Reference Material
Reference Material
In this section, you can find details about different objects of Acreto platform, advanced configuration options and list off all supported setups.
Subsections of Reference Material
Connectivity check
As an Acreto user, check manually if your current connection is secured. There are two easy methods to verify that.
Method 1: ISP Check - Whats my IP
When you connect thru Acreto, your ISP (Internet Service Provider) is masked by Acreto. To check your current ISP go to Whatsmyip.com and check the ISP name:
If you can see ISP: Acreto - gratulation, your internet connection is secured by Acreto!
Method 2: ISP Check - IP Info
When you connect thru Acreto, your ISP (Internet Service Provider) is masked by Acreto. To check your current ISP go to IP InfoNI and check the ISP name:
If you can see org: “AS396298 Acreto” - gratulation, your internet connection is secured by Acreto!
IPsec Ciphers List
Overview
In this article, you will get a full list of IPsec ciphers supported by Acreto platform.
Problem statement
When configuring IPsec connectivity to a Gateway, you can encounter issues during negotiation of IPsec ciphers.
Info
Example errors in IPsec logs: NO_PROPOSAL_CHOSEN
Solutions
Solution 1: Use recommended ciphers
To see recommended ciphers, display details of your Gateway on the Acreto Platform and check Recommended Ciphers in the VPN Parameters section.
Note
An example of recommended ciphers:
- IKE: aes256gcm16-sha256-ecp256
- ESP: aes256gcm16-sha256-ecp256
Solution 2: Use all supported ciphers
This solution allows the Acreto IPSec tunnel to support all supported ciphers.
-
Ensure that checkbox “Allow all supported ciphers” in Gateway definition on Acreto platform is checked
-
Ensure your Ecosystem has been committed
-
On your end, select one of the supported ciphers
All combinations of allowed algorithms can be found here:
Below you can find a list of all ciphers supported by Acreto.
Encryption
- aes256gcm16
- aes256
- aes256ctr
- aes256ccm16
- aes128gcm16
- aes128[!]
Note
We consider aes128 as insecure, but we still have it supported for legacy systems, as per user request.
DH groups
- ecp384
- ecp256
- ecp512
- modp4096
- modp6144
- modp8192
- modp2048
- modp3072
Integrity
- sha384
- sha256
- sha512
FAQ - Frequently Asked Questions
Which SHA-2 ciphers are supported by Acreto IPsec?
We support the following ciphers from the SHA-2 family:
- SHA-256
- SHA-384
- SHA-512
See also
A list of default ciphers is created based on guidelines from:
- Commercial National Security Algorithm Suite (CNSA Suite)
- Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 5, NIST, 05/2020.
- Cryptographic Mechanisms: Recommendations and Key Lengths, TR-02102-1 v2020-01, BSI, 03/2020.
- strongSwan Security Recommendations
- www.keylength.com
Downloads
Downloads lists
Dictionary
Why should I use the dictionary
Dictionary contains explanations and basic information about any system element that exists in the Acreto solution. Each explanation should help you to understand the Acreto name convention and allows you to work with them easily and comfortably.
Subsections of Dictionary
Ecosystem
What is an Ecosystem
An Ecosystem is a dedicated security container for a specific application and all of its associated users, devices, services, and third parties that need to interoperate with that application.
Your organization can use multiple Ecosystems to secure different applications. For example, a bank could use a separate Ecosystem for each of the following:
- Teller & Platform systems
- Web Site & Mobile Banking
- ATM network
- Video Surveillance
- Keycard Access
- HVAC & Physical Plant
- Guest Wifi
- Banking Ledger Application
Any Device, Any Network, Anywhere
Because Ecosystems are network-agnostic, participating applications, technologies, users, and third parties can be located anywhere and even operate while mobile. Acreto Ecosystems support any type of network including LTE, 5G, Wifi, Ethernet, Satellite, Packet Radio and more. This makes it particularly well-suited for highly distributed and mobile applications.
Per Application Dedicated Infrastructure
Each Ecosystem is a completely independent and dedicated security infrastructure, separate from all other Ecosystems. Dedicated Ecosystem infrastructure components include:
- One or more enforcement engines
- Data flows and data paths
- Data set and policies
- Database
- Vault
Beta feature
Beta features are features that are not production-ready yet.
Beta features should be functional, but you can still encounter minor issues. You can also notice that some important elements of these features are still not delivered.
Note that we might change or remove beta features (including API endpoints, user interface, and your configuration and data) at any time.
Data plane user
Data plane user is a person or device connected to Acreto Ecosystem.
Gateway
What “Gateway” is?
Gateway is a device that allows you to connect your local network to Acreto and secure whole network traffic and end-user devices without configuring them one-by-one. Take a look at the images below to compare standard network connection with the network secured by Acreto with the Gateway method.
Gateway may be configured in IPsec or vGateway mode. Each of these configurations may be used for different purposes and in different network structures:
- choose vGateway when you want to download a preconfigured Acreto vGateway appliance and install it on a Raspberry Pi device or some virtualization platform (like KVM or VMware)
- choose IPSec if you prefer to manually configure your existing device (like router or Linux machine) which supports IPSec protocol
To create a Gateway, you need to:
- Create a Gateway object inside your Ecosystem
- Create one or more security policies to allow traffic from that Gateway to the Internet
IPv4 and IPv6 subnets
You can find list of IPv4 and IPv6 networks used by Acreto in the following files:
You should include all the IP addresses above in your firewall configuration.