Netskope IPSec with Viptela vEdge

This document provides instructions for integrating Cisco SD-WAN (Viptela) vEdge with Netskope so that selected traffic is steered to Netskope over an IPsec tunnel.

  1. In the Netskope UI, create the IPsec VPN tunnel for the Cisco SD-WAN (Viptela) device; see Creating an IPSec Site. Note the preshared key and the Netskope tunnel destination address, which the vEdge configuration below needs.
  2. In the Viptela vEdge UI, go to Settings > Configuration Template > Feature > Basic Configuration.
  3. Configure these IPsec Tunnel interface parameters:
    • Interface Name: Enter a tunnel interface name.
    • Tunnel IP Address: The tunnel IP address can be any /30 IP address and it is not required to be routable. Currently, IP unnumbered is not supported on IPsec tunnels.
    • Source: Select the Source Interface or Source IP address.
    • Destination: Enter the destination IP address of the Netskope IPsec gateway for the site you created in step 1.
  4. Go to the IKE page.
  5. Configure these IKE parameters:
    • IKE Version: 2
    • IKE Cipher Suite: AES-256-CBC-SHA2
    • IKE DH Group: 16 4096-bit modulus
    • Preshared key: Enter the preshared key you defined for the IPSec Site in the Netskope UI.
    • IKE Local ID: FQDN string.
    • IKE Remote ID: FQDN string.
    • IPSec Cipher Suite: AES-256-CBC-SHA1
    • Perfect Forward Secrecy: Group-16 4096-bit modulus
  6. Go to Device > Basic Information.
  7. VPN Interface IPsec: Attach the interface feature template you just configured.
  8. In the Netskope UI, go back to the IPSec page (Settings > Security Cloud Platform > Traffic Steering > IPSec). Within 5 minutes you should see the new IPSec tunnel represented as Up (a green arrow in the Status column).
  9. Click the green up arrow to see the tunnel details.
  10. Status should be green in the Viptela UI as well.
  11. You can also see the status in the CLI using these commands:
    show ipsec ike sessions | tab
    show interface ipsec1 | tab
  12. View the IPsec tunnel configuration pushed to the vEdge appliance (placeholders in angle brackets stand for the site-specific secret and local ID):
    AWS-vEdge4# show running-config vpn 0 interface ipsec1
    vpn 0
     interface ipsec1
      ip address 10.10.10.1/30
      tunnel-source-interface ge0/0
      tunnel-destination      8.36.116.114
      ike
       version      2
       rekey        14400
       cipher-suite aes256-cbc-sha2
       group        16
       authentication-type
        pre-shared-key
         pre-shared-secret <pre-shared-key>
         local-id          <local-id>
         remote-id         8.36.116.114
      ipsec
       rekey                   3600
       replay-window           512
       cipher-suite            aes256-cbc-sha1
       perfect-forward-secrecy group-16
      no shutdown
  13. In Viptela, configure a Route Policy to match whichever traffic you want to route toward Netskope.
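The following is an added example and not part of the original guide or of any Netskope or Cisco tool: a small Python checker that parses the `show running-config vpn 0 interface <name>` text from step 12 and flags any IKE/IPsec parameter that deviates from the values required in step 5. It also catches a template whose `<pre-shared-key>` or `<local-id>` placeholder was never replaced. PAGE_CONFIG reproduces the guide's listing; WEAK_CONFIG is a constructed, deliberately non-compliant variant (IKEv1, DH group 2, no PFS, interface shut down) used only to show the checker's output.

```python
"""Check a vEdge IPsec tunnel running-config against the settings in this guide.

Added example; it is not part of the original guide and not a Netskope or
Cisco tool.  It parses the indentation-nested text that
`show running-config vpn 0 interface <name>` prints (step 12) into dotted
keys and compares the IKE/IPsec values with those required in step 5.
PAGE_CONFIG mirrors the guide's listing with its placeholders kept;
WEAK_CONFIG is a constructed, deliberately non-compliant variant.
"""
import re

PREFIX = "vpn.interface."   # tunnel settings sit under 'vpn 0' / 'interface <name>'
PSK_PATH = PREFIX + "ike.authentication-type.pre-shared-key."

# Values from step 5 of the guide, spelled as the pushed config shows them.
REQUIRED = {
    "ike.version": "2",
    "ike.cipher-suite": "aes256-cbc-sha2",
    "ike.group": "16",
    "ipsec.cipher-suite": "aes256-cbc-sha1",
    "ipsec.perfect-forward-secrecy": "group-16",
    "shutdown": "no",       # 'no shutdown' means the tunnel interface is enabled
}
PLACEHOLDER = re.compile(r"^<[^>]*>$")   # e.g. <pre-shared-key> left in a template


def parse_tunnel_config(text):
    """Flatten Viptela's indentation-nested config into {dotted.key: value}.

    A line followed by a more deeply indented line opens a block; its first
    token becomes a path component (an argument such as 'ipsec1' is stored
    as the block's own value).  Any other line is a leaf: 'no X' is stored
    as X='no', a bare keyword as 'yes'.  Lines holding only '!' are ignored.
    """
    entries = [(len(ln) - len(ln.lstrip()), ln.split())
               for ln in text.splitlines() if ln.strip() and ln.strip() != "!"]
    stack, config = [], {}
    for i, (indent, tokens) in enumerate(entries):
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # close blocks we have dedented out of
        next_indent = entries[i + 1][0] if i + 1 < len(entries) else -1
        if next_indent > indent:
            stack.append((indent, tokens[0]))
            if len(tokens) > 1:
                config[".".join(n for _, n in stack)] = " ".join(tokens[1:])
            continue
        if tokens[0] == "no" and len(tokens) > 1:
            key, value = tokens[1], "no"
        else:
            key, value = tokens[0], " ".join(tokens[1:]) or "yes"
        config[".".join([n for _, n in stack] + [key])] = value
    return config


def check_tunnel_config(text):
    """Return a list of deviations from the guide; an empty list means compliant."""
    cfg = parse_tunnel_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(PREFIX + key, "(missing)")
        if got != want:
            findings.append(f"{key}: expected '{want}', got '{got}'")
    # The guide's listing shows template placeholders; a deployed tunnel must not.
    for leaf in ("pre-shared-secret", "local-id"):
        val = cfg.get(PSK_PATH + leaf)
        if val is None:
            findings.append(f"{leaf}: missing")
        elif PLACEHOLDER.match(val):
            findings.append(f"{leaf}: template placeholder {val} was never replaced")
    return findings


# The config from step 12 of the guide, indented as the device prints it.
PAGE_CONFIG = """\
vpn 0
 interface ipsec1
  ip address 10.10.10.1/30
  tunnel-source-interface ge0/0
  tunnel-destination      8.36.116.114
  ike
   version      2
   rekey        14400
   cipher-suite aes256-cbc-sha2
   group        16
   authentication-type
    pre-shared-key
     pre-shared-secret <pre-shared-key>
     local-id          <local-id>
     remote-id         8.36.116.114
  ipsec
   rekey                   3600
   replay-window           512
   cipher-suite            aes256-cbc-sha1
   perfect-forward-secrecy group-16
  no shutdown
"""

# Constructed non-compliant variant: IKEv1, DH group 2, no PFS, interface shut down.
WEAK_CONFIG = (PAGE_CONFIG
               .replace("version      2", "version      1")
               .replace("group        16", "group        2")
               .replace("perfect-forward-secrecy group-16", "perfect-forward-secrecy none")
               .replace("  no shutdown", "  shutdown"))

if __name__ == "__main__":
    for name, cfg in (("guide listing", PAGE_CONFIG), ("weak variant", WEAK_CONFIG)):
        print(f"{name}: {check_tunnel_config(cfg) or ['compliant']}")
```

Run against the guide's own listing the checker reports only the two unreplaced placeholders, which is the expected result for a template; against a device it should return an empty list. Paste the real `show running-config` output into PAGE_CONFIG's place, or read it from a file, to check a deployed tunnel.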