Reference Material

In this section, you can find details about the different objects of the Acreto platform, advanced configuration options and a list of all supported setups.

Subsections of Reference Material

Connectivity check

As an Acreto user, you can manually check whether your current connection is secured. There are two easy methods to verify this.

Method 1: ISP Check - What's my IP

When you connect through Acreto, your ISP (Internet Service Provider) is masked by Acreto. To check your current ISP, go to Whatsmyip.com and check the ISP name:

If you see ISP: Acreto, congratulations, your internet connection is secured by Acreto!

Method 2: ISP Check - IP Info

When you connect through Acreto, your ISP (Internet Service Provider) is masked by Acreto. To check your current ISP, go to IP Info and check the ISP name:

If you see org: “AS396298 Acreto”, congratulations, your internet connection is secured by Acreto!

IPsec Ciphers List

Overview

In this article, you will find the full list of IPsec ciphers supported by the Acreto platform.

Problem statement

When configuring IPsec connectivity to a Gateway, you may encounter issues during the negotiation of IPsec ciphers.

Info

Example errors in IPsec logs: NO_PROPOSAL_CHOSEN

Solutions

Solution 1: Use recommended ciphers

To see the recommended ciphers, display the details of your Gateway on the Acreto Platform and check Recommended Ciphers in the VPN Parameters section.

Note

An example of recommended ciphers:

  • IKE: aes256gcm16-sha256-ecp256
  • ESP: aes256gcm16-sha256-ecp256

[Screenshot: Show recommended ciphers]

[Animated GIF: how to check recommended ciphers]

Solution 2: Use all supported ciphers

With this solution, the Acreto IPsec tunnel accepts any of the supported ciphers listed below.

  1. Ensure that the “Allow all supported ciphers” checkbox in the Gateway definition on the Acreto platform is selected

    [Screenshot: Allow all supported ciphers]

  2. Ensure your Ecosystem has been committed

  3. On your end, select one of the supported ciphers

All combinations of allowed algorithms can be found here:

Below you can find a list of all ciphers supported by Acreto.

Encryption

  • aes256gcm16
  • aes256
  • aes256ctr
  • aes256ccm16
  • aes128gcm16
  • aes128 (see note below)

Note

We consider aes128 insecure, but it remains supported for legacy systems at user request.

DH groups

  • ecp384
  • ecp256
  • ecp512
  • modp4096
  • modp6144
  • modp8192
  • modp2048
  • modp3072

Integrity

  • sha384
  • sha256
  • sha512
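To diagnose a NO_PROPOSAL_CHOSEN error before touching a tunnel configuration, the following added example (not Acreto's own tooling) checks strongSwan-style proposal strings such as aes256gcm16-sha256-ecp256 against the cipher lists above. The IKE/ESP distinction and the treatment of the DH group as optional for ESP are assumptions about proposal notation, not something this page states.

```python
from dataclasses import dataclass, field

# Supported algorithm names exactly as listed on this page.
ENCRYPTION = {"aes256gcm16", "aes256", "aes256ctr", "aes256ccm16", "aes128gcm16", "aes128"}
INTEGRITY = {"sha256", "sha384", "sha512"}
DH_GROUPS = {"ecp256", "ecp384", "ecp512",
             "modp2048", "modp3072", "modp4096", "modp6144", "modp8192"}
LEGACY = {"aes128"}  # the page marks aes128 as insecure, kept only for legacy peers


@dataclass
class ProposalCheck:
    proposal: str
    ok: bool                               # nothing in the proposal would be rejected
    errors: list[str] = field(default_factory=list)    # causes of NO_PROPOSAL_CHOSEN
    warnings: list[str] = field(default_factory=list)  # accepted but discouraged


def check_proposal(proposal: str, kind: str = "IKE") -> ProposalCheck:
    """Check one '-'-separated proposal. kind is 'IKE' or 'ESP' (assumed notation):
    IKE needs encryption, integrity/PRF and a DH group; ESP only needs encryption,
    the DH group being optional (it only enables PFS on rekeying)."""
    result = ProposalCheck(proposal, ok=True)
    counts = {"enc": 0, "integ": 0, "dh": 0}
    for token in filter(None, proposal.lower().split("-")):
        if token in ENCRYPTION:
            counts["enc"] += 1
            if token in LEGACY:
                result.warnings.append(f"{token}: insecure, legacy-only")
        elif token in INTEGRITY:
            counts["integ"] += 1
        elif token in DH_GROUPS:
            counts["dh"] += 1
        else:
            result.errors.append(f"{token}: not in Acreto's supported list")
    if counts["enc"] == 0:
        result.errors.append("no supported encryption algorithm")
    if kind == "IKE" and counts["integ"] == 0:
        result.errors.append("IKE needs an integrity/PRF algorithm (sha256/384/512)")
    if kind == "IKE" and counts["dh"] == 0:
        result.errors.append("IKE needs a DH group")
    result.ok = not result.errors
    return result


def check_proposals(proposals: str, kind: str = "IKE") -> list[ProposalCheck]:
    """Check a comma-separated proposal list in the order a peer would offer it."""
    return [check_proposal(p.strip(), kind) for p in proposals.split(",") if p.strip()]
```

Run a peer's full proposal list through check_proposals and the first entry whose ok is True is the one Acreto can select; if none is, the errors explain the rejection.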

FAQ - Frequently Asked Questions

Which SHA-2 ciphers are supported by Acreto IPsec?

We support the following ciphers from the SHA-2 family:

  • SHA-256
  • SHA-384
  • SHA-512

See also

A list of default ciphers is created based on guidelines from:

Downloads

Downloads lists

Dictionary

Why should I use the dictionary

The Dictionary contains explanations and basic information about every system element that exists in the Acreto solution. Each explanation should help you understand the Acreto naming convention and let you work with these elements easily and comfortably.

Subsections of Dictionary

Ecosystem

What is an Ecosystem

An Ecosystem is a dedicated security container for a specific application and all of its associated users, devices, services, and third parties that need to interoperate with that application.

Your organization can use multiple Ecosystems to secure different applications. For example, a bank could use a separate Ecosystem for each of the following:

  • Teller & Platform systems
  • Web Site & Mobile Banking
  • ATM network
  • Video Surveillance
  • Keycard Access
  • HVAC & Physical Plant
  • Guest Wifi
  • Banking Ledger Application

Any Device, Any Network, Anywhere

Because Ecosystems are network-agnostic, participating applications, technologies, users, and third parties can be located anywhere and even operate while mobile. Acreto Ecosystems support any type of network including LTE, 5G, Wifi, Ethernet, Satellite, Packet Radio and more. This makes it particularly well-suited for highly distributed and mobile applications.

Per Application Dedicated Infrastructure

Each Ecosystem is a completely independent and dedicated security infrastructure, separate from all other Ecosystems. Dedicated Ecosystem infrastructure components include:

  • One or more enforcement engines
  • Data flows and data paths
  • Data set and policies
  • Database
  • Vault

Beta feature

Beta features are features that are not production-ready yet.

Beta features should be functional, but you may still encounter minor issues. You may also notice that some important elements of these features have not been delivered yet.

Note that we might change or remove beta features (including API endpoints, user interface, and your configuration and data) at any time.

Data plane user

A data plane user is a person or device connected to an Acreto Ecosystem.

Gateway

What is a “Gateway”?

A Gateway is a device that connects your local network to Acreto and secures all network traffic and end-user devices without configuring them one by one. Take a look at the images below to compare a standard network connection with a network secured by Acreto using the Gateway method.

A Gateway may be configured in IPsec or vGateway mode. Each configuration suits different purposes and different network structures:

  • choose vGateway when you want to download a preconfigured Acreto vGateway appliance and install it on a Raspberry Pi or a virtualization platform (such as KVM or VMware)
  • choose IPsec if you prefer to manually configure an existing device (such as a router or a Linux machine) that supports the IPsec protocol

To create a Gateway, you need to:

  1. Create a Gateway object inside your Ecosystem
  2. Create one or more security policies to allow traffic from that Gateway to the Internet

IPv4 and IPv6 subnets

You can find the list of IPv4 and IPv6 networks used by Acreto in the following files:

You should include all the IP addresses above in your firewall configuration.