How the VPN Broker Domain works

The VPN Broker domain is a virtual network that contains the VPN Broker gateway and the VPN Broker members.

The VPN Broker domain uses Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) to establish secure VPN communications between VPN Broker elements. The settings used are:
  • For IKE:
    • Version: 2
    • Cipher: AES-256
    • Message Digest: SHA-256
    • D-H Group: 15 (3072-bit MODP Group)
    • Lifetime: 8 hrs
  • For IPsec:
    • Protocol: ESP
    • Cipher: AES-GCM-256
    • Compression: None
    • D-H Group for PFS: 15 (3072-bit MODP Group)
    • Lifetime: 2 hrs
Note:
  • The settings are not user configurable.
  • Authentication between the VPN Broker Gateway and each VPN Broker Member uses a unique, administrator-specified shared secret.
  • Authentication for dynamically created tunnels between VPN Broker Members uses 3072-bit raw RSA keys that are generated locally at each VPN Broker Member.
  • The VPN Broker Gateway relays the public keys between members so that they can authenticate each other securely.

The following is an example of IP addresses and MAC addresses in the VPN Broker Domain.

  1. The VPN Broker Domain is a virtual network. The VPN Broker Domain is identified by a unique MAC address prefix. In this example, the MAC address prefix is 02:02:02.
  2. Each VPN Broker Member has an IP address that is part of the virtual network defined in the VPN Broker Domain. Each VPN Broker Member is identified by a unique partial MAC address.
  3. The VPN Broker Gateway is identified by a unique VPN Broker Gateway ID number.

The MAC address prefix of the VPN Broker Domain is combined with the partial MAC address of each VPN Broker Member to form a complete MAC address for each VPN Broker Member.

Table 1. Example of how VPN Broker Member MAC addresses are formed

  MAC address prefix of the VPN Broker Domain   Partial MAC address of the VPN Broker Member   Complete MAC address of the VPN Broker Member
  02:02:02                                      00:01:00                                       02:02:02:00:01:00
  02:02:02                                      00:01:01                                       02:02:02:00:01:01
  02:02:02                                      00:01:02                                       02:02:02:00:01:02
  02:02:02                                      00:01:03                                       02:02:02:00:01:03
  02:02:02                                      00:01:04                                       02:02:02:00:01:04

The MAC address prefix of the VPN Broker Domain is combined with the VPN Broker Gateway ID number to form a complete MAC address for the VPN Broker Gateway.

In this example, the VPN Broker Gateway ID is 10. In the NGFW Manager, you enter the VPN Broker Gateway ID as a decimal number. However, the ID is converted internally to a hexadecimal number. For example, an ID of 10 is converted to 0A in the MAC address of the VPN Broker Gateway.

Table 2. Example of how VPN Broker Gateway MAC addresses are formed

  MAC address prefix of the VPN Broker Domain   VPN Broker Gateway ID   Complete MAC address of the VPN Broker Gateway
  02:02:02                                      10                      02:02:02:00:00:0A
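The address-forming rules from Table 1 and Table 2, written out as an added example (not NGFW Manager code). It reproduces the page's values and adds the checks an administrator planning a domain would want: that the prefix is a valid unicast, locally administered MAC prefix (a general MAC-address property, not a rule the page states), that the decimal gateway ID fits in the three low octets (an assumption), and that no member's partial MAC collides with the gateway's encoded ID, since both share the same prefix.

```python
import re

# Constructed sample values, taken from the page's Table 1 and Table 2.
DOMAIN_PREFIX = "02:02:02"
MEMBER_PARTIALS = ["00:01:00", "00:01:01", "00:01:02", "00:01:03", "00:01:04"]
GATEWAY_ID = 10  # entered as decimal in the NGFW Manager, encoded as hex 0A

_THREE_OCTETS = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){2}$")


def _check_three_octets(value: str, what: str) -> str:
    """Accept exactly three colon-separated hex octets; normalise to upper case."""
    if not _THREE_OCTETS.match(value):
        raise ValueError(f"{what} must be three hex octets like 00:01:00, got {value!r}")
    return value.upper()


def check_domain_prefix(prefix: str) -> str:
    """The domain prefix must be unicast (bit 0 of the first octet clear) and
    locally administered (bit 1 set); 02:02:02 satisfies both.
    This is a general MAC-address check, not a rule stated on the page."""
    prefix = _check_three_octets(prefix, "domain prefix")
    first_octet = int(prefix[:2], 16)
    if first_octet & 0x01:
        raise ValueError(f"prefix {prefix} is a multicast address")
    if not first_octet & 0x02:
        raise ValueError(f"prefix {prefix} is not locally administered")
    return prefix


def member_mac(prefix: str, partial: str) -> str:
    """Table 1: domain prefix + member partial MAC -> complete member MAC."""
    return f"{check_domain_prefix(prefix)}:{_check_three_octets(partial, 'partial MAC')}"


def gateway_mac(prefix: str, gateway_id: int) -> str:
    """Table 2: domain prefix + decimal gateway ID -> complete gateway MAC.
    Assumption: the ID is written big-endian into the three low octets, so it
    must fit in 24 bits."""
    if not 0 <= gateway_id <= 0xFFFFFF:
        raise ValueError(f"gateway ID {gateway_id} does not fit in three octets")
    low = gateway_id.to_bytes(3, "big")
    return f"{check_domain_prefix(prefix)}:{low[0]:02X}:{low[1]:02X}:{low[2]:02X}"


def domain_macs(prefix: str, partials: list, gateway_id: int) -> dict:
    """Build the full address map for a domain, refusing duplicate MACs: a member
    partial equal to the gateway's encoded ID (e.g. 00:00:0A with ID 10) collides."""
    macs = {"gateway": gateway_mac(prefix, gateway_id)}
    for partial in partials:
        mac = member_mac(prefix, partial)
        if mac in macs.values():
            raise ValueError(f"duplicate MAC {mac} in VPN Broker domain")
        macs[f"member {partial}"] = mac
    return macs
```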