Contact Free trial Login

Anypoint VPN

Use Anypoint VPN to create a secure connection between your MuleSoft Virtual Private Cloud (VPC) and your own on-premises network. You can create multiple site-to-site VPNs if required.

The number of VPNs you can create depends on the VPN entitlements available to your account. Contact your MuleSoft account representative if you don’t know how many VPN entitlements you have on your account.

Anypoint VPN supports site-to-site Internet Protocol security (IPsec) connections. A physical or software appliance, called a VPN endpoint, is the terminator on your side of the connection. The MuleSoft side of the connection is an implementation of a virtual private gateway (VGW).

MuleSoft implementation capabilities may vary from other VGW offerings.

Anypoint VPN Features

IPsec Settings

Anypoint VPN supports any combination of the following IPsec settings:

  • IKE version 1

  • IKE version 2 for route-based VPNs only

  • AES 128 or 256-bit encryption

  • SHA or SHA-2 (256) hashing

  • Diffie-Hellman Phase1 groups 2, 14-18, 22, 23, 24

  • Diffie-Hellman Phase2 groups 2, 5, 14-18, 22, 23, 24

  • IKE (Phase 1) Lifetime: 8 hours

  • IPsec (Phase 2) Lifetime: 1 hour

Your endpoint must initiate traffic to establish and maintain the connection because the Anypoint VPN endpoint acts only as a responder.

Anypoint VPN Routing

Anypoint VPN supports dynamic or static routing for VPN connections.

  • Dynamic routing Your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint VPN. Use BGP routing if your device supports this protocol.

  • Static routing - Requires you to specify the routes (subnets) in your network that are accessible through Anypoint VPN.

    A maximum of 95 static routes are permitted per VPC, regardless of the number of VPN connections. Consolidate networks to the fewest number possible to avoid exceeding the limit.

Limitations

Anypoint VPN does not support these features and configurations:

  • Network Address Translation (NAT)

  • IPv6

  • IKEv2 with policy-based VPNs

  • A single VPC with both Direct Connect and Anypoint VPN connections

  • Advertising a default route (0.0.0.0/0) over BGP or static routing

Requirements for Static VPN Connections

To create a static VPN connection, your VPN endpoint must be able to:

  • Establish IKE Security Associations using a Pre-Shared Key (PSK)

  • Establish IPsec Security Associations in Tunnel mode

  • Utilize any combination of IPsec settings that MuleSoft supports

  • Fragment IP packets before encryption

  • Use one Security Association pair per tunnel

Fragmentation Before Encryption

You must fragment packets that are too large to transmit. Your VPN device must be able to fragment packets before encapsulation.

Security Association (SA)

Each VPN connection has two separate tunnels. Anypoint VPN supports one unique SA pair per tunnel (where a pair means one inbound, and one outbound). Some policy-based devices create an SA for each ACL entry. In this situation, you must consolidate your rules and then filter unwanted traffic.

Requirements for Dynamic VPN Connections

To create a dynamic VPN connection, in addition to the static VPN connection requirements, the VPN endpoint must be able to:

  • Establish BGP peering

  • Support route-based VPNs (bind tunnels to logical interfaces)

  • Use IPsec Dead Peer Detection

IPsec Dead Peer Detection

Dead Peer Detection (DPD) allows devices to rapidly identify when network conditions change. DPD is enabled on the MuleSoft endpoint.

Configure your endpoint with:

  • DPD Interval: 10

  • DPD Retries: 3

Recommendations

  • Adjust the maximum segment size of TCP packets entering the VPN tunnel
    VPN headers require additional space, which reduces the amount of space available for data.
    To limit the impact of this behavior, configure your endpoint with TCP MSS Adjustment: 1387 bytes.

  • Reset the DF flag on packets
    Packets might carry a Don’t Fragment (DF) flag, indicating that the packet must not be fragmented. Some VPN devices can override the DF flag and fragment packets unconditionally when required. If available, enable the setting Clear Don’t Fragment (DF) Bit.

Tested Network Devices

These are network devices that are known to work with the Anypoint VPN. If your device does not appear in the list of tested devices, see Requirements to see if your device meets the requirements for use with Anypoint VPN.

Hardware Software

Check Point Security Gateway

R77.10 or later

Cisco ASA

ASA 8.2 or later

Cisco IOS

Cisco IOS 12.4 or later

Dell SonicWALL

SonicOS 5.9 or later

Fortinet Fortigate 40+ Series

FortiOS 4.0 or later

Juniper J-Series Service Router

JunOS 9.5 or later

Juniper SRX-Series Services Gateway

JunOS 11.0 or later

Juniper SSG

ScreenOS 6.1 or 6.2 or later

Juniper ISG

ScreenOS 6.1 or 6.2 or later

Netgate pfSense

OS 2.2.5 or later

Palo Alto Networks

PANOS 4.1.2 or later

Yamaha

  • RT107e

  • RTX1200

  • RTX1210

  • RTX1500

  • RTX3000

  • SRT100

Microsoft Windows Server

  • 2008 R2 or later

  • 2012 R2 or later

Zyxel Zywall Series

  • 4.20 or later for statically routed Anypoint VPN connections

  • 4.30 or later for dynamically routed Anypoint VPN connections