Traffic encryption

April 9, 2024

ID 244338

Traffic encryption is a mechanism of securing the exchange of traffic between CPE devices through links. For example, you can encrypt traffic when sending data between devices over a link built on top of an unsecured internet connection.

The SD-WAN Controller automatically generates keys for encrypting and decrypting traffic and sends them to CPE devices. Traffic is encrypted on the source device with an encryption key before being sent to the link. The destination device receives traffic from the link and decrypts it with the decryption key.

The keys are rotated regularly so that a third party who intercepts a key cannot use it to encrypt or decrypt the transmitted traffic. You can specify the interval after which the keys on CPE devices are updated using the Dtopology.link.encryption.key.update.interval.minutes property of the SD-WAN Controller.

Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.

If traffic encryption is enabled on a CPE device, all outbound links that involve this device send encrypted traffic (including new links that will be established later).

If traffic encryption is disabled on a CPE device, it sends unencrypted traffic. Note that if you disable traffic encryption on a device that previously encrypted its outgoing traffic, the keys generated by the SD-WAN Controller for encrypting and decrypting traffic are deleted from all associated devices.

Traffic encryption can also be enabled or disabled on individual links. For example, you can enable traffic encryption on a CPE device but disable it on a link that involves this device. When enabling or disabling traffic encryption on a link, you must configure both the outgoing and the incoming link in the same way.
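As an added example (not Kaspersky SD-WAN code), the following Python model captures the rules described above: the effective encryption state of each link direction, the check that both directions of a link are configured identically, key issuance for encrypted directions, and key deletion when encryption is disabled on a device. The device names, data layout and key values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

Link = tuple[str, str]  # (source CPE, destination CPE): one direction of a link


@dataclass
class Topology:
    # Links between CPE devices (constructed sample topology, one entry per link).
    links: list[tuple[str, str]]
    # Device-level traffic encryption setting per CPE.
    device_encryption: dict[str, bool]
    # Per-direction link setting; absent or None means "inherit from the source device".
    link_override: dict[Link, Optional[bool]] = field(default_factory=dict)
    # Keys issued by the Controller, one per encrypted direction (placeholder values).
    keys: dict[Link, str] = field(default_factory=dict)

    def effective(self, src: str, dst: str) -> bool:
        """Is the outbound link src -> dst encrypted? A link-level setting wins;
        otherwise the source device's setting applies to all its outbound links."""
        override = self.link_override.get((src, dst))
        return override if override is not None else self.device_encryption.get(src, False)

    def mismatched_links(self) -> list[tuple[str, str]]:
        """Links whose outgoing and incoming directions are configured differently,
        which this page says is not allowed when configuring links."""
        return [(a, b) for a, b in self.links if self.effective(a, b) != self.effective(b, a)]

    def issue_keys(self) -> None:
        """Controller issues a key for every encrypted direction that lacks one."""
        for a, b in self.links:
            for src, dst in ((a, b), (b, a)):
                if self.effective(src, dst) and (src, dst) not in self.keys:
                    self.keys[(src, dst)] = f"key-{src}-{dst}"  # placeholder, not a real key

    def disable_device(self, name: str) -> list[Link]:
        """Disable encryption on a CPE; keys for all links involving it are deleted."""
        self.device_encryption[name] = False
        removed = [k for k in self.keys if name in k]
        for k in removed:
            del self.keys[k]
        return removed


if __name__ == "__main__":
    topo = Topology(links=[("cpe-a", "cpe-b"), ("cpe-b", "cpe-c")],
                    device_encryption={"cpe-a": True, "cpe-b": True, "cpe-c": False})
    print("mismatched:", topo.mismatched_links())  # cpe-b encrypts toward cpe-c, cpe-c does not
```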
