Riverbed SteelConnect SD-WAN Solution Guide

Where Can I Use This?
  • Prisma Access (Managed by Panorama)

What Do I Need?
To use this Solution Guide, you need knowledge of the following software and hardware concepts:
  • SD-WAN routing principles
  • SteelConnect Manager (SCM)
  • SteelConnect appliances (in particular, SteelConnect gateways)
  • Panorama appliance configuration tasks
  • Prisma Access configuration tasks

Supported IKE and IPSec Cryptographic Profiles

Prisma Access supports standard IPSec tunnels from third-party SD-WAN edge devices using IKE and IPSec Crypto profiles.
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and SteelConnect SD-WAN.
A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it's not supported. Default and Recommended settings are noted in the table.
Crypto Profiles | Prisma Access | SteelConnect SD-WAN

Tunnel Type
  • IPSec Tunnel
  • GRE Tunnel

Routing
  • Static Routes
  • Dynamic Routing (BGP)
  • Dynamic Routing (OSPF)

IKE Versions
  • IKE v1
  • IKE v2

IPSec Phase 1 DH-Group
  • Group 1
  • Group 2 (Default)
  • Group 5
  • Group 14
  • Group 19
  • Group 20 (Recommended)

IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
  • MD5
  • SHA1 (Default)
  • SHA256
  • SHA384
  • SHA512 (Recommended)

IPSec Phase 1 Encryption
  • DES
  • 3DES (Default)
  • AES-128-CBC (Default) (Recommended)
  • AES-192-CBC
  • AES-256-CBC (Recommended)

IPSec Phase 1 Key Lifetime Default: (8 Hours) | (3 Hours)

IPSec Phase 1 Peer Authentication
  • Pre-Shared Key
  • Certificate

IKE Peer Identification
  • FQDN
  • IP Address
  • User FQDN

IKE Peer
  • As Static Peer
  • As Dynamic Peer

Options
  • NAT Traversal
  • Passive Mode

Ability to Negotiate Tunnel
  • Per Subnet Pair
  • Per Pair of Hosts
  • Per Gateway Pair

IPSec Phase 2 DH-Group
  • Group 1
  • Group 2 (Default) (Default)
  • Group 5
  • Group 14
  • Group 19
  • Group 20 (Recommended)
  • No PFS

IPSec Phase 2 Auth
  • MD5
  • SHA1 (Default)
  • SHA256
  • SHA384
  • SHA512 (Recommended) (as well as GMAC AES256)
  • None

IPSec Phase 2 Encryption
  • DES
  • 3DES (Default)
  • AES-128-CBC (Default)
  • AES-192-CBC
  • AES-256-CBC (Default)
  • AES-128-CCM
  • AES-128-GCM
  • AES-256-GCM (Recommended)
  • NULL

IPSec Protocol
  • ESP
  • AH

IPSec Phase 2 Key Lifetime Default: (1 Hour) | (1 Hour)

Tunnel Monitoring Fallback
  • Dead Peer Detection (DPD)
  • ICMP
  • Bidirectional Forwarding Detection (BFD)

SD-WAN Architecture Type
  • With Regional Hub/Gateway/Data Center: NA
  • No Regional Hub/Gateway/Data Center: NA

SD-WAN Deployment Architectures Supported by Riverbed

Riverbed supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment isn't supported.
  • Use Case: Securing traffic from each branch site with 1 WAN link (Type 1)
    Architecture: Use an IPSec tunnel from each branch to Prisma Access. Use a Riverbed SD-WAN appliance device at the branch.
    Supported?: Yes
  • Use Case: Securing branch and HQ sites with active/backup SD-WAN connections
    Supported?: No
  • Use Case: Securing branch and HQ sites with active/active SD-WAN connections
    Supported?: No
  • Use Case: Securing branch and HQ sites with SD-WAN edge devices in HA mode
    Supported?: Yes
  • Use Case: Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
    Supported?: Yes