VPN DTLS

Jerome_CARRIER · ‎10-Apr-2020

Hi DevCentral,

I read that the performance when we use VPN (edge Client) can be improve if the DTLS is activated. Currently, we use only VPN through HTTPS. If I activate DTLS on the VPN profile and after creating a virtual server, how I can check if the tunnel is established with DTLS protocol ?

And currently, our F5 is behind a firewall. I have a rule to allow HTTPS from Internet to the public IP of our F5. I need to had a rule to allow UDP_4433 also between Internet and the F5 ?

BR

Simon_Blakely · ‎12-Apr-2020

In the EdgeClient

Details >> Connection Details

shows whether DTLS is being used.

It is also recorded in the APM logs.

> I need to had a rule to allow UDP_4433 also between Internet and the F5 ?

Yes.

Jerome_CARRIER · ‎13-Apr-2020

Hello,

Thank you for your answer. When the dtls will be activated on the profile and the VS created, is it mandatory to create a new Edge install package and deploy it on the users laptops or the existing client already deployed on user computer will detect automatically the new configuration and based the communication with dtls protocol?

BR

Simon_Blakely · ‎13-Apr-2020

The client picks up the connection information when it connects, so you don't need to update the install package.

Make sure your client-ssl profile supports DTLSv1, as well.

K54955814: How to create a DTLS Virtual Server for Network Access VPN

Jerome_CARRIER · ‎13-Apr-2020

we have this configuration about the client-ssl profile.. is-it correct ?

Simon_Blakely · ‎14-Apr-2020

Looks good to me:

# tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES                 SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
 4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA
 5: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1   AES                 SHA     ECDHE_RSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  AES                 SHA     ECDHE_RSA
 8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
 9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA
10: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
11:   157  AES256-GCM-SHA384                256  TLS1.2  AES-GCM             SHA384  RSA
12:    53  AES256-SHA                       256  TLS1   AES                 SHA     RSA
13:    53  AES256-SHA                       256  TLS1.1  AES                 SHA     RSA
14:    53  AES256-SHA                       256  TLS1.2  AES                 SHA     RSA
15:    53  AES256-SHA                       256  DTLS1  AES                 SHA     RSA
16:    61  AES256-SHA256                    256  TLS1.2  AES                 SHA256  RSA
17:   132  CAMELLIA256-SHA                  256  TLS1   CAMELLIA            SHA     RSA
18:   132  CAMELLIA256-SHA                  256  TLS1.1  CAMELLIA            SHA     RSA
19:   132  CAMELLIA256-SHA                  256  TLS1.2  CAMELLIA            SHA     RSA

shows a DTLSv1 cipher.