Auto-VPN

Last updated: October 25, 2024

Written by Franny
Updated over 11 months ago

Introduction

VPN has long been a primary technology for securely transmitting communications over untrusted networks for businesses, government agencies, and departments.

However, configuring these technologies and managing their various phases, modes, and encryption algorithms can be quite complex, especially across multiple devices. To address this challenge, EnGenius Auto-VPN provides a quick, cloud-managed way to establish and maintain IPSec VPN connections across multiple devices.

What is site-to-site VPN?

Site-to-site VPN is primarily used to create a secure and encrypted connection between two or more locations of the same organization. This enables the seamless sharing of network resources across the connected sites. The technology relies on security appliances or firewalls at each location to establish these protected connections.

Figure 1. Site to Site VPN

One of the key benefits of a site-to-site VPN is that it allows client devices, such as laptops and desktops, to communicate through the VPN without the need for individual software installations or specific configuration changes on each device. This simplifies the process of maintaining a secure network across multiple locations, ensuring data privacy and integrity in inter-site communications.

Site-to-site VPN Topologies

Two primary site-to-site VPN topologies exist:

  • Mesh (as a Hub): This topology connects all of an organization’s sites directly to each other, allowing for seamless data exchange without routing through a central location.

  • Hub-and-Spoke: In this topology, all branch offices or satellite sites (spokes) communicate through a central office (hub) via VPN. Spokes do not have direct connections to each other but instead route all traffic through the hub.

Why is using a VPN difficult?

Managing multi-site VPNs with traditional architectures can be daunting as the network expands. The complexity comes from the need to set up and fine-tune each VPN tunnel manually through intricate settings, a process that is time-consuming and error-prone. Such setups require careful configuration of many parameters, including both ends' IP addresses, pre-shared keys or digital certificates, authentication mechanisms, encryption protocols, and exportable subnets, each of which must be configured individually for every tunnel.

Figure 2. Complicated Site to Site VPN Configuration

Therefore, configuring and managing VPNs can pose significant challenges for IT teams. To mitigate these challenges, EnGenius has progressively introduced several technologies. Notably, EnGenius's cloud-based management platform offers an innovative solution, AutoVPN, by simplifying the configuration and management of multi-site VPNs, significantly reducing the manual effort and margin for error.

EnGenius Auto-VPN

EnGenius AutoVPN simplifies the process of creating and managing VPNs for multiple locations. It makes the setup process quicker and easier, especially for large businesses. It addresses and resolves many of the typical issues found in traditional VPN setups.

The core of EnGenius Auto-VPN is its use of the EnGenius cloud as a mediator. It automatically handles the IP negotiation of VPN routes, authentication, encryption protocols, and key distribution among the EnGenius Security Gateways (ESGs) within an organization. This reliance on cloud technology significantly reduces the need for manual setup by IT administrators, minimizing the chance of human error. With AutoVPN, establishing secure IPSec VPN tunnels between sites is quicker and easier, allowing for a more efficient setup process.

As shown in Figure 3, a site-to-site VPN can be set up automatically with a few clicks, with no detailed VPN parameter settings required. For example, a WAN IP change is automatically propagated to the other VPN peers to keep the VPN connected.

Figure 3. EnGenius AutoVPN

Key Features of EnGenius AutoVPN:

  • Simplified Configuration: With just a few clicks through the EnGenius Cloud interface, AutoVPN eliminates the need for intricate manual setup. This user-friendly approach makes VPN configuration accessible even to those without extensive technical expertise.

  • Automatically handles network security changes: The EnGenius Cloud seamlessly configures VPN routes, authentication (SHA1), encryption protocols (AES128), and key exchange (Diffie-Hellman) across all ESG appliances within an organization. This process facilitates the automatic establishment of hub-and-spoke or mesh IPSec VPN topologies.

  • Scalability/Rapid Deployment: AutoVPN's cloud-based management platform facilitates easy scalability, enabling businesses to expand their VPN networks seamlessly as they grow.

By integrating AutoVPN into your network, you embrace a future where managing multi-site VPNs no longer requires complex configurations or extensive technical knowledge, thereby empowering your IT team to focus on strategic initiatives rather than routine network maintenance tasks.

Important Points to Note:

The AutoVPN feature is supported on the following models:

  • ESG series on EnGenius Cloud

  • XG-60 on FitXpress Cloud

How to configure EnGenius AutoVPN

EnGenius AutoVPN is a feature that simplifies the process of establishing a secure VPN connection between multiple remote locations without the need for complex configurations. Here's a basic guide on how to set it up:

Configuration Steps

  1. To enable AutoVPN, navigate to Configure > Gateway > Site-to-Site VPN page and toggle the "Site-to-Site VPN" option to enabled.

    Figure 4. Enable AutoVPN

  2. Select the desired topology

    There are two options for configuring the EnGenius Gateway's role in the Auto VPN topology.

    • Hub (Mesh): This EnGenius Security Gateway acts as a VPN Hub (Mesh) node and will establish VPN tunnels to all remote EnGenius VPN peers in the same organization that are also configured in this mode. It will also establish VPN tunnels to Spoke nodes that specify this gateway as their common Hub node.

    • Spoke: This EnGenius Security Gateway acts as a VPN Spoke node and will establish only one tunnel to the specified remote EnGenius Security Gateway which acts as this gateway’s Hub node. All Spoke nodes with a common Hub node can reach each other through Hub-and-Spoke tunnels unless blocked by Site-to-Site VPN firewall rules.

  3. Choose which subnets (local networks) to export over VPN

    Next, choose the local subnet to export to the Auto VPN domain. Users can effectively manage and export subnets in EnGenius Cloud by checking (include) or unchecking (exclude) the "Use VPN" checkbox next to the corresponding local LAN, ensuring seamless and conflict-free network connections. Here are the detailed steps.

    • Step 1. EnGenius Cloud will automatically display a list of all available local subnets, which includes:

      • LAN

      • IPSec VPN client

      • SecuPoint VPN client

    • Step 2. Select the local LANs to export to the AutoVPN domain:

      • Users can export specific local LAN subnets to the AutoVPN domain by checking the "Use VPN" checkbox, making them visible and accessible to remote VPN sites.

    Figure 6. Export specific local LAN subnets to the AutoVPN domain

Important Points to Note:

  • EnGenius Cloud will verify that the selected subnet's IP range does not conflict within the entire VPN domain.

    • If a conflict is detected after clicking the Apply button, EnGenius Cloud will issue a warning to the user.

  4. Click “Apply” on the Site-to-Site VPN page

You have now configured your network in either a mesh or hub-and-spoke topology. To monitor the status of all the VPN peer ESGs in your network, navigate to the VPN Status page by selecting MANAGE > VPN Status. Here, you'll find detailed status reports for each ESG device, including their exported subnets. This page also provides real-time insights into latency, connectivity, and routing decisions across the Auto VPN domain.

Figure 7. Monitor VPN Status

Figure 8. Monitor MAP view of VPN Status
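
Before applying a topology, the plan can be reviewed offline. The following is an added example, not EnGenius code: it derives the tunnels implied by the Hub (Mesh) and Spoke roles described in step 2 and flags overlapping exported subnets as in the conflict check in step 3. The site names, the SITES structure and the assumption that "conflict" means CIDR overlap are illustrative.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: site names, roles and subnets are illustrative only.
SITES = {
    "hq":       {"role": "hub",   "hub": None, "subnets": ["10.0.0.0/16"]},
    "dc":       {"role": "hub",   "hub": None, "subnets": ["10.1.0.0/16"]},
    "branch-a": {"role": "spoke", "hub": "hq", "subnets": ["192.168.10.0/24"]},
    "branch-b": {"role": "spoke", "hub": "hq", "subnets": ["10.0.5.0/24"]},  # inside hq's /16
}

def expected_tunnels(sites):
    """Tunnels implied by the roles: every Hub (Mesh) pair, plus one per Spoke to its Hub."""
    hubs = sorted(n for n, s in sites.items() if s["role"] == "hub")
    tunnels = {tuple(pair) for pair in combinations(hubs, 2)}
    for name, site in sites.items():
        if site["role"] == "spoke":
            if site["hub"] not in hubs:
                raise ValueError(f"{name}: hub {site['hub']!r} is not a Hub (Mesh) node")
            tunnels.add(tuple(sorted((name, site["hub"]))))
    return sorted(tunnels)

def subnet_conflicts(sites):
    """Return (site, subnet, site, subnet) for every overlapping pair of exported subnets."""
    # strict=True rejects CIDRs with host bits set (e.g. 10.0.5.1/24), a common typo.
    exported = [(name, ipaddress.ip_network(cidr, strict=True))
                for name, site in sites.items() for cidr in site["subnets"]]
    conflicts = []
    for (site_a, net_a), (site_b, net_b) in combinations(exported, 2):
        # Assumption: a "conflict" is any overlap between two exported ranges.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return conflicts

if __name__ == "__main__":
    for a, b in expected_tunnels(SITES):
        print(f"tunnel: {a} <-> {b}")
    for site_a, net_a, site_b, net_b in subnet_conflicts(SITES):
        print(f"conflict: {site_a} {net_a} overlaps {site_b} {net_b}")
```

In the sample plan, branch-b's 10.0.5.0/24 falls inside hq's 10.0.0.0/16, so unchecking "Use VPN" for one of them or renumbering the branch clears the conflict.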
