Configure Secure Tunnel

Secure tunnel can be configured on:

■   Precrypted Traffic
■   Mirrored Traffic

Precrypted Traffic

You can send the precrypted traffic through a secure tunnel. When the secure tunnel for precryption is enabled, each packet is framed in PCAPng format and sent over the TLS socket.

When you enable the secure tunnel option for both regular and precryption packets, then two TLS secure tunnel sessions are created.

It is recommended to always enable secure tunnels for precrypted traffic so that the sensitive information is transferred securely.

For more information about PCAPng, refer to PCAPng Application.
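The page states only that precrypted packets are framed in PCAPng and pushed through the TLS socket; it does not say which PCAPng blocks or options the product writes. The following Python is an added example, not Gigamon code: it builds the minimal standard PCAPng stream (Section Header, Interface Description and Enhanced Packet blocks, as defined in the pcapng specification) and parses it back the way a receiving endpoint must, treating the TLS socket as a byte stream in which a block can arrive split across two reads. The sample packets and timestamps are constructed; the Ethernet link type and microsecond timestamp resolution are assumptions, and the real tunnel may add options this example omits.

```python
import struct

# Block type codes and the byte-order magic from the pcapng specification.
SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1          # assumption: the tunnel carries Ethernet frames


def _block(block_type, body, endian="<"):
    """Wrap a block body in the generic PCAPng block envelope.

    The body is padded to a 32-bit boundary and the total length (which
    covers both length fields) is written before and after the body.
    """
    body = body + b"\x00" * ((-len(body)) % 4)
    total = 4 + 4 + len(body) + 4
    return (struct.pack(endian + "II", block_type, total)
            + body
            + struct.pack(endian + "I", total))


def section_header(endian="<"):
    # Version 1.0; section length -1 means "not specified", which suits a
    # live stream whose total length is not known up front.
    return _block(SHB_TYPE, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)


def interface_description(linktype=LINKTYPE_ETHERNET, snaplen=0, endian="<"):
    # snaplen 0 means no capture-length limit. No if_tsresol option is
    # written, so EPB timestamps are in microseconds by default.
    return _block(IDB_TYPE, struct.pack(endian + "HHI", linktype, 0, snaplen), endian)


def enhanced_packet(packet, ts_us, interface_id=0, endian="<"):
    header = struct.pack(endian + "IIIII", interface_id,
                         ts_us >> 32, ts_us & 0xFFFFFFFF,
                         len(packet), len(packet))
    return _block(EPB_TYPE, header + packet, endian)


def frame_packets(packets, endian="<"):
    """Frame (packet_bytes, timestamp_us) pairs as one PCAPng section."""
    out = section_header(endian) + interface_description(endian=endian)
    for pkt, ts_us in packets:
        out += enhanced_packet(pkt, ts_us, endian=endian)
    return out


def parse_stream(data):
    """Parse every complete block in the buffer.

    Returns (packets, remainder): packets is a list of (packet_bytes, ts_us);
    remainder is the unparsed tail (a partial block) that the caller keeps
    and prepends to the next read from the TLS socket.
    """
    packets = []
    off = 0
    endian = "<"
    while len(data) - off >= 12:
        # The SHB type code is palindromic, so it reads the same in either
        # byte order; its magic field then fixes the byte order for the section.
        if struct.unpack_from("<I", data, off)[0] == SHB_TYPE:
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic == 0x4D3C2B1A:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
        block_type, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4:
            raise ValueError("corrupt block length %d" % total)
        if len(data) - off < total:
            break                              # partial block: wait for more bytes
        trailer = struct.unpack_from(endian + "I", data, off + total - 4)[0]
        if trailer != total:
            raise ValueError("block length trailer mismatch")
        if block_type == EPB_TYPE:
            body = data[off + 8:off + total - 4]
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from(endian + "IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block")
            packets.append((bytes(body[20:20 + caplen]), (ts_hi << 32) | ts_lo))
        off += total
    return packets, bytes(data[off:])


# Constructed sample input: one short Ethernet frame and one minimum-size frame.
SAMPLE_PACKETS = [
    (b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"payload", 1_700_000_000_000_000),
    (b"\x00" * 60, 1_700_000_000_000_001),
]

if __name__ == "__main__":
    stream = frame_packets(SAMPLE_PACKETS)
    got, rest = parse_stream(stream)
    print("blocks parsed:", len(got), "leftover bytes:", len(rest))
```

The receiver-side loop is the part worth copying: a TLS read boundary has no relation to a block boundary, so the parser stops at the first incomplete block and hands the tail back rather than raising, and it checks the trailing length against the leading one before trusting the body.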

Mirrored Traffic

You can enable the Secure Tunnel for mirrored traffic. By default, Secure Tunnel is disabled.

Refer to the following sections for Secure Tunnel Configuration:

■   Configure Secure Tunnel from UCT Container to GigaVUE V Series Node
■   Configure Secure Tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2

Prerequisites

While creating Secure Tunnel, you must provide the following details:

■   SSH key pair
■   CA certificate

Configure Secure Tunnel from UCT Container to GigaVUE V Series Node

To configure a secure tunnel for a UCT Container, you must configure one end of the tunnel on the UCT Container and the other end on a GigaVUE V Series node. You must configure the CA certificate in the UCT Container, and the private key and SSL certificate in the GigaVUE V Series node. Refer to the following tasks for configuration:

 

Task 1: Upload a Certificate Authority (CA) certificate

You must upload a CA certificate to the UCT Container for establishing a connection with the GigaVUE V Series node.

To upload the CA using GigaVUE-FM, follow the steps given below:

  1. Go to Inventory > Resources > Security > CA List.
  2. Click New to add a new Certificate Authority. The Add Certificate Authority page appears.
  3. Enter or select the following information:
     ■   Alias - Alias name of the CA.
     ■   File Upload - Choose the certificate from the desired location.
  4. Click Save.

For more information, refer to the section Adding Certificate Authority.

Task 2: Upload an SSL key

You must add an SSL key to the GigaVUE V Series node. To add the SSL key, follow the steps in the section SSL Decrypt.

Task 3: Select the SSL key when you create a monitoring domain and configure the fabric components in GigaVUE-FM

To select the SSL key, follow the steps in the section.

Task 4: Select the CA certificate when you create a monitoring domain and configure the fabric components in GigaVUE-FM

You should select the added Certificate Authority (CA) in UCT-V Controller. To select the CA certificate, follow the steps in the section UCT-C and GigaVUE-FM Interaction.

Task 5: Create and add the secure tunnel when you configure the traffic policy

To create and add the secure tunnel while configuring the traffic policy in the UCT Container, refer to Configure Traffic Policy.

Configure Secure Tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2

You can create a secure tunnel in the following ways:

■   Between GigaVUE V Series Node 1 and GigaVUE V Series Node 2.
■   From GigaVUE V Series Node 1 to multiple GigaVUE V Series nodes.

You must have the following details before you start configuring the secure tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2:

■   IP address of the tunnel destination endpoint (GigaVUE V Series Node 2).
■   SSH key pair (pem file).

To configure a secure tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2, refer to the following tasks:

Task 1: Upload a Certificate Authority (CA) certificate

You must upload a CA certificate to UCT-V Controller for establishing a connection between the GigaVUE V Series nodes.

To upload the CA using GigaVUE-FM, follow the steps given below:

  1. Go to Inventory > Resources > Security > CA List.
  2. Click New to add a new Certificate Authority. The Add Certificate Authority page appears.
  3. Enter or select the following information:
     ■   Alias - Alias name of the CA.
     ■   File Upload - Choose the certificate from the desired location.
  4. Click Save.
  5. Click Deploy All.

For more information, refer to the section Adding Certificate Authority.

Task 2: Upload an SSL key

You must add an SSL key to the GigaVUE V Series node. To add the SSL key, follow the steps in the section SSL Decrypt.

Task 3: Create a secure tunnel between UCT-V and GigaVUE V Series Node 1

You should enable the secure tunnel feature to establish a connection between UCT-V and GigaVUE V Series Node 1. To enable the secure tunnel feature, follow these steps:

  1. In the Edit Monitoring Session page, click Options. The Apply template page appears.
  2. Enable the Secure Tunnel button. You can enable the secure tunnel for both mirrored and precrypted traffic.

Task 4: Select the added SSL key while creating a monitoring domain and configuring the fabric components in GigaVUE-FM for GigaVUE V Series Node 1

You must select the added SSL key in GigaVUE V Series Node 1. To select the SSL key, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM.

Task 5: Select the added CA certificate while creating the monitoring domain

You should select the added Certificate Authority (CA) in UCT-V Controller. To select the CA certificate, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM.

You can also push the CA manually by editing the CA in the Monitoring Domain page. To edit the CA, go to Monitoring Domain > Actions > Edit CA.

Task 6: Create an egress tunnel from GigaVUE V Series Node 1 with tunnel type TLS-PCAPNG while creating the monitoring session

You must create a tunnel for traffic to flow out from GigaVUE V Series Node 1, with tunnel type TLS-PCAPNG, while creating the monitoring session. Refer to Create a Monitoring Session to know more about monitoring sessions.

To create the egress tunnel, follow these steps:

  1. After creating a new monitoring session, or after clicking Actions > Edit on an existing monitoring session, the GigaVUE-FM canvas appears.
  2. In the canvas, select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
  3. On the New Tunnel quick view, enter or select the required information as described below:
     ■   Alias - The name of the tunnel endpoint.
     ■   Description - The description of the tunnel endpoint.
     ■   Type - Select TLS-PCAPNG to create an egress secure tunnel.
     ■   Traffic Direction - Choose Out (Encapsulation) to create an egress tunnel from the V Series node to the destination. Select or enter the following values:
         o MTU - The default value is 1500.
         o Time to Live - Enter the value of the time interval till which the session needs to be available. The value ranges from 1 to 255. The default value is 64.
         o DSCP - Enter the Differentiated Services Code Point (DSCP) value.
         o Flow Label - Enter the Flow Label value.
         o Source L4 Port - Enter the Source L4 Port value.
         o Destination L4 Port - Enter the Destination L4 Port value.
         o Cipher - Only SHA 256 is supported.
         o TLS Version - Select TLS Version 1.3.
         o Selective Acknowledgments - Choose Enable to receive the acknowledgments.
         o Sync Retries - Enter the number of times the sync has to be tried. The value ranges from 1 to 6.
         o Delay Acknowledgments - Choose Enable to receive the acknowledgments when there is a delay.
     ■   IP Version - The version of the Internet Protocol. Only IPv4 is supported.
     ■   Remote Tunnel IP - Enter the interface IP address of GigaVUE V Series Node 2 (Destination IP).
  4. Click Save.

Task 7: Select the added SSL key while creating a monitoring domain and configuring the fabric components in GigaVUE-FM for GigaVUE V Series Node 2

You must select the added SSL key in GigaVUE V Series Node 2. To select the SSL key, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM.

Task 8: Create an ingress tunnel in GigaVUE V Series Node 2 with tunnel type TLS-PCAPNG while creating the monitoring session for GigaVUE V Series Node 2

You must create a tunnel for traffic to flow into GigaVUE V Series Node 2, with tunnel type TLS-PCAPNG, while creating the monitoring session. Refer to Create a Monitoring Session to know more about monitoring sessions.

To create the ingress tunnel, follow these steps:

  1. After creating a new monitoring session, or after clicking Actions > Edit on an existing monitoring session, the GigaVUE-FM canvas appears.
  2. In the canvas, select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
  3. On the New Tunnel quick view, enter or select the required information as described below:
     ■   Alias - The name of the tunnel endpoint.
     ■   Description - The description of the tunnel endpoint.
     ■   Type - Select TLS-PCAPNG to create an ingress secure tunnel.
     ■   Traffic Direction - Choose In to create an ingress tunnel into the V Series node. Select or enter the values as described in Task 6.
     ■   IP Version - The version of the Internet Protocol. Only IPv4 is supported.
     ■   Remote Tunnel IP - Enter the interface IP address of GigaVUE V Series Node 1 (Destination IP).
  4. Click Save.