Anypoint VPN

Use Anypoint VPN to create a secure connection between your MuleSoft Virtual Private Cloud (VPC) and your on-premises network. You can create multiple site-to-site VPNs if required.

The number of VPNs you can create depends on the VPN entitlements available to your account. Contact your MuleSoft account representative if you don’t know how many VPN entitlements you have on your account.

Anypoint VPN supports site-to-site Internet Protocol security (IPsec) connections. A physical or software appliance, called a VPN endpoint, is the terminator on your side of the connection. The MuleSoft side of the connection is an implementation of a virtual private gateway (VGW). The MuleSoft VGW is associated with a single MuleSoft VPC but can support up to 10 VPN connections.

MuleSoft implementation capabilities may vary from other VGW offerings.

Anypoint VPN Features

Each Anypoint VPN connection consists of two tunnels that enable you to connect to a single public IP address at a remote location. To configure connectivity to an additional public IP address at a remote location, you must create two VPN connections.

A single VPN provides increased availability for your MuleSoft VPC. Routine maintenance can briefly disable one of the two tunnels of your VPN connection. During this time, your VPN connection automatically fails over to the second tunnel so access is not interrupted. For this reason, both tunnels must be configured on your endpoint. Tunnel selection depends on your VPN endpoint capabilities and the routing type selection.

The MuleSoft VGW implementation supports a maximum throughput of 1.25 Gbps. Multiple VPN connections to the same VPC share the throughput capabilities of a single VGW. The VPN connection throughput depends on several factors, such as the capability of your VPN endpoint, the capacity of the connection, the average packet size, the protocol, and network latency between the gateways.

IPsec Settings

Anypoint VPN supports any combination of the following IPsec settings:

IKE version 1
IKE version 2 for route-based VPNs only
AES 128 or 256-bit encryption operating in the CBC and GCM
SHA or SHA-2 (256, 384, 512) hashing
Diffie-Hellman Phase 1 groups 2, 14-24
Diffie-Hellman Phase 2 groups 2, 5, 14-24
Timeouts for IKEv1
- IKE (Phase 1) Lifetime: 28800 seconds (8 hours)
- IPsec (Phase 2) Lifetime: 3600 seconds (1 hour)
Timeouts for IKEv2
- IKE (Phase 1) Lifetime: 28000 seconds (7 hours and 50 minutes)
- IPsec (Phase 2) Lifetime: 3000 seconds (50 minutes)

Some of these IPsec settings are not supported in Government Cloud. For specific Government Cloud VPN settings, see Anypoint VPN Settings.

Anypoint VPN Routing

Anypoint VPN supports dynamic or static routing for VPN connections.

Dynamic routing Your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint VPN. Use BGP routing if your device supports this protocol.
Static routing - Requires you to specify the routes (subnets) in your network that are accessible through Anypoint VPN.

A maximum of 95 route table entries is permitted per VPC, regardless of the number of VPN connections. Consolidate networks to the fewest number possible to avoid exceeding the limit.

Limitations

Anypoint VPN does not support these features and configurations:

Network Address Translation (NAT)
IPv6
IKEv2 with policy-based VPNs
A single VPC with both AWS Direct Connect and Anypoint VPN connections
Advertising a default route (0.0.0.0/0) over BGP or static routing

Requirements for Static VPN Connections

To create a static VPN connection, your VPN endpoint must be able to:

Establish IKE Security Associations using a Pre-Shared Key (PSK)
Establish IPsec Security Associations in Tunnel mode
Utilize any combination of IPsec settings that MuleSoft supports
Fragment IP packets before encryption

You must fragment packets that are too large to transmit. Your VPN device must be able to fragment packets before encapsulation.
Use one Security Association (SA) pair per tunnel

Anypoint VPN supports one unique SA pair per tunnel (a pair refers to one inbound and one outbound connection). Some policy-based devices create an SA for each ACL (access-control list) entry. In this situation, you must consolidate your rules and then filter unwanted traffic.
Use IPsec Dead Peer Detection (DPD)

