The bonded links formed with WAN Virtualization are not encrypted by default. For site-to-site VPNs using WAN Virtualization for seamless failover, encryption is already provided by the VPN gateways. Additionally, private WAN links (such as MPLS) do not require additional encryption for LAN-to-LAN traffic as the network is secure and encryption results in additional overhead.
The Ecessa ShieldLink, ClariLink, and WANWorX appliances can safeguard unencrypted LAN-to-LAN traffic with the use of site encryption. This creates an IPSec encrypted tunnel between the configured WAN Virtualization initiation point (local WAN IP) and end point (remote WAN IP) addresses.
Site Encryption Configuration (WAN Virtualization page)
In version 10.6.4, the IPSec VPN can be created on the WAN Virtualization / Channel Bonding page itself. Use the "Site Encryption" section of the WAN Virtualization Basic tab to create an IPSec security association to encrypt the tunnels. All tunnels will be encrypted automatically, but tunnel encryption can be modified on the WAN Virtualization Advanced tab. Other changes (such as encryption options), however, can only be made in the VPN section of the user interface.
Site Encryption Configuration (VPN page)
This section will cover the settings required for the example network in the WAN Virtualization overview.
Log into the web interface of the Ecessa appliance. Go to VPN located under Advanced Setup in the left-hand menu.
On the VPN configuration page, select the Enable VPN check box and confirm the change. Click the Add IPSec button.
On the VPN Security Association configuration page, do the following:
- Enter the name of the Security Association.
- Select WAN Virtualization or Channel Bonding as the connection type and select the appropriate WAN Virtualization site from the drop-down menu.
- By default, all links will be encrypted, though any link may be left unencrypted by deselecting its Encrypt check box.
- Select the authentication type. For this example, pre-shared secret is used.
- Enter the desired encryption options. For this example, the default settings are used, as ANY indicates that the encryption settings are to be negotiated.
Click the Activate button to save the changes.
The other site will also need to have site encryption enabled.