Certification Virtual Private Network

This page provides an overview of the Certification environment Virtual Private Network (VPN).

CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.

Technical Requirements

Internet Requirements

The CME Certification VPN is an Internet-only solution providing combined access to the futures and options, BTEC and EBS Certification environments. Customers must provide a high-speed connection to the Internet. The connection must adhere to the following requirements:

  • Internet connection with a static public IP address, routable on the Internet
  • Internet service provider that supports VPN protocols
  • Not cloud-hosted, due to the lack of Generic Routing Encapsulation (GRE) support in cloud environments

Hardware Requirements

CME recommends that customers use a Cisco router with support for site-to-site VPNs. CME will provide a sample configuration based on a Cisco router, which the customer can tailor for their environment (details on the sample configuration follow). However, it must be noted that customers are free to select the vendor best suited to their environment, and that they will fully support both their chosen hardware and the configuration used to enable the VPN on their side. CME Group is unable to provide configuration support.

The following diagram illustrates the VPN setup. MDP requires a device that supports GRE over IPsec. A GRE tunnel is used to deliver multicast traffic over the Internet to the customer. All GRE packets benefit from end-to-end encryption because they travel inside the IPsec tunnel. GRE is a non-optional component of the CME Certification VPN, regardless of whether the customer intends to consume multicast.

Configuring VPN Connectivity

CME Certification VPN Design

The CME Certification VPN is a policy-based VPN solution with the following requirements:

  • IKEv2
  • Pre-shared key authentication
  • IKE Phase One:
    • Encryption: AES256
    • Hash: SHA256
    • Diffie-Hellman group: 14
    • Lifetime: 28800 seconds, no volume limit
    • Customer VPN device IKEv2 identity must match IP address used for peering
  • IKE Phase Two:
    • Encryption: AES256
    • Authentication: SHA256
    • Tunnel mode
    • PFS: Enabled, using Diffie-Hellman Group 14
    • Compression: No
    • Security association lifetime: 4608000 kilobytes/3600 seconds
    • Security association idletime: 60 seconds
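The following Cisco IOS crypto-map configuration shows how the parameters above map onto a single router that terminates both IPsec and GRE. It is an illustration added here, not CME Group's sample configuration; the interface names, the tunnel and public addresses (198.51.100.1 local, 203.0.113.10 for the CME peer) and the pre-shared key are placeholders to be replaced with the values CME provides.

```cisco
! IKE Phase One (IKEv2 proposal/policy): AES256, SHA256, DH group 14
crypto ikev2 proposal CME-CERT-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy CME-CERT-POLICY
 proposal CME-CERT-PROP
! Pre-shared key for the CME peer (peer address and key are placeholders)
crypto ikev2 keyring CME-CERT-KEYRING
 peer CME-CERT
  address 203.0.113.10
  pre-shared-key local REPLACE-WITH-PSK
  pre-shared-key remote REPLACE-WITH-PSK
! Local IKEv2 identity is the public peering address, as CME requires;
! 28800-second lifetime with no volume limit
crypto ikev2 profile CME-CERT-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local CME-CERT-KEYRING
 lifetime 28800
! IKE Phase Two: ESP AES256 / SHA256, tunnel mode (also the default), no compression
crypto ipsec transform-set CME-CERT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Policy-based VPN: the only "interesting" traffic is GRE between the two endpoints
ip access-list extended CME-CERT-ACL
 permit gre host 198.51.100.1 host 203.0.113.10
crypto map CME-CERT-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set CME-CERT-TS
 set pfs group14
 set ikev2-profile CME-CERT-PROFILE
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set security-association idle-time 60
 match address CME-CERT-ACL
! GRE tunnel that carries unicast and multicast inside the IPsec SA
! (tunnel addressing is a placeholder; lower MTU avoids fragmenting GRE+ESP)
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
! Crypto map applied on the Internet-facing interface with the static public IP
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map CME-CERT-MAP
```

Because the crypto ACL matches only GRE, every packet to CME, unicast included, must be routed through Tunnel100 to be encrypted; a device that cannot terminate GRE would instead need the split arrangement described under Option 1.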

Device Requirements

The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the three tunneling configuration options that can be used to create the VPN.

  • Option 1 uses separate units for VPN and GRE tunneling
  • Option 2 uses a single unit for VPN and GRE tunneling
  • Option 3 uses a single unit for VPN tunneling

Option 1: Separate Units for VPN IPSEC and GRE Tunneling

Customers wishing to subscribe to market data who choose a device or service that does not support GRE tunnel encapsulation will have to separate IPsec and GRE termination between two endpoints.

Option 2: Combined Units for VPN IPSEC and GRE Tunneling

Customers wishing to subscribe to market data may choose to combine IPsec and GRE termination in a single device or service.

Option 3: Single Unit for VPN IPSEC only

Customers not wishing to subscribe to market data do not require GRE capability.


Copyright © 2024 CME Group Inc. All rights reserved.