ZTP IPSec Application

Managed VPN services are one of the most prominent and profitable services provided by communications service providers (CSPs) to their enterprise customers.

Altran elevates the service by providing an elegant zero-touch provisioning (ZTP) system that manages the complexity of configuring the VPN tunnel between the CSP aggregation, the core network elements, and the remote gateway routers. It also allows for the secure and automated configuration of the VPN tunnel while ensuring the customer’s data privacy.

The solution consists of three components:

  • Enterprise Self-Care Portal: A portal used by the customer to handle the VPN tunnel configuration workflow.
  • ZTP IPSec Application: The heart of the solution, an application that interacts with the operator's OSS/BSS systems and with the portal. The app also configures the service provider’s routers.
  • WAN Connection Manager Application: An application that configures the router that resides on the customer’s laptop or workstation.

What Potential Business Problem or Issue Is the Product Solving for Altran Customers?

A managed VPN service requires configuration and provisioning of both the service provider’s network and the customer’s network. SDN technology automates the configuration workflow management of the CSP’s internal aggregation and core network components, such as edge compute and routers. However, there are challenges in configuring remote gateways:

  • Accessing the gateways
  • Updating credential management
  • Pushing hundreds of lines of configuration code to the gateway router to create IPSec and BGP routing
  • The manual configuration process is time-consuming and prone to errors


While most CSPs offer managed VPN service, the Altran ZTP IPSec service goes beyond the standard offering in five key ways:

  • Highly flexible, extendable, and customizable.
  • Delivers easy support to new routers, or new models of existing supported routers.
  • Solves nagging business problems within the existing infrastructure.
  • Simplifies the transition of existing infrastructure to the SD-WAN.
  • Secured workflow ensures the confidentiality and privacy of customer data.

Key differentiators

The Altran ZTP IPSec application is a unique solution with many useful features:

  • Configuration of automated certificate enrollment with the operator's certificate authority (CA) over the SCEP protocol for RSA-based IPSec tunnels.
  • Configuration of customer routers for GRE over IPSec tunnel with BGP for routers that do not support GRE IP over IPSec tunnel.
  • Support for One-Router-Two-Tunnels (1R2T) and Two-Router-Four-Tunnels (2R4T) configurations for the customer. Both tunnels are active, but by using the BGP Self-AS prepending feature, one tunnel becomes less costly than the other.
  • Cisco IOS XE-based POP router pair configuration for multiple customers as active and standby.
  • API- and GUI-based OSS/BSS interface.
  • Secured interface between portal components and external components.
  • Cloud-native solution that can run on a virtual machine as well as a container.
  • Pre-shared key as well as RSA-based IPSec tunnels.
  • List of customer routers.
  • Two-factor authentication and out-of-band delivery of the authentication PIN via email.
  • Additional security for certificate-based tunnels where the challenge password is shared out of band via email.
  • Highly available cluster configuration support.


Short Turnaround Time

  • Enables enterprise customers to activate the enterprise router configuration as soon as the operator-side configurations are ready.
  • Accelerates the time to bring up service, which results in quicker revenue realization.

Minimize Errors

  • Reduces the scope for human error in bringing up service.

Ease of Use

  • Even non-certified network engineers can set up the enterprise-side router.
  • Extensive detailed error codes and logs are available to the operator for easy debugging of issues.


  • Highly secure with two-factor authentication and out-of-band delivery of the authentication PIN via email.
  • Additional security for certificate-based tunnels where the challenge password is shared out-of-band via email.

Cost Saving

  • Both the operator and enterprise save operational costs that would be incurred without this solution.

Enterprise Data Confidentiality

  • Enterprise users can accept or reject the commands that would be used to configure the enterprise router.
  • Enterprise router credentials are not required to be known by the operator.


  • The architecture supports easy integration of the make and model of new routers.