site can be assigned a route cost. The available sites with intranet service, accesses the intranet networks directly since the direct route would be the lowest cost routing path. Sites without intranet service can route to the intranet networks through the configured transit sites. When the transit sites are configured, routes to intranet networks through these transit sites automatically get pushed to all the sites.
For example, assume 10.2.1.0/24 is an intranet network, and Austin and Dallas are configured as transit sites. Routes to that network address through Austin and Dallas automatically get pushed to all the sites.
You can configure SD-WAN appliances to terminate GRE tunnels on the LAN.
- Name: Name of the LAN GRE service.
- Routing Domain: The routing domain for the GRE tunnel.
- Firewall Zone: The firewall zone chosen for the tunnel. By default, the tunnel is placed into the Default_LAN_Zone.
- Keep alive: The period between sending keep alive messages. If configured to 0, no keep alive packets is sent, but the tunnel stays up.
- Keep alive Retries: The number of times that the Citrix SD-WAN Appliance sends keep alive packets without a response before it brings the tunnel-down.
- Checksum: Enable or disable Checksum for the tunnel’s GRE header.
- Site Name: The site to map the GRE tunnel.
- Source IP: The source IP address of the tunnel. This is one of the Virtual Interfaces configured at this site. The selected routing domain determines the available Source IP addresses.
- Public Source IP: The source IP if the tunnel traffic is going through NAT.
- Destination IP: The destination IP address of the tunnel.
- Tunnel IP/Prefix: The IP address and Prefix of the GRE Tunnel.
- Tunnel Gateway IP: The next hop IP Address to route the Tunnel traffic.
- LAN Gateway IP: The next hop IP Address to route the LAN traffic.
If you are configuring Zscaler service, configure LAN GRE. Provide a service name, select the routing domain, firewall zone, and add site bindings. For more information about Zscaler service, see Zscaler Integration by using GRE tunnels and IPsec tunnels.
Provide the following details to authenticate Zscaler:
- User Name: Enter the name of the user.
- Password: Enter the password.
Cloud Name: Enter the cloud name that is available in the URL that admins use to log into the Zscaler service.
To maximize operational efficiency, Zscaler built global multi-cloud infrastructure with high scalability. An organization is provisioned on one cloud and its traffic is processed by that cloud only.
API Key: Enter the API subscription Key. When an API subscription is applied to your organization, Zscaler enable the key.
- Click Save.
Citrix SD-WAN appliances can negotiate fixed IPsec tunnels with third-party peers on the LAN or WAN side. You can define the tunnel end-points and map sites to the tunnel end-points.
You can also select and apply an IPsec security profile that define the security protocol and IPsec settings.
To configure IPsec tunnel:
Specify the service details.
- Service Name: The name of the IPsec service.
- Service Type: Select the service that the IPsec tunnel uses.
- Routing Domain: For IPsec tunnels over LAN, select a routing domain. If the IPsec Tunnel uses an intranet service, the intranet service determines the routing domain.
- Firewall Zone: The firewall zone for the Tunnel. By default, the Tunnel is placed into the Default_LAN_Zone.
Add the tunnel end-point.
- Name: When Service Type is Intranet, choose an Intranet Service the tunnel protects. Otherwise, enter a name for the service.
- Peer IP: The IP address of the remote peer.
- IPsec Profile: IPsec security profile that define the security protocol and IPsec settings.
- Pre Shared Key: The pre shared key used for IKE authentication.
- Peer Pre Shared Key: The pre-shared key used for IKEv2 authentication.
- Identity Data: The data to be used as the local identity, when using manual identity or User FQDN type.
- Peer Identity Data: The data to be used as the peer identity, when using manual identity or User FQDN type.
- Certificate: If you choose Certificate as the IKE authentication, choose from the configured certificates.
Map sites to the tunnel end-points.
- Choose Endpoint: The end-point to be mapped to a site.
- Site Name: The site to be mapped to the end-point.
- Virtual Interface Name: The virtual interface at the site to be used as the end-point.
- Local IP: The local virtual IP address to use as the local tunnel end-point.
Create the protected network.
- Source Network IP/Prefix: The source IP address and Prefix of the network traffic that the IPsec tunnel protects.
- Destination Network IP/Prefix: The destination IP address and Prefix of the network traffic that the IPsec tunnel protects.
Ensure that the IPsec configurations are mirrored on the peer appliance.
For more information, see How to configure IPsec tunnels for virtual and dynamic paths.
IPsec encryption profiles
To add IPsec encryption profile, navigate to Configuration > Delivery Services > select IPsec Encryption Profiles tab.
IPsec provides secure tunnels. Citrix SD-WAN supports IPsec virtual paths, enabling third-party devices to terminate IPsec VPN Tunnels on the LAN or WAN side of a Citrix SD-WAN appliance. You can secure site-to-site IPsec Tunnels terminating on an SD-WAN appliance by using a 140-2 Level 1 FIPS certified IPsec cryptographic binary.
Citrix SD-WAN also supports resilient IPsec tunneling using a differentiated virtual path tunneling mechanism.
IPsec profiles are used while configuring IPsec services as delivery service sets. In the IPsec security profile page, enter the required values for the following IPsec Encryption Profile, IKE Settings, and IPsec Settings.
IPsec encryption profile information
- Profile Name: Provide a profile name.
- MTU: Enter the maximum IKE or IPsec packet size in bytes.
- Keep Alive: Select the check box to keep the tunnel active and enable route eligibility.
IKE Version: Select an IKE protocol version from the drop-down list.
Mode: Select either Main mode or Aggressive mode from the drop-down list for the IKE Phase 1 negotiation mode.
- Main: No information is exposed to potential attackers during negotiation, but is slower than Aggressive mode.
- Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but is faster than Main mode.
- Authentication: Choose the authentication type as Certificate or Pre-shared Key from the drop-down menu.
- Identity: Select the identity method from the drop-down list.
- Peer Identity: Select the peer identity method from the drop-down list.
- DH Group: Select the Diffie-Hellman (DH) group that are available for IKE key generation.
- Hash Algorithm: Choose a hashing algorithm from the drop-down list to authenticate IKE messages.
- Encryption Mode: Choose the Encryption Mode for IKE messages from the drop-down list.
- Lifetime (s): Enter the preferred duration (in seconds) for an IKE security association to exist.
- Lifetime (s) Max: Enter the maximum preferred duration (in seconds) to allow an IKE security association to exist.
DPD timeout (s): Enter the Dead Peer Detection timeout (in seconds) for VPN connections.
Tunnel Type: Choose ESP, ESP+Auth, ESP+NULL, or AH as the tunnel encapsulation type from the drop-down list.
- ESP: Encrypts the user data only
- ESP+Auth: Encrypts the user data and includes an HMAC
- ESP+NULL: Packets are authenticated but not encrypted
- AH: Only includes an HMAC
- PFS Group: Choose Diffie–Hellman group to use for perfect forward secrecy key generation from the drop-down menu.
- Encryption Mode: Choose the Encryption Mode for IPsec messages from the drop-down menu.
- Hash Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification.
- Network Mismatch: Choose an action to take if a packet does not match the IPsec Tunnel’s Protected Networks from the drop-down menu.
- Lifetime (s): Enter the amount of time (in seconds) for an IPsec security association to exist.
- Lifetime (s) Max: Enter the maximum amount of time (in seconds) to allow an IPsec security association to exist.
- Lifetime (KB): Enter the amount of data (in kilobytes) for an IPsec security association to exist.
Lifetime (KB) Max: Enter the maximum amount of data (in kilobytes) to allow an IPsec security association to exist.