Riverbed SteelConnect SD-WAN Solution Guide
Focus
Focus
Prisma Access

Riverbed SteelConnect SD-WAN Solution Guide

Table of Contents

Riverbed SteelConnect SD-WAN Solution Guide

Where Can I Use This?
What Do I Need?
  • Prisma Access (Panorama Managed)
To use this Solution Guide, you need a knowledge of the following software and hardware concepts:
  • SD-WAN routing principles
  • SteelConnect Manager (SCM)
  • SteelConnect appliances (in particular, SteelConnect gateways)
  • Panorama appliance configuration tasks
  • Prisma Access configuration tasks

Supported IKE and IPSec Cryptographic Profiles

Prisma Access supports standard IPSec tunnels from third-party SD-WAN edge devices using IKE and IPSec Crypto profiles.
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and SteelConnect SD-WAN.
A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it's not supported. Default and Recommended settings are noted in the table.
Crypto Profiles
Prisma Access
SteelConnect SD-WAN
Tunnel Type
IPSec Tunnel
GRE Tunnel
Routing
Static Routes
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
IKE Versions
IKE v1
IKE v2
IPSec Phase 1 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
Group 19
Group 20
(Recommended)
IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
MD5
SHA1
(Default)
SHA256
SHA384
SHA512
(Recommended)
IPSec Phase 1 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
(Recommended)
AES-192-CBC
AES-256-CBC
(Recommended)
IPSec Phase 1 Key Lifetime Default
(8 Hours)
(3 Hours)
IPSec Phase 1 Peer Authentication
Pre-Shared Key
Certificate
IKE Peer Identification
FQDN
IP Address
User FQDN
IKE Peer
As Static Peer
As Dynamic Peer
Options
NAT Traversal
Passive Mode
Ability to Negotiate Tunnel
Per Subnet Pair
Per Pair of Hosts
Per Gateway Pair
IPSec Phase 2 DH-Group
Group 1
Group 2
(Default)
(Default)
Group 5
Group 14
Group 19
Group 20
(Recommended)
No PFS
IPSec Phase 2 Auth
MD5
SHA1
(Default)
SHA256
SHA384
SHA512
(Recommended)
(as well and GMAC AES256)
None
IPSec Phase 2 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
(Default)
AES-128-CCM
AES-128-GCM
AES-256-GCM
(Recommended)
NULL
IPSec Protocol
ESP
AH
IPSec Phase 2 Key Lifetime Default
(1 Hour)
(1 Hour)
Tunnel Monitoring Fallback
Dead Peer Detection (DPD)
ICMP
Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
With Regional Hub/Gateway/Data Center
NA
No Regional Hub/Gateway/Data Center
NA

SD-WAN Deployment Architectures Supported by Riverbed

Riverbed supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment isn't supported.
Use Case
Architecture
Supported?
Securing traffic from each branch site with 1 WAN link (Type 1)
Use an IPSec tunnel from each branch to Prisma Access. Use a Riverbed SD-WAN appliance device at the branch.
Yes
Securing branch and HQ sites with active/backup SD-WAN connections
No
Securing branch and HQ sites with active/active SD-WAN connections
No
Securing branch and HQ sites with SD-WAN edge devices in HA mode
Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
Yes

Recommended For You