Netskope IPSec with Versa Director

This guide explains the network and system configuration needed to connect the Versa Operating System (VOS), managed through Versa Director, to the Netskope Security Cloud Platform's Next Generation Secure Web Gateway (NG-SWG).

This document is for experienced network and system administrators who are responsible for configuring and managing public and private cloud infrastructure. It assumes familiarity with virtualization concepts and technologies and with the setup of network devices.

Supported Software Versions

  • Versa Director: 20.2.1
  • Versa Analytics: 20.2.1
  • Versa VOS: 20.2.1
  • Netskope R73+

Description

This guide covers a Versa SD-WAN deployment in which internet traffic must be forwarded to Netskope's Next Generation Secure Web Gateway. It captures the configuration of the Versa Operating System (VOS) through Versa Director (the orchestrator) and the corresponding Netskope configuration.

Netskope interoperability with Versa branches is achieved with a site-to-site IPsec VPN or a GRE tunnel from the Versa WAN-Edge device to a Netskope NG-SWG point of presence, using the endpoint parameters (gateway IP addresses and pre-shared key) provided by Netskope.

Both Netskope and Versa support IKEv2/IPsec and GRE-based tunnels. This guide covers the IKEv2/IPsec option; note that only IPsec encrypts the traffic in transit, a GRE tunnel carries it in the clear.

Topology

[Topology diagram: VersaTopology.png]

Configuration Information

To establish the IPsec tunnels, the following values must be exchanged between the Netskope tunnel definition and the Versa VPN profiles. The names in parentheses are the CLI leaves that appear in the sample configuration later in this guide.

  SWG (Netskope) parameter         | Versa parameter                                                      | Description
  ---------------------------------|----------------------------------------------------------------------|-------------------------------------------------------------
  Source Identity                  | Local Auth IP Identifier (local-auth-info id-string)                  | Versa WAN IP presented as the IKE local identity; Netskope uses it to authenticate and recognise the tunnel
  Primary Netskope POP gateway IP  | Peer IP and Peer Auth Identity of netskope-gw-1 (peer address, peer-auth-info id-string) | Endpoint of the primary tunnel
  Failover Netskope POP gateway IP | Peer IP and Peer Auth Identity of netskope-gw-2 (peer address, peer-auth-info id-string) | Endpoint of the backup tunnel
  Pre-Shared Key (PSK)             | PSK (local-auth-info key, peer-auth-info key)                         | Pre-shared key; must be identical on both sides
  (not configured on Netskope)     | Policy: match HTTP and HTTPS                                          | Traffic selectors for the policy-based tunnel
  IKE Version v2                   | IKE Version v2                                                        | Both sides use IKEv2

