Netskope IPSec with Cisco Firepower

Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your firewall.

This guide illustrates how to configure IPSec tunnels between Netskope and Cisco Firepower appliances running Firepower Management Center (FMC) version 7.0.1. To learn more about the steps in the FMC, see the FMC documentation.

Configuring IPSec Tunnels in Netskope

To create the IPSec VPN tunnels for Cisco Firepower appliances in the Netskope UI, see Creating an IPSec Site.

Configuring the Access Control List

To configure the access lists that will match the traffic that goes inside the tunnel:

  1. In the Firepower Threat Defense (FTD) Management, go to Objects > Object Management.
  2. Select Access List > Extended.
  3. Select the option to create a new access list.
  4. Create the following entry to match all HTTP/HTTPS traffic to the internet:
    • Seq: 1
    • Action: Allow
    • Source: Internal LAN network
    • Source Port: any
    • Destination: any
    • Destination Port: HTTP / HTTPS. You can add non-standard ports, but ensure you add them in Netskope as well.
  5. Create the following entry to allow ICMP from the internal network to the Netskope Probe IP address.
    • Seq: 2
    • Action: Allow
    • Source: Internal LAN network
    • Source Port: any
    • Destination: Netskope Probe IP addresses. You can copy them from the IPSec tunnels you configured in Netskope.
    • Destination Port: ICMP
  6. Click Save then Continue.

Configuring the Phase 1 Proposal

  1. Go to Objects > VPN > IKEv2 Policy.
  2. Select the option to create a new policy.
  3. Configure the phase 1 parameters. For the list of IPSec parameters that Netskope supports, see IPSec.
  4. Click Save then Continue.

Configuring the Phase 2 Proposal

  1. Go to Objects > VPN > IKEv2 IPsec Policy.
  2. Select the option to create a new policy.
  3. Configure the phase 2 parameters. For the list of IPSec parameters that Netskope supports, see IPSec.
  4. Click Save then Continue.

Configuring the Site-To-Site Tunnel

To configure the VPN tunnel:

  1. Under VPN, go to Devices > Site-to-Site.
  2. Select the option to create a new VPN Topology.
  3. In the Edit VPN Topology window:
    • Topology Name: Enter a name for the VPN.
    • Policy Based (Crypto Map): Select.
    • Network Topology: Choose Point to Point.
    • IKE Version: Select IKEv2.
  4. In the Endpoints tab:
    • Node A (Netskope)
      • Device: Select Extranet.
      • Device Name: Enter a name for the device.
      • Static IP: Enter the primary and secondary IPSec GW addresses in the following format: <Primary IPSec GW>,<Secondary IPSec GW>. You can copy these POP addresses in Netskope.
      • Protected Network: NEW.
      • Access List Extended: Select the access list you created above.
    • Node B (FTD)
      • Device: Enter the appliance establishing the tunnel.
      • Interface: The WAN interface.
      • IP Address: The IP address associated with the WAN Interface.
      • Connection Type: Bi-directional.
      • Protected Network: NEW.
      • Access List Extended: Select the access list you created above.
  5. Click the IKE tab.
  6. Under IKEv2 Settings:
    • Policy: Choose the Phase 1 proposal you configured above.
    • Authentication Type: Choose Pre-shared Manual Key.
    • Key: Enter the pre-shared key (PSK) you created in Netskope.
    • Confirm Key: Reenter the PSK.
  7. Click the IPsec tab.
  8. In the IPsec tab:
    • Crypto Map Type: Select Static.
    • IKEv2 Mode: Choose Tunnel.
    • Transform Sets: Next to IKEv2 IPsec Proposals, click the Edit icon, and select the Phase 2 proposal you configured above.
  9. Click the Advanced tab.
  10. Under ISAKMP Settings:
    • Identity Sent to Peers: Choose the identity type that matches the configured FQDN field in Netskope.
    • Peer Identity Validation: Choose Required.

    Under IPsec and Tunnel, use the default settings.

  11. Click Save.

Exempting IPSec Traffic from Existing NAT Rules

The Netskope cloud must see the original client IP addresses to authenticate them. If there is an existing NAT policy, the IPSec traffic must be exempted from it.

  1. Go to Devices > NAT.
  2. Add a new NAT rule above the existing NAT rule that disables NAT for all traffic going through the tunnel.
  3. Under Interface Objects:
    • Source: Internal Networks
    • Destination: Outside-Zone
  4. Click the Translation tab, and configure accordingly.

Configuring a Policy to Steer Traffic through the Tunnel

  1. Go to Policies > Access Control.
  2. Add a new rule:
    • Name: Enter a name for the policy.
    • Insert: Into Mandatory.
    • Action: Allow. If SNORT is used, you can use TRUST.
    • Source Zone: Internal Zone.
    • Destination Zone: Outside-Zone.
    • Source Networks: Internal Subnet(s).
    • Destination Networks: any-ipv4.
  3. Click Save.

Troubleshooting

You can use any of the CLI commands below to troubleshoot the IPSec tunnels in the FMC. The CLI output displays the number of tunnels that are up, the peers, and the negotiated ciphers. You can use this information to verify tunnel establishment or to identify a mismatch in the Phase 1 or Phase 2 parameters.

Troubleshooting Phase 1

Enter the following command to verify if there is a security association (SA) for Phase 1:

# show crypto ikev2 sa

Troubleshooting Phase 2

Enter the following command to verify if there is an SA for Phase 2:

# show crypto ipsec sa
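Reading the two outputs by eye works for one tunnel, but it is easy to miss a single differing parameter. The script below is an added example, not part of the Netskope or Cisco documentation: it parses text shaped like the FTD `show crypto ikev2 sa` and `show crypto ipsec sa` output, reports whether each IKEv2 SA is READY with the Phase 1 proposal you entered in Netskope, and checks the Phase 2 packet counters so that a tunnel that encrypts traffic out but never receives anything back is flagged (revisit the NAT exemption and access list in that case). The sample outputs, the peer addresses and the values in EXPECTED_PHASE1 are constructed assumptions; replace them with your own captured output and the parameters configured on your IPSec site.

```python
"""Check FTD 'show crypto ikev2 sa' / 'show crypto ipsec sa' text against the
Phase 1 proposal configured on the Netskope side. Added example, not vendor code."""
import re

# Constructed sample shaped like FTD "show crypto ikev2 sa"; not captured from a real device.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status   Role
 98765    203.0.113.10/500     198.51.100.20/500     READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1532 sec
Child sa: local selector  10.10.0.0/0 - 10.10.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x5e6f7081
"""

# Constructed excerpt shaped like the counter lines of FTD "show crypto ipsec sa".
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 203.0.113.10

      current_peer: 198.51.100.20

      #pkts encaps: 4821, #pkts encrypt: 4821, #pkts digest: 4821
      #pkts decaps: 5113, #pkts decrypt: 5113, #pkts verify: 5113
"""

# Assumed Phase 1 values, i.e. what was entered for the IPSec site in Netskope; adjust to yours.
EXPECTED_PHASE1 = {"encr": "AES-CBC", "keysize": 256, "hash": "SHA256", "dh_grp": 14}

# One SA row: tunnel id, local addr/port, remote addr/port, status, role.
_TUNNEL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([A-Z_-]+)\s+([A-Z]+)\s*$")
# Negotiated proposal line printed under each SA row.
_PROPOSAL_RE = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),\s*Hash:\s*(?P<hash>\w+),\s*DH Grp:\s*(?P<dh_grp>\d+)"
)
_COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_ikev2_sa(text):
    """Return one dict per IKEv2 SA: peers, status, role and the negotiated Phase 1 proposal."""
    sas = []
    for line in text.splitlines():
        m = _TUNNEL_RE.match(line)
        if m:
            tid, local, remote, status, role = m.groups()
            sas.append({"tunnel_id": int(tid), "local": local, "remote": remote,
                        "status": status, "role": role})
            continue
        m = _PROPOSAL_RE.search(line)
        if m and sas:  # proposal belongs to the most recently seen SA row
            sas[-1].update({"encr": m["encr"], "keysize": int(m["keysize"]),
                            "hash": m["hash"], "dh_grp": int(m["dh_grp"])})
    return sas


def check_phase1(sas, expected=EXPECTED_PHASE1):
    """Return findings as strings; an empty list means every SA is READY with the expected proposal."""
    if not sas:
        return ["no IKEv2 SA present: Phase 1 never completed (check peer IP, PSK and identity)"]
    findings = []
    for sa in sas:
        tag = f"tunnel {sa['tunnel_id']} to {sa['remote']}"
        if sa["status"] != "READY":
            findings.append(f"{tag}: status {sa['status']} (not READY)")
        for key, label in (("encr", "Encr"), ("keysize", "keysize"), ("hash", "Hash"), ("dh_grp", "DH Grp")):
            if key in expected and sa.get(key) != expected[key]:
                findings.append(f"{tag}: {label} {sa.get(key)} != expected {expected[key]}")
    return findings


def parse_ipsec_counters(text):
    """Return {'encaps': n, 'decaps': n} summed over all IPsec SAs in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in _COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def check_phase2(counters):
    """Flag a Phase 2 SA that carries no traffic at all, or sends but never receives."""
    if counters["encaps"] == 0 and counters["decaps"] == 0:
        return ["no packets through the IPsec SA: check that the access list matches the client traffic"]
    if counters["encaps"] > 0 and counters["decaps"] == 0:
        return ["packets encapsulated but none decapsulated: revisit the NAT exemption and access list"]
    return []


if __name__ == "__main__":
    for finding in check_phase1(parse_ikev2_sa(SAMPLE_IKEV2_SA)) + check_phase2(parse_ipsec_counters(SAMPLE_IPSEC_SA)):
        print(finding)
```

Feed the script real output by pasting the text from the diagnostic CLI into the two sample strings (or reading it from files); the proposal regex only recognises the `Encr: ..., keysize: ..., Hash: ..., DH Grp:...` line shape shown in the sample, so inspect a real capture once before relying on it.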