Traffic encryption
Traffic encryption is a mechanism for securing traffic exchanged between CPE devices over links. For example, you can encrypt traffic that is transmitted over unsecured links.
Traffic encryption protects only the hop between two CPE devices; it does not replace other information security measures, such as TLS, LDAPS, and other protocols that protect traffic end to end within the overlay network.
The controller automatically generates the keys for encrypting and decrypting traffic and sends them to the CPE devices. Traffic is encrypted on the source CPE device using the encryption key, and the destination CPE device decrypts it using the decryption key.
The keys are updated regularly, so that a third party who intercepts a key can encrypt or decrypt the transmitted traffic only until the next key update. You can specify the interval after which the keys are updated on CPE devices using the topology.link.encryption.key.update.interval.minutes controller property.
Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.
You can enable traffic encryption on a CPE device or on a link. A CPE device with traffic encryption enabled forwards encrypted traffic over all of its links, including new links that will be established in the future. When traffic encryption is enabled on a link, the CPE device transmits encrypted traffic over that link. When traffic encryption is disabled, the keys generated by the controller for encrypting and decrypting traffic are deleted from all attached CPE devices. By default, traffic encryption is disabled on CPE devices and links.
For example, you can enable traffic encryption on a CPE device and disable traffic encryption on one of the links of that CPE device. In this case, the CPE device transmits encrypted traffic over all its links, except for the link on which traffic encryption is disabled.
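The paragraphs above describe three layers of settings: a CPE template, a CPE device that may override its template, and a link that may override the device. The following is an added example written for this page, not code from Kaspersky SD-WAN; it models that precedence so that you can audit which links actually carry encrypted traffic. Because the page does not say how the controller reconciles the two ends of a link when their device-level settings differ, the model reports each endpoint separately and flags a link if either end would send plaintext. All template, device and link names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CpeTemplate:
    name: str
    # "Enable encryption" drop-down on the template's Link encryption tab; Disabled by default.
    encryption_enabled: bool = False


@dataclass
class Cpe:
    name: str
    template: CpeTemplate
    # "Override" check box on the device's Link encryption tab; cleared by default.
    override: bool = False
    # Device-level "Enable encryption" value; only consulted when override is set.
    encryption_enabled: bool = False

    def effective_encryption(self) -> bool:
        """Device-level policy after template inheritance is applied."""
        if self.override:
            return self.encryption_enabled
        return self.template.encryption_enabled


@dataclass
class Link:
    name: str
    endpoints: Tuple[Cpe, Cpe]
    # "Override" and "Enable encryption" check boxes in the link's Set encryption window.
    override: bool = False
    encryption_enabled: bool = False


def device_encrypts_on_link(device: Cpe, link: Link) -> bool:
    """Whether `device` sends encrypted traffic over `link`: a link-level override wins,
    otherwise the device-level policy (itself inherited from the template) applies.
    This precedence is the model assumed here, derived from the page's description."""
    if link.override:
        return link.encryption_enabled
    return device.effective_encryption()


def audit_links(links: List[Link]) -> Dict[str, Dict[str, bool]]:
    """Per link, per endpoint: does that CPE device encrypt its traffic on the link?"""
    return {
        link.name: {cpe.name: device_encrypts_on_link(cpe, link) for cpe in link.endpoints}
        for link in links
    }


def plaintext_links(links: List[Link]) -> List[str]:
    """Links on which at least one endpoint transmits unencrypted traffic."""
    report = audit_links(links)
    return [name for name, ends in report.items() if not all(ends.values())]


def build_example() -> List[Link]:
    """Constructed sample topology (assumed names, not taken from the page)."""
    hq_tpl = CpeTemplate("hq-template", encryption_enabled=True)
    branch_tpl = CpeTemplate("branch-template")  # Disabled (default)
    hq = Cpe("cpe-hq", hq_tpl)  # inherits Enabled from its template
    br1 = Cpe("cpe-br1", branch_tpl, override=True, encryption_enabled=True)
    br2 = Cpe("cpe-br2", branch_tpl)  # inherits Disabled from its template
    return [
        Link("hq-br1", (hq, br1)),  # both ends encrypt
        Link("hq-br2", (hq, br2)),  # cpe-br2 sends plaintext
        Link("br1-br2", (br1, br2), override=True, encryption_enabled=True),
        # The case from the page: encryption enabled on the device, disabled on one link.
        Link("hq-br1-backup", (hq, br1), override=True, encryption_enabled=False),
    ]


if __name__ == "__main__":
    for name, ends in audit_links(build_example()).items():
        print(name, ends)
    print("plaintext:", plaintext_links(build_example()))
```

Running the module lists each link with the encryption decision of each endpoint and then the links that still carry plaintext; in the constructed topology those are hq-br2 (one device inherits Disabled from its template) and hq-br1-backup (the link-level override switches encryption off even though both devices have it enabled).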
Enabling traffic encryption on a CPE device
A CPE device with traffic encryption enabled forwards encrypted traffic over all of its links, including new links that will be established in the future. You can enable or disable traffic encryption in a CPE template or on a CPE device. Traffic encryption settings specified in the CPE template are automatically propagated to all CPE devices that use this CPE template.
To enable traffic encryption on a CPE device:
- Enable traffic encryption on the CPE device in one of the following ways:
- If you want to enable traffic encryption in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Link encryption tab.
- If you want to enable traffic encryption on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Link encryption tab, and select the Override check box.
The traffic encryption policy is displayed.
- In the Enable encryption drop-down list, select Enabled. The default value is Disabled.
- In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.
Enabling traffic encryption on a link
When traffic encryption is enabled on a link, the CPE device transmits encrypted traffic over that link.
To enable encryption of traffic on a link:
- Enable traffic encryption on the link in one of the following ways:
- If you want to enable traffic encryption for a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → Set encryption next to the link.
- If you want to enable traffic encryption for one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → Set encryption next to the link.
- If you want to enable traffic encryption for one of the links in the graphic topology with all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Topology section, click the link, and click Set encryption.
- This opens a window. In that window, select the Override check box. This check box is cleared by default.
- Select the Enable encryption check box to enable traffic encryption for the link. This check box is cleared by default.
- Click Save.
Traffic encryption is enabled on the link.
- If you enabled traffic encryption for a link established from the CPE device, click Save in the upper part of the settings area to save the CPE device settings.