
Site-to-site VPN

You will need to deploy IT / network engineers in order to set up and configure your network to work with the site-to-site VPN, and to communicate with Tray.io when configuring your setup.

This is a high security option but will also require the greatest overhead on the customer's part.

If you are interested in this solution please contact your customer success representative.

The above diagram illustrates the basic setup.

We will host the VPN server and deploy a Tray.io subnet in a region nearest to your geographic location.

To this subnet we will deploy a full set of all available Tray.io connectors so that they can, via the IPSec tunnel and your network device, communicate with the services (LDAP, MS SQL etc.) you have deployed in your subnet.

To ensure the best enterprise experience for our customers, we recommend that the Tray.io subnet we deploy for you (in your private IP space only) has an IP range of /24. This is because Tray.io runs concurrently and can have thousands of execution threads per workflow; there is effectively no limit on the scale of asynchronous data processing you can run. Even if you are only deploying one on-premise service with fairly minimal use, this range is still required, because it is driven by the number of connectors and executions running across your whole account.

The full setup then requires configuring the VPN tunnels (a second tunnel is used for failover and high availability) to connect to your internal network routing device (e.g. a Cisco ASA device, or a device running pfSense etc.). A sample configuration file is given below.

Once setup is complete, when making use of the services you have configured on-premise in the Tray.io workflow builder, all you need to do is add the internal IP address and port to the authentication dialog when you add that connector to a workflow.

The site-to-site VPN only needs to be installed once to make a connection to your on-premise subnet, which may contain any number of services and any number of instances of one service. This is in contrast to an 'agent' offering, which would need an instance installed for each service you wish to run.

This is not a VPN 'agent' and does not automatically set up any routing.

It also does not support DNS, so your services should be hosted on static IPs within your network.

Setting up the IPSec VPN tunnel

You will need to contact us to ask for a tunnel to be set up to your network, and you will need to provide us with the following information:

  • The location of your network - This is so that we can deploy the VPN server as close as possible to your location. This reduces the data transfer latency between your services / databases and the Tray.io connectors.

  • The Tray.io subnet network range - We use a default 10.200.0.0/16 address space. If this clashes with your network, you can specify an alternative (the IP range must be private and must be /16 to allow for concurrent large-scale executions).

  • Your on-premise network range - This is your private address space that should be addressable from the connectors inside the Tray.io VPN network. This is where the services and databases you wish to maintain must be located. This can be anything such as 10.0.25.0/24 or 192.168.0.0/16, as long as it is configured as a private address space.

    Each service you are hosting (e.g. MySQL Server, MongoDB etc.) should have its own address which falls within this private address range.

  • Your on-premise public IP address - This is required for the connection and is used to generate the IPSec credentials between the two environments.
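Before sending the details above, it is worth checking them for the two mistakes that most often delay a tunnel: an on-premise range that overlaps the Tray.io /16, and a service address that falls outside the range you advertised. The script below is an added example (not Tray.io tooling); the 10.200.0.0/16 default comes from the list above, while the on-premise range, the service addresses and the public IP 1.2.3.4 are constructed placeholders you would replace with your own values.

```python
import ipaddress

# Constructed sample request. Only 10.200.0.0/16 (the Tray.io default) is
# taken from the documentation; the rest are placeholders for a customer's values.
TRAY_SUBNET = "10.200.0.0/16"
ONPREM_RANGE = "192.168.0.0/16"
SERVICE_HOSTS = {"mssql": "192.168.10.5", "ldap": "192.168.10.6"}
ONPREM_PUBLIC_IP = "1.2.3.4"  # placeholder for the customer gateway's static public address


def check_vpn_request(tray_subnet, onprem_range, service_hosts, public_ip):
    """Return a list of problems with the requested tunnel parameters.

    An empty list means the four pieces of information are mutually consistent.
    """
    problems = []
    tray = ipaddress.ip_network(tray_subnet, strict=True)
    onprem = ipaddress.ip_network(onprem_range, strict=True)

    # The Tray.io side must be a private /16 ("must be private and must be /16").
    if not tray.is_private:
        problems.append(f"Tray.io subnet {tray} is not a private range")
    if tray.prefixlen != 16:
        problems.append(f"Tray.io subnet {tray} must be a /16, got /{tray.prefixlen}")

    # The on-premise range must also be private address space.
    if not onprem.is_private:
        problems.append(f"on-prem range {onprem} is not a private range")

    # Both ranges are routed over the same tunnel, so they must not overlap;
    # if they do, an alternative Tray.io range has to be requested.
    if tray.overlaps(onprem):
        problems.append(f"Tray.io subnet {tray} overlaps on-prem range {onprem}; request an alternative")

    # Every service the connectors will reach must sit inside the advertised range.
    for name, host in service_hosts.items():
        if ipaddress.ip_address(host) not in onprem:
            problems.append(f"service {name} at {host} is outside {onprem}")

    # The IKE peer address must be a routable public address, not RFC 1918 or reserved space.
    pub = ipaddress.ip_address(public_ip)
    if pub.is_private or pub.is_loopback or pub.is_link_local or pub.is_multicast:
        problems.append(f"{pub} is not a routable public IP")
    return problems


if __name__ == "__main__":
    for problem in check_vpn_request(TRAY_SUBNET, ONPREM_RANGE, SERVICE_HOSTS, ONPREM_PUBLIC_IP):
        print("problem:", problem)
```

Run it with your own values substituted; a clean run prints nothing. Note that Python's `ipaddress` treats the RFC 5737 documentation ranges (192.0.2.0/24 and friends) as non-public, so use your real static address rather than a documentation placeholder when checking the public IP.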

Once we have set this up we can assist you in setting up your device. The required configuration will include the two tunnel IP addresses and the two PSK secrets, one for each tunnel.

The exact configuration required will depend on your device.

A sample configuration file is given below. Sample files for other devices can be given on request.

Failover and high-availability

The On-Premise infrastructure has the ability to establish 2 tunnels for high-availability, redundancy, and maintenance reasons. In the event that one tunnel becomes unavailable, the other tunnel is available for use. This is why we provide two IPSec credentials and we recommend that our users configure both tunnels.

Encryption options

The following table lists the encryption standard options when configuring the VPN tunnel:

Method                                     Standard Options
IKE                                        ikev1, ikev2
Phase 1 Diffie-Hellman (DH) group numbers  2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Phase 2 Diffie-Hellman (DH) group numbers  2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Phase 1 encryption algorithms              AES128, AES256, AES128-GCM-16, AES256-GCM-16
Phase 2 encryption algorithms              AES128, AES256, AES128-GCM-16, AES256-GCM-16
Phase 1 integrity algorithms               SHA-1, SHA2-256, SHA2-384, SHA2-512
Phase 2 integrity algorithms               SHA-1, SHA2-256, SHA2-384, SHA2-512

Diffie-Hellman Perfect forward secrecy is supported.

Further options:

Phase 1 lifetime

The lifetime in seconds for phase 1 of the IKE negotiations.

Default: 28,800 (8 hours)

Phase 2 lifetime

The lifetime in seconds for phase 2 of the IKE negotiations. Must be less than the number of seconds for the phase 1 lifetime.

Default: 3,600 (1 hour)

Rekey fuzz

The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected.

Default: 100

Rekey margin time

The margin time in seconds before the phase 2 lifetime expires, during which the Tray.io side of the VPN connection performs an IKE rekey.

Default: 540 (9 minutes)

Replay window size packets

The number of packets in an IKE replay window.

Default: 1024

Startup action

The action to take when establishing the tunnel for a VPN connection. You can specify the following:

Start: Tray.io initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.

Add: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.
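The table and the option list above together define what the Tray.io side will negotiate. The added example below (not Tray.io code) checks a proposed parameter set against them before it goes into a device configuration: it rejects values outside the supported sets, enforces the phase 2 < phase 1 lifetime rule, and flags choices that are accepted but weak (IKEv1, DH groups 2 and 5, SHA-1). The `rekey_window` helper turns the rekey margin and fuzz definitions into the earliest and latest second at which a phase 2 rekey can start; it assumes the usual strongSwan meaning of those two settings, which is an assumption rather than something the page states.

```python
# Allowed values transcribed from the encryption options table; the defaults
# are the ones listed under "Further options".
ALLOWED = {
    "ike": {"ikev1", "ikev2"},
    "phase1_dh": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "phase2_dh": {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "phase1_enc": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "phase2_enc": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "phase1_integ": {"SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"},
    "phase2_integ": {"SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"},
}
DEFAULTS = {"phase1_lifetime": 28800, "phase2_lifetime": 3600, "rekey_margin": 540,
            "rekey_fuzz": 100, "replay_window": 1024, "startup_action": "add"}
# Supported by the table but weak by current standards (1024/1536-bit MODP groups,
# SHA-1, IKEv1): accepted, but reported so the choice is deliberate.
LEGACY = {"ike": {"ikev1"}, "phase1_dh": {2}, "phase2_dh": {2, 5},
          "phase1_integ": {"SHA-1"}, "phase2_integ": {"SHA-1"}}


def validate_proposal(proposal):
    """Return (errors, warnings) for a proposed tunnel parameter dict.

    errors   -> values the table or option rules do not allow
    warnings -> allowed but weak choices worth revisiting
    """
    p = {**DEFAULTS, **proposal}
    errors, warnings = [], []
    for key, allowed in ALLOWED.items():
        if key not in p:
            errors.append(f"{key} is missing")
        elif p[key] not in allowed:
            errors.append(f"{key}={p[key]!r} is not in the supported set {sorted(allowed)}")
        elif p[key] in LEGACY.get(key, set()):
            warnings.append(f"{key}={p[key]!r} is supported but weak; prefer a stronger option")
    # Phase 2 lifetime must be less than phase 1 lifetime.
    if p["phase2_lifetime"] >= p["phase1_lifetime"]:
        errors.append("phase2_lifetime must be less than phase1_lifetime")
    # The margin is counted back from phase 2 expiry, so it has to fit inside the lifetime.
    if p["rekey_margin"] >= p["phase2_lifetime"]:
        errors.append("rekey_margin must be less than phase2_lifetime")
    if p["startup_action"] not in ("start", "add"):
        errors.append("startup_action must be 'start' or 'add'")
    return errors, warnings


def rekey_window(phase2_lifetime, rekey_margin, rekey_fuzz):
    """Earliest and latest second (from SA creation) at which a phase 2 rekey may start.

    Assumed semantics (strongSwan rekeymargin/rekeyfuzz): the rekey is scheduled
    rekey_margin seconds before expiry, moved earlier by a random amount of up to
    rekey_fuzz percent of the margin.
    """
    latest = phase2_lifetime - rekey_margin
    earliest = latest - rekey_margin * rekey_fuzz // 100
    return earliest, latest


if __name__ == "__main__":
    proposal = {"ike": "ikev2", "phase1_dh": 14, "phase2_dh": 14,
                "phase1_enc": "AES256-GCM-16", "phase2_enc": "AES256-GCM-16",
                "phase1_integ": "SHA2-256", "phase2_integ": "SHA2-256"}
    print(validate_proposal(proposal))
    print(rekey_window(3600, 540, 100))
```

With the documented defaults (lifetime 3600, margin 540, fuzz 100) the rekey starts somewhere between 2520 and 3060 seconds into the SA, which is the window your gateway's own lifetime and DPD settings need to tolerate.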

Ports

As per standard IPSec protocols the Tray.io VPN server runs UDP on ports 500 and 4500.

Sample configuration file

The following is a sample configuration file for a Cisco ASA 5500 device (9.7+):

! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
!
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 200
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
crypto ipsec ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxxxx8-0 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-0exxxxxxxxxxx8-0
set pfs group2
set security-association lifetime seconds 3600
set ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxxxx8-0
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! --------------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 18.xxx.xxx.xxx type ipsec-l2l
tunnel-group 18.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key ZMxxxxxxxxxxxxxxxxxxxxxDs
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
isakmp keepalive threshold 10 retry 10
exit
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel1
nameif Tunnel-int-vpn-0exxxxxxxx8-0
ip address 169.xxx.xx.xxx 255.xxx.xxx.xxx
tunnel source interface 'outside_interface'
tunnel destination 18.xxx.xx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0exxxxxxx8-0
no shutdown
exit
! --------------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route
route Tunnel-int-vpn-0exxxxxxxxxx38-0 10.200.0.0 255.255.0.0 169.xxx.xx.xxx 100
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! This policy is defined as #201, which may conflict with an existing policy
! using the same number. If so, we recommend changing the sequence number.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 201
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
crypto ipsec ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxx8-1 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-0exxxxxxxxxxxx8-1
set pfs group2
set security-association lifetime seconds 3600
set ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxxxxxxx8-1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! --------------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 18.xxx.xxx.xxx type ipsec-l2l
tunnel-group 18.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key pwkxxxxxxxxxxxxxxxxxxxQt
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
isakmp keepalive threshold 10 retry 10
exit
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel2
nameif Tunnel-int-vpn-0exxxxxxxxxx8-1
ip address 169.xxx.xxx.xxx 255.xxx.xxx.xxx
tunnel source interface 'outside_interface'
tunnel destination 18.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0exxxxxxxxxxx8-1
no shutdown
exit
! --------------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route
route Tunnel-int-vpn-0exxxxxxxx8-1 10.200.0.0 255.xxx.x.x 169.xxx.xxx.xxx 200
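The sample above is a two-tunnel configuration held together by names: each profile must point at a transform set that exists, each tunnel interface at a profile that exists, each route at a `nameif` that exists, and the two tunnels need distinct pre-shared keys and distinct route metrics for failover to work. Placeholder substitution is where those links usually break. The script below is an added example (not Tray.io or Cisco tooling) that lints those cross-references over a constructed fragment in the same shape as the sample; the peer addresses 192.0.2.x, the 169.254.x next hops, the `-example-` names and the PSK placeholders are all made up for the example.

```python
# Constructed two-tunnel ASA fragment with consistent placeholder names; it keeps
# only the lines the lint below cross-references. Not the page's sample file.
SAMPLE_ASA_CONFIG = """\
crypto ikev1 policy 200
crypto ipsec ikev1 transform-set ipsec-prop-vpn-example-0 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vpn-example-0
set pfs group2
set ikev1 transform-set ipsec-prop-vpn-example-0
exit
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
ikev1 pre-shared-key PSK-PLACEHOLDER-0
exit
interface Tunnel1
nameif Tunnel-int-vpn-example-0
tunnel destination 192.0.2.10
tunnel protection ipsec profile ipsec-vpn-example-0
exit
route Tunnel-int-vpn-example-0 10.200.0.0 255.255.0.0 169.254.10.1 100
crypto ikev1 policy 201
crypto ipsec ikev1 transform-set ipsec-prop-vpn-example-1 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vpn-example-1
set pfs group2
set ikev1 transform-set ipsec-prop-vpn-example-1
exit
tunnel-group 192.0.2.11 type ipsec-l2l
tunnel-group 192.0.2.11 ipsec-attributes
ikev1 pre-shared-key PSK-PLACEHOLDER-1
exit
interface Tunnel2
nameif Tunnel-int-vpn-example-1
tunnel destination 192.0.2.11
tunnel protection ipsec profile ipsec-vpn-example-1
exit
route Tunnel-int-vpn-example-1 10.200.0.0 255.255.0.0 169.254.11.1 200
"""


def lint_asa_vpn(config_text):
    """Return a list of findings; an empty list means every reference resolves."""
    policies, transform_sets, profiles, ifaces, groups, routes = [], set(), {}, {}, {}, []
    ctx = None  # current block: ("profile", name), ("interface", name) or ("group", peer)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        w = line.split()
        if line.startswith("crypto ikev1 policy "):
            policies.append(int(w[3]))
        elif line.startswith("crypto ipsec ikev1 transform-set "):
            transform_sets.add(w[4])
        elif line.startswith("crypto ipsec profile "):
            ctx = ("profile", w[3])
            profiles[w[3]] = None
        elif line.startswith("interface "):
            ctx = ("interface", w[1])
            ifaces[w[1]] = {}
        elif line.startswith("tunnel-group ") and w[-1] == "ipsec-attributes":
            ctx = ("group", w[1])
            groups.setdefault(w[1], None)
        elif line == "exit":
            ctx = None
        elif ctx and ctx[0] == "profile" and line.startswith("set ikev1 transform-set "):
            profiles[ctx[1]] = w[3]
        elif ctx and ctx[0] == "interface":
            if w[0] == "nameif":
                ifaces[ctx[1]]["nameif"] = w[1]
            elif line.startswith("tunnel destination "):
                ifaces[ctx[1]]["peer"] = w[2]
            elif line.startswith("tunnel protection ipsec profile "):
                ifaces[ctx[1]]["profile"] = w[4]
        elif ctx and ctx[0] == "group" and line.startswith("ikev1 pre-shared-key "):
            groups[ctx[1]] = w[2]
        elif line.startswith("route "):
            routes.append((w[1], int(w[5]) if len(w) > 5 else 1))  # (nameif, metric)

    findings = []
    dup = {n for n in policies if policies.count(n) > 1}
    if dup:
        findings.append(f"duplicate ikev1 policy sequence numbers: {sorted(dup)}")
    for name, ts in profiles.items():
        if ts not in transform_sets:
            findings.append(f"profile {name} references unknown transform-set {ts}")
    nameifs = {a.get("nameif") for a in ifaces.values()}
    for iface, a in ifaces.items():
        if a.get("profile") not in profiles:
            findings.append(f"{iface} references unknown ipsec profile {a.get('profile')}")
        if not groups.get(a.get("peer")):
            findings.append(f"{iface} peer {a.get('peer')} has no tunnel-group with a pre-shared key")
    for ifname, _ in routes:
        if ifname not in nameifs:
            findings.append(f"route via unknown interface name {ifname}")
    psks = [k for k in groups.values() if k]
    if len(psks) != len(set(psks)):
        findings.append("tunnels share the same pre-shared key; each tunnel has its own PSK")
    metrics = [m for ifname, m in routes if ifname in nameifs]
    if len(ifaces) == 2 and len(set(metrics)) < 2:
        findings.append("failover routes need distinct metrics so that one tunnel is preferred")
    return findings


if __name__ == "__main__":
    print(lint_asa_vpn(SAMPLE_ASA_CONFIG) or "no findings")
```

Feed it the text of your own configuration (with the real interface name and keys substituted) before applying it; a typo in one placeholder shows up as an "unknown profile" or "unknown interface name" finding rather than as a tunnel that silently never comes up.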