Aryaka SD-WAN Solution Guide
Aryaka and Prisma Access seamlessly integrate
to deliver a joint solution of a cloud-native global SD-WAN that
includes private connectivity, WAN optimization, and application
acceleration capabilities with a next-generation security platform
that provides a consistent level of security in both physical and
virtual environments.
Aryaka's SmartConnect delivers service
level agreement (SLA)-based reliable global connectivity and significantly
faster application performance for both on-premises and cloud/SaaS
applications, while Prisma Access adds a layer of advanced security
controls required for internet- and cloud-bound traffic.
The
Aryaka edge device, Aryaka Network Access Point (ANAP), can seamlessly
forward all internet traffic from branch locations to Prisma Access
using a secure IPSec tunnel.
Together, Aryaka and Prisma Access
deliver a best-of-breed SD-WAN and security platform for enterprises
accessing mission-critical internally hosted applications, as well as
accessing cloud applications using the internet.
This solution
guide provides you with the tasks you perform to integrate a branch
location using Aryaka SmartConnect with Prisma Access.
The
following sections describe how you use Aryaka SmartConnect with
Prisma Access to provide next-generation security on internet-bound traffic:
If
you have any issues after you complete these tasks, Troubleshoot the Aryaka Remote Network.
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices using
a remote network connection between the edge device at the branch
site, HQ, or hub and Prisma Access. To do this, you Onboard a Remote Network (Cloud Management), making sure
that you use the supported IKE and IPSec cryptographic
settings detailed here.
The following table documents
the IKE/IPSec crypto settings that are supported with Prisma Access
and the Aryaka SD-WAN. In addition, the supported architecture types
are listed at the end of the table. A check mark indicates that
the profile or architecture type is supported; a dash (—) indicates
that it is not supported. Default and Recommended settings are noted
in the table.
Crypto Profile | Setting | Prisma Access | Aryaka SmartConnect
---|---|---|---
Tunnel Type | IPSec Tunnel | √ | √
 | GRE Tunnel | — | —
Routing | Static Routes | √ | √
 | Dynamic Routing (BGP) | √ | —
 | Dynamic Routing (OSPF) | — | —
IKE Versions | IKE v1 | √ | √
 | IKE v2 | √ | —
IPSec Phase 1 DH-Group | Group 1 | √ | —
 | Group 2 | √ | √
 | Group 5 | √ | √
 | Group 14 | √ | √
 | Group 19 | √ | —
 | Group 20 | √ | —
IPSec Phase 1 Auth (see note below) | MD5 | √ | √
 | SHA1 | √ | √
 | SHA256 | √ | √
 | SHA384 | √ | √
 | SHA512 | √ | √
IPSec Phase 1 Encryption | DES | √ | —
 | 3DES | √ | √
 | AES-128-CBC | √ | √
 | AES-192-CBC | √ | —
 | AES-256-CBC | √ | —
IPSec Phase 1 Key Lifetime | Default | √ | √
IPSec Phase 1 Peer Authentication | Pre-Shared Key | √ | √
 | Certificate | √ | —
IKE Peer Identification | FQDN | √ | √
 | IP Address | √ | √
 | User FQDN | √ | —
IKE Peer | As Static Peer | √ | √
 | As Dynamic Peer | √ | —
Options | NAT Traversal | √ | √
 | Passive Mode | √ | —
Ability to Negotiate Tunnel | Per Subnet Pair | √ | —
 | Per Pair of Hosts | √ | —
 | Per Gateway Pair | √ | —
IPSec Phase 2 DH-Group | Group 1 | √ | —
 | Group 2 | √ | √
 | Group 5 | √ | √
 | Group 14 | √ | √
 | Group 19 | √ | —
 | Group 20 | √ | —
 | No PFS | √ | √
IPSec Phase 2 Auth | MD5 | √ | —
 | SHA1 | √ | √
 | SHA256 | √ | √
 | SHA384 | √ | √
 | SHA512 | √ | √
 | None | √ | √
IPSec Phase 2 Encryption | DES | √ | —
 | 3DES | √ | √
 | AES-128-CBC | √ | √
 | AES-192-CBC | √ | —
 | AES-256-CBC | √ | —
 | AES-128-CCM | √ | —
 | AES-128-GCM | √ | —
 | AES-256-GCM | √ | —
 | NULL | √ | √
IPSec Protocol | ESP | √ | √
 | AH | √ | —
IPSec Phase 2 Key Lifetime | Default | √ | √
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √
 | ICMP | — | —
 | Bidirectional Forwarding Detection (BFD) | — | —
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | √
 | No Regional Hub/Gateway/Data Center | N/A | √

Note: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
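A tunnel profile only comes up if both peers support every setting, so the practical profile is the intersection of the two columns. The following added example (Python, not code from Aryaka or Palo Alto Networks) encodes that intersection from the table above, validates a proposed profile against it, flags choices both sides accept but that are cryptographically weak, and derives the strongest jointly supported option per setting; the key names, the WEAK set and the RANK ordering are my own assumptions.

```python
# Joint IKE/IPSec support for Prisma Access + Aryaka SmartConnect, transcribed
# from the table above: each set holds only options both columns mark supported.
JOINT = {
    "ike_version":    {"ikev1"},
    "p1_dh_group":    {"group2", "group5", "group14"},
    "p1_auth":        {"md5", "sha1", "sha256", "sha384", "sha512"},
    "p1_encryption":  {"3des", "aes-128-cbc"},
    "peer_auth":      {"pre-shared-key"},
    "peer_id":        {"fqdn", "ip-address"},
    "p2_dh_group":    {"group2", "group5", "group14", "no-pfs"},
    "p2_auth":        {"sha1", "sha256", "sha384", "sha512", "none"},
    "p2_encryption":  {"3des", "aes-128-cbc", "null"},
    "ipsec_protocol": {"esp"},
}
# Options both peers accept but that a reviewer should flag (assumed list):
# deprecated hashes, 3DES, small DH groups, and no-integrity/no-encryption/no-PFS.
WEAK = {"md5", "sha1", "3des", "group2", "group5", "no-pfs", "none", "null"}
# Assumed relative strength, used to pick the best jointly supported option.
RANK = {"sha512": 5, "sha384": 4, "sha256": 3, "aes-128-cbc": 3, "group14": 3,
        "group5": 2, "group2": 1, "3des": 1, "sha1": 1, "fqdn": 1, "ikev1": 1}

def check_profile(profile):
    """Return (errors, warnings) for a proposed tunnel profile (dict of settings)."""
    errors, warnings = [], []
    for key, allowed in JOINT.items():
        value = str(profile.get(key, "")).lower()
        if not value:
            errors.append(f"{key}: not set")
        elif value not in allowed:
            errors.append(f"{key}: {value!r} is not supported by both peers; "
                          f"choose from {sorted(allowed)}")
        elif value in WEAK:
            warnings.append(f"{key}: {value!r} works but is a weak choice")
    return errors, warnings

def recommended_profile():
    """Strongest option in every category that both peers support."""
    return {key: max(sorted(allowed), key=lambda v: RANK.get(v, 0))
            for key, allowed in JOINT.items()}

# Constructed sample: a profile copied from a generic IKEv2/AES-256 template.
TEMPLATE = {"ike_version": "IKEv2", "p1_dh_group": "group14", "p1_auth": "sha256",
            "p1_encryption": "aes-256-cbc", "peer_auth": "certificate",
            "peer_id": "fqdn", "p2_dh_group": "no-pfs", "p2_auth": "sha256",
            "p2_encryption": "aes-128-cbc", "ipsec_protocol": "esp"}

if __name__ == "__main__":
    errs, warns = check_profile(TEMPLATE)
    print("\n".join(errs + warns))
    print(recommended_profile())
```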
SD-WAN Deployment Architectures Supported by Aryaka
Aryaka's SD-WAN solution combines the overlay
and underlay network that includes a global private network, WAN
optimization, cloud connectivity and MyAryaka visibility that are
essential for an Enterprise WAN solution with superior application
performance. Aryaka owns and manages all aspects of the SD-WAN and
network connectivity end to end, which provides an agile and quick-to-deploy
solution.
The following figure shows a sample Aryaka deployment
topology. This sample deployment has two sites, Site A and Site B.
The Aryaka Edge device, or Aryaka Network Access Point (ANAP),
is a branch edge device that is included as part of the Aryaka SmartConnect
service. The Aryaka devices optimize, accelerate, and encrypt site-to-site
traffic originating from the client side before they send the traffic
over a secure IPSec tunnel to the Aryaka global SD-WAN. The SD-WAN
then encrypts the internet-bound traffic and sends it over a secure
IPSec tunnel to Prisma Access to secure your traffic.
Use Case | Supported?
---|---
Securing traffic from each branch site with 1 WAN link (Type 1): use an IPSec tunnel from each branch to Prisma Access, with an Aryaka SmartConnect device at the branch. | Yes
Securing branch and HQ sites with active/backup SD-WAN connections | Yes
Securing branch and HQ sites with active/active SD-WAN connections | No
Securing branch and HQ sites with SD-WAN edge devices in HA mode | Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | Yes