A10 Networks: Delivering Data Center to Data Center Communications Securely


Upload: david-ayoub

Post on 18-Aug-2015


Page 1: A10 Networks: Delivering Data Center to Data Center communications securely

SOLUTION BRIEF


Data Privacy Challenges

Organizations of all sizes rely on IPsec VPNs to prevent snooping and data theft and to address compliance. IPsec provides a cost-effective and secure way to transfer data over IP networks.

While IPsec is a mature and well understood technology, new networking paradigms like cloud computing, as well as escalating bandwidth requirements, are compelling large enterprises and service providers to rethink their VPN strategies. As a result, organizations need to develop VPN architectures that can:

• Support unprecedented IPsec throughput levels
• Leverage BGP routing for high availability and rapid scaling
• Spin up new IPsec tunnels and gateways on-demand in cloud environments
• Minimize power consumption and rack space requirements for data center efficiency

Organizations need a solution they can trust to deliver reliable IPsec connectivity, and one that can interoperate with their existing routers and IPsec VPN gateways.

High-Speed IPsec Encryption with A10

A10 Networks® Thunder® ADC line of Application Delivery Controllers includes IPsec encryption capabilities that enable enterprises and service providers to build out large-scale VPN deployments. By supporting up to 20,000 VPN tunnels per Thunder ADC platform and a broad array of encryption algorithms and data integrity methods, organizations can deploy Thunder ADC alongside their existing VPN equipment or build out new VPN networks with Thunder ADC appliances.

Thunder ADC supports a comprehensive set of features in addition to IPsec VPN, including advanced server load balancing, Network Address Translation (NAT), IPv4 and IPv6 routing, and access control lists. By delivering a wide range of networking features, organizations can support complex network designs and granularly control access to remote resources without needing to deploy and manage numerous appliances. All of these features, in addition to IPsec, are provided standard with Thunder ADC as part of A10’s all-inclusive licensing.

High Availability and Rapid Scaling

For many organizations, VPNs serve business critical functions such as data migration, disaster recovery, remote user access, and connecting data centers to cloud networks. Regardless of the use case, organizations depend on VPNs to run their business and these VPNs must always be available.

THUNDER ADC IPSEC VPN

Encrypt Traffic on a Massive Scale and in the Cloud

Challenge: To protect communications, organizations need to encrypt data at high speed and scale out VPN tunnel capacity on-demand.

Solution: A10 Networks empowers organizations to reduce their data center footprint and ensure data privacy with integrated, high-performance IPsec VPN and load balancing.

Benefits:

• Consolidate IPsec VPN, server load balancing and stateful firewall functionality

• Encrypt data at unparalleled speeds

• Reduce rack space and power requirements

• Scale capacity by launching new VPN gateways on-demand


Thunder ADC supports an array of clustering, high availability and dynamic routing features that maximize uptime, not just for IPsec VPN routes but also to ensure connectivity to servers and applications. High availability and scaling features include:

• Route monitoring and failover – Using A10’s enhanced Virtual Router Redundancy Protocol implementation, VRRP-a, Thunder ADC can monitor route and VPN gateway failures and rapidly fail over traffic to a passive Thunder ADC appliance. Supporting up to eight appliances in a cluster, VRRP-a can detect unresponsive services, servers and applications and identify infrastructure failures. With A10 Virtual Chassis System (aVCS®), multiple A10 devices can function as a single virtual chassis, with a single point of control and centralized statistics.

• Intelligent routing to increase VPN capacity – Thunder ADC supports Border Gateway Protocol (BGP) routing, which not only allows BGP routers to communicate across IPsec VPN tunnels but also enables organizations to boost IPsec capacity simply by deploying more Thunder ADC appliances. Using BGP, Thunder ADC deployments can scale to support terabit bandwidth requirements without complicated network designs or forklift hardware upgrades, and they can deploy more Thunder ADC appliances to increase IPsec throughput. VRRP-a integrates with BGP to inject routes and ensure smooth route failovers. Thunder ADC also supports Bidirectional Forwarding Detection (BFD) for fast path failure detection and route convergence.

• Bandwidth aggregation by load balancing traffic over multiple paths – Thunder ADC leverages Equal-Cost Multipath (ECMP) routing to increase total IPsec VPN bandwidth. ECMP, combined with BGP, allows routers to support multiple network routes simultaneously, allowing Thunder ADC to load balance traffic across multiple paths to boost overall VPN capacity.

Cloud and On-demand Provisioning

Organizations are moving their infrastructure to the cloud to optimize computing efficiency and lower capital and operating expenses. As they migrate to the cloud, they need their VPN infrastructure to migrate with them. However, cloud architectures introduce new requirements that do not exist in physical data center networks.

To realize the benefits of cloud computing, cloud architectures must support automation, agility and on-demand scaling. And, organizations must ensure that their VPN services support this new cloud networking paradigm. VPN services should integrate seamlessly with application networking services, SDN technologies and other data center infrastructure. Organizations should be able to provision VPN instances with the same cloud orchestration systems they use to manage their cloud applications.

Thunder ADC empowers organizations to implement high-capacity VPN services in the cloud. Supporting an array of form factors, including high-performance virtual appliances, physical appliances and hybrid virtual appliances, A10 provides organizations the flexibility to build a VPN architecture that meets the unique requirements of cloud networks.

Thunder ADC integrates with software defined network (SDN) fabrics using Virtual Extensible LAN (VXLAN) and Network Virtualization using Generic Routing Encapsulation (NVGRE) to support automated network configuration and service chaining. Integration with cloud orchestration platforms such as Microsoft System Center Virtual Machine Manager (SCVMM) and OpenStack enables centralized provisioning of VPN services. Pay-as-you-go licensing with utility and rental billing models allows organizations to align VPN licensing with the licensing models of other cloud-based services. aCloud Services Architecture enables cloud data center operators to deliver advanced application delivery and IPsec VPN services while improving agility.

