Netskope IPSec with Aruba EdgeConnect SD-WAN


Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec VPN tunnels allow you to route web traffic (ports 80 and 443) to Netskope using logical tunnel interfaces that terminate on a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides the parameters for configuring the tunnels on your router.

You can integrate Netskope and Aruba EdgeConnect appliances in two ways:

  • Active – Backup Internet Breakout


    When an EdgeConnect appliance has access to the Internet using a single internet service provider (ISP), the appliance can create IPSec tunnels to a primary Netskope Point of Presence (POP) and a secondary Netskope POP. The tunnel to the primary POP carries all traffic unless the tunnel or POP becomes unavailable. In this case, the traffic automatically fails over to the secondary POP.

  • Active – Active Internet Breakout


    When an EdgeConnect appliance has access to the internet using two internet service providers (e.g., ISP1 and ISP2), the appliance can create four IPSec VPN tunnels to the primary and secondary POPs. Only the primary tunnels from both ISP1 and ISP2 carry the traffic to the primary POP unless one of the primary tunnels or POPs is unavailable. When you create the Business Intent Overlay policies, you can allow the EdgeConnect appliance to load balance traffic to the primary POP using ISP1 and ISP2 by providing the same service name for the primary tunnels from both ISPs. This is a flow-based load balancing method.

This guide illustrates how to configure IPSec tunnels between Netskope and the Aruba EdgeConnect SD-WAN platform running the EdgeConnect OS (ECOS) version 9.2.5.0_94689. To learn more about the steps in ECOS, see the Aruba EdgeConnect SD-WAN Documentation.

Prerequisites

Before configuring IPSec, review the Netskope guidelines.

Creating IPSec Tunnels in Netskope

To create the IPSec VPN tunnels for Aruba EdgeConnect SD-WAN in the Netskope UI, see Creating an IPSec Site.

Creating IPSec Tunnels in Aruba EdgeConnect SD-WAN

To create the IPSec VPN tunnels in Aruba EdgeConnect SD-WAN:

  1. Log in to Aruba EdgeConnect SD-WAN.

  2. Go to Configuration > Tunnels.

    The Tunnels menu under Configuration.
  3. Click the Edit icon next to the appliance site you want to add a tunnel to.

    The Edit icon for the appliance site.
  4. Choose Passthrough.

    The Passthrough mode for the appliance site.
  5. Click Add Tunnel.

    The Add Tunnel option for the appliance site.
  6. In the Add Passthrough Tunnel window:

    • Alias: Enter a name for the IPSec tunnel.

    • Mode: Choose IPSec.

    • IPSec Suite B Preset: Choose None.

    • Admin: Choose up, which is the default setting for the administrative state of the tunnel.

    • Local IP: Select or enter the IP address of the WAN interface for the IPSec tunnel.

    • Remote IP: Enter the IPSec Gateway IP addresses of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.

    • NAT: Leave as none.

    • Peer/Service: Enter the name of a new service using the IPSec tunnel. You use this service for configuring breakout to Netskope under Business Intent Overlays.

    • Auto max BW enabled: Select this option to let the appliance auto-negotiate the maximum tunnel bandwidth.

    • Max BW Kbps: Unavailable if you selected Auto max BW enabled.

    The General settings in the Add Passthrough Tunnel window.
  7. Click IKE:

    • Pre-shared key: Enter the pre-shared key you entered in the Netskope UI.

    • Authentication Algorithm: Choose SHA2-256.

    • Encryption Algorithm: Choose the encryption cipher you chose in the Netskope UI.

    • Diffie-Hellman Group: Choose 14.

    • Rekey interval/lifetime: Leave as 360 minutes.

    • Dead peer detection:

      • Delay time: Leave as 10 seconds.

      • Retry count: You can’t modify this field.

    • Local IKE identifier: Enter the source identity you entered in the Netskope UI.

    • Remote IKE identifier: Enter the IPSec Gateway IP addresses of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.

    • Phase 1 mode: Leave as Aggressive.

    • IKE Version: Choose IKE v2.

    The IKE settings in the Add Passthrough Tunnel window.
  8. Click IPSec:

    • Authentication algorithm: Choose SHA2-256.

    • Encryption algorithm: Choose auto.

    • IPSec anti-replay window: Choose 1024.

    • Rekey interval/lifetime: Enter 360 minutes and 0 megabytes.

    • Perfect forward secrecy group: Choose 2.

    The IPSec settings in the Add Passthrough Tunnel window.
  9. Click Save.

  10. Repeat the steps to create the backup IPSec tunnel. Use the same values except for the following fields:

    • Alias: Enter a unique name for the backup tunnel.

    • Remote IP: Enter the IPSec Gateway IP addresses of the failover Netskope POP you copied in the Netskope UI.

    • Peer/Service: Enter a new service name to direct traffic to the backup tunnel.

    • Remote IKE Identifier: Enter the IPSec Gateway IP addresses of the failover Netskope POP you copied in the Netskope UI.
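The following script is an added example, not Netskope or Aruba code. It audits tunnel definitions against the values this procedure sets: the settings that steps 6 to 9 configure identically on both tunnels, the four fields that step 10 changes on the backup tunnel, and, for the Active – Active breakout described at the start of this guide, the requirement that both primary tunnels share one service name so the Business Intent Overlay can load balance flows across ISP1 and ISP2. The tunnel dictionaries are constructed to mirror the fields of the Add Passthrough Tunnel window; the primary POP address is the one used in this guide, while the WAN addresses, the failover POP address, the source identity and the pre-shared key are placeholders.

```python
"""Audit EdgeConnect passthrough-tunnel definitions against the values in this guide.

Added example, not Netskope or Aruba code. The tunnel dictionaries below are
constructed to mirror the fields of the Add Passthrough Tunnel window; the
WAN addresses, failover POP address, source identity and pre-shared key are
placeholders. The primary POP address is the one the guide uses.
"""

# Settings the guide configures identically on the primary and backup tunnels.
REQUIRED_COMMON = {
    "mode": "IPSec",
    "ike_version": "IKEv2",
    "ike_auth": "SHA2-256",
    "ike_dh_group": 14,
    "phase1_mode": "Aggressive",
    "ipsec_auth": "SHA2-256",
    "ipsec_anti_replay_window": 1024,
    "ipsec_pfs_group": 2,
    "rekey_minutes": 360,
}

# Step 10: the backup tunnel differs from the primary only in these fields.
MUST_DIFFER = ("alias", "remote_ip", "service", "remote_ike_id")

# Fields the backup tunnel copies from the primary (same WAN interface, same
# source identity and pre-shared key as entered in the Netskope UI).
MUST_MATCH = ("local_ip", "local_ike_id", "psk")

PRIMARY = {
    "alias": "Netskope-Primary",
    "role": "primary",
    "local_ip": "198.51.100.10",          # placeholder: WAN address on ISP1
    "remote_ip": "163.116.205.38",        # primary POP gateway from the guide
    "remote_ike_id": "163.116.205.38",
    "local_ike_id": "site1@example.com",  # placeholder source identity
    "service": "Netskope-Primary",
    "psk": "PLACEHOLDER-PSK",
    **REQUIRED_COMMON,
}
BACKUP = {
    **PRIMARY,
    "alias": "Netskope-Backup",
    "role": "backup",
    "remote_ip": "192.0.2.20",            # placeholder: failover POP gateway
    "remote_ike_id": "192.0.2.20",
    "service": "Netskope-Backup",
}

# Active-Active: the same two tunnels again, leaving via the ISP2 interface.
ISP2_PRIMARY = {**PRIMARY, "alias": "Netskope-Primary-ISP2", "local_ip": "203.0.113.10"}
ISP2_BACKUP = {**BACKUP, "alias": "Netskope-Backup-ISP2", "local_ip": "203.0.113.10"}
ACTIVE_ACTIVE = [PRIMARY, BACKUP, ISP2_PRIMARY, ISP2_BACKUP]


def audit_tunnel(t):
    """Return findings for one tunnel; an empty list means it matches the guide."""
    name = t.get("alias", "<unnamed>")
    findings = []
    for key, want in REQUIRED_COMMON.items():
        if t.get(key) != want:
            findings.append(f"{name}: {key} is {t.get(key)!r}, guide uses {want!r}")
    # The remote IKE identifier is the POP gateway address, i.e. the Remote IP.
    if t.get("remote_ike_id") != t.get("remote_ip"):
        findings.append(f"{name}: remote_ike_id does not equal remote_ip")
    for key in ("psk", "local_ike_id"):
        if not t.get(key):
            findings.append(f"{name}: {key} is empty")
    return findings


def audit_pair(primary, backup):
    """Check a primary/backup pair on one ISP interface (Active-Backup breakout)."""
    findings = audit_tunnel(primary) + audit_tunnel(backup)
    for key in MUST_DIFFER:
        if primary.get(key) == backup.get(key):
            findings.append(f"{key} is identical on primary and backup")
    for key in MUST_MATCH:
        if primary.get(key) != backup.get(key):
            findings.append(f"{key} differs between primary and backup")
    return findings


def audit_active_active(tunnels):
    """Check the four-tunnel layout: both primary tunnels share one service name
    (so the BIO can load-balance flows over ISP1 and ISP2) and terminate on the
    same primary POP, and each ISP interface has its own backup tunnel."""
    primaries = [t for t in tunnels if t.get("role") == "primary"]
    backups = [t for t in tunnels if t.get("role") == "backup"]
    if len(primaries) != 2 or len(backups) != 2:
        return [f"expected 2 primary and 2 backup tunnels, got {len(primaries)} and {len(backups)}"]
    findings = []
    if len({t["local_ip"] for t in primaries}) != 2:
        findings.append("primary tunnels must leave via two different ISP interfaces")
    if len({t["service"] for t in primaries}) != 1:
        findings.append("primary tunnels need the same service name to load balance")
    if len({t["remote_ip"] for t in primaries}) != 1:
        findings.append("primary tunnels must terminate on the same primary POP")
    for p in primaries:
        partners = [b for b in backups if b["local_ip"] == p["local_ip"]]
        if len(partners) != 1:
            findings.append(f"{p['alias']}: no backup tunnel on the same ISP interface")
        else:
            findings.extend(audit_pair(p, partners[0]))
    return findings


if __name__ == "__main__":
    print("Active-Backup:", audit_pair(PRIMARY, BACKUP) or "OK")
    print("Active-Active:", audit_active_active(ACTIVE_ACTIVE) or "OK")
```

Running the script prints OK for both layouts; edit one of the dictionaries (for example give the backup tunnel the primary's service name) to see the finding the audit raises before the change reaches the appliance.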

Adding a Route Policy

You must add a route policy to send traffic through the IPSec tunnel.

To add a route policy:

  1. Go to Configuration > Route Policies.

    The Route Policies menu under Configuration.
  2. Click the Edit icon next to the appliance site you configured a tunnel for.

    The Edit icon for the appliance site.
  3. Click Add Rule.

    The Add Rule option for the appliance site.
  4. Click under Priority to enter a low value so the rule applies first.

    The Priority column in Route Policies.
  5. Click under Set Actions.

    The Set Actions column in Route Policies.
  6. In the Set Actions window:

    • Destination Type: Choose Passthrough Tunnel.

    • Destination: Choose the primary IPSec tunnel name you created earlier. In this example, it’s Netskope-Primary.

    • Fallback: Leave as pass-through.

    The Set Actions window in Route Policies.
  7. Click Save.

  8. Click Save.

Configuring Business Intent Overlay Policies

After creating the IPSec tunnels from the Aruba EdgeConnect appliance to the primary and failover Netskope POPs, you must create Business Intent Overlays (BIOs) that point to those IPSec tunnels. Using access control lists (ACLs), specify the applications that you want to forward to Netskope in the BIO policies.

Before creating a BIO, go to Configuration > Template to create ACLs and apply them to the Aruba EdgeConnect appliance.

To create BIO policies:

  1. Go to Configuration > Business Intent Overlays.

    The Business Intent Overlays menu under Configuration.
  2. Click +New.

    The highlighted +New button in the Business Intent Overlays tab.
  3. In the Create Overlay window, enter a name for the overlay.

    The Create Overlay window.
  4. Click the overlay you created.

    The created overlay in the Business Intent Overlays tab.
  5. In the Overlay Configuration window, for Match, choose Overlay ACL.

  6. Click .

  7. In the Associate ACL window, click Add Rule and Save to add an ACL that matches everything.

    The Associate ACL window.
  8. In the SD-WAN Traffic to Internal Subnets tab, drag the Available Interfaces to Build SD-WAN Using These Interfaces to configure your primary and backup interfaces.

    The SD-WAN Traffic to Internal Subnets tab in the Overlay Configuration window.
  9. In the Breakout Traffic to Internet & Cloud Services tab, click next to Available Policies.

  10. In the Services window, under Service Name, enter the primary and backup IPSec tunnel names you created earlier, and click Add. In this example, it’s Netskope-Primary and Netskope-Backup.

    The Services window.
  11. Click Save.

  12. In the Breakout Traffic to Internet & Cloud Services tab, drag the primary and backup IPSec tunnel names under Available Policies to Preferred Policy Order in the desired order.

    The Breakout Traffic to Internet & Cloud Services in the Overlay Configuration window.
  13. Click OK.

  14. Click Save and Apply Changes to Overlays.

  15. Click Save.

Adding a Route Policy for the BIO

  1. Go to Configuration > Route Policies.

    The Route Policies menu under Configuration.
  2. Click the Edit icon next to the appliance site you configured a tunnel for.

    The Edit icon for the appliance site.
  3. Click Add Rule.

    The Add Rule option for the appliance site.
  4. Click under Priority to enter a value greater than that of the previous route policy, so this rule is evaluated after it.

    The Priority column in Route Policies.
  5. Click under Set Actions.

    The Set Actions column in Route Policies.
  6. In the Set Actions window:

    • Destination Type: Choose Overlay.

    • Destination: Choose the BIOs overlay name you created earlier. In this example, it’s Netskope.

    • Fallback: Choose drop.

    The Set Actions window.
  7. Click Save.

  8. Click Save.

Verifying the IPSec Tunnel Status in Aruba EdgeConnect SD-WAN

To verify the IPSec tunnel status in Aruba EdgeConnect, go to Configuration > Tunnels. The primary and backup tunnels display an up – active status:

The Status column in Tunnels.