Traffic encryption
Traffic encryption is a mechanism for securing traffic exchanged between CPE devices over links. For example, you can encrypt traffic that is transmitted over untrusted connections.
Traffic encryption protects traffic only on the link between two CPE devices. It does not replace other information security measures, such as TLS, LDAPS, and other protocols that protect application traffic within the overlay network.
The controller automatically generates keys for encrypting and decrypting traffic and sends the keys to CPE devices. Traffic is encrypted on the source CPE device using the encryption key. The destination CPE device decrypts the traffic using the decryption key.
The keys are updated regularly to limit the window during which a third party that has intercepted a key can use it to encrypt or decrypt the transmitted traffic. You can specify the interval after which the keys are updated on CPE devices using the topology.link.encryption.key.update.interval.minutes controller property.
Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.
If traffic encryption is enabled on a CPE device, all outbound links that involve this CPE device send encrypted traffic (including new links that will be established later). If traffic encryption is disabled on a CPE device, it sends unencrypted traffic. If you disable traffic encryption on a CPE device that had been encrypting its outgoing traffic, the keys generated by the SD-WAN Controller for encrypting and decrypting traffic are deleted from all related CPE devices.
You can also enable or disable traffic encryption on individual links. For example, you can enable traffic encryption on a CPE device, but disable it on one link that involves this CPE device. When enabling or disabling traffic encryption on a link, you must configure the opposite-direction link in the same way.
Enabling traffic encryption on a CPE device
You can enable or disable traffic encryption in a CPE template or on a CPE device. Traffic encryption settings specified in the CPE template are automatically propagated to all CPE devices that use this CPE template.
To enable traffic encryption on a CPE device:
- Enable traffic encryption on the CPE device in one of the following ways:
- If you want to enable traffic encryption in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Tunnel encryption tab.
- If you want to enable traffic encryption on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Tunnel encryption tab, and select the Override check box.
The traffic encryption policy is displayed.
- In the Default encryption policy drop-down list, select one of the following values:
- Enabled
- Disabled (default value).
- In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.
Enabling traffic encryption on a link
When enabling or disabling traffic encryption on a link, you must configure the opposite-direction link in the same way.
To enable encryption of traffic on a link:
- Enable traffic encryption on the link in one of the following ways:
- If you want to enable traffic encryption for a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → Set encryption next to the link.
- If you want to enable traffic encryption for one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → Set encryption next to the link.
- If you want to enable traffic encryption for one of the links in the graphic topology with all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Topology section, click the link, and click Set encryption.
- In the window that opens, select the Override check box. This check box is cleared by default.
- Select the Enable encryption check box to enable traffic encryption for the link. This check box is cleared by default.
- Click Save.
Traffic encryption is enabled on the link.
- If you enabled traffic encryption for a link established from the CPE device, click Save in the upper part of the settings area to save the CPE device settings.
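The following Python model illustrates how the settings described on this page combine: the CPE-level default policy, the link-level Override and Enable encryption settings, the requirement that the opposite-direction link match, key rotation on the update interval, and deletion of keys from all related CPE devices once a link is no longer encrypted. It is an added example, not Kaspersky SD-WAN code: the class and function names, the 60-minute interval value and the three-CPE topology are assumptions, and secrets.token_bytes stands in for the controller's own key generation.

```python
"""Model of per-link encryption policy resolution and key rotation.
Added illustration of the behaviour described on this page; not Kaspersky code."""
from dataclasses import dataclass
import secrets

# Assumed value of the controller property
# topology.link.encryption.key.update.interval.minutes.
KEY_UPDATE_INTERVAL_MINUTES = 60


@dataclass
class Cpe:
    name: str
    default_encryption: bool = False   # "Default encryption policy" on the CPE or template


@dataclass
class Link:
    src: str                           # CPE device the link is established from
    dst: str
    override: bool = False             # "Override" check box on the link
    enable_encryption: bool = False    # "Enable encryption" check box on the link


def effective_encryption(link: Link, cpes: dict) -> bool:
    """A link-level override wins; otherwise the source CPE's default policy applies."""
    if link.override:
        return link.enable_encryption
    return cpes[link.src].default_encryption


def asymmetric_links(links: list, cpes: dict) -> list:
    """Pairs (a, b) where a->b and b->a resolve to different policies, i.e. where
    the opposite-direction link was not configured the same way."""
    by_pair = {(l.src, l.dst): l for l in links}
    bad = []
    for (a, b), fwd in by_pair.items():
        rev = by_pair.get((b, a))
        if rev is not None and effective_encryption(fwd, cpes) != effective_encryption(rev, cpes):
            bad.append((a, b))
    return sorted(bad)


class Controller:
    """Issues one key per encrypted link, pushes it to both endpoints, rotates it
    after the interval, and withdraws it once the link is no longer encrypted."""

    def __init__(self, cpes: dict, links: list, interval: int = KEY_UPDATE_INTERVAL_MINUTES):
        self.cpes, self.links, self.interval = cpes, links, interval
        self.issued = {}                        # (src, dst) -> (key, minute issued)
        self.held = {n: {} for n in cpes}       # cpe name -> {(src, dst): key}

    def reconcile(self, now_minute: int) -> int:
        """Re-evaluate every link at time now_minute; return the number of keys (re)issued."""
        rotated = 0
        for l in self.links:
            pair = (l.src, l.dst)
            if not effective_encryption(l, self.cpes):
                # Link sends plaintext: delete its key from every device that held it.
                self.issued.pop(pair, None)
                for dev in (l.src, l.dst):
                    self.held[dev].pop(pair, None)
                continue
            cur = self.issued.get(pair)
            if cur is None or now_minute - cur[1] >= self.interval:
                key = secrets.token_bytes(32)   # placeholder for the controller's key material
                self.issued[pair] = (key, now_minute)
                for dev in (l.src, l.dst):
                    self.held[dev][pair] = key
                rotated += 1
        return rotated

    def keys_on(self, cpe: str) -> int:
        return len(self.held[cpe])

    def set_cpe_policy(self, cpe: str, enabled: bool, now_minute: int) -> None:
        self.cpes[cpe].default_encryption = enabled
        self.reconcile(now_minute)


def demo():
    """Constructed three-CPE topology; returns the facts asserted on below."""
    cpes = {n: Cpe(n) for n in ("cpe-a", "cpe-b", "cpe-c")}
    cpes["cpe-a"].default_encryption = True
    links = [
        Link("cpe-a", "cpe-b"), Link("cpe-b", "cpe-a", override=True, enable_encryption=True),
        Link("cpe-a", "cpe-c"), Link("cpe-c", "cpe-a"),   # reverse left at cpe-c's default: mismatch
    ]
    mismatch = asymmetric_links(links, cpes)
    ctl = Controller(cpes, links)
    first = ctl.reconcile(0)              # a->b, b->a, a->c receive keys
    second = ctl.reconcile(30)            # inside the interval: nothing rotated
    third = ctl.reconcile(60)             # interval reached: all three keys rotated
    held_before = ctl.keys_on("cpe-a")
    ctl.set_cpe_policy("cpe-a", False, 61)   # a->b and a->c lose keys; b->a keeps its override
    held_after = ctl.keys_on("cpe-a")
    return mismatch, first, second, third, held_before, held_after


if __name__ == "__main__":
    print(demo())
```

The asymmetric_links check is the part worth reusing: the page's requirement to configure both directions identically is easy to miss when a link override is set on only one CPE, and the check makes the resulting one-way plaintext link visible before any traffic is sent.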