Provide connectivity between sites with AutoVPN

Solution Number:
S28012
Last Modified:
2017-05-05
Issue

The AutoVPN feature provides connectivity between Riverbed sites. In each site only one appliance can act as the AutoVPN endpoint. The selected appliance should ideally be the network gateway for the site, or be placed inline so that all traffic entering and leaving the site passes through it. On sites without a Riverbed gateway you may want to enable AutoVPN on the Access Point so that the site can join the full-mesh VPN network. AutoVPN connections use AES256-SHA1 encryption and IKEv2, with NAT traversal always active.

AutoVPN can be split into two general operating modes:

RouteVPN – a classic routed Layer 3 IPsec VPN between internal networks
SwitchVPN – a bridged Layer 2 IPsec VPN between sites (this extends Zones across site boundaries as needed)

AutoVPN is unlikely to work from behind a NAT device unless incoming traffic is forwarded to the AutoVPN appliance.
UDP encapsulation is enforced by default on port 4500 (source and destination port). If necessary, the default AutoVPN port can be changed in SteelConnect > Sites > WAN/AutoVPN > AutoVPN Port.
To make sure AutoVPN works properly behind a NAT device, configure a port-forwarding rule on the NAT device that forwards the AutoVPN port to the AutoVPN appliance, and check that the NAT device does not try to terminate the IPsec tunnel itself (a feature commonly referred to as "IPsec Passthrough").
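When troubleshooting the port-forwarding step, it helps to know what actually arrives on the AutoVPN port after the NAT device has handled it. The following added example (illustration only, not Riverbed code) classifies a UDP/4500 datagram as an IKEv2 message, UDP-encapsulated ESP, or a NAT keepalive, following RFC 3948 and RFC 7296; a marker-stripping middlebox makes IKE look like ESP with a nonsense SPI, which is exactly the symptom of a NAT device interfering with the tunnel. All packet bytes are constructed.

```python
import struct

# Classifies what arrives in a UDP datagram on the AutoVPN port (default 4500),
# following RFC 3948 (UDP-encapsulated ESP, non-ESP marker, NAT keepalive) and
# RFC 7296 (IKEv2 header). Added illustration, not Riverbed code.

NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HDR = struct.Struct("!QQBBBBII")  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what the datagram is: nat-keepalive, ike (with header fields), esp, or malformed."""
    if payload == b"\xff":  # one-byte NAT keepalive (RFC 3948 section 2.3)
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):  # four zero bytes distinguish IKE from ESP (ESP SPI is never 0)
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        spi_i, spi_r, _next, version, exch, flags, msg_id, length = IKE_HDR.unpack(ike[:IKE_HDR.size])
        major, minor = version >> 4, version & 0x0F
        if major != 2:
            return {"kind": "ike", "version": f"{major}.{minor}", "reason": "not IKEv2"}
        if length != len(ike):  # a middlebox that rewrote or truncated the payload shows up here
            return {"kind": "malformed", "reason": f"IKE length field {length} != {len(ike)} bytes"}
        return {"kind": "ike", "version": "2.0", "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
                "spi_i": spi_i, "spi_r": spi_r, "msg_id": msg_id,
                "initiator": bool(flags & FLAG_INITIATOR), "response": bool(flags & FLAG_RESPONSE)}
    if len(payload) >= 8:  # otherwise UDP-encapsulated ESP: SPI then sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "reason": "too short for ESP"}

def build_ike_datagram(spi_i, spi_r, exch, flags, msg_id, body=b""):
    """Build a constructed IKEv2-over-UDP/4500 datagram (non-ESP marker + header + body)."""
    hdr = IKE_HDR.pack(spi_i, spi_r, 33, 0x20, exch, flags, msg_id, IKE_HDR.size + len(body))  # 33 = SA payload
    return NON_ESP_MARKER + hdr + body

# Constructed sample datagrams (not captured from a real AutoVPN session).
SAMPLE_IKE_SA_INIT = build_ike_datagram(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0, b"\x00" * 8)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xab" * 16
SAMPLE_STRIPPED = SAMPLE_IKE_SA_INIT[4:]  # what a passthrough/ALG that strips the marker would deliver

if __name__ == "__main__":
    for name, pkt in [("ike", SAMPLE_IKE_SA_INIT), ("esp", SAMPLE_ESP), ("keepalive", b"\xff"), ("stripped", SAMPLE_STRIPPED)]:
        print(name, classify_nat_t_payload(pkt))
```

Feeding the function the UDP payloads from a capture taken on the appliance side of the NAT device shows whether IKE_SA_INIT messages arrive intact or have been mangled on the way in.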

Solution

RouteVPN (Layer3 Tunnel)

If a zone is part of the RouteVPN WAN it will automatically be added to the AutoVPN connectivity. Each Zone can be added to the RouteVPN membership in SteelConnect > Network Design > WANs > RouteVPN.

Traffic between RouteVPN zones has to be permitted by a rule added in Riverbed SteelConnect > Rules > Outbound / Internal > New policy rule.

The status of a RouteVPN is shown in the Dashboard Map as a thick line, whereas a SwitchVPN is shown as a thin line.

Green thick line = RouteVPN successfully established
Red thick line = RouteVPN can’t be established

SwitchVPN (Layer2 Tunnel)

Unlike RouteVPN, SwitchVPN does not need to be manually configured or enabled. Non-local zones are imported automatically by the site's AutoVPN appliance whenever they are used by a Riverbed appliance somewhere in the site, for example via a Port, an SSID broadcast, or an IP address configuration.

The status of a SwitchVPN is shown in the Dashboard Map as a thin line, whereas a RouteVPN is shown as a thick line.

Green thin line = SwitchVPN successfully established
Red thin line = SwitchVPN can’t be established

Deployment Examples

AutoVPN between Gateways

Here is an example of SwitchVPN via an automatically imported remote Zone. The HQ Zone was imported automatically by using it in an SSID broadcast in Branch Office:

Such an SSID Broadcast can be configured in Riverbed SteelConnect > WiFi > Broadcasts:

Site:   Branch Office
SSID: choose your SSID
Default Zone: HQ -> VLAN 1003

AutoVPN between Access Point and Gateway

Another example is a Home Office without a SteelConnect Gateway. In that case you may want to enable AutoVPN for the Access Point under Appliances > Access Points > AutoVPN; the Access Point then receives the remote zones via the AutoVPN feature.

AutoVPN between Access Points

It is also possible to establish an AutoVPN between Access Points. A typical use case is two sites without a SteelConnect Gateway deployed; enabling AutoVPN on both Access Points lets each site access the other's Zones.

If you want to establish a Layer 3 tunnel between the Branch Office Zone (VLAN 1006) and the Home Office Zone (VLAN 1009), add both zones to the RouteVPN WAN membership in SteelConnect > Network Design > WANs > RouteVPN.

Environment

SteelConnect Access Point
SteelConnect Gateway
SteelConnect Manager
