Netskope IPSec with Cisco IOS

Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your firewall. The IPSec configuration below utilizes Cisco IOS XE commands and concepts.

This guide illustrates how to configure IPSec tunnels between Netskope and the following Cisco routers:

  • Cisco CSR 1000v (VXE) running IOS XE version 17.03.03
  • Cisco ISR 3900 (C3900-UNIVERSALK9-M) running IOS XE version 15.4(3)M3

IPSec has two modes: tunnel mode and transport mode. This guide is for tunnel mode. To learn more about the CLI steps on Cisco IOS XE, see the Cisco documentation.

Prerequisites

Before configuring IPSec, review the prerequisites.

Creating IPSec Tunnels in Netskope

To create the IPSec tunnels for Cisco routers in the Netskope UI:

  1. Go to Settings > Security Cloud Platform > IPSec.
  2. Click Add New Tunnel.
  3. In the Add New IPSec Tunnel window:
    • Tunnel Name: Enter a name for the IPSec tunnel.
    • Source IP Address: (Optional) Enter the source peer IP address (i.e., exit public IP) of the Cisco router that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
    • Source Identity: Enter an IP address, a fully-qualified domain name (FQDN), or an ID in email address format. For example, 1.1.1.1 or sourcelocation@company.com. The router or firewall uses the source identity for authentication during Internet Key Exchange (IKE).
    • Primary Netskope POP: Select the primary Netskope point of presence (POP) closest to you, and copy the IPSec Gateway IP address. You need this information to establish the primary IPSec tunnel on your Cisco router. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
    • Failover Netskope POP: Select the backup Netskope POP closest to you, and copy the IPSec Gateway IP address. You need this information to establish the backup IPSec tunnel on your Cisco router. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
    • Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel will use to authenticate one another. The PSK must be unique for each tunnel.
    • Encryption Cipher: Select an encryption algorithm for the IPSec tunnel.
    • Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 1 Gbps option, contact your Sales Representative.
    • Advanced Settings: Click to view the following options.
      • Rekey: Select to rekey SAs when they expire. Netskope recommends using the default setting.
      • Reauthentication: Select to create new IKE and IPSec SAs when they expire. Netskope recommends using the default setting.
      • Trust X-Forwarded-For Header: Select to trust IP addresses contained in the X-Forwarded-For (XFF) HTTP header at the tunnel level. If you trust XFF at the tenant level, you can’t select this option.
        • Apply to all traffic: Use the XFF HTTP header to identify all user traffic going through the IPSec tunnel.
        • Apply to specific NAT/proxy IP(s): Use the XFF HTTP header to identify traffic from specific NAT and proxy IP addresses going through the IPSec tunnel. Click +Add Another to add multiple IP addresses.
    The configured Add New IPSec Tunnel window.

    Note

    FedRAMP High IPs are different than those shown here. The current list can be found here: https://support.netskope.com/s/article/NewEdge-Consolidated-List-of-IP-Range-for-Allowlisting (a Support account is required).

  4. Click Add.

Configuring the IKEv2 Key Rings

Configure two IKEv2 key rings for your primary and backup IPSec tunnels.

  1. Log in to your Cisco router.
  2. Enter configuration mode:
    # configure terminal
  3. Enter an IKEv2 key ring name for the primary IPSec tunnel:
    (config)# crypto ikev2 keyring nskpkey1
  4. Enter a peer name for the primary IPSec tunnel:
    (config-ikev2-keyring)# peer ipsecgw
  5. Enter the IP address for the peer:
    (config-ikev2-keyring-peer)# address 10.136.176.30
  6. Enter the PSK for the peer:
    (config-ikev2-keyring-peer)# pre-shared-key NetskopeTest
  7. Enter an IKEv2 key ring name for the backup IPSec tunnel:
    (config)# crypto ikev2 keyring nskpkey2
  8. Enter a peer name for the backup IPSec tunnel:
    (config-ikev2-keyring)# peer ipsecgw2
  9. Enter the IP address for the peer:
    (config-ikev2-keyring-peer)# address 10.136.176.31
  10. Enter the PSK for the peer:
    (config-ikev2-keyring-peer)# pre-shared-key NetskopeTest

Configuring the IKEv2 Profiles

Configure two IKEv2 profiles to associate with your IKEv2 key rings. The IKEv2 profiles define the nonnegotiable parameters of the IKE SA.

  1. Enter an IKEv2 profile name for the primary IPSec tunnel:
    (config)# crypto ikev2 profile nsprofile1
  2. Define the match statement for the primary IKEv2 profile:
    (config-ikev2-profile)# match identity remote address 10.136.176.30 255.255.255.255
  3. Enter the local IKEv2 identity:
    (config-ikev2-profile)# identity local fqdn cisco123
  4. Define the remote authentication method:
    (config-ikev2-profile)# authentication remote pre-share
  5. Define the local authentication method:
    (config-ikev2-profile)# authentication local pre-share
  6. Enter the IKEv2 key ring name you configured for the primary IPSec tunnel:
    (config-ikev2-profile)# keyring local nskpkey1
  7. Enable Dead Peer Detection (DPD) and enter an interval:
    (config-ikev2-profile)# dpd 10 2 periodic
  8. Enter an IKEv2 profile name for the backup IPSec tunnel:
    (config)# crypto ikev2 profile nsprofile2
  9. Define the match statement for the backup IKEv2 profile:
    (config-ikev2-profile)# match identity remote address 10.136.176.31 255.255.255.255
  10. Enter the local IKEv2 identity:
    (config-ikev2-profile)# identity local fqdn cisco4567
  11. Define the remote authentication method:
    (config-ikev2-profile)# authentication remote pre-share
  12. Define the local authentication method:
    (config-ikev2-profile)# authentication local pre-share
  13. Enter the IKEv2 key ring name you configured for the backup IPSec tunnel:
    (config-ikev2-profile)# keyring local nskpkey2
  14. Enable DPD and enter an interval:
    (config-ikev2-profile)# dpd 10 2 periodic

Defining the IPSec Transform Set

The transform set defines the security protocols and algorithms that the peers agree to use during the IPSec SA negotiation.

  1. Enter a name for the transform set and define the authentication and encryption algorithms:
    (config)# crypto ipsec transform-set nskptrans esp-gcm 256
  2. Define the IPSec mode:
    (cfg-crypto-trans)# mode tunnel

Configuring the IPSec Profiles

Configure two IPSec profiles to associate with your transform set and IKEv2 profiles.

  1. Enter an IPSec profile name for the primary IPSec tunnel:
    (config)# crypto ipsec profile ipsec-prof-nskp1
  2. Enter the name of the transform set you defined in Defining the IPSec Transform Set:
    (ipsec-profile)# set transform-set nskptrans
  3. Enter the IKEv2 profile name you configured for the primary IPSec tunnel:
    (ipsec-profile)# set ikev2-profile nsprofile1
  4. Enter an IPSec profile name for the backup IPSec tunnel:
    (config)# crypto ipsec profile ipsec-prof-nskp2
  5. Enter the name of the transform set you defined in Defining the IPSec Transform Set:
    (ipsec-profile)# set transform-set nskptrans
  6. Enter the IKEv2 profile name you configured for the backup IPSec tunnel:
    (ipsec-profile)# set ikev2-profile nsprofile2

Creating the Tunnel Interfaces

Create two tunnel interfaces to associate with your IPSec profiles.

  1. Create your primary tunnel interface with an ID:
    (config)# interface Tunnel1
  2. Enter a local IP address for the interface. It can be any one you choose.
    (config-if)# ip address 10.0.0.1 255.255.255.0
  3. Set the tunnel source interface, which is the interface that the tunnel is attached to. It’s typically the public interface of the router.
    (config-if)# tunnel source 192.168.180.3
  4. Define the tunnel mode:
    (config-if)# tunnel mode ipsec ipv4
  5. Set the tunnel destination to the IP address of the primary Netskope POP, which you copied in Creating IPSec Tunnels in Netskope:
    (config-if)# tunnel destination 10.136.176.30
  6. Enter the IPSec profile name you configured for the primary IPSec tunnel:
    (config-if)# tunnel protection ipsec profile ipsec-prof-nskp1
  7. Create your backup tunnel interface with an ID:
    (config)# interface Tunnel2
  8. Enter a local IP address for the interface. It can be any one you choose.
    (config-if)# ip address 9.0.0.1 255.255.255.0
  9. Set the tunnel source interface, which is the interface that the tunnel is attached to. It’s typically the public interface of the router.
    (config-if)# tunnel source 192.168.180.3
  10. Define the tunnel mode:
    (config-if)# tunnel mode ipsec ipv4
  11. Set the tunnel destination to the IP address of the backup Netskope POP, which you copied in Creating IPSec Tunnels in Netskope:
    (config-if)# tunnel destination 10.136.176.31
  12. Enter the IPSec profile name you configured for the backup IPSec tunnel:
    (config-if)# tunnel protection ipsec profile ipsec-prof-nskp2

Configuring the ACL & Route Map

You can use the route map to route only web traffic on ports 80 and 443 through the IPSec tunnels.

To configure an access control list (ACL) and route map:

  1. Create an ACL for the traffic you want to match and apply the route map to:
    (config)# access-list 101 permit tcp any any eq www
    (config)# access-list 101 permit tcp any any eq 443
  2. Define a route map to match traffic against:
    (config)# route-map netskope permit 5
  3. Assign the access-list to the route map you created in Step 2:
    (config-route-map)# match ip address 101
  4. Set the tunnel interfaces in order of priority:
    (config-route-map)# set interface Tunnel1 Tunnel2
  5. Apply the route map to the interface that the traffic must be rerouted from:
    (config-route-map)# interface GigabitEthernet0/1
    (config-if)# ip policy route-map netskope

Sample CLI Configuration

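Below is a sample CLI IPSec tunnel configuration for Cisco routers. The PSK value NetskopeTest is an example; the PSK must be unique for each tunnel, as stated in Creating IPSec Tunnels in Netskope.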

crypto ikev2 keyring nskpkey1
 peer ipsecgw
  address 10.136.176.30
  pre-shared-key NetskopeTest
!         
crypto ikev2 keyring nskpkey2
 peer ipsecgw2
  address 10.136.176.31
  pre-shared-key NetskopeTest
!        
crypto ikev2 profile nsprofile1
 match fvrf any
 match identity remote address 10.136.176.30 255.255.255.255 
 identity local fqdn cisco123
 authentication remote pre-share
 authentication local pre-share
 keyring local nskpkey1
 dpd 10 2 periodic
!         
crypto ikev2 profile nsprofile2
 match fvrf any
 match identity remote address 10.136.176.31 255.255.255.255 
 identity local fqdn cisco4567
 authentication remote pre-share
 authentication local pre-share
 keyring local nskpkey2
 dpd 10 2 periodic
!
crypto ipsec transform-set nskptrans esp-gcm 256 
 mode tunnel
!         
crypto ipsec profile ipsec-prof-nskp1
 set transform-set nskptrans 
 set ikev2-profile nsprofile1
!         
crypto ipsec profile ipsec-prof-nskp2
 set transform-set nskptrans 
 set ikev2-profile nsprofile2
!         
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.168.180.3
 tunnel mode ipsec ipv4
 tunnel destination 10.136.176.30
 tunnel protection ipsec profile ipsec-prof-nskp1
!
interface Tunnel2
 ip address 9.0.0.1 255.255.255.0
 tunnel source 192.168.180.3
 tunnel mode ipsec ipv4
 tunnel destination 10.136.176.31
 tunnel protection ipsec profile ipsec-prof-nskp2
!
interface GigabitEthernet0/0
 description "External network  -  VLAN180"
 ip address 192.168.180.3 255.255.252.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1
 description "Internal network  -  VLAN119"
 ip address 192.168.119.3 255.255.255.0
 ip virtual-reassembly in
 ip policy route-map netskope
 duplex auto
 speed auto
!
route-map netskope permit 5
 match ip address 101
 set interface Tunnel1 Tunnel2
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
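
The following Python check is an added example, not part of the Netskope or Cisco documentation. It follows each Tunnel interface through its IPSec profile, IKEv2 profile and key ring, confirms that the tunnel destination, the profile's match address and the key ring peer address agree, and flags a PSK reused across key rings. The input is constructed from the sample above; `TEMPLATE`, `sections`, `audit` and the peer names `ipsecgw1`/`ipsecgw2` are names chosen for this example.

```python
# Constructed input: both tunnels of the sample configuration above, trimmed to
# the lines that reference one another. TEMPLATE and ipsecgw{n} are example names.
TEMPLATE = """\
crypto ikev2 keyring nskpkey{n}
 peer ipsecgw{n}
  address {gw}
  pre-shared-key NetskopeTest
crypto ikev2 profile nsprofile{n}
 match identity remote address {gw} 255.255.255.255
 keyring local nskpkey{n}
crypto ipsec profile ipsec-prof-nskp{n}
 set ikev2-profile nsprofile{n}
interface Tunnel{n}
 tunnel destination {gw}
 tunnel protection ipsec profile ipsec-prof-nskp{n}
"""
SAMPLE = TEMPLATE.format(n=1, gw="10.136.176.30") + TEMPLATE.format(n=2, gw="10.136.176.31")

def sections(cfg):
    """Map each top-level IOS line to the indented lines beneath it."""
    out, cur = {}, []
    for line in cfg.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace():
            cur.append(line.strip())
        else:
            cur = out.setdefault(line.strip(), [])
    return out

def audit(cfg):
    """Check Tunnel -> IPSec profile -> IKEv2 profile -> key ring, and PSK reuse."""
    sec, findings, psk_rings = sections(cfg), [], {}
    def arg(header, prefix):  # first argument of the first matching sub-line
        return next((l[len(prefix):].split()[0] for l in sec.get(header, [])
                     if l.startswith(prefix + " ")), None)
    for header, body in sec.items():
        name = header.split()[-1]
        if header.startswith("crypto ikev2 keyring "):
            for l in body:
                if l.startswith("pre-shared-key "):
                    psk_rings.setdefault(l.split()[-1], set()).add(name)
        elif header.startswith("interface Tunnel"):
            ipsec = arg(header, "tunnel protection ipsec profile")
            ike = "crypto ikev2 profile %s" % arg("crypto ipsec profile %s" % ipsec, "set ikev2-profile")
            ring = "crypto ikev2 keyring %s" % arg(ike, "keyring local")
            addrs = (arg(header, "tunnel destination"),
                     arg(ike, "match identity remote address"), arg(ring, "address"))
            if None in addrs:
                findings.append(f"{name}: broken reference chain")
            elif len(set(addrs)) > 1:
                findings.append(f"{name}: peer address mismatch {addrs}")
    # Report PSK reuse by key ring name only, never echoing the key itself.
    findings += [f"PSK reused by key rings {sorted(r)}" for r in psk_rings.values() if len(r) > 1]
    return findings
```

Run against the sample as written, `audit(SAMPLE)` reports only the shared PSK, which is the one point where the sample departs from the unique-PSK requirement.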

Troubleshooting

You can use any of the following commands to troubleshoot the IPSec tunnels on the Cisco router:

Troubleshooting Phase 1

Enter the following command to troubleshoot Phase 1:

# show crypto ikev2 sa

The CLI output should be similar to the following:

csr#sh crypto ikev2 session
 IPv4 Crypto IKEv2 Session 
Session-id:3326, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         10.2.10.85/4500       66.151.135.63/4500    none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/11454 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x8013BA61/0xC34C9E57  
Session-id:3325, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.2.10.85/4500       163.116.136.184/4500  none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/19347 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x49262441/0xC09E0275  
 IPv6 Crypto IKEv2 Session 

csr#sh crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 
Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         10.2.10.85/4500       66.151.135.63/4500    none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/11123 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.2.10.85/4500       163.116.136.184/4500  none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/19016 sec
 IPv6 Crypto IKEv2  SA 

Troubleshooting Phase 2

Enter the following command to troubleshoot Phase 2:

# show crypto ipsec sa

The CLI output should be similar to the following:

csr#sh crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.2.10.85
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 163.116.136.184 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 151253, #pkts encrypt: 151253, #pkts digest: 151253
    #pkts decaps: 3771, #pkts decrypt: 3771, #pkts verify: 3771
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.2.10.85, remote crypto endpt.: 163.116.136.184
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xC5EB7597(3320542615)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x7B464481(2068202625)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 17496, flow_id: CSR:15496, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (2560/73)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC5EB7597(3320542615)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 17495, flow_id: CSR:15495, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (2552/73)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 10.2.10.85
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 66.151.135.63 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
    #pkts decaps: 112, #pkts decrypt: 112, #pkts verify: 112
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.2.10.85, remote crypto endpt.: 66.151.135.63
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xCF1B446D(3474670701)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x5C1B62E4(1545298660)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 17494, flow_id: CSR:15494, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
         sa timing: remaining key lifetime (k/sec): (2560/46)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xCF1B446D(3474670701)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 17493, flow_id: CSR:15493, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
         sa timing: remaining key lifetime (k/sec): (2560/46)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
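
As an added example (not from the Netskope or Cisco documentation), the Python code below parses `show crypto ipsec sa` output like the above and reports, per tunnel interface, a missing ACTIVE ESP SA in either direction, packets encapsulated with none decapsulated, and non-zero send/receive errors. The input is constructed from the output above with Tunnel2 altered to show a failure; the function names and the choice of what to flag are assumptions of this example.

```python
import re

# Constructed sample: trimmed from the "show crypto ipsec sa" output above, with
# Tunnel2 altered (no decaps, no inbound SA) to show what a failure looks like.
SAMPLE = """\
interface: Tunnel1
    #pkts encaps: 151253, #pkts encrypt: 151253, #pkts digest: 151253
    #pkts decaps: 3771, #pkts decrypt: 3771, #pkts verify: 3771
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x7B464481(2068202625)
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0xC5EB7597(3320542615)
        Status: ACTIVE(ACTIVE)
interface: Tunnel2
    #pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
     outbound esp sas:
      spi: 0xCF1B446D(3474670701)
        Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(output):
    """Return {interface: counters and ESP SA states} from 'show crypto ipsec sa'."""
    tunnels, cur, direction = {}, None, None
    for s in map(str.strip, output.splitlines()):
        if m := re.match(r"interface: (\S+)", s):
            cur = tunnels[m[1]] = {"encaps": 0, "decaps": 0, "errors": 0,
                                   "inbound": [], "outbound": []}
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            cur["errors"] = int(m[1]) + int(m[2])
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", s):
            direction = m[1] if m[2] == "esp" else None  # ignore AH/PCP sections
        elif direction and (m := re.match(r"Status: (\w+)", s)):
            cur[direction].append(m[1])
    return tunnels

def findings(output):
    """List per-tunnel problems worth a closer look (example heuristics)."""
    out = []
    for name, t in parse_ipsec_sa(output).items():
        out += [f"{name}: no ACTIVE {d} ESP SA" for d in ("inbound", "outbound")
                if "ACTIVE" not in t[d]]
        if t["encaps"] and not t["decaps"]:
            out.append(f"{name}: packets sent but none received")
        if t["errors"]:
            out.append(f"{name}: {t['errors']} send/recv errors")
    return out
```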