
VPN DTLS

Jerome_CARRIER
Nimbostratus

Hi DevCentral,

 

I read that the performance when we use the VPN (Edge Client) can be improved if DTLS is activated. Currently, we use only VPN through HTTPS. If I activate DTLS on the VPN profile and then create a virtual server, how can I check whether the tunnel is established with the DTLS protocol?

 

And currently, our F5 is behind a firewall. I have a rule allowing HTTPS from the Internet to the public IP of our F5. Do I also need to add a rule allowing UDP 4433 between the Internet and the F5?

 

BR

5 REPLIES

Simon_Blakely
F5 Employee

In the EdgeClient

Details >> Connection Details

shows whether DTLS is being used.

 

It is also recorded in the APM logs.

 

> Do I also need to add a rule allowing UDP 4433 between the Internet and the F5?

 

Yes.

Hello,

Thank you for your answer. When DTLS is activated on the profile and the VS is created, is it mandatory to create a new Edge Client install package and deploy it on the users' laptops, or will the existing client already deployed on the user computers detect the new configuration automatically and base the communication on the DTLS protocol?

BR

The client picks up the connection information when it connects, so you don't need to update the install package.

 

Make sure your client-ssl profile supports DTLSv1, as well.

 

K54955814:  How to create a DTLS Virtual Server for Network Access VPN

Jerome_CARRIER
Nimbostratus


 

We have this configuration for the client-ssl profile. Is it correct?

Looks good to me:

 

# tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
       ID  SUITE                                BITS  PROT    CIPHER             MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256          128   TLS1.2  AES-GCM            SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA             128   TLS1    AES                SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA             128   TLS1.1  AES                SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA             128   TLS1.2  AES                SHA     ECDHE_RSA
 4: 49191  ECDHE-RSA-AES128-SHA256              128   TLS1.2  AES                SHA256  ECDHE_RSA
 5: 49200  ECDHE-RSA-AES256-GCM-SHA384          256   TLS1.2  AES-GCM            SHA384  ECDHE_RSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA             256   TLS1    AES                SHA     ECDHE_RSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA             256   TLS1.1  AES                SHA     ECDHE_RSA
 8: 49172  ECDHE-RSA-AES256-CBC-SHA             256   TLS1.2  AES                SHA     ECDHE_RSA
 9: 49192  ECDHE-RSA-AES256-SHA384              256   TLS1.2  AES                SHA384  ECDHE_RSA
10: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256   TLS1.2  CHACHA20-POLY1305  NULL    ECDHE_RSA
11:   157  AES256-GCM-SHA384                    256   TLS1.2  AES-GCM            SHA384  RSA
12:    53  AES256-SHA                           256   TLS1    AES                SHA     RSA
13:    53  AES256-SHA                           256   TLS1.1  AES                SHA     RSA
14:    53  AES256-SHA                           256   TLS1.2  AES                SHA     RSA
15:    53  AES256-SHA                           256   DTLS1   AES                SHA     RSA
16:    61  AES256-SHA256                        256   TLS1.2  AES                SHA256  RSA
17:   132  CAMELLIA256-SHA                      256   TLS1    CAMELLIA           SHA     RSA
18:   132  CAMELLIA256-SHA                      256   TLS1.1  CAMELLIA           SHA     RSA
19:   132  CAMELLIA256-SHA                      256   TLS1.2  CAMELLIA           SHA     RSA

shows a DTLSv1 cipher.
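The cipher check above is done by eye; the script below is an added example (not from the thread or from F5) that does the same check mechanically, so it can be run against the live output of `tmm --clientciphers '<cipher string>'` before DTLS is enabled on the Network Access virtual server. It parses the listing into its ID/SUITE/BITS/PROT/CIPHER/MAC/KEYX columns, reports which suites are offered for a given protocol, and flags DTLS suites whose key exchange is plain RSA (no forward secrecy). The `SAMPLE` listing is a constructed copy of the thread's output; the function names and the choice to treat only `ECDHE_*`/`DHE_*` key exchange as forward secret are this example's own assumptions.

```shell
#!/bin/sh
# Added example: parse `tmm --clientciphers` output and check DTLS coverage.
# Not F5 code; the listing below is a constructed sample copied from the thread.
# On a BIG-IP you would instead run:
#   LIVE="$(tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES')"
# and pass "$LIVE" to the functions in place of "$SAMPLE".

SAMPLE='ID SUITE BITS PROT CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA
4: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_RSA
5: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
6: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 AES SHA ECDHE_RSA
7: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 AES SHA ECDHE_RSA
8: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 AES SHA ECDHE_RSA
9: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_RSA
10: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_RSA
11: 157 AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 RSA
12: 53 AES256-SHA 256 TLS1 AES SHA RSA
13: 53 AES256-SHA 256 TLS1.1 AES SHA RSA
14: 53 AES256-SHA 256 TLS1.2 AES SHA RSA
15: 53 AES256-SHA 256 DTLS1 AES SHA RSA
16: 61 AES256-SHA256 256 TLS1.2 AES SHA256 RSA
17: 132 CAMELLIA256-SHA 256 TLS1 CAMELLIA SHA RSA
18: 132 CAMELLIA256-SHA 256 TLS1.1 CAMELLIA SHA RSA
19: 132 CAMELLIA256-SHA 256 TLS1.2 CAMELLIA SHA RSA'

# Columns after splitting on whitespace (header row is NR == 1):
#   $1 index, $2 suite id, $3 SUITE, $4 BITS, $5 PROT, $6 CIPHER, $7 MAC, $8 KEYX

# count_proto PROTO LISTING -> number of rows offered for PROTO (e.g. DTLS1)
count_proto() {
    printf '%s\n' "$2" | awk -v proto="$1" \
        'NR > 1 && $5 == proto { n++ } END { print n + 0 }'
}

# suites_for_proto PROTO LISTING -> "SUITE KEYX" per row offered for PROTO
suites_for_proto() {
    printf '%s\n' "$2" | awk -v proto="$1" \
        'NR > 1 && $5 == proto { print $3, $8 }'
}

# no_pfs_suites PROTO LISTING -> rows for PROTO whose key exchange is not
# ephemeral (assumption: anything not ECDHE_*/DHE_* is treated as non-PFS)
no_pfs_suites() {
    printf '%s\n' "$2" | awk -v proto="$1" \
        'NR > 1 && $5 == proto && $8 !~ /^(ECDHE|DHE)/ { print $3, $8 }'
}

# has_dtls LISTING -> exit 0 if at least one DTLS1 suite is offered
has_dtls() {
    [ "$(count_proto DTLS1 "$1")" -gt 0 ]
}

if [ -z "${GR_NO_MAIN:-}" ]; then
    if has_dtls "$SAMPLE"; then
        echo "DTLS1 suites offered by this client-ssl profile:"
        suites_for_proto DTLS1 "$SAMPLE"
        echo "DTLS1 suites without forward secrecy:"
        no_pfs_suites DTLS1 "$SAMPLE"
    else
        echo "No DTLS1 suite: the client-ssl profile will not serve the DTLS VS"
    fi
fi
```

Run against the thread's listing, the script confirms the profile does serve DTLS1, but also that the only DTLS suite is `AES256-SHA` with static RSA key exchange, so the DTLS tunnel has no forward secrecy while the TLS path gets ECDHE. Whether that is acceptable is a policy call; the cipher string can be tightened once the DTLS virtual server is in place. To confirm the firewall rule for UDP 4433 from outside, an `openssl s_client -dtls -connect <public-ip>:4433` handshake attempt from the Internet is a reasonable smoke test (this is a suggestion of this example, not something the thread describes).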