Netskope Help

Configure an IPsec Tunnel using a Workflow Template
  1. Go to Director > Workflows > Template > Templates.

  2. Add new workflow template by clicking on image9.tiff

    image10.tiff
  3. Configure your basic information on the General, Interfaces, and Routing tabs.

    image11.tiff
  4. Click on the Tunnels tab.

  5. Under Split tunnels, configure the DIA tunnel from your LAN VR for DNS queries.

    image12.tiff
  6. To configure site to site tunnels with Netskope, go to the Site to Site Tunnels section:

    1. Configure an appropriate name for the tunnel

    2. select peer-type as Unmanaged

    3. Select a WAN network

    4. Select customer LAN VRF

    5. Select + Add New from the Vpn Profile dropdown to configure a new VPN profile.

    image13.tiff
  7. Under Create Authentication Profile:

    1. Configure appropriate ‘VPN Profile Name’

    2. Select Ike Version ‘v2’

    3. Select Ike transform ‘aes128-sha512’

    4. Select IPSec Transform ‘esp-aes128-sha512’’

    5. Select No. of tunnels as 2

    6. Configure a ‘Peer Auth PSK Key’

    7. Configure Netskope WAN IP as ‘Peer Auth IP Identifier Identity’

    8. Select Tunnel Config as ‘policy based’

    image14.tiff
  8. Under Policy Configuration section, Click on image9.tiff to add new policy :

    1. Add a policy to accept http traffic , then click OK.

      image15.tiff
    2. Add a second policy to accept https traffic, then click OK.

      image16.tiff
  9. Click OK in the Create Authentication Profile window.

    image17.tiff
  10. Click on the green image9.tiff at the end of tunnel configuration to add the tunnel.

    image18.tif
  11. Complete the Inbound NAT, Services, and Management Servers configurations per your requirements, and then click on Recreate to create workflow template.

    Newimage18.tiff
  12. Go to Configuration > Templates > Device Templates and select the template you created in the previous step to enter the template configuration view.

    image19.tiff
  13. Go to Services > IPSec > VPN Profiles. Because 2 tunnels were selected, two separate VPN profiles have been created: Netskope-gw1 and Netskope gw2.

  14. Click on Netskope-gw1 to edit, and go to the IKE tab.

  15. Modify the DH group to Diffie-Hellman-Group 14 2048.

    image20.tiff
  16. Go to the IPSec tab, modify the DH group to Diffie-Hellman-Group 14 2048, and then click OK.

    image21.tiff
  17. Click on Netskope-gw2 and modify the Peer IP to that of the back-up tunnel endpoint.

    image22.tiff
  18. Go to IKE tab and modify the DH group to Diffie-Hellman-Group 14 2048 and Peer Auth Identity to the backup tunnel endpoint.

    image23.tiff
  19. Go to IPsec tab and modify the DH group to Diffie-Hellman-Group 14 2048, and then click OK.

    image24.tiff
  20. Go to Workflows > Devices > Devices and click OK to add a Device template based on the workflow template created in previous step. Enter the basic information under Basic > Device Service template and tabs.

  21. Under Tunnel Information, verify that tunnel information is auto-populated . If some information has to be provided by the user, update the information.

    image25.tiff
  22. Under Bind data section , enter your relevant bind data information and click OK.

    1. netskope-gw-1_Local_auth_ip_identifier__IKELIdentifier is the Versa source WAN IP for the primary tunnel.

    2. netskope-gw-1_Local_auth_key__IKELKey is the shared key for the primary tunnel.

    3. netskope-gw-2_Local_auth_ip_identifier__IKELIdentifier is the Versa source WAN IP for backup tunnel.

    4. netskope-gw-2_Local_auth_key__IKELKey is the shared key for the backup tunnel.

    image26.tiff
  23. Deploy the Device workflow configuration and onboard the device.

Verification
  1. Go to the Monitor tab, select Organization > Devices, and select a device.

  2. Click Services > IPSEC > IPSEC Security Association and select netskope-gw1 from the dropdown list to view tunnel status

    image27.tiff
  3. Select netskope-gw-2 to verify backup tunnel status.

    image28.png