This section covers profile-level configuration settings. Profile Configuration lets you create profiles that can be reused as shared configuration across sites. Because a profile applies to multiple sites, any change to a profile value is reflected automatically on every site linked to that profile; you do not need to repeat the change for each site.
Following are the available types of profiles:
- Dynamic Routing Profiles
- QOS Profiles
- WAN Profiles
- Site Profiles
- DHCP Profiles
- IPsec Security Profiles
The profiles are interdependent in nature.
To view profiles, navigate to Configuration > Profiles and select the type of profile you want to create.
Dynamic routing profiles
The Dynamic Routing Profiles section provides the following options:
- Import Route Profiles
- Export Route Profiles
The Add Import Filter Profile option lets you add an import filter profile with an Import Profile Name, Profile Availability, and Import Filters that use the following fields:
- Protocol - Select the protocol from the drop-down menu.
- Routing Domain - To match routes from a specific routing domain, choose one of the configured Routing Domains from the drop-down menu.
- Source Router - Enter the IP address and netmask of the configured network object that describes the route’s network.
- Destination IP - Enter the destination IP address.
- Prefix - To match routes by prefix, choose a match predicate from the drop-down menu and enter a Route prefix in the adjacent field.
- Next Hop - Enter the next hop destination.
- Route Tag - Enter the route tag.
- Cost - The method (predicate) and the SD-WAN Route Cost that are used to narrow the selection of routes exported.
You can also configure the Include, Export Route to Citrix SD-WAN Appliances, Use OSPF Route Cost for Citrix SD-WAN Cost, and Service Type options.
The Add Export Filter Profile option lets you add an export filter profile. This section lists the Export Profile Name, Profile Availability, and Export Filters with Network Address/Mask, Prefix, Cost, Service Type, and Gateway IP Address. You can also set the Export OSPF Route Type and Export OSPF Route Weight.
You can edit or delete an existing profile as needed by using the edit and delete options. To view an existing profile, use the view option (the eye icon under Action), from which you can also add filter profiles.
QoS profiles
The Quality of Service (QoS) section lets you create a QoS profile by using the Add QoS Profile option. A QoS profile gives selected traffic improved service: it assigns priority by traffic type (Real-time, Interactive, and Bulk classes) and dedicated bandwidth, with the bandwidth split expressed as percentage values, and it also improves loss characteristics.
You can also view or delete an existing QoS profile.
WAN profiles
You can add a WAN link profile by using the WAN Link Profile option.
To create a WAN profile, fill in the WAN link information such as Profile Name, Access Type, Internet Category, LAN to WAN Rate (Mbps), and so on.
Site profiles
You can create a site profile by selecting the Create New or Select Template option from the Add Site Profile drop-down menu.
To create a site profile, you configure Site Details, Interfaces, and WAN Links.
Assign an interface to the site by using the Add Interface option.
To add an interface, fill in the Interface Attributes, Physical Interface, and Virtual Interfaces fields. Once all the entries are filled in, click Save and then Done.
Add a WAN link by using the Add WAN Link option.
Fill in the WAN Link Attributes, Access Interfaces, and Services, together with the Advanced Options.
DHCP profiles
DHCP profiles are groups of DHCP configurations that can be applied to individual IP address ranges or to a single host.
Select a DHCP option. The option number is pre-configured. For custom options, the range is 224–254. Select a data type and enter a value for the option.
IPsec security profiles
To add an IPsec security profile, navigate to Configuration > Profiles > IPsec Security Profiles.
IPsec provides secure tunnels. Citrix SD-WAN supports IPsec virtual paths, enabling third-party devices to terminate IPsec VPN tunnels on the LAN or WAN side of a Citrix SD-WAN appliance. You can secure site-to-site IPsec tunnels terminating on an SD-WAN appliance by using a FIPS 140-2 Level 1 certified IPsec cryptographic binary.
Citrix SD-WAN also supports resilient IPsec tunneling using a differentiated virtual path tunneling mechanism.
IPsec profiles are used when configuring IPsec services as delivery service sets. For more information, see Delivery service set.
On the IPsec security profile page, enter the required values in the IPsec Security Profile, IKE Settings, and IPsec Settings sections.
IPsec security profile information
- Profile Name: Provide a profile name.
- MTU: Enter the maximum IKE or IPsec packet size in bytes.
- Keep Alive: Select the check box to keep the tunnel active and enable route eligibility.
IKE settings
- IKE Version: Select an IKE protocol version from the drop-down list.
- Mode: Select either Main mode or Aggressive mode from the drop-down list as the IKE Phase 1 negotiation mode.
  - Main: No information is exposed to potential attackers during negotiation, but it is slower than Aggressive mode.
  - Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but it is faster than Main mode.
- Authentication: Choose the authentication type as Certificate or Pre-shared Key from the drop-down menu.
- Identity: Select the identity method from the drop-down list.
- Peer Identity: Select the peer identity method from the drop-down list.
- DH Group: Select one of the available Diffie-Hellman (DH) groups to use for IKE key generation.
- Hash Algorithm: Choose a hashing algorithm from the drop-down list to authenticate IKE messages.
- Encryption Mode: Choose the Encryption Mode for IKE messages from the drop-down list.
- Lifetime (s): Enter the preferred duration (in seconds) for an IKE security association to exist.
- Lifetime (s) Max: Enter the maximum preferred duration (in seconds) to allow an IKE security association to exist.
- DPD timeout (s): Enter the Dead Peer Detection timeout (in seconds) for VPN connections.
IPsec settings
- Tunnel Type: Choose ESP, ESP+Auth, ESP+NULL, or AH as the tunnel encapsulation type from the drop-down list.
  - ESP: Encrypts the user data only
  - ESP+Auth: Encrypts the user data and includes an HMAC
  - ESP+NULL: Packets are authenticated but not encrypted
  - AH: Only includes an HMAC
- PFS Group: Choose the Diffie-Hellman group to use for perfect forward secrecy key generation from the drop-down menu.
- Encryption Mode: Choose the Encryption Mode for IPsec messages from the drop-down menu.
- Hash Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification.
- Network Mismatch: Choose an action to take if a packet does not match the IPsec Tunnel’s Protected Networks from the drop-down menu.
- Lifetime (s): Enter the amount of time (in seconds) for an IPsec security association to exist.
- Lifetime (s) Max: Enter the maximum amount of time (in seconds) to allow an IPsec security association to exist.
- Lifetime (KB): Enter the amount of data (in kilobytes) for an IPsec security association to exist.
- Lifetime (KB) Max: Enter the maximum amount of data (in kilobytes) to allow an IPsec security association to exist.
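As an added example (not Citrix code and not part of the original page), the following Python script audits a profile against the IKE and IPsec settings described above: negotiation mode, hash algorithm, tunnel type, PFS, lifetime ordering, and DPD timeout. The field names, the two sample profiles, and the DH group label "Group 14" are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hash choices the profile page lists for HMAC verification: MD5, SHA1, SHA-256.
WEAK_HASHES = {"MD5", "SHA1"}
# Tunnel types that authenticate packets but leave the user data unencrypted.
UNENCRYPTED_TUNNELS = {"ESP+NULL", "AH"}


@dataclass
class IPsecProfile:
    """Subset of the IPsec security profile fields (field names are assumed)."""
    name: str
    ike_mode: str               # "Main" or "Aggressive"
    ike_hash: str
    ike_lifetime: int           # seconds
    ike_lifetime_max: int       # seconds
    dpd_timeout: int            # seconds
    tunnel_type: str            # ESP, ESP+Auth, ESP+NULL or AH
    pfs_group: Optional[str]    # None models a profile with no PFS group chosen
    ipsec_hash: str
    ipsec_lifetime: int         # seconds
    ipsec_lifetime_max: int     # seconds
    ipsec_lifetime_kb: int      # kilobytes
    ipsec_lifetime_kb_max: int  # kilobytes


def audit_profile(p: IPsecProfile) -> List[str]:
    """Return review findings for one profile; an empty list means it passes."""
    findings = []
    if p.ike_mode == "Aggressive":
        findings.append("Aggressive mode exposes peer identity during IKE negotiation")
    if p.ike_hash in WEAK_HASHES or p.ipsec_hash in WEAK_HASHES:
        findings.append("MD5/SHA1 selected; prefer SHA-256 for HMAC")
    if p.tunnel_type in UNENCRYPTED_TUNNELS:
        findings.append(f"{p.tunnel_type} authenticates but does not encrypt user data")
    elif p.tunnel_type == "ESP":
        findings.append("ESP without Auth carries no HMAC; prefer ESP+Auth")
    if p.pfs_group is None:
        findings.append("no PFS group set; a leaked IKE key would expose past traffic")
    if p.ike_lifetime > p.ike_lifetime_max:
        findings.append("IKE Lifetime (s) exceeds Lifetime (s) Max")
    if p.ipsec_lifetime > p.ipsec_lifetime_max or p.ipsec_lifetime_kb > p.ipsec_lifetime_kb_max:
        findings.append("IPsec Lifetime exceeds its Max value")
    if p.dpd_timeout <= 0:
        findings.append("DPD timeout must be positive so dead peers are detected")
    return findings


# Constructed sample profiles for the audit (not taken from any real deployment).
LEGACY = IPsecProfile("branch-legacy", "Aggressive", "MD5", 28800, 86400, 0,
                      "ESP", None, "SHA1", 3600, 3000, 1000000, 2000000)
HARDENED = IPsecProfile("branch-hardened", "Main", "SHA-256", 28800, 86400, 10,
                        "ESP+Auth", "Group 14", "SHA-256", 3600, 7200, 1000000, 2000000)
```

Running `audit_profile(LEGACY)` returns six findings, while `audit_profile(HARDENED)` returns none.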