Aryaka SD-WAN Solution Guide
Integrate an Aryaka SD-WAN with Prisma Access.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | Aryaka SmartConnect subscription |
Aryaka and Prisma Access seamlessly integrate to deliver a joint solution of a
cloud-native global SD-WAN that includes private connectivity, WAN optimization, and
application acceleration capabilities with a next-generation security platform that
provides a consistent level of security in both physical and virtual environments.
Aryaka's SmartConnect delivers service level agreement (SLA)-based reliable global
connectivity and faster application performance for both on-premises and cloud/SaaS
applications, while Prisma Access adds a layer of advanced security controls required
for internet- and cloud-bound traffic.
The Aryaka edge device, Aryaka Network Access Point (ANAP), can seamlessly forward all
internet traffic from branch locations to Prisma Access using a secure IPSec tunnel.
Together, Aryaka and Prisma Access deliver a best-of-breed SD-WAN and security platform
for enterprises accessing mission-critical internally hosted applications, as well as
cloud applications reached over the internet.
This solution guide provides you with the tasks you perform to integrate a branch
location using Aryaka SmartConnect with Prisma Access.
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices using a remote network connection between the
edge device at the branch site, HQ, or hub to Prisma Access. To do this you will
onboard a remote network, ensuring that you use supported IKE and IPSec
cryptographic settings.
The following table documents the IKE/IPSec crypto settings that are supported with
Prisma Access and the Aryaka SD-WAN. In addition, the supported architecture types
are listed at the end of the table. A check mark indicates that the profile or
architecture type is supported; a dash (—) indicates that it's not supported.
Default and Recommended settings are noted in the table.
| Crypto Profiles | Option | Prisma Access | Aryaka SmartConnect |
| --- | --- | --- | --- |
| Tunnel Type | IPSec Tunnel | √ | √ |
| Tunnel Type | GRE Tunnel | — | — |
| Dynamic Routing | BGP | √ | — |
| Dynamic Routing | OSPF | — | — |
| IPSec Phase 1 DH-Group | Group 1 | √ | — |
| IPSec Phase 1 DH-Group | Group 2 | √ (Default) | √ (Default) |
| IPSec Phase 1 Auth (If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).) | MD5 | √ | √ |
| IPSec Phase 1 Encryption | DES | √ | — |
| IPSec Phase 1 Encryption | AES-128-CBC | √ (Default) | √ (Default) |
| IPSec Phase 1 Encryption | AES-256-CBC | √ (Recommended) | — |
| IPSec Phase 1 Key Lifetime | Default | √ (8 Hours) | √ (8 Hours) |
| IPSec Phase 1 Peer Authentication | Pre-Shared Key | √ | √ |
| IKE Peer Identification | FQDN | √ | √ |
| IKE Peer | As Static Peer | √ | √ |
| Ability to Negotiate Tunnel | Per Subnet Pair | √ | — |
| IPSec Phase 2 DH-Group | Group 1 | √ | — |
| IPSec Phase 2 DH-Group | Group 2 | √ (Default) | √ (Default) |
| IPSec Phase 2 Auth | MD5 | √ | — |
| IPSec Phase 2 Auth | SHA1 | √ (Default) | √ (Default) |
| IPSec Phase 2 Encryption | DES | √ | — |
| IPSec Phase 2 Encryption | AES-256-GCM | √ (Recommended) | — |
| IPSec Phase 2 Key Lifetime | Default | √ (1 Hour) | √ (1 Hour) |
| Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √ |
| Tunnel Monitoring Fallback | ICMP | — | — |
| Tunnel Monitoring Fallback | Bidirectional Forwarding Detection (BFD) | — | — |
| SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | √ |
| SD-WAN Architecture Type | No Regional Hub/Gateway/Data Center | N/A | √ |
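The following is an added example, not code from Palo Alto Networks or Aryaka: it transcribes the crypto rows of the table above into data and, for each parameter, computes which options both sides support, ranks Recommended above Default above plainly supported, and flags legacy algorithms. The ranking and the set of algorithms treated as legacy (DES, MD5, DH Group 1) are this example's own assumptions; the support values come from the table.

```python
# Added example (not part of the Aryaka / Prisma Access documentation).
# Encodes the support matrix above as data and works out, per IKE/IPSec parameter,
# the strongest option both sides support, flagging legacy algorithms.

SUPPORTED, DEFAULT, RECOMMENDED, NO = "supported", "default", "recommended", None

# Transcribed from the table: option -> (Prisma Access, Aryaka SmartConnect).
MATRIX = {
    "IPSec Phase 1 DH-Group": {
        "Group 1": (SUPPORTED, NO),
        "Group 2": (DEFAULT, DEFAULT),
    },
    "IPSec Phase 1 Auth": {
        "MD5": (SUPPORTED, SUPPORTED),
    },
    "IPSec Phase 1 Encryption": {
        "DES": (SUPPORTED, NO),
        "AES-128-CBC": (DEFAULT, DEFAULT),
        "AES-256-CBC": (RECOMMENDED, NO),
    },
    "IPSec Phase 2 DH-Group": {
        "Group 1": (SUPPORTED, NO),
        "Group 2": (DEFAULT, DEFAULT),
    },
    "IPSec Phase 2 Auth": {
        "MD5": (SUPPORTED, NO),
        "SHA1": (DEFAULT, DEFAULT),
    },
    "IPSec Phase 2 Encryption": {
        "DES": (SUPPORTED, NO),
        "AES-256-GCM": (RECOMMENDED, NO),
    },
    "Tunnel Monitoring Fallback": {
        "Dead Peer Detection (DPD)": (SUPPORTED, SUPPORTED),
        "ICMP": (NO, NO),
        "Bidirectional Forwarding Detection (BFD)": (NO, NO),
    },
}

# Assumption of this example: algorithms a defender should avoid even when both
# sides still accept them.
LEGACY = {"DES", "MD5", "Group 1"}

# Assumption of this example: prefer what the table marks Recommended, then Default.
RANK = {RECOMMENDED: 3, DEFAULT: 2, SUPPORTED: 1}


def mutual_options(parameter):
    """Return the options of `parameter` supported by both sides, strongest first."""
    rows = MATRIX[parameter]
    both = [(opt, pa, ar) for opt, (pa, ar) in rows.items() if pa and ar]
    # Rank an option by the weaker of the two sides' ratings.
    both.sort(key=lambda t: min(RANK[t[1]], RANK[t[2]]), reverse=True)
    return [opt for opt, _, _ in both]


def choose(parameter):
    """Pick the best mutually supported option; returns (option, warnings)."""
    options = mutual_options(parameter)
    if not options:
        return None, [f"{parameter}: no option listed as supported by both sides"]
    best = options[0]
    warnings = []
    if best in LEGACY:
        warnings.append(f"{parameter}: only legacy option {best} is mutually supported")
    return best, warnings


def validate_profile(profile):
    """Check a proposed profile {parameter: option} against the matrix.

    Returns a list of findings; an empty list means every option is supported by
    both sides and none is a legacy algorithm.
    """
    findings = []
    for parameter, option in profile.items():
        rows = MATRIX.get(parameter)
        if rows is None or option not in rows:
            findings.append(f"{parameter}: {option} is not in the matrix")
            continue
        pa, ar = rows[option]
        if not pa:
            findings.append(f"{parameter}: {option} is not supported by Prisma Access")
        if not ar:
            findings.append(f"{parameter}: {option} is not supported by Aryaka SmartConnect")
        if option in LEGACY:
            findings.append(f"{parameter}: {option} is a legacy algorithm")
    return findings


def recommended_profile():
    """Best mutually supported option for every parameter (None where there is none)."""
    return {parameter: choose(parameter)[0] for parameter in MATRIX}


if __name__ == "__main__":
    for parameter in MATRIX:
        option, warnings = choose(parameter)
        print(f"{parameter}: {option}")
        for warning in warnings:
            print(f"  ! {warning}")
```

Run as a script, the output shows that Phase 1 authentication is only mutually listed with MD5 and that the table lists no Phase 2 encryption option on the Aryaka side, which is exactly the kind of gap to confirm with both vendors before onboarding the remote network.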