Extended encryption algorithms and VPN options supported in CROC Cloud
Cloud VPN now supports advanced security protocols and algorithms, so you can choose which tunnel options to use when creating a VPN connection.
The extended VPN support lets you tighten security to match the capabilities of your equipment. For example, you can now connect your cloud infrastructure to a MikroTik device using IPsec in tunnel mode, or set up a connection between the cloud and a Cisco ASA even if its firmware version does not support IPsec VTI.
In addition to IKEv1, we now support IKEv2, the second version of the Internet Key Exchange protocol. Besides plain AES, you can now choose AES-CTR, AES-GCM, AES-CCM, Camellia, or ChaCha20-Poly1305 for encryption. SHA-256, SHA-384 and SHA-512 are now available as integrity algorithms alongside SHA-1. Supported Diffie-Hellman groups cover the entire range from 14 to 21, plus groups 2 and 5 for compatibility with legacy devices. Which algorithms are available depends on the selected IKE version and negotiation phase. You can also now set the lifetime of each phase separately.
When creating a connection in tunnel mode, you can specify which customer and cloud subnets are allowed to use the encrypted tunnel. The inside IP CIDR of a VPN tunnel can now be assigned from the larger address space 169.254.252.0/22 instead of 169.254.255.0/24.
The new connection and VPN tunnel parameters are described in VpnTunnelOptionsSpecification. They can be set through either the API or the web interface: all the new options are included in the customized boto library, and the VPN connection wizard now features new fields and an optional step, Tunnel parameters.
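As an added example, not code from CROC Cloud or its boto library, the following Python checks a proposed tunnel option set against the ranges listed above and flags the legacy-compatibility choices; the option keys (ike_version, encryption, integrity, dh_group, inside_cidr, phase1_lifetime, phase2_lifetime) are assumed names for illustration, not the real VpnTunnelOptionsSpecification fields.

```python
# Added policy check over a proposed tunnel option set. The option keys are
# assumed names for illustration, not real VpnTunnelOptionsSpecification fields.
import ipaddress

SUPPORTED_DH_GROUPS = {2, 5} | set(range(14, 22))  # groups 2, 5 and 14..21
LEGACY_DH_GROUPS = {2, 5}                           # kept for old devices
SUPPORTED_ENCRYPTION = {"AES", "AES-CTR", "AES-GCM", "AES-CCM",
                        "Camellia", "ChaCha20-Poly1305"}
SUPPORTED_INTEGRITY = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}
INSIDE_CIDR_POOL = ipaddress.ip_network("169.254.252.0/22")


def check_tunnel_options(opts):
    """Return (errors, warnings): errors are values the cloud does not
    accept, warnings are legacy choices that weaken the tunnel."""
    errors, warnings = [], []
    ike = opts.get("ike_version")
    if ike not in (1, 2):
        errors.append(f"ike_version {ike!r} not supported (1 or 2)")
    elif ike == 1:
        warnings.append("IKEv1 selected; prefer IKEv2 when the peer supports it")
    enc = opts.get("encryption")
    if enc not in SUPPORTED_ENCRYPTION:
        errors.append(f"encryption {enc!r} not supported")
    integ = opts.get("integrity")
    if integ not in SUPPORTED_INTEGRITY:
        errors.append(f"integrity {integ!r} not supported")
    elif integ == "SHA-1":
        warnings.append("SHA-1 integrity selected; prefer SHA-256 or stronger")
    dh = opts.get("dh_group")
    if dh not in SUPPORTED_DH_GROUPS:
        errors.append(f"dh_group {dh!r} not supported (2, 5, 14-21)")
    elif dh in LEGACY_DH_GROUPS:
        warnings.append(f"dh_group {dh} is kept only for legacy peers")
    # The inside CIDR must be a valid IPv4 block drawn from the new /22 pool.
    try:
        net = ipaddress.ip_network(opts.get("inside_cidr"), strict=True)
        inside_ok = net.version == 4 and net.subnet_of(INSIDE_CIDR_POOL)
    except (ValueError, TypeError):
        inside_ok = False
    if not inside_ok:
        errors.append("inside_cidr must be an IPv4 block within 169.254.252.0/22")
    # Each IKE phase now has its own lifetime; both must be positive seconds.
    for key in ("phase1_lifetime", "phase2_lifetime"):
        value = opts.get(key)
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            errors.append(f"{key} must be a positive number of seconds")
    return errors, warnings
```

A set built from the new options (IKEv2, an AEAD cipher, a modern DH group, a /30 from the new pool) passes cleanly, while an IKEv1/SHA-1/group 5 set is accepted but reported as legacy.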