Netskope IPSec with Aruba EdgeConnect SD-WAN
Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec VPN tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your router.
You can integrate Netskope and Aruba EdgeConnect appliances in two ways:
- Active – Backup Internet Breakout: When an EdgeConnect appliance has access to the Internet using a single internet service provider (ISP), the appliance can create IPSec tunnels to a primary Netskope Point of Presence (POP) and a secondary Netskope POP. The tunnel to the primary POP carries all traffic unless the tunnel or POP becomes unavailable. In this case, the traffic automatically fails over to the secondary POP.
- Active – Active Internet Breakout: When an EdgeConnect appliance has access to the internet using two internet service providers (e.g., ISP1 and ISP2), the appliance can create four IPSec VPN tunnels to the primary and secondary POPs. Only the primary tunnels from both ISP1 and ISP2 carry the traffic to the primary POP unless one of the primary tunnels or POPs is unavailable. When you create the Business Intent Overlay policies, you can allow the EdgeConnect appliance to load balance traffic to the primary POP using ISP1 and ISP2 by providing the same service name for the primary tunnels from both ISPs. This is a flow-based load balancing method.
This guide illustrates how to configure IPSec tunnels between Netskope and the Aruba EdgeConnect SD-WAN platform running the EdgeConnect OS (ECOS) version 9.2.5.0_94689. To learn more about the steps in ECOS, see the Aruba EdgeConnect SD-WAN Documentation.
Prerequisites
Before configuring IPSec, review the Netskope guidelines.
Creating IPSec Tunnels in Netskope
To create the IPSec tunnels for the Aruba EdgeConnect platform in the Netskope UI:
- Go to Settings > Security Cloud Platform > IPSec.
- Click Add New Tunnel.
- In the Add New IPSec Tunnel window:
  - Tunnel Name: Enter a name for the IPSec tunnel.
  - Source IP Address: (Optional) Enter the source peer IP address (i.e., the exit public IP) of the EdgeConnect router that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
  - Source Identity: Enter an IP address, a fully qualified domain name (FQDN), or an ID in email address format, for example, 1.1.1.1 or sourcelocation@company.com. The router or firewall uses the source identity for authentication during Internet Key Exchange (IKE).
  - Primary Netskope POP: Select the primary Netskope point of presence (POP) closest to you, and copy the IPSec Gateway IP address. You need this information to establish the primary IPSec tunnel on your EdgeConnect router. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
    Note: FedRAMP High POPs are different from those shown here. Your FedRAMP High tenant will show the available POPs.
  - Failover Netskope POP: Select the backup Netskope POP closest to you, and copy the IPSec Gateway IP address. You need this information to establish the backup IPSec tunnel on your EdgeConnect router. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
  - Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel will use to authenticate one another. The PSK must be unique for each tunnel.
  - Encryption Cipher: Select an encryption algorithm for the IPSec tunnel.
  - Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 1 Gbps option, contact your Sales Representative.
  - Advanced Settings: Click to view the following options.
    - Rekey: Select to rekey SAs when they expire. Netskope recommends using the default setting.
    - Reauthentication: Select to create new IKE and IPSec SAs when they expire. Netskope recommends using the default setting.
    - Trust X-Forwarded-For Header: Select to trust IP addresses contained in the X-Forwarded-For (XFF) HTTP header at the tunnel level. If you trust XFF at the tenant level, you can’t select this option.
      - Apply to all traffic: Use the XFF HTTP header to identify all user traffic going through the IPSec tunnel.
      - Apply to specific NAT/proxy IP(s): Use the XFF HTTP header to identify traffic from specific NAT and proxy IP addresses going through the IPSec tunnel. Click +Add Another to add multiple IP addresses.
- Click Add.
Creating IPSec Tunnels in Aruba EdgeConnect SD-WAN
To create the IPSec VPN tunnels in Aruba EdgeConnect SD-WAN:
- Log in to Aruba EdgeConnect SD-WAN.
- Go to Configuration > Tunnels.
- Click next to the appliance site you want to add a tunnel to.
- Choose Passthrough.
- Click Add Tunnel.
- In the Add Passthrough Tunnel window:
  - Alias: Enter a name for the IPSec tunnel.
  - Mode: Choose IPSec.
  - IPSec Suite B Preset: Choose None.
  - Admin: Choose up, which is the default setting for the administrative state of the tunnel.
  - Local IP: Select or enter the IP address of the WAN interface for the IPSec tunnel.
  - Remote IP: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.
  - NAT: Leave as none.
  - Peer/Service: Enter the name of a new service using the IPSec tunnel. You use this service for configuring breakout to Netskope under Business Intent Overlays.
  - Auto max BW enabled: Select this option to let the appliance auto-negotiate the maximum tunnel bandwidth.
  - Max BW Kbps: Unavailable if you selected Auto max BW enabled.
- Click IKE:
  - Pre-shared key: Enter the pre-shared key you entered in the Netskope UI.
  - Authentication Algorithm: Choose SHA2-256.
  - Encryption Algorithm: Choose the encryption cipher you chose in the Netskope UI.
  - Diffie-Hellman Group: Choose 14.
  - Rekey interval/lifetime: Leave as 360 minutes.
  - Dead peer detection:
    - Delay time: Leave as 10 seconds.
    - Retry count: You can’t modify this field.
  - Local IKE identifier: Enter the source identity you entered in the Netskope UI.
  - Remote IKE identifier: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.
  - Phase 1 mode: Leave as Aggressive.
  - IKE Version: Choose IKE v2.
- Click IPSec:
  - Authentication algorithm: Choose SHA2-256.
  - Encryption algorithm: Choose auto.
  - IPSec anti-replay window: Choose 1024.
  - Rekey interval/lifetime: Enter 360 minutes and 0 megabytes.
  - Perfect forward secrecy group: Choose 2.
- Click Save.
- Repeat the steps to create the backup IPSec tunnel. Use the same values except for the following fields:
  - Alias: Enter a unique name for the backup tunnel.
  - Remote IP: Enter the IPSec Gateway IP address of the failover Netskope POP you copied in the Netskope UI.
  - Peer/Service: Enter a new service name to direct traffic to the backup tunnel.
  - Remote IKE Identifier: Enter the IPSec Gateway IP address of the failover Netskope POP you copied in the Netskope UI.
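A consistency check for the values entered on both sides, as an added example that is not Netskope or Aruba code: it compares the EdgeConnect passthrough-tunnel fields with the Netskope-side tunnel entries and flags the mismatches the steps above are meant to avoid (gateway IP copied into Remote IP and Remote IKE identifier, source identity into Local IKE identifier, matching PSK and cipher, IKE v2, SHA2-256, DH group 14, 360-minute lifetime) as well as a PSK reused across tunnels. The dictionaries, the PSK placeholders and the 203.0.113.10 backup gateway are constructed sample values; only 163.116.205.38 comes from the guide.

```python
# Added example, not Netskope or Aruba code. All values are constructed samples:
# PSKs are placeholders and 203.0.113.10 stands in for the failover POP gateway.
NETSKOPE_UI = {  # one entry per tunnel created under Settings > IPSec
    "primary": {"gateway": "163.116.205.38", "psk": "PLACEHOLDER-PSK-PRIMARY",
                "source_identity": "sourcelocation@company.com", "cipher": "AES256"},
    "backup": {"gateway": "203.0.113.10", "psk": "PLACEHOLDER-PSK-BACKUP",
               "source_identity": "sourcelocation@company.com", "cipher": "AES256"},
}
EDGECONNECT = {  # passthrough tunnels as entered under Configuration > Tunnels
    "Netskope-Primary": {"role": "primary", "remote_ip": "163.116.205.38",
        "remote_ike_id": "163.116.205.38", "local_ike_id": "sourcelocation@company.com",
        "psk": "PLACEHOLDER-PSK-PRIMARY", "cipher": "AES256", "ike_version": "v2",
        "auth": "SHA2-256", "dh_group": 14, "ike_lifetime_min": 360},
    "Netskope-Backup": {"role": "backup", "remote_ip": "203.0.113.10",
        "remote_ike_id": "203.0.113.10", "local_ike_id": "sourcelocation@company.com",
        "psk": "PLACEHOLDER-PSK-BACKUP", "cipher": "AES256", "ike_version": "v2",
        "auth": "SHA2-256", "dh_group": 14, "ike_lifetime_min": 360},
}
# (EdgeConnect field, Netskope field it must equal): the guide says to copy these across
MUST_MATCH = [("remote_ip", "gateway"), ("remote_ike_id", "gateway"),
              ("local_ike_id", "source_identity"), ("psk", "psk"), ("cipher", "cipher")]
# fixed values the guide prescribes on the IKE tab
MUST_EQUAL = {"ike_version": "v2", "auth": "SHA2-256", "dh_group": 14, "ike_lifetime_min": 360}


def check_tunnel(name, ec, ns):
    """Problems for one EdgeConnect tunnel compared with its Netskope-side entry."""
    problems = []
    for ec_field, ns_field in MUST_MATCH:
        if ec[ec_field] != ns[ns_field]:
            problems.append(f"{name}: {ec_field} must equal Netskope {ns_field} {ns[ns_field]!r}")
    for field, wanted in MUST_EQUAL.items():
        if ec[field] != wanted:
            problems.append(f"{name}: {field} should be {wanted!r}, found {ec[field]!r}")
    return problems


def check_all(edgeconnect=EDGECONNECT, netskope=NETSKOPE_UI):
    """Check every tunnel, plus the rule that each Netskope tunnel has its own PSK."""
    problems = []
    for name, ec in edgeconnect.items():
        problems += check_tunnel(name, ec, netskope[ec["role"]])
    psks = [t["psk"] for t in netskope.values()]
    if len(set(psks)) != len(psks):
        problems.append("the same PSK is used for more than one tunnel; use a unique PSK per tunnel")
    return problems


if __name__ == "__main__":
    print("\n".join(check_all()) or "all tunnel settings are consistent")
```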
Adding a Route Policy
You must add a route policy to send traffic through the IPSec tunnel.
To add a route policy:
- Go to Configuration > Route Policies.
- Click next to the appliance site you configured a tunnel for.
- Click Add Rule.
- Click under Priority to enter a low value so the rule applies first.
- Click under Set Actions.
- In the Set Actions window:
  - Destination Type: Choose Passthrough Tunnel.
  - Destination: Choose the primary IPSec tunnel name you created earlier. In this example, it’s Netskope-Primary.
  - Fallback: Leave as pass-through.
- Click Save.
- Click Save.
Configuring Business Intent Overlay Policies
After creating the IPSec tunnels from the Aruba EdgeConnect appliance to the primary and failover Netskope POPs, you must create Business Intent Overlays (BIOs) that point to those IPSec tunnels. Using access control lists (ACLs), specify the applications that you want to forward to Netskope in the BIO policies.
To create BIO policies:
- Go to Configuration > Business Intent Overlays.
- Click +New.
- In the Create Overlay window, enter a name for the overlay.
- Click the overlay you created.
- In the Overlay Configuration window, for Match, choose Overlay ACL.
- Click .
- In the Associate ACL window, click Add Rule and Save to add an ACL that matches everything.
- In the SD-WAN Traffic to Internal Subnets tab, drag the Available Interfaces to Build SD-WAN Using These Interfaces to configure your primary and backup interfaces.
- In the Breakout Traffic to Internet & Cloud Services tab, click next to Available Policies.
- In the Services window, under Service Name, enter the primary and backup IPSec tunnel names you created earlier, and click Add. In this example, they are Netskope-Primary and Netskope-Backup.
- Click Save.
- In the Breakout Traffic to Internet & Cloud Services tab, drag the primary and backup IPSec tunnel names under Available Policies to Preferred Policy Order in the desired order.
- Click OK.
- Click Save and Apply Changes to Overlays.
- Click Save.
Adding a Route Policy for the BIO
- Go to Configuration > Route Policies.
- Click next to the appliance site you configured a tunnel for.
- Click Add Rule.
- Click under Priority to enter a greater value than the previous routing policy.
- Click under Set Actions.
- In the Set Actions window:
  - Destination Type: Choose Overlay.
  - Destination: Choose the BIO overlay name you created earlier. In this example, it’s Netskope.
  - Fallback: Choose drop.
- Click Save.
- Click Save.
Verifying the IPSec Tunnel Status in Aruba EdgeConnect SD-WAN
To verify the IPSec tunnel status in Aruba EdgeConnect, go to Configuration > Tunnels. The primary and backup tunnels display an up – active status: