Certification Virtual Private Network
This page provides an overview of the Certification environment Virtual Private Network (VPN).
CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.
Technical Requirements
Internet Requirements
The CME Certification VPN is an Internet only solution providing combined access to futures and options, BTEC and EBS Certification environments. Customers must provide a high-speed connection to the Internet. The connection must adhere to the following requirements:
- Internet connection with a static public IP address, routable on the Internet
- Internet service provider that supports VPN protocols
- Not cloud-based, because cloud platforms lack Generic Routing Encapsulation (GRE) support
Hardware Requirements
CME recommends that customers use a Cisco router with support for site-to-site VPNs. CME will provide a sample configuration based on a Cisco router which the customer can tailor for their environment (details on the sample configuration to follow). However, customers are free to select the best vendor for their environment, and they will fully support both their chosen hardware and the configuration used to enable the VPN on their side. CME Group is unable to provide configuration support.
The following diagram illustrates the VPN setup. MDP requires a device that supports GRE over IPsec. A GRE tunnel is used to deliver multicast traffic over the Internet to the customer. All GRE packets are encrypted end to end because they travel inside the IPsec tunnel. GRE is a non-optional component of the CME Certification VPN regardless of the customer's intention to consume multicast.
Configuring VPN Connectivity
CME Certification VPN Design
The CME Certification VPN is a policy-based VPN solution with the following requirements:
- IKEv2
- Pre-shared key authentication
- IKE Phase One:
  - Encryption: AES256
  - Hash: SHA256
  - Diffie-Hellman group: 14
  - Lifetime: 28800 seconds, no volume limit
  - Customer VPN device IKEv2 identity must match the IP address used for peering
- IKE Phase Two:
  - Encryption: AES256
  - Authentication: SHA256
  - Tunnel mode
  - PFS: Enabled, using Diffie-Hellman group 14
  - Compression: No
  - Security association lifetime: 4608000 kilobytes / 3600 seconds
  - Security association idle time: 60 seconds
Device Requirements
The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the three tunneling configuration options that can be used to create the VPN.
- Option 1 uses separate units for VPN and GRE tunneling
- Option 2 uses a single unit for VPN and GRE tunneling
- Option 3 uses a single unit for VPN tunneling
Option 1: Separate Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data who choose to use a device or service that does not support GRE tunnel encapsulation must terminate IPsec and GRE on two separate endpoints.
Option 2: Combined Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data may choose to combine IPSEC and GRE termination into a single device or service.
Option 3: Single Unit for VPN IPSEC only
Customers not wishing to subscribe to market data do not require GRE capability.
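The following Cisco IOS configuration fragment is an added illustration of how the Phase One and Phase Two parameters listed under CME Certification VPN Design, together with the GRE tunnel required for market data (Option 2, single device for IPsec and GRE), map onto router commands. It is not the sample configuration that CME provides, and the peer addresses, tunnel addressing, pre-shared key and object names are placeholders chosen for this example (RFC 5737 documentation addresses); the policy ACL matching GRE between the two public endpoints is an assumption about how the policy-based tunnel is scoped and must be replaced with the values CME supplies.

```text
! --- Example only: placeholder addresses and names, not CME's sample config ---
! 192.0.2.10  = customer static public IP (placeholder)
! 198.51.100.5 = CME Certification VPN peer (placeholder)
!
! IKE Phase One: AES256 / SHA256 / DH group 14
crypto ikev2 proposal CME-CERT-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy CME-CERT-POLICY
 proposal CME-CERT-PROPOSAL
!
! Pre-shared key authentication (placeholder key)
crypto ikev2 keyring CME-CERT-KEYRING
 peer CME-CERT
  address 198.51.100.5
  pre-shared-key REPLACE-WITH-KEY-FROM-CME
!
! Local identity is the peering IP address; Phase One lifetime 28800 s
crypto ikev2 profile CME-CERT-PROFILE
 match identity remote address 198.51.100.5 255.255.255.255
 identity local address 192.0.2.10
 authentication remote pre-share
 authentication local pre-share
 keyring local CME-CERT-KEYRING
 lifetime 28800
!
! IKE Phase Two: AES256 / SHA256, tunnel mode, no compression
crypto ipsec transform-set CME-CERT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Policy-based tunnel: assumed to protect GRE between the two public endpoints
ip access-list extended CME-CERT-CRYPTO-ACL
 permit gre host 192.0.2.10 host 198.51.100.5
!
! PFS group 14, SA lifetime 4608000 KB / 3600 s, SA idle time 60 s
crypto map CME-CERT-MAP 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set CME-CERT-TS
 set pfs group14
 set ikev2-profile CME-CERT-PROFILE
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set security-association idle-time 60
 match address CME-CERT-CRYPTO-ACL
!
! GRE tunnel carried inside the IPsec tunnel (multicast market data rides here);
! tunnel addressing is a placeholder, multicast routing shown with PIM sparse mode
interface Tunnel100
 ip address 10.255.255.2 255.255.255.252
 ip pim sparse-mode
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.5
 tunnel mode gre ip
!
! Internet-facing interface holding the static public IP and the crypto map
interface GigabitEthernet0/0
 description Internet
 ip address 192.0.2.10 255.255.255.0
 crypto map CME-CERT-MAP
```

After applying such a configuration, `show crypto ikev2 sa` and `show crypto ipsec sa` confirm that the negotiated proposal matches the parameters above (AES256, SHA256, group 14, PFS, the stated lifetimes), and `show interfaces Tunnel100` shows the GRE tunnel up once IPsec is established. A mismatch in any single parameter, including the IKEv2 identity not matching the peering address, causes the Phase One or Phase Two negotiation to fail.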
Copyright © 2024 CME Group Inc. All rights reserved.