Forum Discussion

Jerome_CARRIER
Apr 10, 2020

VPN DTLS

Hi DevCentral,


I read that the performance when we use VPN (Edge Client) can be improved if DTLS is activated. Currently, we use only VPN through HTTPS. If I activate DTLS on the VPN profile and then create a virtual server, how can I check whether the tunnel is established with the DTLS protocol?


And currently, our F5 is behind a firewall. I have a rule to allow HTTPS from the Internet to the public IP of our F5. Do I need to add a rule to allow UDP_4433 as well, between the Internet and the F5?


BR

5 Replies

  • In the EdgeClient

    Details >> Connection Details

    shows whether DTLS is being used.


    It is also recorded in the APM logs.


    > Do I need to add a rule to allow UDP_4433 as well, between the Internet and the F5?


    Yes.

    • Jerome_CARRIER

      Hello,

      Thank you for your answer. Once DTLS is activated on the profile and the VS created, is it mandatory to create a new Edge install package and deploy it on the users' laptops, or will the existing client already deployed on user computers automatically detect the new configuration and base the communication on the DTLS protocol?

      BR

    • Simon_Blakely

      Looks good to me:

      # tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
             ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
       0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
       1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
       2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES                 SHA     ECDHE_RSA
       3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
       4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA
       5: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
       6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1   AES                 SHA     ECDHE_RSA
       7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  AES                 SHA     ECDHE_RSA
       8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
       9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA
      10: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
      11:   157  AES256-GCM-SHA384                256  TLS1.2  AES-GCM             SHA384  RSA
      12:    53  AES256-SHA                       256  TLS1   AES                 SHA     RSA
      13:    53  AES256-SHA                       256  TLS1.1  AES                 SHA     RSA
      14:    53  AES256-SHA                       256  TLS1.2  AES                 SHA     RSA
      15:    53  AES256-SHA                       256  DTLS1  AES                 SHA     RSA
      16:    61  AES256-SHA256                    256  TLS1.2  AES                 SHA256  RSA
      17:   132  CAMELLIA256-SHA                  256  TLS1   CAMELLIA            SHA     RSA
      18:   132  CAMELLIA256-SHA                  256  TLS1.1  CAMELLIA            SHA     RSA
      19:   132  CAMELLIA256-SHA                  256  TLS1.2  CAMELLIA            SHA     RSA

      shows a DTLSv1 cipher.
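      A way to review that cipher list without eyeballing it, as an added example that is not part of Simon's reply or of any F5 tooling: the script below parses the `tmm --clientciphers` column layout shown above (the layout is assumed from the quoted output), groups suites by protocol so the DTLS1 entries stand out, and flags the properties a reviewer would note on the DTLS suite (static RSA key exchange, CBC mode, SHA-1 MAC). The sample input is a constructed subset of the output quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout printed by `tmm --clientciphers`
# (a subset of the rows quoted in the reply above).
SAMPLE = """\
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
10: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
14:    53  AES256-SHA                       256  TLS1.2  AES                 SHA     RSA
15:    53  AES256-SHA                       256  DTLS1  AES                 SHA     RSA
"""

# index: id  suite  bits  prot  cipher  mac  keyx  (header line does not match)
ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_clientciphers(text):
    """Return one dict per suite/protocol row; non-matching lines (header) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _idx, cid, suite, bits, prot, cipher, mac, keyx = m.groups()
        rows.append({"id": int(cid), "suite": suite, "bits": int(bits),
                     "prot": prot, "cipher": cipher, "mac": mac, "keyx": keyx})
    return rows


def suites_by_protocol(rows):
    """Map protocol name (TLS1, TLS1.2, DTLS1, ...) to the suites offered for it."""
    by_prot = defaultdict(list)
    for r in rows:
        by_prot[r["prot"]].append(r["suite"])
    return dict(by_prot)


def dtls_review(rows):
    """For each DTLS row, list the properties worth flagging in a cipher review."""
    findings = {}
    for r in rows:
        if not r["prot"].startswith("DTLS"):
            continue
        issues = []
        if r["keyx"] == "RSA":            # static RSA key exchange: no forward secrecy
            issues.append("no forward secrecy")
        if r["cipher"] in ("AES", "CAMELLIA"):  # assumption: bare name = CBC mode (GCM is shown as AES-GCM)
            issues.append("CBC mode")
        if r["mac"] == "SHA":             # SHA here is SHA-1
            issues.append("SHA-1 MAC")
        findings[(r["suite"], r["prot"])] = issues
    return findings
```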