10-Apr-2020 00:49
Hi DevCentral,
I read that the performance when we use VPN (Edge Client) can be improved if DTLS is activated. Currently, we use only VPN through HTTPS. If I activate DTLS on the VPN profile and then create a virtual server, how can I check whether the tunnel is established with the DTLS protocol?
And currently, our F5 is behind a firewall. I have a rule to allow HTTPS from the Internet to the public IP of our F5. Do I need to add a rule to allow UDP 4433 as well between the Internet and the F5?
BR
12-Apr-2020 14:42
In the Edge Client, Details >> Connection Details shows whether DTLS is being used.
It is also recorded in the APM logs.
> Do I need to add a rule to allow UDP 4433 as well between the Internet and the F5?
Yes.
13-Apr-2020 03:04
Hello,
Thank you for your answer. When DTLS is activated on the profile and the VS is created, is it mandatory to create a new Edge install package and deploy it on the users' laptops, or will the existing client already deployed on user computers detect the new configuration automatically and base the communication on the DTLS protocol?
BR
13-Apr-2020 22:27
The client picks up the connection information when it connects, so you don't need to update the install package.
Make sure your client-ssl profile supports DTLSv1, as well.
K54955814: How to create a DTLS Virtual Server for Network Access VPN
13-Apr-2020 23:15
We have this configuration for the client-ssl profile. Is it correct?
14-Apr-2020 15:35
Looks good to me:
# tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA
4: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_RSA
5: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
6: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 AES SHA ECDHE_RSA
7: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 AES SHA ECDHE_RSA
8: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 AES SHA ECDHE_RSA
9: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_RSA
10: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_RSA
11: 157 AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 RSA
12: 53 AES256-SHA 256 TLS1 AES SHA RSA
13: 53 AES256-SHA 256 TLS1.1 AES SHA RSA
14: 53 AES256-SHA 256 TLS1.2 AES SHA RSA
15: 53 AES256-SHA 256 DTLS1 AES SHA RSA
16: 61 AES256-SHA256 256 TLS1.2 AES SHA256 RSA
17: 132 CAMELLIA256-SHA 256 TLS1 CAMELLIA SHA RSA
18: 132 CAMELLIA256-SHA 256 TLS1.1 CAMELLIA SHA RSA
19: 132 CAMELLIA256-SHA 256 TLS1.2 CAMELLIA SHA RSA
shows a DTLSv1 cipher.
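As an added example (not from the thread or from F5), a small Python parser for the `tmm --clientciphers` output above that reports which suites the DTLS listener could negotiate; the embedded sample is a constructed excerpt of the rows pasted above.

```python
# Added example (not from the thread): parse `tmm --clientciphers` output
# and report which suites the DTLS listener could negotiate.

# Constructed sample: an excerpt of the rows pasted in the thread above.
SAMPLE = """\
# tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA
5: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
10: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_RSA
11: 157 AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 RSA
14: 53 AES256-SHA 256 TLS1.2 AES SHA RSA
15: 53 AES256-SHA 256 DTLS1 AES SHA RSA
19: 132 CAMELLIA256-SHA 256 TLS1.2 CAMELLIA SHA RSA
"""


def parse_clientciphers(text):
    """Return one dict per suite row, keyed by the header columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Suite rows have exactly 8 fields and start with "<index>:";
        # the shell prompt line and the header row do not.
        if len(parts) != 8 or not parts[0].endswith(":"):
            continue
        _, suite_id, suite, bits, prot, cipher, mac, keyx = parts
        rows.append({"id": int(suite_id), "suite": suite, "bits": int(bits),
                     "prot": prot, "cipher": cipher, "mac": mac, "keyx": keyx})
    return rows


def dtls_summary(text):
    """Summarise DTLS support in a cipher string's expanded suite list."""
    dtls = [r for r in parse_clientciphers(text) if r["prot"].startswith("DTLS")]
    return {
        "dtls_ok": bool(dtls),
        "suites": sorted({r["suite"] for r in dtls}),
        "versions": sorted({r["prot"] for r in dtls}),
        # Key exchange matters: in this output every DTLS-capable suite uses
        # plain RSA, so a cipher string that excluded RSA would also drop DTLS.
        "keyx": sorted({r["keyx"] for r in dtls}),
    }


if __name__ == "__main__":
    print(dtls_summary(SAMPLE))
```

Run it against the full output of `tmm --clientciphers '<your cipher string>'` to confirm a DTLS row survives before deploying a new cipher string to the client-ssl profile.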