Citrix SD-WAN WANOP

Configure cloud connector tunnel

To configure the Citrix Cloud Connector tunnel, use the configuration utility of both the Citrix VPX appliances to perform the following tasks:

  • Create an IPSec profile—An IPSec profile entity specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, hash algorithm, and PSK, to be used by the IPSec protocol in the Citrix Cloud Connector tunnel.

  • Create an IP tunnel and associate the IPSec profile with it—An IP tunnel specifies the local IP address, remote IP address, protocol used to set up the Citrix Cloud Connector tunnel, and an IPSec profile entity. The created IP tunnel entity is also called the Citrix Cloud Connector tunnel entity.

  • Create a PBR rule and associate the IP tunnel with it—A PBR entity specifies a set of conditions and an IP tunnel (Citrix Cloud Connector tunnel) entity. The source IP address range and the destination IP address range are the conditions for the PBR entity. You must set the source IP address range and the destination IP address range to specify the subnets whose traffic is to traverse the Citrix Cloud Connector tunnel. For example, consider a request packet that originates from a client on the subnet in the datacenter and is destined for a server on the subnet in the AWS cloud. If this packet matches the source and destination IP ranges of the PBR entity on the Citrix virtual appliance running on the Citrix SD-WAN WANOP appliance in the datacenter, it is considered for Citrix SD-WAN WANOP processing, which sends the packet across the Citrix Cloud Connector tunnel associated with the PBR entity.

To create an IPSEC profile by using the command line interface:

At the command prompt, type:

  • `add ipsec profile <ipsec_profile_name> -encAlgo AES -hashAlgo HMAC_SHA1 -lifetime 500 -psk <password>`

To create an IP tunnel and bind the IPSEC profile to it by using the command line interface:

At the command prompt, type:

  • `add iptunnel <tunnel_name> <remote_cbc_public_IP> <remote_cbc_netmask> <lan_subnet_IP> -protocol GRE -ipsecProfileName <ipsec_profile>`

To create a PBR rule and bind the IPSEC tunnel to it by using the command line interface:

At the command prompt, type:

  • `add ns pbr <pbr_name> ALLOW -srcIP = <local_lan_subnet> -destIP = <remote_lan_subnet> -ipTunnel <tunnel_name>`

  • `apply ns pbrs`
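The three CLI commands above must be entered on both appliances with mirrored values: the remote IP of one end is the public IP of the other, and the source range of one PBR is the destination range of the other. The following added example (not Citrix code) generates both ends from a single description so the PSK, algorithms and PBR ranges cannot drift apart; entity names, the host netmask for the remote peer, and all addresses are constructed assumptions.

```python
# Added example (not Citrix's own code): generate mirrored Citrix Cloud Connector
# tunnel commands for both ends from one shared description, so PSK, algorithms
# and PBR ranges cannot drift apart between the datacenter and AWS appliances.
from dataclasses import dataclass
from ipaddress import IPv4Network

@dataclass(frozen=True)
class Site:
    name: str                 # label used in entity names, e.g. "dc" or "aws"
    public_ip: str            # address the peer uses as the tunnel Remote IP
    lan_subnet: IPv4Network   # LAN whose traffic must traverse the tunnel
    snip: str                 # local Subnet IP used as the tunnel's Local IP

def end_config(local: Site, remote: Site, psk: str, enc="AES",
               hash_algo="HMAC_SHA1", lifetime=500, remote_mask="255.255.255.255"):
    """CLI lines for `local`. remote_mask defaults to a host mask (assumption:
    the peer is a single public IP), filling the page's <remote_cbc_netmask>."""
    if local.lan_subnet.overlaps(remote.lan_subnet):
        raise ValueError("LAN subnets overlap: PBR source/destination ranges collide")
    src = f"{local.lan_subnet[0]}-{local.lan_subnet[-1]}"
    dst = f"{remote.lan_subnet[0]}-{remote.lan_subnet[-1]}"
    tag = f"{local.name}_to_{remote.name}"
    return [
        f"add ipsec profile ipsec_{tag} -encAlgo {enc} -hashAlgo {hash_algo} "
        f"-lifetime {lifetime} -psk {psk}",
        f"add iptunnel tun_{tag} {remote.public_ip} {remote_mask} {local.snip} "
        f"-protocol GRE -ipsecProfileName ipsec_{tag}",
        f"add ns pbr pbr_{tag} ALLOW -srcIP = {src} -destIP = {dst} -ipTunnel tun_{tag}",
        "apply ns pbrs",
    ]

def both_ends(a: Site, b: Site, psk: str) -> dict:
    """Config for both appliances from the same inputs: a's destIP is b's srcIP."""
    return {a.name: end_config(a, b, psk), b.name: end_config(b, a, psk)}

def pbr_ranges(lines):
    """Return (srcIP, destIP) of the PBR line, for checking that the ends mirror."""
    pbr = next(l for l in lines if l.startswith("add ns pbr"))
    toks = pbr.split()
    return toks[toks.index("-srcIP") + 2], toks[toks.index("-destIP") + 2]

# Constructed sample values (not from the page): RFC 5737 / RFC 1918 addresses.
DC = Site("dc", "198.51.100.10", IPv4Network("10.10.0.0/24"), "10.10.0.1")
AWS = Site("aws", "203.0.113.20", IPv4Network("172.16.5.0/24"), "172.16.5.1")
CONFIG = both_ends(DC, AWS, psk="<psk-placeholder>")

if __name__ == "__main__":
    for site, lines in CONFIG.items():
        print(f"# {site}\n" + "\n".join(lines) + "\n")
```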

To create an IPSEC profile by using the configuration utility:

  1. Navigate to System > Citrix Cloud Connector > IPSec Profile.

  2. In the details pane, click Add.

  3. In the Add IPSec Profile dialog box, set the following parameters:

    • Name

    • Encryption Algorithm

    • Hash Algorithm

    • IKE Protocol Version (select V2)

  4. Select the IPSec authentication method that the two peers use to authenticate each other:

    • For Pre-shared key authentication method, set the Pre-Shared Key Exists parameter.

    • For the digital certificates authentication method, set the following parameters:

      • Public Key

      • Private Key

      • Peer Public Key

  5. Click Create, and then click Close.

To create an IP tunnel and bind the IPSEC profile to it by using the configuration utility:

  1. Navigate to System > Citrix Cloud Connector > IP Tunnels.

  2. On the IPv4 Tunnels tab, click Add.

  3. In the Add IP Tunnel dialog box, set the following parameters:

    • Name

    • Remote IP

    • Remote Mask

    • Local IP Type (In the Local IP Type drop down list, select Subnet IP).

    • Local IP (All the configured IPs of the selected IP type will be populated in the Local IP drop down list. Select the desired IP from the list.)

    • Protocol

    • IPSec Profile

  4. Click Create, and then click Close.

To create a PBR rule and bind the IPSEC tunnel to it by using the configuration utility:

  1. Navigate to System > Network > PBR.

  2. On the PBR tab, click Add.

  3. In the Create PBR dialog box, set the following parameters:

    • Name

    • Action

    • Next Hop Type (Select IP Tunnel)

    • IP Tunnel Name

    • Source IP Low

    • Source IP High

    • Destination IP Low

    • Destination IP High

  4. Click Create, and then click Close.

    The new Citrix Cloud Connector tunnel configuration on the Citrix SD-WAN WANOP appliance in the datacenter appears on the Home tab of the Management Service user interface.

    The corresponding new Citrix Cloud Connector tunnel configuration on the Citrix VPX appliance in the AWS cloud appears in the configuration utility.

    The current status of the Citrix Cloud Connector tunnel is indicated in the Configured Citrix SD-WAN WANOP pane. A green dot indicates that the tunnel is up. A red dot indicates that the tunnel is down.