The high availability, scalability and security features supported in physical networks, such as dynamic routing and redundancy, are also supported in cloud environments. This means that organizations can leverage BGP routing and VRRP-a to scale out their VPN networks and to maximize uptime.

Figure 1: Thunder ADC can connect to multiple VPN sites over a BGP cloud. (Diagram labels: Internet, BGP Cloud, Data Center, Multi-Site VPN, Thunder ADC 1 to Thunder ADC n, VPN Site 1, VPN Site 2, VPN Site 3, Encrypted VPN Tunnel; IPsec VPN, Access Control Lists, BGP, BFD.)


High-Performance Architecture

Thunder ADC leverages unique software and hardware design advantages to deliver exceptional IPsec performance. The A10 Networks Advanced Core Operating System (ACOS®) powers Thunder ADC appliances. Built from the ground up to maximize the performance of multicore CPU architectures, ACOS can linearly scale compute processing as more CPU cores are added, providing unparalleled performance in a compact form factor.

ACOS uses scalable symmetric multiprocessing (SSMP) to leverage supercomputing techniques for parallel processing and to maximize the performance of multicore architectures. Due to its highly scalable 64-bit operating system optimized for multicore architectures, Thunder ADC hardware and A10 Networks vThunder® ADC line of virtual appliances deliver unmatched IPsec VPN performance.

Select Thunder ADC hardware models include dedicated security processors that accelerate IPsec encryption speed. Supporting up to four quad-chip security processors on a rack-mountable appliance, Thunder ADC provides fast IPsec encryption without forcing organizations to deploy cumbersome and inefficient chassis-based systems.

Figure 2: Users can forward traffic destined for the remote VPN site through the Thunder ADC appliance and send all other traffic directly to the Internet. (Diagram labels: Internet, Router, Firewall, Users, Thunder ADC; IPsec VPN, BGP, ECMP.)

IPsec VPN Specifications

Keying Methods
• IKEv1, IKEv2

Authentication Methods
• RSA Signature, Pre-shared Key, PKI

Key Exchange Diffie-Hellman Groups
• 1, 2, 5, 14, 15, 16, 18

Encryption Algorithms
• DES, 3DES, AES-128, AES-192, AES-256

Data Integrity
• DES, 3DES, AES-128, AES-192, AES-256

Maximum Number of IPsec Tunnels Supported
• 20,000 [i]

RFCs Supported
• RFC 6071, 2407, 2408, 2409, 3526, 3706, 3947, 7296, 4307, IANA-IKEv2, 4301, 4303, 4308, 3602, 3986, 4304, 4868 (partial), 2560, 5280, draft-nourse-scep

IPsec VPN Features
• NAT traversal
• Dead peer detection
• Perfect Forward Secrecy (PFS) support [ii]
• Life bytes and time rekey
• Extended Sequence Number (ESN)
• L3V partition aware
• Route-based VPN
• OSPF, BGP and Bidirectional Forwarding Detection (BFD) over IPsec tunnel
• ECMP support
• Integration with server load balancing and Network Address Translation (NAT)
• UDP encapsulation
• TCP maximum segment size (MSS) clamping
• Public key infrastructure (PKI) support with Simple Certificate Enrollment Protocol (SCEP), Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) distribution points
• Prioritized Internet Key Exchange (IKE) packets for hardware-accelerated Flexible Traffic Accelerator (FTA) appliance models
• Software and hardware-based encryption, with dedicated security processors in select hardware models

Cloud Integration
• Integration with cloud orchestration systems such as Microsoft SCVMM, OpenStack and VMware vCloud Director
• vThunder virtual appliance support
• On-demand provisioning of data-driven and command-driven tunnels

High Availability
• Virtual Router Redundancy Protocol (VRRP-a)
• Security Association (SA) sync and session sync
• Active – Active topology support
• Sub-second failover with BFD and route health check

[i] Actual maximum number of supported VPN tunnels may vary by appliance model.
[ii] Available in ACOS 4.0.1


Corporate Headquarters

A10 Networks, Inc
3 West Plumeria Ave.
San Jose, CA 95134 USA
Tel: +1 408 325-8668
Fax: +1 408 325-8666
www.a10networks.com

Part Number: A10-SB-19132-EN-01 Jan 2015


To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.

©2015 A10 Networks, Inc. All rights reserved. The A10 logo, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS Policy Engine, ACOS Synergy, Affinity, aFleX, aFlow, aGalaxy, aVCS, AX, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, SSL Insight, Thunder, Thunder TPS, UASG, VirtualN, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Because of Thunder ADC’s high-performance and data center optimized design, organizations can reduce the number of appliances they need to provision, lowering capital and operating expenses as well as reducing data center rack space and power costs.

Summary

Organizations need a solution they can trust to deliver reliable IPsec connectivity, and they also need one that can interoperate with their existing routers and IPsec VPN gateways. Thunder ADC’s IPsec VPN capability enables organizations to encrypt traffic at high speed and support BGP routing and on-demand VPN provisioning. Using Thunder ADC’s IPsec VPN technology, organizations can:

• Meet growing IPsec throughput requirements by leveraging A10’s 64-bit ACOS platform and specialized security processors
• Consolidate IPsec VPN, server load balancing and stateful firewall functionality on a single device
• Lower hardware, operating and maintenance costs with Thunder ADC’s data center efficient design
• Support public, private and hybrid cloud provisioning and BGP networking requirements

About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com