Netskope IPSec with Aruba EdgeConnect SD-WAN
Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec VPN tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your router.
You can integrate Netskope and Aruba EdgeConnect appliances in two ways:
- Active – Backup Internet Breakout: When an EdgeConnect appliance has access to the Internet using a single internet service provider (ISP), the appliance can create IPSec tunnels to a primary Netskope Point of Presence (POP) and a secondary Netskope POP. The tunnel to the primary POP carries all traffic unless the tunnel or POP becomes unavailable. In this case, the traffic automatically fails over to the secondary POP.
- Active – Active Internet Breakout: When an EdgeConnect appliance has access to the internet using two internet service providers (e.g., ISP1 and ISP2), the appliance can create four IPSec VPN tunnels to the primary and secondary POPs. Only the primary tunnels from both ISP1 and ISP2 carry the traffic to the primary POP unless one of the primary tunnels or POPs is unavailable. When you create the Business Intent Overlay policies, you can allow the EdgeConnect appliance to load balance traffic to the primary POP using ISP1 and ISP2 by providing the same service name for the primary tunnels from both ISPs. This is a flow-based load balancing method.
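The following model of flow-based breakout selection is an added example, not Aruba's or Netskope's code. It assumes the behaviour the two options above describe: tunnels that share a Peer/Service name form one pool, pools are tried in the Business Intent Overlay's Preferred Policy Order, and each flow is pinned to one tunnel of the first pool that has a tunnel up. The tunnel names, the flows, and the use of SHA-256 over the 5-tuple as the pinning hash are constructed assumptions; the page does not state which hash EdgeConnect uses.

```python
"""Flow-based tunnel selection model (constructed example, not Aruba ECOS code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass
class Tunnel:
    name: str      # tunnel Alias
    service: str   # Peer/Service name; tunnels with equal names form one pool
    up: bool = True


def live_pool(tunnels, preferred_order):
    """Return the up tunnels of the first service in preferred_order that has any tunnel up."""
    for service in preferred_order:
        pool = sorted((t for t in tunnels if t.service == service and t.up), key=lambda t: t.name)
        if pool:
            return pool
    return []


def select_tunnel(flow, tunnels, preferred_order):
    """Pin a flow to one tunnel by hashing its 5-tuple (flow-based, not per-packet)."""
    pool = live_pool(tunnels, preferred_order)
    if not pool:
        return None  # no pool has an up tunnel: the route policy's Fallback applies
    key = f"{flow.proto}|{flow.src_ip}:{flow.src_port}|{flow.dst_ip}:{flow.dst_port}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(pool)
    return pool[idx]


def distribute(flows, tunnels, preferred_order):
    """Count how many flows land on each tunnel name (None = no tunnel available)."""
    counts = {}
    for f in flows:
        t = select_tunnel(f, tunnels, preferred_order)
        name = t.name if t else None
        counts[name] = counts.get(name, 0) + 1
    return counts


def with_down(tunnels, *names):
    """Copy of the tunnel list with the named tunnels marked down (simulated outage)."""
    return [Tunnel(t.name, t.service, t.up and t.name not in names) for t in tunnels]


# Constructed active-active layout: two ISPs, four tunnels, two POPs.
# Both primary tunnels share one service name, so they load balance together.
TUNNELS = [
    Tunnel("ISP1-Primary", "Netskope-Primary"),
    Tunnel("ISP2-Primary", "Netskope-Primary"),
    Tunnel("ISP1-Backup", "Netskope-Backup"),
    Tunnel("ISP2-Backup", "Netskope-Backup"),
]
ORDER = ["Netskope-Primary", "Netskope-Backup"]

# Constructed client flows: 200 connections from one host to one HTTPS server.
FLOWS = [Flow("10.0.0.5", "198.51.100.20", 40000 + i, 443) for i in range(200)]

if __name__ == "__main__":
    print("all up:", distribute(FLOWS, TUNNELS, ORDER))
    print("ISP1 primary down:", distribute(FLOWS, with_down(TUNNELS, "ISP1-Primary"), ORDER))
    print("primary POP down:", distribute(FLOWS, with_down(TUNNELS, "ISP1-Primary", "ISP2-Primary"), ORDER))
```

Because the hash covers the whole 5-tuple, packets of one connection always take the same tunnel, which is what keeps a TCP session from being split across two ISPs; the model also shows that a pool failover moves whole flows, not individual packets, to the backup POP.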
This guide illustrates how to configure IPSec tunnels between Netskope and the Aruba EdgeConnect SD-WAN platform running the EdgeConnect OS (ECOS) version 9.2.5.0_94689. To learn more about the steps in ECOS, see the Aruba EdgeConnect SD-WAN Documentation.
Prerequisites
Before configuring IPSec, review the Netskope guidelines.
Creating IPSec Tunnels in Netskope
To create the IPSec VPN tunnels for Aruba EdgeConnect SD-WAN in the Netskope UI, see Creating an IPSec Site.
Creating IPSec Tunnels in Aruba EdgeConnect SD-WAN
To create the IPSec VPN tunnels in Aruba EdgeConnect SD-WAN:
- Log in to Aruba EdgeConnect SD-WAN.
- Go to Configuration > Tunnels.
- Click next to the appliance site you want to add a tunnel to.
- Choose Passthrough.
- Click Add Tunnel.
- In the Add Passthrough Tunnel window:
  - Alias: Enter a name for the IPSec tunnel.
  - Mode: Choose IPSec.
  - IPSec Suite B Preset: Choose None.
  - Admin: Choose up, which is the default setting for the administrative state of the tunnel.
  - Local IP: Select or enter the IP address of the WAN interface for the IPSec tunnel.
  - Remote IP: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.
  - NAT: Leave as none.
  - Peer/Service: Enter the name of a new service using the IPSec tunnel. You use this service for configuring breakout to Netskope under Business Intent Overlays.
  - Auto max BW enabled: Select this option to let the appliance auto-negotiate the maximum tunnel bandwidth.
  - Max BW Kbps: Unavailable if you selected Auto max BW enabled.
- Click IKE:
  - Pre-shared key: Enter the pre-shared key you entered in the Netskope UI.
  - Authentication Algorithm: Choose SHA2-256.
  - Encryption Algorithm: Choose the encryption cipher you chose in the Netskope UI.
  - Diffie-Hellman Group: Choose 14.
  - Rekey interval/lifetime: Leave as 360 minutes.
  - Dead peer detection:
    - Delay time: Leave as 10 seconds.
    - Retry count: You can’t modify this field.
  - Local IKE identifier: Enter the source identity you entered in the Netskope UI.
  - Remote IKE identifier: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI. In this example, it’s 163.116.205.38.
  - Phase 1 mode: Leave as Aggressive.
  - IKE Version: Choose IKE v2.
- Click IPSec:
  - Authentication algorithm: Choose SHA2-256.
  - Encryption algorithm: Choose auto.
  - IPSec anti-replay window: Choose 1024.
  - Rekey interval/lifetime: Enter 360 minutes and 0 megabytes.
  - Perfect forward secrecy group: Choose 2.
- Click Save.
- Repeat the steps to create the backup IPSec tunnel. Use the same values except for the following fields:
  - Alias: Enter a unique name for the backup tunnel.
  - Remote IP: Enter the IPSec Gateway IP address of the failover Netskope POP you copied in the Netskope UI.
  - Peer/Service: Enter a new service name to direct traffic to the backup tunnel.
  - Remote IKE Identifier: Enter the IPSec Gateway IP address of the failover Netskope POP you copied in the Netskope UI.
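Most tunnel failures in this setup come from a value on the EdgeConnect side not matching what the Netskope UI generated, or from the backup tunnel being cloned from the primary with a field left unchanged. The check below is an added example, not Netskope's or Aruba's tooling: it encodes the rules from the steps above (Remote IP and Remote IKE identifier equal the POP gateway, Local IKE identifier equals the Netskope source identity, pre-shared key and IKE cipher match the Netskope UI, IKE v2, and the backup tunnel differs from the primary only in Alias, Remote IP, Peer/Service and Remote IKE Identifier). It also reports, as a warning rather than an error, a PFS group whose MODP modulus is smaller than the IKE Diffie-Hellman group's (group 2 is 1024-bit, group 14 is 2048-bit). The primary gateway IP is the one from this page; the failover gateway IP, source identity, pre-shared key and cipher are constructed placeholders.

```python
"""Consistency check for a primary/backup Netskope tunnel pair (constructed example)."""
from dataclasses import dataclass, asdict, replace

# Fields in which the backup tunnel is expected to differ from the primary
# (the "Repeat the steps to create the backup IPSec tunnel" list).
BACKUP_MUST_DIFFER = {"alias", "remote_ip", "service", "remote_ike_id"}

# MODP modulus size in bits for the IKE/PFS Diffie-Hellman groups (IANA values).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


@dataclass(frozen=True)
class NetskopeSite:
    """Values shown in the Netskope UI after the IPSec site is created."""
    primary_gateway_ip: str
    failover_gateway_ip: str
    source_identity: str
    psk: str
    encryption_cipher: str


@dataclass(frozen=True)
class EdgeConnectTunnel:
    """Subset of the Add Passthrough Tunnel / IKE / IPSec fields the check reads."""
    alias: str
    remote_ip: str
    service: str
    remote_ike_id: str
    local_ike_id: str
    psk: str
    ike_version: int
    ike_dh_group: int
    ike_encryption: str
    pfs_group: int
    anti_replay_window: int
    rekey_minutes: int


def check_tunnel(t, site, gateway_ip):
    """Compare one tunnel against the values that must come from the Netskope UI."""
    problems = []
    if t.remote_ip != gateway_ip:
        problems.append(f"error: {t.alias}: Remote IP {t.remote_ip} is not the POP gateway {gateway_ip}")
    if t.remote_ike_id != t.remote_ip:
        problems.append(f"error: {t.alias}: Remote IKE identifier must equal Remote IP")
    if t.local_ike_id != site.source_identity:
        problems.append(f"error: {t.alias}: Local IKE identifier does not match the Netskope source identity")
    if t.psk != site.psk:
        problems.append(f"error: {t.alias}: pre-shared key does not match the Netskope UI")
    if t.ike_encryption != site.encryption_cipher:
        problems.append(f"error: {t.alias}: IKE encryption differs from the cipher chosen in Netskope")
    if t.ike_version != 2:
        problems.append(f"error: {t.alias}: IKE version must be 2")
    if MODP_BITS.get(t.pfs_group, 0) < MODP_BITS.get(t.ike_dh_group, 0):
        problems.append(f"warning: {t.alias}: PFS group {t.pfs_group} ({MODP_BITS.get(t.pfs_group)}-bit) "
                        f"is weaker than IKE DH group {t.ike_dh_group} ({MODP_BITS.get(t.ike_dh_group)}-bit)")
    return problems


def check_pair(primary, backup, site):
    """Check both tunnels, then confirm the backup only differs where it should."""
    problems = check_tunnel(primary, site, site.primary_gateway_ip)
    problems += check_tunnel(backup, site, site.failover_gateway_ip)
    p, b = asdict(primary), asdict(backup)
    for name in p:
        if name in BACKUP_MUST_DIFFER:
            if p[name] == b[name]:
                problems.append(f"error: backup {name} must differ from the primary tunnel")
        elif p[name] != b[name]:
            problems.append(f"error: backup {name} ({b[name]}) differs from primary ({p[name]})")
    return problems


def errors(problems):
    """Only the findings that would stop the tunnel from coming up."""
    return [p for p in problems if p.startswith("error:")]


# Constructed site: only the primary gateway IP is taken from the page.
SITE = NetskopeSite(primary_gateway_ip="163.116.205.38", failover_gateway_ip="203.0.113.10",
                    source_identity="site1@example.com", psk="constructed-psk", encryption_cipher="AES256")

PRIMARY = EdgeConnectTunnel(alias="Netskope-Primary", remote_ip=SITE.primary_gateway_ip,
                            service="Netskope-Primary", remote_ike_id=SITE.primary_gateway_ip,
                            local_ike_id=SITE.source_identity, psk=SITE.psk, ike_version=2,
                            ike_dh_group=14, ike_encryption="AES256", pfs_group=2,
                            anti_replay_window=1024, rekey_minutes=360)

# Correct backup: same values except the four fields the page lists.
BACKUP = replace(PRIMARY, alias="Netskope-Backup", remote_ip=SITE.failover_gateway_ip,
                 service="Netskope-Backup", remote_ike_id=SITE.failover_gateway_ip)

# Typical mistakes: mistyped PSK, and the primary POP's IKE identifier left in the backup.
BAD_BACKUP = replace(BACKUP, psk="mistyped-psk", remote_ike_id=SITE.primary_gateway_ip)

if __name__ == "__main__":
    for line in check_pair(PRIMARY, BACKUP, SITE) + check_pair(PRIMARY, BAD_BACKUP, SITE):
        print(line)
```

Run against the correct pair the only output is the PFS warning for each tunnel; against BAD_BACKUP it reports the identifier and pre-shared key problems from both directions, which is the same set of mismatches a practitioner would otherwise have to read out of an IKE authentication failure.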
-
Adding a Route Policy
You must add a route policy to send traffic through the IPSec tunnel.
To add a route policy:
- Go to Configuration > Route Policies.
- Click next to the appliance site you configured a tunnel for.
- Click Add Rule.
- Click under Priority to enter a low value so the rule applies first.
- Click under Set Actions.
- In the Set Actions window:
  - Destination Type: Choose Passthrough Tunnel.
  - Destination: Choose the primary IPSec tunnel name you created earlier. In this example, it’s Netskope-Primary.
  - Fallback: Leave as pass-through.
- Click Save.
- Click Save.
Configuring Business Intent Overlay Policies
After creating the IPSec tunnels from the Aruba EdgeConnect appliance to the primary and failover Netskope POPs, you must create Business Intent Overlays (BIOs) that point to those IPSec tunnels. Using access control lists (ACLs), specify the applications that you want to forward to Netskope in the BIO policies.
To create BIO policies:
- Go to Configuration > Business Intent Overlays.
- Click +New.
- In the Create Overlay window, enter a name for the overlay.
- Click the overlay you created.
- In the Overlay Configuration window, for Match, choose Overlay ACL.
- Click .
- In the Associate ACL window, click Add Rule and Save to add an ACL that matches everything.
- In the SD-WAN Traffic to Internal Subnets tab, drag the Available Interfaces to Build SD-WAN Using These Interfaces to configure your primary and backup interfaces.
- In the Breakout Traffic to Internet & Cloud Services tab, click next to Available Policies.
- In the Services window, under Service Name, enter the primary and backup IPSec tunnel names you created earlier, and click Add. In this example, they are Netskope-Primary and Netskope-Backup.
- Click Save.
- In the Breakout Traffic to Internet & Cloud Services tab, drag the primary and backup IPSec tunnel names under Available Policies to Preferred Policy Order in the desired order.
- Click OK.
- Click Save and Apply Changes to Overlays.
- Click Save.
Adding a Route Policy for the BIO
- Go to Configuration > Route Policies.
- Click next to the appliance site you configured a tunnel for.
- Click Add Rule.
- Click under Priority to enter a greater value than the previous routing policy.
- Click under Set Actions.
- In the Set Actions window:
  - Destination Type: Choose Overlay.
  - Destination: Choose the BIO overlay name you created earlier. In this example, it’s Netskope.
  - Fallback: Choose drop.
- Click Save.
- Click Save.
Verifying the IPSec Tunnel Status in Aruba EdgeConnect SD-WAN
To verify the IPSec tunnel status in Aruba EdgeConnect, go to Configuration > Tunnels. The primary and backup tunnels display an up – active status.