Environment
- Product: Cytracom ControlOne
- Feature: IPSec Site-to-Site VPN Connectors
Overview
ControlOne Connectors enable IPSec-based site-to-site VPNs to securely connect remote networks, cloud services (AWS, Azure), or other third-party security appliances. The latest updates enhance visibility, troubleshooting, and usability with:
- Improved listing view: A table format for better scalability when managing large numbers of Connectors.
- Traffic utilization graphs: View real-time traffic on the main listing page and individual Connector details.
- Enhanced time-picker: A more intuitive interface for selecting time ranges.
- New live logging features: A Logs tab in each Connector for live streaming, filtering, and pausing/resuming logs to assist with debugging.
Why Use ControlOne Connectors?
Seamless Hybrid and Multi-Cloud Connectivity
- Connect remote sites, data centers, and cloud providers (AWS, Azure, GCP) with secure IPSec tunnels.
- Route traffic dynamically using ControlOne’s secure edge architecture.
Advanced Monitoring & Debugging
- Traffic utilization graphs provide insights into tunnel usage and performance.
- Live log streaming and filtering for real-time troubleshooting.
Security & Compliance
- Encrypted communication with AES-based encryption, IKEv2 support, and strong authentication.
- Granular access control to restrict tunnel access based on zones, subnets, or security policies.
Adding a New Connector
1. Navigate to the Connectors Page
- Log in to the ControlOne Portal.
- Click Connectors from the Navigation menu.
2. Create a New Connector
- Click Add New button.
- Enter a Connector Name.
- Select the ControlOne Gateway to attach the Connector to.
Once created, the Connector appears in the list, and a configuration panel opens on the right-hand side.
Configuring the IPSec Tunnel
3. Configure Tunnel Settings
| Setting | Description |
| --- | --- |
| Gateway | Select the ControlOne gateway for this tunnel. Changing the gateway changes the tunnel's public endpoint IP, so the remote peer must be updated to point at the new address. |
| Zones | The ControlOne Zones reachable through this tunnel. The remote device references these in its Remote Networks (or Remote Local Networks) setting. |
| Local IPSec ID | Identifies the ControlOne IPSec peer. If left blank, the public IP of the ControlOne gateway is used. |
| Remote IPSec ID | Identifies the remote peer. If left blank, the public IP of the remote peer is used. |
| Remote Peer IP Address | The public IP address of the remote VPN device. |
| Remote Private IP Address | The subnets reachable on the remote network. |
| Secret Key (PSK) | The Pre-Shared Key used for authentication. Click Generate to create a new key, or enter an existing PSK. The same PSK must be configured on the remote peer. |
📊 New Traffic Utilization Graphs:
- View real-time data transfer rates for each Connector.
- Analyze network usage patterns directly in the ControlOne UI.
4. Configure Advanced IPSec Settings
Phase 1 (IKE Negotiation)
| Setting | Description |
| --- | --- |
| IKE Version | IKEv2 is recommended for improved security and performance. |
| Encryption Algorithm | Encrypts Phase 1 traffic (e.g., AES-CBC, AES-GCM). |
| Hash Algorithm | Provides integrity protection (e.g., SHA-256). |
| Key Life | Defines how long the key remains valid before rekeying. |
| Diffie-Hellman Group | Higher DH groups provide stronger security but require more processing. |
| Perfect Forward Secrecy (PFS) | Protects past sessions even if a long-term key is later compromised. Recommended. |

Both peers must offer at least one matching combination of these settings, or Phase 1 negotiation fails.
Tunnel Behavior & Keep-Alive
| Setting | Description |
| --- | --- |
| Initiator vs. Responder | Defines whether ControlOne starts the tunnel itself or waits for the peer to initiate. Recommended: Initiator. |
| Dead Peer Detection (DPD) | Periodically checks tunnel health and restarts the tunnel if the peer is unreachable. |
| DPD Timeout | Defines how long the peer may be unresponsive before the tunnel is marked down. |
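The settings in steps 3 and 4 are easy to get wrong in ways that only show up after deployment (overlapping subnets, a weak DH group, a DPD timeout that flaps the tunnel). The following pre-deployment check is an added example, not Cytracom's code: ControlOne has no scripting API described here, so the `ConnectorConfig` fields simply mirror the settings named above, and the thresholds (`MIN_DH_GROUP`, `MIN_PSK_LEN`, `MIN_DPD_TIMEOUT`) are this example's own assumptions.

```python
"""Pre-deployment sanity check for a ControlOne-style IPSec Connector.

Added example, not Cytracom's code. ConnectorConfig mirrors the settings in
the article's tables; all thresholds below are this example's assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

WEAK_HASHES = {"md5", "sha1"}   # assumption: treat these as legacy
MIN_DH_GROUP = 14                # assumption: MODP-2048 or stronger
MIN_PSK_LEN = 20                 # assumption: shorter PSKs are flagged
MIN_DPD_TIMEOUT = 30             # assumption: seconds; lower risks tunnel flapping
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ConnectorConfig:
    name: str
    remote_peer_ip: str          # "Remote Peer IP Address"
    zones: List[str]             # local ControlOne Zone subnets (CIDR)
    remote_subnets: List[str]    # "Remote Private IP Address" entries (CIDR)
    psk: str
    ike_version: int = 2
    encryption: str = "aes-gcm"
    hash_alg: str = "sha256"
    dh_group: int = 14
    pfs: bool = True
    dpd_enabled: bool = True
    dpd_timeout: int = 30


def _parse_networks(cidrs: List[str], label: str, findings: List[str]):
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ip_network(cidr, strict=False))
        except ValueError:
            findings.append(f"invalid {label} {cidr!r}")
    return nets


def check_connector(cfg: ConnectorConfig) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: List[str] = []

    # Tunnel settings: peer address, PSK and subnet layout
    try:
        peer = ip_address(cfg.remote_peer_ip)
        if peer.is_loopback or any(peer in net for net in RFC1918):
            findings.append(f"remote peer {peer} is not a public address")
    except ValueError:
        findings.append(f"remote peer {cfg.remote_peer_ip!r} is not a valid IP")
    if len(cfg.psk) < MIN_PSK_LEN:
        findings.append(f"PSK shorter than {MIN_PSK_LEN} characters")

    local = _parse_networks(cfg.zones, "zone", findings)
    remote = _parse_networks(cfg.remote_subnets, "remote subnet", findings)
    for lnet in local:
        for rnet in remote:
            if lnet.overlaps(rnet):
                findings.append(f"zone {lnet} overlaps remote subnet {rnet}; traffic will not route cleanly")
    if not remote:
        findings.append("no remote subnets defined; traffic will not pass")

    # Phase 1 settings
    if cfg.ike_version != 2:
        findings.append("IKEv1 selected; IKEv2 is recommended")
    if cfg.hash_alg.lower() in WEAK_HASHES:
        findings.append(f"weak hash algorithm {cfg.hash_alg}")
    if cfg.dh_group < MIN_DH_GROUP:
        findings.append(f"DH group {cfg.dh_group} is below group {MIN_DH_GROUP}")
    if not cfg.pfs:
        findings.append("PFS disabled; past sessions are exposed if the key is compromised")

    # Tunnel behaviour
    if not cfg.dpd_enabled:
        findings.append("DPD disabled; a dead tunnel will not be restarted")
    elif cfg.dpd_timeout < MIN_DPD_TIMEOUT:
        findings.append(f"DPD timeout {cfg.dpd_timeout}s is low; the tunnel may flap")
    return findings


if __name__ == "__main__":
    # Constructed sample config with deliberate mistakes
    sample = ConnectorConfig(name="branch", remote_peer_ip="10.0.0.5", zones=["10.10.0.0/16"],
                             remote_subnets=["10.10.5.0/24"], psk="short", dh_group=5)
    for finding in check_connector(sample):
        print("-", finding)
```

Run the check on the values you intend to enter before creating the Connector; each finding maps back to one row of the tables above, and the overlap check in particular catches the "traffic not passing" case that a green status indicator will not reveal.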
5. Debugging & Troubleshooting with Live Logs
New Logs Tab for Live Debugging
Each Connector now includes a Logs tab with the following capabilities:
- Live Streaming: View real-time IPSec logs.
- Search & Filter: Apply search terms for quick debugging.
- Pause/Resume: Temporarily stop logging to analyze specific events.
Common Issues & Resolutions
| Issue | Possible Causes | Resolution |
| --- | --- | --- |
| Tunnel Not Connecting | Incorrect IP/PSK settings | Verify remote peer settings |
| Traffic Not Passing | Incorrect subnet definitions | Ensure correct Local/Remote subnets |
| Frequent Disconnect | DPD timeout too low | Increase DPD timeout in Phase 1 settings |
🚀 Pro Tip: Use live log filtering to search for specific error messages (e.g., “NO_PROPOSAL_CHOSEN”) when troubleshooting.
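To show how the search-and-filter workflow maps log events back to the issue table above, here is an added example that is not Cytracom's code. The log line format is constructed for this example (the article does not document ControlOne's real format); the notify names are standard IKEv2 notification types from RFC 7296, and the issue and resolution text is taken from the troubleshooting table. The `DPD_FLAP_THRESHOLD` value is this example's own assumption.

```python
"""Offline triage of IPSec log lines, mirroring the Logs tab's search/filter use.

Added example, not Cytracom's code. SAMPLE_LOGS is constructed for this
example; the notify names are standard IKEv2 notifications (RFC 7296).
"""
import re
from typing import Dict, List, Set, Tuple

# IKEv2 notify -> (issue from the troubleshooting table, resolution)
KNOWN_NOTIFIES: Dict[str, Tuple[str, str]] = {
    "NO_PROPOSAL_CHOSEN": (
        "Tunnel Not Connecting",
        "Proposals do not match: align encryption, hash and DH group with the remote peer",
    ),
    "AUTHENTICATION_FAILED": (
        "Tunnel Not Connecting",
        "Verify remote peer settings, in particular the PSK and IPSec IDs",
    ),
    "TS_UNACCEPTABLE": (
        "Traffic Not Passing",
        "Ensure correct Local/Remote subnets on both sides",
    ),
}
NOTIFY_PATTERN = re.compile(r"\b[A-Z][A-Z_]{5,}\b")
DPD_PATTERN = re.compile(r"\bDPD\b.*\b(timed out|not responding|restart)", re.IGNORECASE)
DPD_FLAP_THRESHOLD = 3  # assumption: this many DPD restarts in one batch counts as flapping

# Constructed sample lines; not real ControlOne output
SAMPLE_LOGS: List[str] = [
    "2024-05-01T10:00:01Z branch-a ike: sending IKE_SA_INIT to 203.0.113.10",
    "2024-05-01T10:00:02Z branch-a ike: received NO_PROPOSAL_CHOSEN notify from 203.0.113.10",
    "2024-05-01T10:00:40Z branch-a ike: IKE_SA established with 203.0.113.10",
    "2024-05-01T10:00:41Z branch-a child: received TS_UNACCEPTABLE notify, CHILD_SA not created",
    "2024-05-01T10:05:10Z branch-a dpd: DPD peer not responding, restarting tunnel",
    "2024-05-01T10:06:12Z branch-a dpd: DPD peer not responding, restarting tunnel",
    "2024-05-01T10:07:15Z branch-a dpd: DPD peer not responding, restarting tunnel",
]


def filter_logs(lines: List[str], term: str) -> List[str]:
    """Case-insensitive substring filter, like typing a term into the Logs tab."""
    return [line for line in lines if term.lower() in line.lower()]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map observed log events to issue/resolution pairs from the article's table."""
    findings: Dict[str, Set[str]] = {}
    dpd_events = 0
    for line in lines:
        if DPD_PATTERN.search(line):
            dpd_events += 1
        for token in NOTIFY_PATTERN.findall(line):
            if token in KNOWN_NOTIFIES:
                issue, resolution = KNOWN_NOTIFIES[token]
                findings.setdefault(issue, set()).add(resolution)
    if dpd_events >= DPD_FLAP_THRESHOLD:
        findings.setdefault("Frequent Disconnect", set()).add(
            f"{dpd_events} DPD restarts seen: check that the DPD timeout is not too low, then the peer's reachability"
        )
    return {issue: sorted(res) for issue, res in findings.items()}


if __name__ == "__main__":
    for line in filter_logs(SAMPLE_LOGS, "NO_PROPOSAL_CHOSEN"):
        print(line)
    for issue, resolutions in triage(SAMPLE_LOGS).items():
        print(f"{issue}: {'; '.join(resolutions)}")
```

Pause the live stream, copy the lines around the failure, and run them through `triage`; a notify such as NO_PROPOSAL_CHOSEN points at Phase 1 settings, while repeated DPD restarts with no notify point at the DPD timeout or the peer's availability rather than at the crypto configuration.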
6. Monitoring and Verifying Connectivity
Connection Status Indicators
- Green (Connected): Tunnel is active.
- Red (Disconnected): Check IPSec settings and logs.
Traffic Utilization Graphs
- Located on the main Connectors page and inside each Connector’s detail view.
- Helps identify traffic spikes, downtime, and bandwidth consumption.
Network Testing
- Ping Test: Verify connectivity by pinging a host on the remote peer’s private network.
Best Practices for IPSec Connectors
- Use IKEv2 for better security and stability.
- Enable Dead Peer Detection (DPD) to maintain tunnel reliability.
- Use Live Logs & Traffic Graphs to proactively monitor VPN health.
- Regularly audit Connectors to ensure correct subnets, security policies, and compliance.
- Test connectivity before deploying in production.
By leveraging ControlOne’s improved IPSec Connector management, including real-time traffic analytics and live debugging logs, MSPs can securely and efficiently manage their site-to-site VPN deployments with full visibility and control. 🚀