-
RT107e
-
RTX1200
-
RTX1210
-
RTX1500
-
RTX3000
-
SRT100
Anypoint VPN
Use Anypoint VPN to create a secure connection between your MuleSoft Virtual Private Cloud (VPC) and your on-premises network. You can create multiple site-to-site VPNs if required.
The number of VPNs you can create depends on the VPN entitlements available to your account. Contact your MuleSoft account representative if you don’t know how many VPN entitlements you have on your account. |
Anypoint VPN supports site-to-site Internet Protocol security (IPsec) connections. A physical or software appliance, called a VPN endpoint, is the terminator on your side of the connection. The MuleSoft side of the connection is an implementation of a virtual private gateway (VGW). The MuleSoft VGW is associated with a single MuleSoft VPC but can support up to 10 VPN connections.
MuleSoft implementation capabilities may vary from other VGW offerings. |
Anypoint VPN Features
Each Anypoint VPN connection consists of two tunnels that enable you to connect to a single public IP address at a remote location. To configure connectivity to an additional public IP address at a remote location, you must create two VPN connections.
A single VPN provides increased availability for your MuleSoft VPC. Routine maintenance can briefly disable one of the two tunnels of your VPN connection. During this time, your VPN connection automatically fails over to the second tunnel so access is not interrupted. For this reason, both tunnels must be configured on your endpoint. Tunnel selection depends on your VPN endpoint capabilities and the routing type selection.
The MuleSoft VGW implementation supports a maximum throughput of 1.25 Gbps. Multiple VPN connections to the same VPC share the throughput capabilities of a single VGW. The VPN connection throughput depends on several factors, such as the capability of your VPN endpoint, the capacity of the connection, the average packet size, the protocol, and network latency between the gateways.
IPsec Settings
Anypoint VPN supports any combination of the following IPsec settings:
-
IKE version 1
-
IKE version 2 for route-based VPNs only
-
AES 128 or 256-bit encryption operating in the CBC and GCM
-
SHA or SHA-2 (256, 384, 512) hashing
-
Diffie-Hellman Phase 1 groups 2, 14-24
-
Diffie-Hellman Phase 2 groups 2, 5, 14-24
-
Timeouts for IKEv1
-
IKE (Phase 1) Lifetime: 28800 seconds (8 hours)
-
IPsec (Phase 2) Lifetime: 3600 seconds (1 hour)
-
-
Timeouts for IKEv2
-
IKE (Phase 1) Lifetime: 28000 seconds (7 hours and 50 minutes)
-
IPsec (Phase 2) Lifetime: 3000 seconds (50 minutes)
-
Some of these IPsec settings are not supported in Government Cloud. For specific Government Cloud VPN settings, see Anypoint VPN Settings. |
Anypoint VPN Routing
Anypoint VPN supports dynamic or static routing for VPN connections.
-
Dynamic routing Your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint VPN. Use BGP routing if your device supports this protocol.
-
Static routing - Requires you to specify the routes (subnets) in your network that are accessible through Anypoint VPN.
A maximum of 95 route table entries is permitted per VPC, regardless of the number of VPN connections. Consolidate networks to the fewest number possible to avoid exceeding the limit.
Requirements for Static VPN Connections
To create a static VPN connection, your VPN endpoint must be able to:
-
Establish IKE Security Associations using a Pre-Shared Key (PSK)
-
Establish IPsec Security Associations in Tunnel mode
-
Utilize any combination of IPsec settings that MuleSoft supports
-
Fragment IP packets before encryption
You must fragment packets that are too large to transmit. Your VPN device must be able to fragment packets before encapsulation.
-
Use one Security Association (SA) pair per tunnel
Anypoint VPN supports one unique SA pair per tunnel (a pair refers to one inbound and one outbound connection). Some policy-based devices create an SA for each ACL (access-control list) entry. In this situation, you must consolidate your rules and then filter unwanted traffic.
-
Use IPsec Dead Peer Detection (DPD)
DPD allows devices to rapidly identify when network conditions change. You can enable DPD on the MuleSoft endpoint using
DPD Interval: 10
andDPD Retries: 3
. -
Allow asymmetric routing
Asymmetric routing occurs when routing policies send traffic from your network to the VPC through one tunnel and traffic returns from the VPC through the other tunnel. The MuleSoft VPN endpoint selects the tunnel using an internal algorithm, making the return path dynamic. If your device uses an active/active tunnel configuration, you must allow asymmetric routing for each Anypoint VPN connection.
-
For IPsec, enable perfect forward secrecy (PFS) with the above Phase 2 Diffie-Hellman groups
Requirements for Dynamic VPN Connections
To create a dynamic VPN connection, in addition to the static VPN connection requirements, the VPN endpoint must be able to:
-
Establish BGP peering
-
Support route-based VPNs (bind tunnels to logical interfaces)
-
For IPsec, enable perfect forward secrecy (PFS) with the above Phase 2 Diffie-Hellman groups
Recommendations
-
Adjust the maximum segment size of TCP packets entering the VPN tunnel.
VPN headers require additional space, which reduces the amount of space available for data.
To limit the impact of this behavior, configure your endpoint with TCP MSS Adjustment: 1387 bytes.
-
Reset the
DF
flag on packets.Packets might carry a Don’t Fragment (
DF
) flag, indicating that the packet must not be fragmented. Some VPN devices can override theDF
flag and fragment packets unconditionally when required. If available, enable the settingClear Don’t Fragment (DF) Bit
.
Tested Network Devices
The following network devices are known to work with the Anypoint VPN. If your device does not appear in the list of tested devices, check the requirements to verify that your device is suitable for use with Anypoint VPN.
Hardware | Software |
---|---|
Check Point Security Gateway |
R77.10 or later |
Cisco ASA |
ASA 8.2 or later |
Cisco IOS |
Cisco IOS 12.4 or later |
Dell SonicWALL |
SonicOS 5.9 or later |
Fortinet Fortigate 40+ Series |
FortiOS 4.0 or later |
Juniper J-Series Service Router |
JunOS 9.5 or later |
Juniper SRX-Series Services Gateway |
JunOS 11.0 or later |
Juniper SSG |
ScreenOS 6.1 or 6.2 or later |
Juniper ISG |
ScreenOS 6.1 or 6.2 or later |
Netgate pfSense |
OS 2.2.5 or later |
Palo Alto Networks |
PANOS 4.1.2 or later |
Yamaha |
|
Microsoft Windows Server |
|
Zyxel Zywall Series |
|
If there is no specific Device Configuration file downloadable from the Get VPN Config menu for any of the listed devices, use the Generic VPN configuration file.