Netskope IPSec with Cisco Meraki MX
Netskope Intelligent Security Service Edge (SSE) is fast, easy to use, and secures your transactions wherever your people and data go. Netskope SSE converges security capabilities into a single cloud platform, allowing one central security policy for all users across the organization, whether on premises or working remotely. This guide shows how to route all internet-bound traffic from a Cisco Meraki MX to Netskope SSE through an IPSec tunnel for traffic inspection, content filtering, and data and threat protection.
For details on the Cisco Meraki MX side of the configuration (Non-Meraki VPN peers), refer to the Cisco Meraki MX documentation.
Note
Cisco Meraki MX routers don't support policy-based forwarding or policy-based routing, so traffic cannot be steered into the tunnel selectively by policy; this guide therefore sends all internet-bound traffic (0.0.0.0/0) through the tunnel.
Prerequisites
Before configuring an IPSec tunnel with Cisco Meraki MX, ensure you have the following:
- Netskope NG-SWG with the Cloud Firewall license.
- Cisco Meraki MX firmware MX 15.12 or later, which lets you configure a Non-Meraki VPN peer with the two following settings the Netskope tunnel requires:
- Choose the IKE version on each Non-Meraki VPN peer. When you choose IKEv2, the Local ID field is enabled; enter the Source Identity from the Netskope IPSec configuration in this field.
- In the IPSec policies, choose Diffie-Hellman group 14.
Creating IPSec Tunnels in Netskope
To create the IPSec VPN tunnels for Cisco Meraki MX in the Netskope UI, see Creating an IPSec Site.
Configuring IPSec Tunnels in Cisco Meraki MX
To create the IPSec tunnels in the Cisco Meraki MX UI:
- Go to Security & SD-WAN > Site-to-site VPN.
- In VPN settings, select the subnets you want to participate in the Netskope SSE VPN.
- In Organization-wide settings, for Non-Meraki VPN peers, click Add a peer.
- Enter the following peer information:
- Name: Enter a name for the tunnel.
- Public IP: Enter the primary IPSec gateway IP address of the Netskope POP.
- Local ID: Enter the source identity IP address you configured for the Netskope IPSec tunnel.
- Private subnets: Enter 0.0.0.0/0 to redirect all internet-bound traffic into the IPSec tunnel.
- IPSec policies: Choose Custom Preset to configure the IPSec Phase 1 and Phase 2 encryption ciphers.
- Preshared secret: Enter the same PSK you configured for the Netskope IPSec tunnel.
- Availability: Enter the network tag applied to the network that the MX router belongs to.
- Configure the IPSec connection parameters: AES-256 encryption, Diffie-Hellman group 14 for the key exchange, a Phase 1 lifetime of 86400 seconds, and a Phase 2 lifetime of 7200 seconds. These must match the values configured on the Netskope IPSec site.
- The MX only negotiates the tunnel once traffic is sent toward it, so you must generate traffic through the tunnel before the correct tunnel status appears on the Cisco Meraki dashboard. Go to Security & SD-WAN > Appliance Status > Tools and source pings from a VPN-participating VLAN to a destination IP address that is routed through the IPSec tunnel.
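The dashboard steps above can also be expressed as a Non-Meraki VPN peer definition and checked against the requirements on this page before it is applied. The following is an added example, not Netskope's or Cisco Meraki's own code. It assumes the peer payload shape of the Meraki Dashboard API v1 thirdPartyVPNPeers endpoint (ikeVersion, localId, privateSubnets, ipsecPolicies and so on); the SHA-256 integrity algorithm is an assumption, since the page names only the cipher, DH group and lifetimes; the POP address, Source Identity, PSK and network tag are placeholders. The push is skipped unless an API key and organization ID are set in the environment, and because that PUT replaces the organization's entire third-party peer list, the script takes the full list rather than a single peer.

```python
"""Build and sanity-check a Meraki Non-Meraki VPN peer for a Netskope IPSec tunnel.

Added example, not Netskope or Cisco code. Payload follows the Meraki Dashboard API v1
thirdPartyVPNPeers schema as understood by the author (assumption). POP IP, Source
Identity, PSK and network tag below are placeholders.
"""
import json
import os
from urllib import request

MERAKI_API = "https://api.meraki.com/api/v1"


def build_peer(name, netskope_pop_ip, source_identity, psk, network_tag):
    """Return one peer entry using the settings this page asks for."""
    return {
        "name": name,
        "publicIp": netskope_pop_ip,        # primary IPSec gateway IP of the Netskope POP
        "localId": source_identity,         # Netskope 'Source Identity' goes in the IKEv2 Local ID
        "privateSubnets": ["0.0.0.0/0"],    # MX has no policy-based routing: steer everything
        "secret": psk,                      # same PSK as configured on the Netskope IPSec site
        "ikeVersion": "2",
        "networkTags": [network_tag],       # 'Availability' tag of the MX's network
        "ipsecPolicies": {
            "ikeCipherAlgo": ["aes256"],
            "ikeAuthAlgo": ["sha256"],      # assumption: page does not name the hash
            "ikeDiffieHellmanGroup": ["group14"],
            "ikeLifetime": 86400,           # Phase 1 lifetime (s)
            "childCipherAlgo": ["aes256"],
            "childAuthAlgo": ["sha256"],    # assumption
            "childPfsGroup": ["group14"],
            "childLifetime": 7200,          # Phase 2 lifetime (s)
        },
    }


def check_peer(peer):
    """Return the list of requirements the peer violates; an empty list means it passes."""
    problems = []
    pol = peer.get("ipsecPolicies", {})
    if peer.get("ikeVersion") != "2":
        problems.append("IKEv2 required")
    elif not peer.get("localId"):
        problems.append("localId (Netskope Source Identity) must be set for IKEv2")
    if "0.0.0.0/0" not in peer.get("privateSubnets", []):
        problems.append("privateSubnets must include 0.0.0.0/0")
    if not peer.get("secret"):
        problems.append("preshared secret missing")
    if pol.get("ikeDiffieHellmanGroup") != ["group14"] or pol.get("childPfsGroup") != ["group14"]:
        problems.append("Diffie-Hellman group 14 required for Phase 1 and Phase 2")
    if pol.get("ikeCipherAlgo") != ["aes256"] or pol.get("childCipherAlgo") != ["aes256"]:
        problems.append("AES-256 required for Phase 1 and Phase 2")
    if pol.get("ikeLifetime") != 86400:
        problems.append("Phase 1 lifetime must be 86400 s")
    if pol.get("childLifetime") != 7200:
        problems.append("Phase 2 lifetime must be 7200 s")
    return problems


def push_peers(org_id, peers, api_key):
    """PUT the complete peer list; this endpoint replaces all third-party peers in the org."""
    body = json.dumps({"peers": peers}).encode()
    req = request.Request(
        f"{MERAKI_API}/organizations/{org_id}/appliance/vpn/thirdPartyVPNPeers",
        data=body, method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values (RFC 5737 documentation addresses); replace with your own.
    peer = build_peer("Netskope-SSE", "203.0.113.10", "198.51.100.7",
                      os.environ.get("NETSKOPE_PSK", "example-psk"), "netskope")
    issues = check_peer(peer)
    print(json.dumps(peer, indent=2))
    print("OK" if not issues else "\n".join(issues))
    if not issues and os.environ.get("MERAKI_API_KEY") and os.environ.get("MERAKI_ORG_ID"):
        print(push_peers(os.environ["MERAKI_ORG_ID"], [peer], os.environ["MERAKI_API_KEY"]))
```

Run it once without credentials to review the payload and the check results; the same check_peer function is useful for catching a peer that was edited in the dashboard to a weaker DH group or a mismatched lifetime, which would leave the tunnel down or flapping after a rekey.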
Troubleshooting
To verify your IPSec tunnel on the Cisco Meraki dashboard, go to Security & SD-WAN > VPN Status; you should see an active Netskope SSE IPSec tunnel.
To verify your IPSec tunnel in the Netskope UI, go to Settings > Security Cloud Platform > IPSec; the tunnel should show an up status with a throughput greater than 0 Kbps.
You can also validate that web traffic is being sent through Netskope SSE by visiting http://notskope.com from a web browser on an endpoint connected to a VLAN whose traffic is steered to the third-party IPSec tunnel.