Send and receive IP packets with Ivanti Tunnel

The following describes how IP packets are sent and received between the app attempting to connect to a backend resource and Standalone Sentry:

  1. The Android app posts the IP packets to the TUN interface.
  2. The Tunnel plugin/service receives the IP packets from the TUN interface.
  3. The packets are sent as the payload of the TCP connection to Standalone Sentry.
  4. Standalone Sentry sends the IP packets to the end destination.
  5. Standalone Sentry receives IP packets from the end destination and sends them over the TCP connection to the Ivanti Tunnel plugin, which posts them to the TUN interface.
  6. The app gets the payload through the TUN interface.

TCP and UDP are supported. IPv4 is supported.

Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.
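The following Python example is added here and is not Ivanti code. It classifies raw IP packets, as they would be read from a TUN interface, against the support statements above: IPv4 only, TCP, and limited UDP such as DNS. The function names, the result labels, the SENTRY_UDP_PORTS set and the sample packets are assumptions constructed for illustration; packets labelled review-udp are the traffic an administrator would consider when setting SplitUDPPortList.

```python
import struct

# Assumption: DNS (UDP/53) stands in for the limited UDP that Sentry carries.
SENTRY_UDP_PORTS = {53}

def classify(packet: bytes) -> str:
    """Classify one raw IP packet as it would be read from a TUN interface."""
    if not packet:
        return "malformed"
    if packet[0] >> 4 != 4:
        return "unsupported"            # e.g. IPv6: the page lists IPv4 only
    ihl = (packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if total_len < ihl or total_len > len(packet):
        return "malformed"
    proto = packet[9]
    if proto == 6:
        return "tunnel"                 # TCP
    if proto != 17:
        return "unsupported"            # ICMP, GRE, ...
    if flags_frag & 0x1FFF:
        return "review-udp"             # later fragment: no UDP header to inspect
    if total_len < ihl + 8:
        return "malformed"              # UDP header does not fit
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return "tunnel" if dport in SENTRY_UDP_PORTS else "review-udp"

def ipv4(proto: int, l4: bytes, frag: int = 0) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag, 64, proto,
                       0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10])) + l4

def udp(dport: int, data: bytes = b"x") -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data

# Constructed samples, not captured traffic.
SAMPLES = {
    "dns": ipv4(17, udp(53)),
    "media-like-udp": ipv4(17, udp(16384)),
    "tcp": ipv4(6, b"\x00" * 20),
    "icmp": ipv4(1, b"\x08\x00" + b"\x00" * 6),
    "ipv6": b"\x60" + b"\x00" * 39,
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} {classify(pkt)}")
```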

Ivanti Tunnel connectivity probe

Ivanti Tunnel sends probes with VPN traffic, after a specified period of idle time, to check if the Tunnel connection to the VPN server is open. If Ivanti Tunnel does not receive a response for at least one of the probe packets, Tunnel closes the current connection and initiates a new connection to the VPN server. The following key-value pairs are available to allow administrators to customize the settings: AtpProbeIdleSec, AtpProbeIntervalSec, AtpProbeCount. For information about the key-value pairs, see Custom data key-value pairs for Ivanti Tunnel for Android native and Samsung Knox Workspace.