Netskope IPSec with Aruba EdgeConnect SD-WAN

Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec VPN tunnels allow you to route web traffic (ports 80 and 443) to Netskope using logical tunnel interfaces that terminate at a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides the parameters for configuring the tunnels on your router.

You can integrate Netskope and Aruba EdgeConnect appliances in two ways:

  • Active – Backup Internet Breakout

    When an EdgeConnect appliance has access to the Internet using a single internet service provider (ISP), the appliance can create IPSec tunnels to a primary Netskope Point of Presence (POP) and a secondary Netskope POP. The tunnel to the primary POP carries all traffic unless the tunnel or POP becomes unavailable. In this case, the traffic automatically fails over to the secondary POP.

  • Active – Active Internet Breakout

    When an EdgeConnect appliance has access to the internet using two internet service providers (e.g., ISP1 and ISP2), the appliance can create four IPSec VPN tunnels to the primary and secondary POPs. Only the primary tunnels from both ISP1 and ISP2 carry the traffic to the primary POP unless one of the primary tunnels or POPs is unavailable. When you create the Business Intent Overlay policies, you can allow the EdgeConnect appliance to load balance traffic to the primary POP using ISP1 and ISP2 by providing the same service name for the primary tunnels from both ISPs. This is a flow-based load balancing method.

This guide illustrates how to configure IPSec tunnels between Netskope and the Aruba EdgeConnect SD-WAN platform running the EdgeConnect OS (ECOS) version 9.2.5.0_94689. To learn more about the steps in ECOS, see the Aruba EdgeConnect SD-WAN Documentation.

Prerequisites

Before configuring IPSec, review the Netskope guidelines.

Creating IPSec Tunnels in Netskope

To create the IPSec tunnels for the Aruba EdgeConnect platform in the Netskope UI:

  1. Go to Settings > Security Cloud Platform > IPSec.
  2. Click Add New Tunnel.
  3. In the Add New IPSec Tunnel window:
    • Tunnel Name: Enter a name for the IPSec tunnel.
    • Source IP Address: (Optional) Enter the source peer IP address (i.e., exit public IP) of the EdgeConnect router that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
    • Source Identity: Enter an IP address, a fully-qualified domain name (FQDN), or an ID in email address format. For example, 1.1.1.1 or sourcelocation@company.com. The router or firewall uses the source identity for authentication during Internet Key Exchange (IKE).
    • Primary Netskope POP: Select the primary Netskope point of presence (POP) closest to you, and copy the IPSec Gateway IP address. You need this information to establish the primary IPSec tunnel on your EdgeConnect router. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

      Note

      FedRAMP High POPs are different from those shown here. Your FedRAMP High tenant will show the available POPs.

    • Failover Netskope POP: Select the backup Netskope POP closest to you, and copy the IPSec Gateway IP address. You need this information to establish the backup IPSec tunnel on your EdgeConnect router. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
    • Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel will use to authenticate one another. The PSK must be unique for each tunnel.
    • Encryption Cipher: Select an encryption algorithm for the IPSec tunnel.
    • Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 1 Gbps option, contact your Sales Representative.
    • Advanced Settings: Click to view the following options.
      • Rekey: Select to rekey SAs when they expire. Netskope recommends using the default setting.
      • Reauthentication: Select to create new IKE and IPSec SAs when they expire. Netskope recommends using the default setting.
      • Trust X-Forwarded-For Header: Select to trust IP addresses contained in the X-Forwarded-For (XFF) HTTP header at the tunnel level. If you trust XFF at the tenant level, you can’t select this option.
        • Apply to all traffic: Use the XFF HTTP header to identify all user traffic going through the IPSec tunnel.
        • Apply to specific NAT/proxy IP(s): Use the XFF HTTP header to identify traffic from specific NAT and proxy IP addresses going through the IPSec tunnel. Click +Add Another to add multiple IP addresses.
    The Add New IPSec Tunnel window configured for F5 Firewall.
  4. Click Add.

Creating IPSec Tunnels in Aruba EdgeConnect SD-WAN

To create the IPSec VPN tunnels in Aruba EdgeConnect SD-WAN:

  1. Log in to Aruba EdgeConnect SD-WAN.

  2. Go to Configuration > Tunnels.

    The Tunnels menu under Configuration.
  3. Click the Edit icon next to the appliance site you want to add a tunnel to.

    The Edit icon for the appliance site.
  4. Choose Passthrough.

    The Passthrough mode for the appliance site.
  5. Click Add Tunnel.

    The Add Tunnel option for the appliance site.
  6. In the Add Passthrough Tunnel window:

    • Alias: Enter a name for the IPSec tunnel.

    • Mode: Choose IPSec.

    • IPSec Suite B Preset: Choose None.

    • Admin: Choose up, which is the default setting for the administrative state of the tunnel.

    • Local IP: Select or enter the IP address of the WAN interface for the IPSec tunnel.

    • Remote IP: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.

    • NAT: Leave as none.

    • Peer/Service: Enter the name of a new service using the IPSec tunnel. You use this service for configuring breakout to Netskope under Business Intent Overlays.

    • Auto max BW enabled: Select this option to let the appliance auto-negotiate the maximum tunnel bandwidth.

    • Max BW Kbps: Unavailable if you selected Auto max BW enabled.

    The General settings in the Add Passthrough Tunnel window.
  7. Click IKE:

    • Pre-shared key: Enter the pre-shared key you entered in the Netskope UI.

    • Authentication Algorithm: Choose SHA2-256.

    • Encryption Algorithm: Choose the encryption cipher you chose in the Netskope UI.

    • Diffie-Hellman Group: Choose 14.

    • Rekey interval/lifetime: Leave as 360 minutes.

    • Dead peer detection:

      • Delay time: Leave as 10 seconds.

      • Retry count: You can’t modify this field.

    • Local IKE identifier: Enter the source identity you entered in the Netskope UI.

    • Remote IKE identifier: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.

    • Phase 1 mode: Leave as Aggressive.

    • IKE Version: Choose IKE v2.

    The IKE settings in the Add Passthrough Tunnel window.
  8. Click IPSec:

    • Authentication algorithm: Choose SHA2-256.

    • Encryption algorithm: Choose auto.

    • IPSec anti-replay window: Choose 1024.

    • Rekey interval/lifetime: Enter 360 minutes and 0 megabytes.

    • Perfect forward secrecy group: Choose 2.

    The IPSec settings in the Add Passthrough Tunnel window.
  9. Click Save.

  10. Repeat the steps to create the backup IPSec tunnel. Use the same values except for the following fields:

    • Alias: Enter a unique name for the backup tunnel.

    • Remote IP: Enter the IPSec Gateway IP address of the failover Netskope POP you copied in the Netskope UI.

    • Peer/Service: Enter a new service name to direct traffic to the backup tunnel.

    • Remote IKE Identifier: Enter the IPSec Gateway IP address of the failover Netskope POP you copied in the Netskope UI.
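As an added pre-deployment check (example code, not Netskope's or Aruba's), the following models the Netskope tunnel fields from the previous section and the EdgeConnect IKE settings above as dictionaries and reports the mismatches that would stop IKE from completing: a PSK, cipher or identifier that differs between the two sides, a remote IKE identifier that is not the POP gateway, and a PSK reused between the primary and backup tunnels. The dictionary keys, the "AES256-GCM" cipher string and 198.51.100.20 (standing in for the failover gateway) are assumptions; 163.116.205.38 is the primary gateway used in this guide.

```python
"""Pre-deployment consistency check between a Netskope IPSec tunnel and the
matching Aruba EdgeConnect passthrough tunnel (added example, not Netskope's or
Aruba's code). Keys mirror the UI labels in this guide; sample values are
constructed and 198.51.100.20 is a placeholder for the failover gateway."""

# IKE settings this guide fixes on the EdgeConnect side for every tunnel.
EXPECTED_IKE = {"version": "IKEv2", "auth": "SHA2-256", "dh_group": 14}

def check_pair(ns: dict, ec: dict) -> list[str]:
    """Reasons IKE would fail for one tunnel pair; empty means both sides agree."""
    ike, problems = ec["ike"], []
    if ns["psk"] != ike["psk"]:
        problems.append("pre-shared key differs between the two sides")
    if ns["cipher"] != ike["encryption"]:
        problems.append("IKE encryption algorithm differs from Netskope cipher")
    # Netskope authenticates the peer by source identity; the local IKE ID must match it.
    if ns["source_identity"] != ike["local_id"]:
        problems.append("local IKE identifier != Netskope source identity")
    # Remote IP and remote IKE identifier are both the selected POP's gateway.
    if ec["remote_ip"] != ns["pop_gateway"]:
        problems.append("remote IP is not the selected POP's IPSec gateway")
    if ike["remote_id"] != ec["remote_ip"]:
        problems.append("remote IKE identifier must equal the remote IP")
    for key, want in EXPECTED_IKE.items():
        if ike.get(key) != want:
            problems.append(f"IKE {key} is {ike.get(key)!r}, expected {want!r}")
    return problems

def check_site(pairs: list[tuple[dict, dict]]) -> dict[str, list[str]]:
    """Per-tunnel checks plus the site rules: unique PSK, distinct POP and service."""
    report = {ec["alias"]: check_pair(ns, ec) for ns, ec in pairs}
    site = report.setdefault("site", [])
    if len({ns["psk"] for ns, _ in pairs}) != len(pairs):
        site.append("the same PSK is reused across tunnels")
    if len({ec["remote_ip"] for _, ec in pairs}) != len(pairs):
        site.append("two tunnels target the same POP gateway")
    if len({ec["service"] for _, ec in pairs}) != len(pairs):
        site.append("two tunnels share a Peer/Service name")
    return {alias: p for alias, p in report.items() if p}

# Constructed sample: a correct primary tunnel, and a backup whose operator
# reused the PSK and pasted the primary POP's address as the remote identifier.
IKE_OK = {"encryption": "AES256-GCM", "local_id": "branch1@example.com", **EXPECTED_IKE}
NS_PRIMARY = {"psk": "psk-primary", "cipher": "AES256-GCM",
              "source_identity": "branch1@example.com", "pop_gateway": "163.116.205.38"}
EC_PRIMARY = {"alias": "Netskope-Primary", "service": "Netskope-Primary", "remote_ip": "163.116.205.38",
              "ike": {**IKE_OK, "psk": "psk-primary", "remote_id": "163.116.205.38"}}
NS_BACKUP = {**NS_PRIMARY, "pop_gateway": "198.51.100.20"}  # same PSK reused: wrong
EC_BACKUP = {"alias": "Netskope-Backup", "service": "Netskope-Backup", "remote_ip": "198.51.100.20",
             "ike": {**IKE_OK, "psk": "psk-primary", "remote_id": "163.116.205.38"}}
SITE = [(NS_PRIMARY, EC_PRIMARY), (NS_BACKUP, EC_BACKUP)]
```

Running `check_site(SITE)` reports only the backup tunnel's wrong remote identifier and the site-wide PSK reuse; a clean report means the values on both sides line up with this guide.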

Adding a Route Policy

You must add a route policy to send traffic through the IPSec tunnel.

To add a route policy:

  1. Go to Configuration > Route Policies.

    The Route Policies menu under Configuration.
  2. Click the Edit icon next to the appliance site you configured a tunnel for.

    The Edit icon for the appliance site.
  3. Click Add Rule.

    The Add Rule option for the appliance site.
  4. Click under Priority to enter a low value so the rule applies first.

    The Priority column in Route Policies.
  5. Click under Set Actions.

    The Set Actions column in Route Policies.
  6. In the Set Actions window:

    • Destination Type: Choose Passthrough Tunnel.

    • Destination: Choose the primary IPSec tunnel name you created earlier. In this example, it’s Netskope-Primary.

    • Fallback: Leave as pass-through.

    The Set Actions window in Route Policies.
  7. Click Save.

  8. Click Save.

Configuring Business Intent Overlay Policies

After creating the IPSec tunnels from the Aruba EdgeConnect appliance to the primary and failover Netskope POPs, you must create Business Intent Overlays (BIOs) that point to those IPSec tunnels. Using access control lists (ACLs), specify the applications that you want to forward to Netskope in the BIO policies.

Before creating a BIO, go to Configuration > Template to create ACLs and apply them to the Aruba EdgeConnect appliance.

To create BIO policies:

  1. Go to Configuration > Business Intent Overlays.

    The Business Intent Overlays menu under Configuration
  2. Click +New.

    The highlighted +New button in the Business Intent Overlays tab.
  3. In the Create Overlay window, enter a name for the overlay.

    The Create Overlay window.
  4. Click the overlay you created.

    The created overlay in the Business Intent Overlays tab.
  5. In the Overlay Configuration window, for Match, choose Overlay ACL.

  6. Click .

  7. In the Associate ACL window, click Add Rule and Save to add an ACL that matches everything.

    The Associate ACL window.
  8. In the SD-WAN Traffic to Internal Subnets tab, drag the Available Interfaces to Build SD-WAN Using These Interfaces to configure your primary and backup interfaces.

    The SD-WAN Traffic to Internal Subnets tab in the Overlay Configuration window.
  9. In the Breakout Traffic to Internet & Cloud Services tab, click next to Available Policies.

  10. In the Services window, under Service Name, enter the primary and backup IPSec tunnel names you created earlier, and click Add. In this example, it’s Netskope-Primary and Netskope-Backup.

    The Services window.
  11. Click Save.

  12. In the Breakout Traffic to Internet & Cloud Services tab, drag the primary and backup IPSec tunnel names under Available Policies to Preferred Policy Order in the desired order.

    The Breakout Traffic to Internet & Cloud Services in the Overlay Configuration window.
  13. Click OK.

  14. Click Save and Apply Changes to Overlays.

  15. Click Save.

Adding a Route Policy for the BIO

  1. Go to Configuration > Route Policies.

    The Route Policies menu under Configuration.
  2. Click the Edit icon next to the appliance site you configured a tunnel for.

    The Edit icon for the appliance site.
  3. Click Add Rule.

    The Add Rule option for the appliance site.
  4. Click under Priority to enter a greater value than the previous routing policy.

    The Priority column in Route Policies.
  5. Click under Set Actions.

    The Set Actions column in Route Policies.
  6. In the Set Actions window:

    • Destination Type: Choose Overlay.

    • Destination: Choose the BIO overlay name you created earlier. In this example, it’s Netskope.

    • Fallback: Choose drop.

    The Set Actions window.
  7. Click Save.

  8. Click Save.

Verifying the IPSec Tunnel Status in Aruba EdgeConnect SD-WAN

To verify the IPSec tunnel status in Aruba EdgeConnect, go to Configuration > Tunnels. The primary and backup tunnels display an up – active status:

The Status column in Tunnels.