DPD allows devices to rapidly identify when network conditions change. You can enable DPD on the MuleSoft endpoint using DPD Interval: 10 and DPD Retries: 3.
Allow asymmetric routing

Asymmetric routing occurs when routing policies send traffic from your network to the VPC through one tunnel and traffic returns from the VPC through the other tunnel. The MuleSoft VPN endpoint selects the tunnel using an internal algorithm, making the return path dynamic. If your device uses an active/active tunnel configuration, you must allow asymmetric routing for each Anypoint VPN connection.
For IPsec, enable perfect forward secrecy (PFS) with the above Phase 2 Diffie-Hellman groups

Requirements for Dynamic VPN Connections

To create a dynamic VPN connection, in addition to the static VPN connection requirements, the VPN endpoint must be able to:

Establish BGP peering
Support route-based VPNs (bind tunnels to logical interfaces)
For IPsec, enable perfect forward secrecy (PFS) with the above Phase 2 Diffie-Hellman groups

Recommendations

Adjust the maximum segment size of TCP packets entering the VPN tunnel.

VPN headers require additional space, which reduces the amount of space available for data.

To limit the impact of this behavior, configure your endpoint with TCP MSS Adjustment: 1387 bytes.
Reset the DF flag on packets.

Packets might carry a Don’t Fragment (DF) flag, indicating that the packet must not be fragmented. Some VPN devices can override the DF flag and fragment packets unconditionally when required. If available, enable the setting Clear Don’t Fragment (DF) Bit.

Tested Network Devices

The following network devices are known to work with the Anypoint VPN. If your device does not appear in the list of tested devices, check the requirements to verify that your device is suitable for use with Anypoint VPN.

Hardware	Software
Check Point Security Gateway	R77.10 or later
Cisco ASA	ASA 8.2 or later
Cisco IOS	Cisco IOS 12.4 or later
Dell SonicWALL	SonicOS 5.9 or later
Fortinet Fortigate 40+ Series	FortiOS 4.0 or later
Juniper J-Series Service Router	JunOS 9.5 or later
Juniper SRX-Series Services Gateway	JunOS 11.0 or later
Juniper SSG	ScreenOS 6.1 or 6.2 or later
Juniper ISG	ScreenOS 6.1 or 6.2 or later
Netgate pfSense	OS 2.2.5 or later
Palo Alto Networks	PANOS 4.1.2 or later
Yamaha	RT107e RTX1200 RTX1210 RTX1500 RTX3000 SRT100
Microsoft Windows Server	2008 R2 or later 2012 R2 or later
Zyxel Zywall Series	4.20 or later for statically routed Anypoint VPN connections 4.30 or later for dynamically routed Anypoint VPN connections

Hardware

Software

Check Point Security Gateway

R77.10 or later

Cisco ASA

ASA 8.2 or later

Cisco IOS

Cisco IOS 12.4 or later

Dell SonicWALL

SonicOS 5.9 or later

Fortinet Fortigate 40+ Series

FortiOS 4.0 or later

Juniper J-Series Service Router

JunOS 9.5 or later

Juniper SRX-Series Services Gateway

JunOS 11.0 or later

Juniper SSG

ScreenOS 6.1 or 6.2 or later

Juniper ISG

ScreenOS 6.1 or 6.2 or later

Netgate pfSense

OS 2.2.5 or later

Palo Alto Networks

PANOS 4.1.2 or later

Yamaha

RT107e
RTX1200
RTX1210
RTX1500
RTX3000
SRT100

Microsoft Windows Server

2008 R2 or later
2012 R2 or later

Zyxel Zywall Series

4.20 or later for statically routed Anypoint VPN connections
4.30 or later for dynamically routed Anypoint VPN connections

If there is no specific Device Configuration file downloadable from the Get VPN Config menu for any of the listed devices, use the Generic VPN configuration file.