Aryaka SD-WAN Solution Guide
Aryaka and Prisma Access integrate to deliver a joint solution: a cloud-native global SD-WAN that includes private connectivity, WAN optimization, and application acceleration, combined with a next-generation security platform that provides a consistent level of security in both physical and virtual environments.

Aryaka's SmartConnect delivers service level agreement (SLA)-based reliable global connectivity and significantly faster application performance for both on-premises and cloud/SaaS applications, while Prisma Access adds the advanced security controls required for internet- and cloud-bound traffic. The Aryaka edge device, the Aryaka Network Access Point (ANAP), forwards all internet traffic from branch locations to Prisma Access over an IPSec tunnel.

Together, Aryaka and Prisma Access deliver an SD-WAN and security platform for enterprises that access mission-critical internally hosted applications as well as cloud applications over the internet.

This solution guide describes the tasks you perform to integrate a branch location that uses Aryaka SmartConnect with Prisma Access. The following sections describe how you use Aryaka SmartConnect with Prisma Access to provide next-generation security on internet-bound traffic:

If you have any issues after you complete these tasks, see Troubleshoot the Aryaka Remote Network.
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices using a remote network connection between the edge device at the branch site, HQ, or hub and Prisma Access. Use Panorama to create the remote network connection and the IKE and IPSec crypto profiles; then set up the IPSec tunnel on the SD-WAN edge device using the same crypto settings you configured in Panorama.

The following table documents the IKE/IPSec crypto settings that Prisma Access and the Aryaka SD-WAN support; the supported architecture types are listed at the end of the table. A check mark (✓) indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.

Supported is not the same as secure. Both columns also accept legacy options (3DES, MD5 for Phase 1 authentication, NULL encryption and no authentication for Phase 2, and no PFS), and the IKE negotiation only succeeds on options that appear in both columns. Choose the strongest option both peers support (for this pairing: IKEv1, DH group 14 for Phase 1 and for PFS, AES-128-CBC, SHA256 or stronger, ESP) and configure identical values on both sides; a mismatch in any one setting is the most common reason the tunnel fails to come up.
Setting | Option | Prisma Access | Aryaka SmartConnect
---|---|---|---
Tunnel Type | IPSec Tunnel | ✓ | ✓
Tunnel Type | GRE Tunnel | — | —
Routing | Static Routes | ✓ | ✓
Routing | Dynamic Routing (BGP) | ✓ | —
Routing | Dynamic Routing (OSPF) | — | —
IKE Version | IKEv1 | ✓ | ✓
IKE Version | IKEv2 | ✓ | —
IPSec Phase 1 DH Group | Group 1 | ✓ | —
IPSec Phase 1 DH Group | Group 2 | ✓ | ✓
IPSec Phase 1 DH Group | Group 5 | ✓ | ✓
IPSec Phase 1 DH Group | Group 14 | ✓ | ✓
IPSec Phase 1 DH Group | Group 19 | ✓ | —
IPSec Phase 1 DH Group | Group 20 | ✓ | —
IPSec Phase 1 Authentication | MD5 | ✓ | ✓
IPSec Phase 1 Authentication | SHA1 | ✓ | ✓
IPSec Phase 1 Authentication | SHA256 | ✓ | ✓
IPSec Phase 1 Authentication | SHA384 | ✓ | ✓
IPSec Phase 1 Authentication | SHA512 | ✓ | ✓
IPSec Phase 1 Encryption | DES | ✓ | —
IPSec Phase 1 Encryption | 3DES | ✓ | ✓
IPSec Phase 1 Encryption | AES-128-CBC | ✓ | ✓
IPSec Phase 1 Encryption | AES-192-CBC | ✓ | —
IPSec Phase 1 Encryption | AES-256-CBC | ✓ | —
IPSec Phase 1 Key Lifetime | Default | ✓ | ✓
IPSec Phase 1 Peer Authentication | Pre-Shared Key | ✓ | ✓
IPSec Phase 1 Peer Authentication | Certificate | ✓ | —
IKE Peer Identification | FQDN | ✓ | ✓
IKE Peer Identification | IP Address | ✓ | ✓
IKE Peer Identification | User FQDN | ✓ | —
IKE Peer | As Static Peer | ✓ | ✓
IKE Peer | As Dynamic Peer | ✓ | —
Options | NAT Traversal | ✓ | ✓
Options | Passive Mode | ✓ | —
Ability to Negotiate Tunnel | Per Subnet Pair | ✓ | —
Ability to Negotiate Tunnel | Per Pair of Hosts | ✓ | —
Ability to Negotiate Tunnel | Per Gateway Pair | ✓ | —
IPSec Phase 2 DH Group (PFS) | Group 1 | ✓ | —
IPSec Phase 2 DH Group (PFS) | Group 2 | ✓ | ✓
IPSec Phase 2 DH Group (PFS) | Group 5 | ✓ | ✓
IPSec Phase 2 DH Group (PFS) | Group 14 | ✓ | ✓
IPSec Phase 2 DH Group (PFS) | Group 19 | ✓ | —
IPSec Phase 2 DH Group (PFS) | Group 20 | ✓ | —
IPSec Phase 2 DH Group (PFS) | No PFS | ✓ | ✓
IPSec Phase 2 Authentication | MD5 | ✓ | —
IPSec Phase 2 Authentication | SHA1 | ✓ | ✓
IPSec Phase 2 Authentication | SHA256 | ✓ | ✓
IPSec Phase 2 Authentication | SHA384 | ✓ | ✓
IPSec Phase 2 Authentication | SHA512 | ✓ | ✓
IPSec Phase 2 Authentication | None | ✓ | ✓
IPSec Phase 2 Encryption | DES | ✓ | —
IPSec Phase 2 Encryption | 3DES | ✓ | ✓
IPSec Phase 2 Encryption | AES-128-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-192-CBC | ✓ | —
IPSec Phase 2 Encryption | AES-256-CBC | ✓ | —
IPSec Phase 2 Encryption | AES-128-CCM | ✓ | —
IPSec Phase 2 Encryption | AES-128-GCM | ✓ | —
IPSec Phase 2 Encryption | AES-256-GCM | ✓ | —
IPSec Phase 2 Encryption | NULL | ✓ | ✓
IPSec Protocol | ESP | ✓ | ✓
IPSec Protocol | AH | ✓ | —
IPSec Phase 2 Key Lifetime | Default | ✓ | ✓
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | ✓ | ✓
Tunnel Monitoring Fallback | ICMP | — | —
Tunnel Monitoring Fallback | Bidirectional Forwarding Detection (BFD) | — | —
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | ✓
SD-WAN Architecture Type | No Regional Hub/Gateway/Data Center | N/A | ✓

Note: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1). Aryaka SmartConnect supports neither IKEv2 nor certificate-based peer authentication, so this restriction applies only to other remote network peers, not to the Aryaka tunnel.
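Because the tunnel only comes up on settings both peers support, it helps to encode the support table as data and check a candidate Panorama profile against it before you commit. The script below is an added example written for this page; it is not code from Aryaka or Palo Alto Networks. The two support matrices are transcribed from the crypto rows of the table above (routing, peer identification and tunnel monitoring are not modeled). The strongest-first preference order, the set of options flagged as weak, the setting names and the sample legacy profile are this example's own assumptions.

```python
"""Check an IKE/IPSec crypto profile against what Prisma Access and Aryaka
SmartConnect both support, and flag weak choices, before committing it.

Added example for this page, not vendor code. Support matrices come from the
table above; preference order and the WEAK list are this example's assumptions.
"""

# Per-setting preference order, strongest first (assumption of this example).
PREFERENCE = {
    "ike_version": ["IKEv2", "IKEv1"],
    "p1_dh_group": ["Group 20", "Group 19", "Group 14", "Group 5", "Group 2", "Group 1"],
    "p1_auth": ["SHA512", "SHA384", "SHA256", "SHA1", "MD5"],
    "p1_encryption": ["AES-256-CBC", "AES-192-CBC", "AES-128-CBC", "3DES", "DES"],
    "p1_peer_auth": ["Certificate", "Pre-Shared Key"],
    "p2_dh_group": ["Group 20", "Group 19", "Group 14", "Group 5", "Group 2", "Group 1", "No PFS"],
    "p2_auth": ["SHA512", "SHA384", "SHA256", "SHA1", "MD5", "None"],
    "p2_encryption": ["AES-256-GCM", "AES-128-GCM", "AES-128-CCM", "AES-256-CBC",
                      "AES-192-CBC", "AES-128-CBC", "3DES", "DES", "NULL"],
    "protocol": ["ESP", "AH"],
}

# Per the table, the Prisma Access column is a check mark for every option above.
PRISMA_ACCESS = {setting: set(options) for setting, options in PREFERENCE.items()}

# Aryaka SmartConnect column, transcribed from the table.
ARYAKA = {
    "ike_version": {"IKEv1"},
    "p1_dh_group": {"Group 2", "Group 5", "Group 14"},
    "p1_auth": {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"},
    "p1_encryption": {"3DES", "AES-128-CBC"},
    "p1_peer_auth": {"Pre-Shared Key"},
    "p2_dh_group": {"Group 2", "Group 5", "Group 14", "No PFS"},
    "p2_auth": {"SHA1", "SHA256", "SHA384", "SHA512", "None"},
    "p2_encryption": {"3DES", "AES-128-CBC", "NULL"},
    "protocol": {"ESP"},
}

# Options that are listed as supported but that a security review should reject.
WEAK = {
    "DES": "56-bit key",
    "3DES": "64-bit block size (Sweet32), deprecated",
    "MD5": "broken hash",
    "SHA1": "deprecated hash",
    "NULL": "no confidentiality",
    "None": "no integrity protection",
    "No PFS": "a compromised IKE key decrypts all past Phase 2 traffic",
    "Group 1": "768-bit MODP",
    "Group 2": "1024-bit MODP",
    "Group 5": "1536-bit MODP, below 112-bit security",
    "AH": "no confidentiality",
}

# Constructed sample: the kind of profile an old branch template might carry.
LEGACY_PROFILE = {
    "ike_version": "IKEv2", "p1_dh_group": "Group 2", "p1_auth": "SHA1",
    "p1_encryption": "3DES", "p1_peer_auth": "Pre-Shared Key",
    "p2_dh_group": "No PFS", "p2_auth": "SHA1", "p2_encryption": "3DES",
    "protocol": "ESP",
}


def common_options(setting):
    """Options of one setting that both peers support, strongest first."""
    return [o for o in PREFERENCE[setting]
            if o in PRISMA_ACCESS[setting] and o in ARYAKA[setting]]


def strongest_common_profile():
    """Profile the negotiation lands on when both sides propose everything they
    support in strongest-first order. Raises if a setting has no overlap."""
    profile = {}
    for setting in PREFERENCE:
        options = common_options(setting)
        if not options:
            raise ValueError(f"no mutually supported option for {setting}")
        profile[setting] = options[0]
    return profile


def lint_profile(profile):
    """Problems to fix before commit: options either peer lacks (the tunnel will
    not come up) and options that are supported but weak."""
    problems = []
    for setting, option in profile.items():
        if option not in PREFERENCE.get(setting, []):
            problems.append(f"{setting}: unknown option {option!r}")
            continue
        for peer, matrix in (("Prisma Access", PRISMA_ACCESS), ("Aryaka", ARYAKA)):
            if option not in matrix[setting]:
                problems.append(f"{setting}: {option} is not supported by {peer}; tunnel will not come up")
        if option in WEAK:
            problems.append(f"{setting}: {option} is weak ({WEAK[option]})")
    return problems


if __name__ == "__main__":
    for setting, option in strongest_common_profile().items():
        print(f"{setting:15} {option}")
    for problem in lint_profile(LEGACY_PROFILE):
        print("LEGACY:", problem)
```

Running the script prints the strongest mutually supported profile (IKEv1, group 14 for Phase 1 and PFS, AES-128-CBC, SHA512, ESP with a pre-shared key) and then lists what is wrong with the legacy profile: IKEv2 is rejected outright because Aryaka does not support it, and the remaining choices are flagged as weak even though both peers accept them. Keep the two matrices in version control next to your Panorama templates and re-run the lint whenever either vendor updates its support list.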
SD-WAN Deployment Architectures Supported by Aryaka
Aryaka's SD-WAN solution combines the overlay and underlay network, including a global private network, WAN optimization, cloud connectivity, and MyAryaka visibility, which are essential for an enterprise WAN solution with superior application performance. Aryaka owns and manages all aspects of the SD-WAN and network connectivity end to end, which provides an agile and quick-to-deploy solution.

The following figure shows a sample Aryaka deployment topology. This sample deployment has two sites, Site A and Site B. The Aryaka edge device, or Aryaka Network Access Point (ANAP), is a branch edge device that is included as part of the Aryaka SmartConnect service. The Aryaka devices optimize, accelerate, and encrypt site-to-site traffic originating on the client side before they send the traffic over a secure IPSec tunnel to the Aryaka global SD-WAN. The SD-WAN then encrypts the internet-bound traffic and sends it over a second IPSec tunnel to Prisma Access, which applies the security policy. Note that the branch traffic is therefore decrypted and re-encrypted inside the Aryaka network, and that the tunnel to Prisma Access terminates on the Aryaka side rather than on the ANAP itself.
Use Case | Architecture | Supported?
---|---|---
Securing traffic from each branch site with 1 WAN link (Type 1): an IPSec tunnel from each branch to Prisma Access, with an Aryaka SmartConnect device at the branch | (diagram not included) | Yes
Securing branch and HQ sites with active/backup SD-WAN connections | (diagram not included) | Yes
Securing branch and HQ sites with active/active SD-WAN connections | (diagram not included) | No
Securing branch and HQ sites with SD-WAN edge devices in HA mode | (diagram not included) | Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | (diagram not included) | Yes