47.1. Overview

47.1. Overview
	Chapter 47. AIPT2 - Abilis IP tunnel v.2

AIPT2 is the second version of the Abilis IP tunnel protocol. This new type of resource offers the possibility to create a tunnel with up to 6 paths, and use them for load balancing and/or for redundancy (former AIPT double path now AIPT2 multipath), as well as for backup purposes by means of dependency setting. It simplifies configurations and improves performances.

	Important
	AIPT2 works only with Abilis devices with software version > 8.6.

AIPT2 serves to achieve these goals:

Create virtually private networks on the Internet (VPN).
Connect two points in a 'strong' way (ie: faster or more reliable) using up to six lines, together.

One side of the AIPT2 tunnel must be configured as a ‘server’, the other as a ‘client’. The server side requires a valid address on the Internet (type 82.33.143.22 or FQDN), the client side is independent of the addresses. It is the client's responsibility to establish the connection to the desired server. If the server has multiple addresses, the list can be indicated.

The authentication of the client by the server takes place through protected/encrypted modes, making use of the client's Abilis-ID or a pair of "keys" (LOCKEY, REMKEY).

AIPT2 uses 256 bit AES encryption. The encrypted packets are sent on the available lines (paths) according to the chosen operating mode (PATHSMODE: BALANCE or REDUNDANT or MIXED). In the BALANCE operating mode the packets are distributed on the available paths, thus allowing a more rapid transmission of information. In the REDUNDANT operating mode, a copy of each packet is transmitted by means of each path designated for this service. How each path must work is indicated by the MPx parameter (MP1 for path 1, MP2 for path 2, ...).

The correct functionality of each path is controlled by AIPT2 by means of the periodic exchange of probe packets (LC link-check). When a path fails to give the requested service it is automatically taken out of service (and readmitted, when the operating conditions are good again).

The correct functionality of each path depends on how much the lines are loaded. In case of overload, there is a high loss of packets and this causes the deterioration of the performance of the AIPT2 connection, especially when the paths are used in BALANCE mode. To prevent this from happening at least in "normal" network conditions, the AIPT2 paths are speed-regulated, so as not to exceed the normal line capacity (OUTSPx parameters).

The configuration of the AIPT2 tunnels is complex, but fortunately in most cases only a few parameters have to be entered, the others remaining at default values.

In VPN networks with many similar peripheral points it is appropriate to use the PROVISIONING system, described here.

The main characteristics of AIPT2 are:

Simplified and more efficient architecture respect to AIPT. It is designed from the ground up for IP VPNs (IP in UDP tunnels).
Simplified configuration.
Strong authentication using passwords and/or ABILIS-ID (same as NPV).

Strong and fast ciphering with AES256 cipher, and use of hardware based AES cryptography when available.

Note

	Note
Hardware based AES increases performances between 3x and 10x. It's presence is visible by means of DEBUG AES LSN:1 command. It is also indicated in the processor characteristics shown with the D CPUID command. Not present: [13:40:55] ABILIS_CPX:`debug aes lsn:1` Supported hardware cryptographic features: [00000000] <none> Present, Intel: [13:39:16] ABILIS_CPX:`debug aes lsn:1` Supported hardware cryptographic features: [00000005] + Intel AESNI + Intel RDRAND [14:02:13] ABILIS_CPX:`d cpuid` ... Extended brand string: " Intel(R) Celeron(R) CPU N3150 @ 1.60GHz" ... AES Supports AESNI instruction extensions ... Present, VIA: [13:59:35] ABILIS_CPX:`debug aes lsn:1` Supported hardware cryptographic features: [0000000A] + VIA Padlock ACE + VIA Padlock RNG [14:01:02] ABILIS_CPX:`d cpuid` ... Advanced Cryptography Engine (ACE): present Advanced Cryptography Engine (ACE): enabled Advanced Cryptography Engine 2 (ACE2): not present Advanced Cryptography Engine 2 (ACE2): disabled ...

Hardware based AES increases performances between 3x and 10x. It's presence is visible by means of DEBUG AES LSN:1

command. It is also indicated in the processor characteristics shown with the D CPUID command.

Not present:

[13:40:55] ABILIS_CPX:debug aes lsn:1

Supported hardware cryptographic features: [00000000]
 <none>

Present, Intel:

[13:39:16] ABILIS_CPX:debug aes lsn:1

Supported hardware cryptographic features: [00000005]
 + Intel AESNI
 + Intel RDRAND


[14:02:13] ABILIS_CPX:d cpuid
...
Extended brand string: "      Intel(R) Celeron(R) CPU  N3150  @ 1.60GHz"
...
AES       Supports AESNI instruction extensions
...

Present, VIA:

[13:59:35] ABILIS_CPX:debug aes lsn:1

Supported hardware cryptographic features: [0000000A]
 + VIA Padlock ACE
 + VIA Padlock RNG   

[14:01:02] ABILIS_CPX:d cpuid
...
Advanced Cryptography Engine (ACE): present
Advanced Cryptography Engine (ACE): enabled
Advanced Cryptography Engine 2 (ACE2): not present
Advanced Cryptography Engine 2 (ACE2): disabled
...

