Netskope Help

Configure Tunnels on EdgeConnect

Follow the steps below to configure IPsec tunnels. You will need to create an IPsec VPN tunnel to the primary POP and an IPsec VPN tunnel to the failover POP.

Create a Tunnel to a Primary POP
  1. Log in to Silver Peak Unity Orchestrator.

  2. In the device tree on the left, select the EdgeConnect appliance where you want to configure the tunnel to Netskope.

  3. Open the Tunnels tab (click Configuration > Networking > Tunnels > Tunnels).

  4. Click the edit icon image6.png on the left of any row in the table.

  5. On the tunnels detail page, click Passthrough at the top of the table, and then click Add Tunnel.

    The Add Passthrough Tunnel dialog opens.

    image7.jpeg
  6. Enter or select the new tunnel parameters as follows:

    Parameter

    Description

    Alias

    Enter a descriptive name for the tunnel.

    Mode

    Select IPSec.

    Admin

    The administrative state of the tunnel. You can leave this at the default value of up.

    Local IP

    The IP address of the WAN interface that will originate the IPSec tunnel. Click into this field and select the IP address from those available.

    Remote IP

    Enter the IP address of the primary Netskope POP that you configured in Netskope.

    NAT

    This should be set to none.

    Peer/Service

    Enter the name of a new service that will use this tunnel. You will use this service for configuring breakout to Netskope under Business Intent Overlays.

    Auto Max BW Enabled

    Leave this checkbox selected to let the appliance auto-negotiate the maximum tunnel bandwidth.

    Max

    BW Kbps

    This field is not available when auto bandwidth is enabled.

    image8.jpeg
  7. Click IKE in the Add Passthrough Tunnel dialog.

  8. Enter or select the new tunnel parameters as follows:

    Set the IKE Version to IKE v2 first at the bottom because this will change some of the other fields availability.

    Parameter

    Description

    IKE Version

    Set to IKE v2.

    Preshared Key

    Enter the same preshared key that you created on Netskope.

    Authentication Algorithm

    Select SHA1.

    Encryption Algorithm

    Select the same algorithm as on Netskope (AES-128 or AES-256).

    Diffie-Hellman Group

    Select 14.

    Rekey Interval/Lifetime

    Leave the default value of 480.

    Dead Peer Detection

    Leave the delay time at its default value, and retry count cannot be changed.

    Local IKE Identifier

    Enter the Source Identity that you assigned to the tunnel on Netskope.

    Remote IKE Identifier

    Enter the IP address of the primary Netskope POP that you configured in Netskope.

    Phase 1 Mode

    This value cannot be changed.

    image9.jpeg
  9. Click the IPsec button at the top of the Add Passthrough Tunnel dialog.

  10. Enter or select the new tunnel parameters as follows:

    Parameter

    Description

    Authentication Algorithm

    Select SHA1.

    Encryption Algorithm

    Select AES-128.

    Enable IPsec Anti-Replay Window

    Leave this checkbox selected.

    Rekey Interval/Lifetime

    You can leave these values at their defaults.

    Perfect Forward Secrecy Group

    This can be left at the default value of 14.

    image10.jpeg
  11. When the settings for General, IKE, and IPSec are complete. Click Save to create the new tunnel.

Create a Tunnel to a Failover POP
  1. Click Add Tunnel to create a second tunnel to the failover POP.

  2. Use the same values that you used for the first tunnel except for the following:

    • Alias: Use a different name for the second Silver Peak tunnel.

    • Remote IP: Enter the IP address of the failover POP that you configured in Netskope.

    • Peer/Service: Create a new service name that will direct traffic to the failover POP.

    • Remote IKE Identifier: Use the IP address of the failover POP.