...

Technical Requirements

Internet Requirements

The CME Certification VPN is an Internet-only solution providing combined access to the Futures & Options (F&O), BTEC and EBS Certification environments. Customers must provide a high-speed connection to the Internet. The connection must adhere to the following requirements:

  • Internet connection with a static public IP address that is routable on the Internet (the VPN endpoint must peer from that address; it cannot sit behind NAT, because the IKEv2 identity must match the peering address)
  • Internet service provider that permits VPN protocols (IKE/UDP 500, ESP/IP protocol 50)
  • A non-cloud-based VPN endpoint: cloud VPN services generally lack Generic Routing Encapsulation (GRE) support, which this VPN requires

Hardware Requirements

CME recommends that customers use a Cisco router with support for site-to-site VPNs. CME will provide a sample configuration based on a Cisco router, which the customer can tailor for their environment (details on the sample configuration follow). However, customers are free to select the vendor best suited to their environment, with the understanding that they fully support both the chosen hardware and the configuration used to enable the VPN on their side. CME Group is unable to provide configuration support for customer devices.

The following diagram illustrates the VPN setup. MDP requires a device that supports GRE over IPsec. A GRE tunnel is used to deliver multicast traffic over the Internet to the customer, because IPsec alone cannot carry multicast. GRE offers no confidentiality of its own; the GRE packets are encrypted only because they are carried inside the IPsec tunnel between the two VPN endpoints. GRE is a non-optional component of the CME Certification VPN regardless of whether the customer intends to consume multicast.

Configuring VPN Connectivity

CME Certification VPN Design

...

  • IKEv2
  • Pre-shared key authentication
  • IKE Phase One (IKE SA):
    • Encryption: AES256
    • Hash (integrity/PRF): SHA256
    • Diffie-Hellman group: 14 (2048-bit MODP)
    • Lifetime: 28800 seconds, no volume limit
    • Customer VPN device IKEv2 identity must be the public IP address used for peering (address identity, not FQDN or key-id)
  • IKE Phase Two (IPsec child SA):
    • Encryption: AES256
    • Authentication: SHA256 (HMAC)
    • Tunnel mode
    • PFS: Enabled, using Diffie-Hellman group 14
    • Compression: No
    • Security association lifetime: 4608000 kilobytes / 3600 seconds, whichever is reached first
    • Security association idle time: 60 seconds
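The following Cisco IOS configuration fragment is an added illustration of the parameters listed above. It is not CME's sample configuration and has not been supplied by CME; the object names (CME-CERT-*), the interface name, the tunnel addressing and the RFC 5737 placeholder addresses (203.0.113.10 for the customer's static public IP, 198.51.100.1 for the CME peer) are assumptions to be replaced with the values CME provides. The pre-shared key is a placeholder.

```cisco
! --- IKE Phase One (IKE SA): AES256 / SHA256 / DH group 14, 28800 s lifetime ---
crypto ikev2 proposal CME-CERT-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy CME-CERT-POL
 match address local 203.0.113.10
 proposal CME-CERT-PROP
!
! Pre-shared key authentication. REPLACE-WITH-PSK is a placeholder.
crypto ikev2 keyring CME-CERT-KEYRING
 peer CME-CERT
  address 198.51.100.1
  pre-shared-key local REPLACE-WITH-PSK
  pre-shared-key remote REPLACE-WITH-PSK
!
! The local identity is sent as the peering IP address, as the design requires.
crypto ikev2 profile CME-CERT-PROFILE
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 203.0.113.10
 authentication remote pre-share
 authentication local pre-share
 keyring local CME-CERT-KEYRING
 lifetime 28800
 dpd 10 3 periodic
!
! --- IKE Phase Two (IPsec child SA): AES256 / SHA256-HMAC, tunnel mode, PFS group 14 ---
crypto ipsec transform-set CME-CERT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Lifetime 4608000 KB / 3600 s (whichever first), 60 s idle time, no compression.
crypto ipsec profile CME-CERT-IPSEC
 set transform-set CME-CERT-TS
 set pfs group14
 set ikev2-profile CME-CERT-PROFILE
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set security-association idle-time 60
!
! --- GRE tunnel carried inside the IPsec tunnel (GRE over IPsec) ---
! Tunnel inside address is an assumption; CME assigns the real value.
interface Tunnel100
 description GRE over IPsec to CME Certification (added example)
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile CME-CERT-IPSEC
```

Once applied, `show crypto ikev2 sa detailed` should report a single IKE SA whose local identity is the public peering address and whose encryption, integrity and DH group match the list above; `show crypto ipsec sa` should show the ESP SA in tunnel mode with PFS group 14, and the tunnel interface should come up only after both SAs are established. A mismatch in any one value, or an identity sent as a hostname rather than the address, is the usual reason the peer rejects the negotiation. The reduced tunnel MTU and MSS clamp account for the GRE plus ESP overhead so that traffic is not silently fragmented or dropped.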

Device Requirements

The device prerequisites vary slightly depending on whether existing devices will be reused. The following sections describe the three tunnelling configuration options that can be used to create the VPN.

...