Cytracom ControlOne: Adding IPSec Connectors


Environment

Product: Cytracom ControlOne

Feature: IPSec Site-to-Site VPN Connectors


Overview

ControlOne Connectors enable IPSec-based site-to-site VPNs to securely connect remote networks, cloud services (AWS, Azure), or other third-party security appliances. The latest updates enhance visibility, troubleshooting, and usability with:

  • Improved listing view: A table format for better scalability when managing large numbers of Connectors.
  • Traffic utilization graphs: View real-time traffic on the main listing page and individual Connector details.
  • Enhanced time-picker: A more intuitive interface for selecting time ranges.
  • New live logging features: A Logs tab in each Connector for live streaming, filtering, and pausing/resuming logs to assist with debugging.


Why Use ControlOne Connectors?

Seamless Hybrid and Multi-Cloud Connectivity

  • Connect remote sites, data centers, and cloud providers (AWS, Azure, GCP) with secure IPSec tunnels.
  • Route traffic dynamically using ControlOne’s secure edge architecture.

Advanced Monitoring & Debugging

  • Traffic utilization graphs provide insights into tunnel usage and performance.
  • Live log streaming and filtering for real-time troubleshooting.

Security & Compliance

  • Encrypted communication with AES-based encryption, IKEv2 support, and strong authentication.
  • Granular access control to restrict tunnel access based on zones, subnets, or security policies.


Adding a New Connector

1. Navigate to the Connectors Page

  • Log in to the ControlOne Portal.
  • Click Connectors from the Navigation menu.

2. Create a New Connector

  • Click the Add New button.
  • Enter a Connector Name.
  • Select the ControlOne Gateway to attach the Connector to.

Once created, the Connector appears in the list, and a configuration panel opens on the right-hand side.


Configuring the IPSec Tunnel

3. Configure Tunnel Settings

  • Gateway: Select the ControlOne gateway for this tunnel. Changing the gateway updates the tunnel’s public endpoint IP.
  • Zones: Define the ControlOne Zones accessible through this tunnel. On the remote peer, these correspond to its Remote Networks or Remote Local Networks.
  • Local IPSec ID: Identifies the ControlOne IPSec peer. If unspecified, use the public IP of the ControlOne gateway.
  • Remote IPSec ID: Identifies the remote peer. If unspecified, use the public IP of the remote peer.
  • Remote Peer IP Address: The public IP address of the remote VPN device.
  • Remote Private IP Address: The subnets accessible from the remote network.
  • Secret Key (PSK): The Pre-Shared Key used for authentication. Click Generate to create a new key or enter an existing PSK.

📊 New Traffic Utilization Graphs:

  • View real-time data transfer rates for each Connector.
  • Analyze network usage patterns directly in the ControlOne UI.


4. Configure Advanced IPSec Settings

Phase 1 (IKE Negotiation)

  • IKE Version: IKEv2 is recommended for improved security and performance.
  • Encryption Algorithm: Encrypts Phase 1 data (e.g., AES-CBC, AES-GCM).
  • Hash Algorithm: Ensures data integrity (e.g., SHA256).
  • Key Life: Defines how long the key remains valid.
  • Diffie-Hellman Group: Higher DH groups provide stronger security but require more processing.
  • Perfect Forward Secrecy (PFS): Protects past sessions even if a key is later compromised. Recommended.

Tunnel Behavior & Keep-Alive

  • Initiator vs. Responder: Defines whether ControlOne auto-starts the tunnel or waits for the peer to initiate. Recommended: Initiator.
  • Dead Peer Detection (DPD): Automatically checks tunnel health and restarts the tunnel if the peer is unreachable.
  • DPD Timeout: How long the peer may be unreachable before the tunnel is marked down.


5. Debugging & Troubleshooting with Live Logs

New Logs Tab for Live Debugging

Each Connector now includes a Logs tab with the following capabilities:

  • Live Streaming: View real-time IPSec logs.
  • Search & Filter: Apply search terms for quick debugging.
  • Pause/Resume: Temporarily stop logging to analyze specific events.


Common Issues & Resolutions

  • Tunnel Not Connecting. Possible cause: incorrect IP or PSK settings. Resolution: verify the remote peer settings.
  • Traffic Not Passing. Possible cause: incorrect subnet definitions. Resolution: ensure the Local/Remote subnets are correct.
  • Frequent Disconnects. Possible cause: DPD timeout too low. Resolution: increase the DPD timeout in the Phase 1 settings.

🚀 Pro Tip: Use live log filtering to search for specific error messages (e.g., “NO_PROPOSAL_CHOSEN”) when troubleshooting.
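The Phase 1 settings above only work if both peers agree on them. As an added example that is not ControlOne's own code, the following Python models that agreement and shows which field to align when the Connector logs report NO_PROPOSAL_CHOSEN; the proposal values and the DH-group minimum are constructed assumptions, not ControlOne defaults.

```python
from dataclasses import dataclass, fields
from typing import Iterable, Optional

@dataclass(frozen=True)
class Phase1Proposal:
    ike_version: int   # 1 or 2; IKEv2 is the recommended setting
    encryption: str    # e.g. "AES-GCM-256" or "AES-CBC-256"
    hash_alg: str      # e.g. "SHA256"
    dh_group: int      # Diffie-Hellman group number, e.g. 14 (2048-bit MODP)
    pfs: bool          # Perfect Forward Secrecy enabled

def choose_proposal(local: Iterable[Phase1Proposal],
                    remote: Iterable[Phase1Proposal]) -> Optional[Phase1Proposal]:
    """Return the first local proposal the remote peer also offers. None means
    the peers share no proposal, which IKE reports as NO_PROPOSAL_CHOSEN."""
    remote_set = set(remote)
    return next((p for p in local if p in remote_set), None)

def mismatched_fields(local: Phase1Proposal, remote: Phase1Proposal) -> dict:
    """Map each differing setting to its (local, remote) values so the operator
    can see exactly which Phase 1 field to align on one side."""
    return {f.name: (getattr(local, f.name), getattr(remote, f.name))
            for f in fields(Phase1Proposal)
            if getattr(local, f.name) != getattr(remote, f.name)}

def policy_warnings(p: Phase1Proposal, min_dh_group: int = 14) -> list:
    """Flag settings the article advises against. The DH-group minimum is an
    assumed local policy, not a ControlOne default."""
    warnings = []
    if p.ike_version != 2:
        warnings.append("IKEv1 in use; IKEv2 is recommended")
    if not p.pfs:
        warnings.append("PFS disabled; past sessions are exposed if a key leaks")
    if p.dh_group < min_dh_group:
        warnings.append(f"DH group {p.dh_group} is below policy minimum {min_dh_group}")
    return warnings

# Constructed sample: ControlOne offers one proposal; the remote firewall was
# configured with a different hash and PFS off, so negotiation cannot succeed.
LOCAL = [Phase1Proposal(2, "AES-GCM-256", "SHA256", 14, True)]
REMOTE = [Phase1Proposal(2, "AES-GCM-256", "SHA1", 14, False)]

if __name__ == "__main__":
    if choose_proposal(LOCAL, REMOTE) is None:
        print("Expect NO_PROPOSAL_CHOSEN in the Connector logs; fields to align:",
              mismatched_fields(LOCAL[0], REMOTE[0]))
    for warning in policy_warnings(REMOTE[0]):
        print("warning:", warning)
```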


6. Monitoring and Verifying Connectivity

Connection Status Indicators

  • Green (Connected): Tunnel is active.
  • Red (Disconnected): Check IPSec settings and logs.

Traffic Utilization Graphs

  • Located on the main Connectors page and inside each Connector’s detail view.
  • Helps identify traffic spikes, downtime, and bandwidth consumption.

Network Testing

  • Ping Test: Verify connectivity by pinging a host on the remote peer’s private network.


Best Practices for IPSec Connectors

  1. Use IKEv2 for better security and stability.
  2. Enable Dead Peer Detection (DPD) to maintain tunnel reliability.
  3. Use Live Logs & Traffic Graphs to proactively monitor VPN health.
  4. Regularly audit Connectors to ensure correct subnets, security policies, and compliance.
  5. Test connectivity before deploying in production.

By leveraging ControlOne’s improved IPSec Connector management, including real-time traffic analytics and live debugging logs, MSPs can securely and efficiently manage their site-to-site VPN deployments with full visibility and control. 🚀
