CL2 Certification Virtual Private Network
This topic provides an overview of the CL2 Certification environment Virtual Private Network (VPN). The CL2 Cert VPN offering is implemented using a VPN connection: a secure, point-to-point connection between a client and the CME Group data centers. VPN traffic is carried over the Internet using secure tunneling technology.
CL2 Cert VPN enables customers to certify the following Certification services:
- EBS Central Post Trade (CPT)
- EBS Direct Bespoke LPI
- EBS Direct Generic LPI
- EBS Direct LCI
- BrokerTec Stream LPI
- BrokerTec Stream LCI
Customers with other CME certification services, e.g., CERT VPN or CERT Data Center, will not be able to use those services for CL2 EBS certifications.
CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.
Technical Requirements
Internet Requirements
Customers must provide a high-speed connection to the Internet. The connection must meet the following requirements:
- Internet connection with a static public IP address, routable on the Internet
- Internet service provider that supports VPN protocols
- Non-cloud-based, due to the lack of Generic Routing Encapsulation (GRE) support in cloud environments
Hardware Requirements
CME Group recommends that customers use a Cisco router with support for site-to-site VPNs. CME Group will provide a sample configuration based on a Cisco router, which the customer can tailor for their environment (details on the sample configuration to follow). However, customers are free to select the best vendor for their environment, and they are fully responsible for supporting both their chosen hardware and the configuration used to enable the VPN on their side. CME Group is unable to provide configuration support.
Configuring VPN Connectivity
CME Certification VPN Design
The CME Certification VPN is a policy-based VPN solution with the following requirements:
- IKEv2
- Pre-shared key authentication
- IKE Phase One:
  - Encryption: AES256
  - Hash: SHA256
  - Diffie-Hellman group: 14
  - Lifetime: 28800 seconds, no volume limit
  - Customer VPN device IKEv2 identity must match IP address used for peering
- IKE Phase Two:
  - Encryption: AES256
  - Authentication: SHA256
  - Tunnel mode
  - PFS: Enabled, using Diffie-Hellman Group 14
  - Compression: No
  - Security association lifetime: 4608000 kilobytes/3600 seconds
  - Security association idletime: 60 seconds
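The parameters above, mapped onto Cisco IOS IKEv2 crypto-map (policy-based) syntax. This is an added illustration, not the sample configuration that CME Group provides. The object names, the interface, the addresses (documentation ranges), the access list and the pre-shared key are placeholders and assumptions.

```cisco
! Added example. Placeholders, not CME values: 192.0.2.1 = CME peer,
! 198.51.100.10 = customer static public IP, ACL networks, key, interface.
crypto ikev2 proposal CL2-CERT-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy CL2-CERT-POLICY
 proposal CL2-CERT-PROPOSAL
!
crypto ikev2 keyring CL2-CERT-KEYRING
 peer CME-CERT
  address 192.0.2.1
  pre-shared-key REPLACE-WITH-PRE-SHARED-KEY
!
! The local IKEv2 identity is the same address that is used for peering.
crypto ikev2 profile CL2-CERT-PROFILE
 match identity remote address 192.0.2.1 255.255.255.255
 identity local address 198.51.100.10
 authentication local pre-share
 authentication remote pre-share
 keyring local CL2-CERT-KEYRING
 lifetime 28800
!
! No compression transform is configured, so compression stays off.
crypto ipsec transform-set CL2-CERT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Policy-based VPN: this ACL selects the protected traffic (placeholder nets).
ip access-list extended CL2-CERT-TRAFFIC
 permit ip 203.0.113.0 0.0.0.127 203.0.113.128 0.0.0.127
!
crypto map CL2-CERT-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set CL2-CERT-TS
 set ikev2-profile CL2-CERT-PROFILE
 set pfs group14
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 set security-association idle-time 60
 match address CL2-CERT-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map CL2-CERT-MAP
```

Once the tunnel is up, `show crypto ikev2 sa detailed` and `show crypto ipsec sa` report the negotiated algorithms, DH group and lifetimes, which can be compared against the list above.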
Device Requirements
VPN IPSEC only
Copyright © 2024 CME Group Inc. All rights reserved.