How IPsec UDP Helps Scale and Secure SD-WAN Fabrics

IPsec is a critical element in building a scalable and secure SD-WAN fabric. The right IPsec is key to making it happen.

Robert Sturt published an article titled “SD-WAN vs. VPN: How do they compare?” While Robert tried to illustrate when and how to use SD-WAN vs. VPN, the objective of this blog is to look deeper into existing IPsec approaches and the challenges in building and securing an SD-WAN fabric, and how IPsec UDP can help address these challenges. At the end of this blog, I have included a link to a Silver Peak white paper that provides a detailed explanation of IPsec options.

We’ll look at three IPsec options:

  1. IKE (Internet Key Exchange) pre-shared keys
  2. IKE PKI (Public Key Infrastructure) based authorization
  3. IKE-less IPsec UDP

When building an SD-WAN fabric, IPsec tunnels are configured to serve as the connections between end points (branch offices, headquarters, data centers, public clouds). Doing so requires managing key distribution and rotation (rekeying), as well as tunnel setup and teardown, for thousands of tunnels in a scalable, secure and timely manner without loss of network or site availability. This process tends to be complex, time-consuming and error-prone.

Furthermore, deploying NAT (Network Address Translation) with IKE can fail when multiple devices at the branch office each have their own VPN requirements. Another challenge is that IKE uses well-known ports, which makes it easy for carriers to block or rate-limit.

Why IPsec UDP “IKE-Less”

IKE-less provides flexibility, security and robustness. It uses standards-based IPsec encryption with standard UDP encapsulation. Encryption keys are never repeated and are directionally unique. In a Silver Peak Unity EdgeConnect™ SD-WAN implementation, Unity Orchestrator™ manages the encryption keys and rotations automatically, which reduces tunnel setup time without loss of service. In addition, IKE-less allows NAT’ing to connect reliably to multiple devices at the branch, including LTE WAN circuits. Since IKE-less carries IPsec over different ports, it is difficult for upstream firewalls to limit or block the traffic.
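To make the two key-management properties above concrete, here is an added Python model (not Silver Peak's code, and not the actual IPsec UDP packet format): a central orchestrator hands each tunnel a fresh random secret per key generation, derives one key per direction from it, and endpoints keep the current and previous generation live so a rotation never drops in-flight packets. The generation header, the HMAC-SHA256 tag standing in for ESP protection, and the class names are all assumptions made for illustration.

```python
import hashlib, hmac, os, struct

def derive_direction_key(secret: bytes, src: str, dst: str) -> bytes:
    """Directionally unique key: swapping src and dst yields a different key."""
    return hmac.new(secret, f"ipsec-udp|{src}->{dst}".encode(), hashlib.sha256).digest()

class Endpoint:
    """Tunnel endpoint holding per-generation (tx_key, rx_key) pairs pushed by the orchestrator."""
    def __init__(self, name: str):
        self.name, self.keys = name, {}            # generation -> (tx_key, rx_key)
    def install(self, gen: int, tx_key: bytes, rx_key: bytes) -> None:
        self.keys[gen] = (tx_key, rx_key)
        for old in sorted(self.keys)[:-2]:          # make-before-break: keep current + previous
            del self.keys[old]
    def encapsulate(self, payload: bytes) -> bytes:
        gen = max(self.keys)                        # always send under the newest generation
        tag = hmac.new(self.keys[gen][0], payload, hashlib.sha256).digest()
        return struct.pack("!I", gen) + tag + payload   # hypothetical UDP payload: gen | tag | data
    def decapsulate(self, packet: bytes):
        gen, tag, payload = struct.unpack("!I", packet[:4])[0], packet[4:36], packet[36:]
        if gen not in self.keys:
            return None                             # generation retired or never installed
        expected = hmac.new(self.keys[gen][1], payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, expected) else None

class Orchestrator:
    """Central key manager: one fresh random secret per generation, never reused."""
    def __init__(self):
        self.generation, self.secrets = 0, {}
    def rotate(self, a: Endpoint, b: Endpoint) -> int:
        self.generation += 1
        secret = self.secrets[self.generation] = os.urandom(32)
        a.install(self.generation, derive_direction_key(secret, a.name, b.name),
                  derive_direction_key(secret, b.name, a.name))
        b.install(self.generation, derive_direction_key(secret, b.name, a.name),
                  derive_direction_key(secret, a.name, b.name))
        return self.generation

def demo() -> dict:
    orch, branch, hub = Orchestrator(), Endpoint("branch"), Endpoint("hub")
    g1 = orch.rotate(branch, hub)
    in_flight = branch.encapsulate(b"sent under generation 1")
    g2 = orch.rotate(branch, hub)                   # rekey while that packet is still in flight
    survived = hub.decapsulate(in_flight)           # previous generation still accepted
    reflected = branch.decapsulate(branch.encapsulate(b"x"))   # own packet bounced back: wrong direction
    orch.rotate(branch, hub)                        # third rotation retires generation 1
    return {"survived_rotation": survived, "reflected_rejected": reflected,
            "retired_rejected": hub.decapsulate(in_flight),
            "keys_directional": branch.keys[g2][0] != branch.keys[g2][1],
            "secret_not_repeated": orch.secrets[g1] != orch.secrets[g2]}
```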

The following table lists a full comparison between the different IPsec options.

IPsec UDP Comparison Matrix

To learn more about how IPsec UDP works, be sure to download and read the IPsec UDP Mode white paper, authored by Anusha Vaidyanathan, director of security product management at Silver Peak.