Creating an IPSec Site
To create an IPSec site:
1. Go to Settings > Security Cloud Platform > IPSec.
2. Click New IPSec Site and then Create New.
3. In the New IPSec Site window, for Site Name, enter a name for the IPSec site.
4. In the Basic Settings tab:
   - Source Identity: Enter a unique IP address, fully qualified domain name (FQDN), or an ID in email address format, for example 1.1.1.1 or sourcelocation@company.com. The router or firewall uses the source identity for authentication during Internet Key Exchange (IKE). This doesn't need to be a real DNS record.
   - Primary Netskope POP: Select the closest primary Netskope point of presence (POP) in your country. For optimal performance, Netskope recommends:
     - Using the geographically closest POPs.
     - Configuring at least two POPs for each egress location in your network.
     - Ensuring your POPs don't fall on a new release deployment day. See Recommendation for PoP selection for IPsec/GRE tunnels.
   - Failover Netskope POP: Select the second closest Netskope POP in your country to use as the backup/failover site. For optimal performance, see the previous recommendations.
   - Sort Netskope POPs by geographical distance: Select to sort the Netskope POP list by the closest geographical distance. You can search for the nearest POP by entering an IP address or longitude and latitude coordinates.
   - Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel will use to authenticate one another. The PSK must be unique for each tunnel.
   - Encryption Cipher: Select an encryption algorithm for the IPSec tunnel.
   - Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 500 Mbps option, contact your Sales Representative or Support.
5. (Optional) In the Advanced Settings tab:
   - Traffic Type: Choose the type of traffic traversing this site. You can use this option to classify your tunnel traffic and build a usage report. The options are:
     - User
     - IoT
     - Mixed
     - Machine
     - Guest Wifi
   - Source IP Address: Enter the source peer IP address (that is, the exit public IP) of the router or firewall that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
   - Additional Netskope POP: You can select a maximum of 9 more POPs; however, additional POPs are best effort. For licensed high-capacity tunnels, additional Netskope POPs are not supported. For optimal performance, Netskope recommends:
     - Using the IP address or geographical coordinates to locate the geographically closest POPs.
     - Configuring at least two POPs for each egress location in your network.
     - Ensuring your POPs don't fall on a new release deployment day. See Recommendation for PoP selection for IPsec/GRE tunnels.
   - Rekey: Select to rekey IPSec SAs when they expire. Netskope recommends using the default setting.
     - If you select rekey only, Netskope initiates the IPSec rekey with a default value of 2 hours.
     - If you select re-authentication only, Netskope initiates the IKE re-authentication with a default value of 24 hours.
     - If you select both rekey and re-authentication, Netskope initiates the IPSec rekey and IKE re-authentication with the default values of 2 hours and 24 hours respectively.
     - If you unselect both, Netskope doesn't initiate rekey or re-authentication. This is the default Netskope behavior. Ensure the rekey and re-authentication settings of your gateways are the same to avoid conflict.
     Netskope doesn't support IKE (Phase 1) rekeying but supports IKE re-authentication, which you can enable in the next option; it is disabled by default.
   - Reauthentication: Select to create new IKE and IPSec SAs when they expire. Netskope recommends using the default setting.
   - Trust X-Forwarded-For Header: Select to trust IP addresses contained in the X-Forwarded-For (XFF) HTTP header at the tunnel level. If you trust XFF at the tenant level, you can't select this option.
     - Apply to all traffic: Use the XFF HTTP header to identify all user traffic going through the IPSec tunnel.
     - Apply to specific NAT/proxy IP(s): Use the XFF HTTP header to identify traffic from specific NAT and proxy IP addresses going through the IPSec tunnel. Click +Add Another to add multiple IP addresses.
6. Click Save and Copy POPs Info to save the IPSec site and copy the Netskope POP info to your clipboard. You need this information to establish the primary and backup IPSec tunnels on your router/firewall.
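The two "Trust X-Forwarded-For Header" modes in the Advanced Settings tab differ in how much an XFF header is trusted, and that matters because any client behind the tunnel can write its own XFF value. The following Python is an added illustration of that decision logic, not Netskope's code, and it assumes a simplified model: the "peer" address is the source IP seen on the tunnel, "all" takes the first valid address in the header, and "specific" only honours the header when the peer is one of the configured NAT/proxy addresses. The sample addresses and headers are constructed.

```python
"""Illustrative model (not Netskope's implementation) of the two XFF trust
modes from the IPSec site Advanced Settings tab.

Assumptions, not taken from the page:
  * peer_ip is the source address observed on the tunnel;
  * mode "all"       -> first valid address in XFF identifies the client;
  * mode "specific"  -> XFF is used only if peer_ip is a configured
                        NAT/proxy address, otherwise peer_ip is used;
  * mode "none"      -> XFF is ignored entirely.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_xff(header: Optional[str]) -> List[IPAddr]:
    """Split an X-Forwarded-For value into valid IP addresses, left to right.

    Entries that are empty or not parseable are dropped, so a malformed or
    hostile header value cannot turn into a bogus identity.
    """
    addrs: List[IPAddr] = []
    if not header:
        return addrs
    for part in header.split(","):
        part = part.strip()
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            continue  # skip junk such as "unknown" or "not-an-ip"
    return addrs


def resolve_client_ip(peer_ip: str, xff: Optional[str], mode: str,
                      trusted_proxies: Iterable[str] = ()) -> str:
    """Return the address that should identify the user for this request."""
    peer = ipaddress.ip_address(peer_ip)
    if mode == "none":
        return str(peer)

    chain = parse_xff(xff)
    if not chain:
        return str(peer)  # no usable header: fall back to the tunnel source

    if mode == "all":
        # Every client in the tunnel is believed; a forged header wins here.
        return str(chain[0])

    if mode == "specific":
        trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
        # Only packets that actually came from a listed NAT/proxy device may
        # carry a header we believe; anything else keeps its real source.
        return str(chain[0]) if peer in trusted else str(peer)

    raise ValueError(f"unknown XFF trust mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: 10.0.0.5 is the on-premises proxy, 10.0.0.99 is a
    # plain host that forges a header claiming to be 192.0.2.10.
    proxies = ("10.0.0.5",)
    print(resolve_client_ip("10.0.0.5", "192.0.2.10", "specific", proxies))
    print(resolve_client_ip("10.0.0.99", "192.0.2.10", "specific", proxies))
    print(resolve_client_ip("10.0.0.99", "192.0.2.10", "all"))
```

Run as a script, the first and third lines print 192.0.2.10 while the second prints 10.0.0.99: the forged header from the untrusted host is honoured under "Apply to all traffic" but discarded under "Apply to specific NAT/proxy IP(s)", which is why the narrower option is preferable whenever only known NAT or proxy devices insert the header.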