Embedded multipath redundancy.
Embedded load balancing among paths and multipaths.
Embedded paths backup by means of dependencies rules (client side).
Individual 'per path' speedlimit.
Opportunistic packet reordering for each IPCOS priority.
TCP-MSS-CLAMP feature to optimize TCP flows.
Ciphering and Data compression (data compression requires specific licence) controllable just on one side, the server.

	Important
	The tunnel packets, i.e. control and encapsulated payload, that AIPT2 sends out obey IPACL for all parameters except for `IPCOS` which is enforced by means of `C-IPCOS` and `D-IPCOS` parameters. On the contrary the clean payload, i.e. decapsulated packets, fully obey IPACL.

In the example below:

Path 1 is disabled;
Paths 4 and 5 are configured as a redundancy multipath, i.e. Packets are duplicated on both path;
Path 6 is activated when either path 2 or 3 goes DOWN;
Load balancing is performed across paths 2, 3, 4/5 as multipath, with path 6 taking place of 2 or 3 or both in case they go DOWN.

Server:

[21:56:35] ABILIS_CPX:d p ip-11

RES:Ip-11 ---------------------------------------------------------------------
       - Abilis IP tunnel v.2 (AIPT2) -----------------------------------------
Run    DESCR:
       LOCATION:
       OPSTATE:UP              LOG:NO            STATE-DETECT:NORMAL  TYPE:VPN
       IPADD:172.020.011.205   MASK:255.255.255.000   NEIGH:000.000.000.000
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:VPN                       DIFFSERV:NO        DDNS:NO
       OUTBUF:250    OUTQUEUE:FAIR   MTU:1500
       OUTSPL:NO
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:NO
       - IP Tunnel ------------------------------------------------------------
       ROLE:SERVER   CR:NO     COMP:NO       FRAGSIZE:1480  TRY:5     TOUT:5000
       LOCKEY:ip11             LOCPORT:4011  C-TOS:0-D      DLY-UP:10 THR-DN:30
       REMKEY:ip11                           C-IPCOS:HIGH   DLY-TOUT:3
       REMABILIS-ID:           RS-BUF:250    D-TOS:COPY     BURST:1
       NUMPATHS:6              REORDER:NO    D-IPCOS:COPY   BURST-DLY:100
       PATHSMODE:MIXED
       - IP Tunnel Paths ------------------------------------------------------
       x  MPx: OUTSPx: OUTx:  LOCIPx:         REMIPx:
                       GWx:                   SPL-OVHx:
       --+----+-------+------+---------------+---------------------------------
       1 |     NOMAX   AUTO   *               *
       2 |     NOMAX   AUTO   *               *
       3 |     NOMAX   AUTO   *               *
       4 |A    NOMAX   AUTO   *               *
       5 |A    NOMAX   AUTO   *               *
       6 |     NOMAX   AUTO   *               *

Client:

[21:53:49] ABILIS_CPX:d p ip-11

RES:Ip-11 ---------------------------------------------------------------------
       - Abilis IP tunnel v.2 (AIPT2) -----------------------------------------
Run    DESCR:
       LOCATION:
       OPSTATE:UP              LOG:NO            STATE-DETECT:NORMAL  TYPE:VPN
       IPADD:172.020.011.206   MASK:255.255.255.000   NEIGH:000.000.000.000
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:VPN                       DIFFSERV:NO        DDNS:NO
       OUTBUF:250    OUTQUEUE:FAIR   MTU:1500
       OUTSPL:NO
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:NO
       - IP Tunnel ------------------------------------------------------------
       ROLE:CLIENT                           FRAGSIZE:1480  TRY:5     TOUT:5000
       LOCKEY:ip11             LOCPORT:4011  C-TOS:0-D      DLY-UP:10 THR-DN:30
       REMKEY:ip11             REMPORT:4011  C-IPCOS:HIGH   DLY-TOUT:3
       REMABILIS-ID:           RS-BUF:250    D-TOS:0-N      BURST:1
       NUMPATHS:6              REORDER:AUTO  D-IPCOS:COPY   BURST-DLY:100
       PATHSMODE:MIXED
       - IP Tunnel Paths ------------------------------------------------------
       x  MPx: OUTSPx: OUTx:  LOCIPx:         REMIPx:
          DEPx:        GWx:                   SPL-OVHx:
       --+----+-------+------+---------------+---------------------------------
       1 |     NOMAX   AUTO   OUT-IP          #
       2 |     NOMAX   AUTO   OUT-IP          172.020.002.205
       3 |     NOMAX   AUTO   OUT-IP          172.020.003.205
       4 |A    NOMAX   AUTO   OUT-IP          172.020.004.205
       5 |A    NOMAX   AUTO   OUT-IP          172.020.005.205
       6 |     NOMAX   AUTO   OUT-IP          172.020.006.205
          2|3          #                      AUTO


Chapter 47. AIPT2 - Abilis IP tunnel v.2		47.2. AIPT2 resource parameters