Creating IPSec Tunnels in Versa Director

  1. In Versa Director, go to Workflows.
  2. Expand Template, then click Templates.
  3. Click the add (+) icon to create a new workflow template.
  4. In the General, Interfaces, and Routing tabs, configure your basic information.
  5. Click the Tunnels tab.
  6. Under Split Tunnels, configure the DIA (direct internet access) tunnel from your LAN VR for DNS queries.
  7. In the Site to Site Tunnels section:
    1. Enter an appropriate name for the tunnel.
    2. For Peer Type, select Unmanaged.
    3. Select a WAN network.
    4. Select the customer LAN VRF.
    5. Select + Add New from the Vpn Profile dropdown to configure a new VPN profile.
  8. In the Create Authentication Profile window:
    1. Enter an appropriate VPN Profile Name.
    2. Select IKE Version v2.
    3. Select IKE Transform aes128-sha512.
    4. Select IPSec Transform esp-aes128-sha512.
    5. Set No. of tunnels to 2 (one for the primary Netskope POP and one for the failover POP).
    6. Configure a Peer Auth PSK Key. Use a long, randomly generated key; the value 1234 that appears in the sample CLI output later in this guide is a placeholder, not a usable key.
    7. Enter the Netskope WAN IP (the IPSec Gateway IP of the POP) as the Peer Auth IP Identifier Identity.
    8. Select Tunnel Config as Policy Based.
  9. In Policy Configuration, click the add (+) icon to add two policies:
    1. Add a policy to accept HTTP traffic, and click OK.
    2. Add another policy to accept HTTPS traffic, and click OK.
  10. Click OK.
  11. Click the green add (+) icon next to the tunnel configuration to add the tunnel.
  12. Configure the Inbound NAT, Services, and Management Servers tabs per your requirements, and click Recreate to create the workflow template.
  13. Go to Configuration > Templates > Device Templates, and select the template you created in the previous step to open the template configuration view.
  14. Go to Services > IPSec > VPN Profiles. Because two tunnels were selected, two separate VPN profiles have been created: netskope-gw-1 and netskope-gw-2.
  15. Click netskope-gw-1 to edit it, and click the IKE tab.
  16. Change the DH group to Diffie-Hellman Group 14 (2048-bit; shown as mod14 in the CLI).
  17. Click the IPSec tab, change the PFS DH group to Diffie-Hellman Group 14 (2048-bit), and click OK.
  18. Click netskope-gw-2, and change the Peer IP to the backup tunnel endpoint (the failover POP gateway IP).
  19. Click the IKE tab, change the DH group to Diffie-Hellman Group 14 (2048-bit), and change the Peer Auth Identity to the backup tunnel endpoint.
  20. Click the IPsec tab, change the PFS DH group to Diffie-Hellman Group 14 (2048-bit), and click OK.
  21. Go to Workflows > Devices > Devices, and add a device based on the workflow template created in the previous steps. Enter the basic information in the Basic tab, including the Device Service Template, and in the other tabs.
  22. Click the Tunnel Information tab, and verify that the tunnel information is auto-populated. Supply any values that are not filled in.
  23. In the Bind Data section, enter your bind data information, and click OK:
    1. netskope-gw-1_Local_auth_ip_identifier__IKELIdentifier is the Versa source WAN IP for the primary tunnel. Copy it; it becomes the Source Identity in the Netskope UI.
    2. netskope-gw-1_Local_auth_key__IKELKey is the pre-shared key for the primary tunnel. Copy it; it becomes the PSK in the Netskope UI.
    3. netskope-gw-2_Local_auth_ip_identifier__IKELIdentifier is the Versa source WAN IP for the backup tunnel. It must be the same identity as for the primary tunnel, because the Netskope tunnel definition has a single Source Identity that covers the primary and failover POPs.
    4. netskope-gw-2_Local_auth_key__IKELKey is the pre-shared key for the backup tunnel. Enter the same key as for the primary tunnel, because the Netskope tunnel definition likewise has a single PSK field for both POPs.
  24. Deploy the device workflow configuration and onboard the device.

Verification

  1. Go to the Monitor tab, select Organization > Devices, and select a device.
  2. Click Services > IPSEC > IPSEC Security Association, and select netskope-gw-1 from the drop-down list to verify the primary tunnel status.
  3. Select netskope-gw-2 to verify the backup tunnel status.

An established security association shows that IKE authentication with the POP succeeded; it does not show that traffic is being steered into the tunnel. With a policy-based tunnel only flows that match the HTTP and HTTPS rules are encapsulated, so also confirm from a LAN host that web traffic egresses through the Netskope POP (for example by checking the public IP that a web service reports) while other traffic, such as DNS, follows the DIA path.

Creating IPSec Tunnels in Netskope

To create the IPSec tunnel definition for the Versa device in the Netskope UI (one definition covers the primary and failover POPs, so it corresponds to both Versa VPN profiles):

  1. Go to Settings > Security Cloud Platform > IPSec.
  2. Click Add New Tunnel.
  3. In the Add New IPSec Tunnel window:
    • Tunnel Name: Enter a name for the IPSec tunnel.
    • Source IP Address: (Optional) Enter the source peer IP address (the exit public IP) of the Versa router from which Netskope will receive packets. Netskope identifies traffic belonging to your organization by your router or firewall IP addresses.
    • Source Identity: Enter the local-auth-info id-string from the VOS configuration (the netskope-gw-1_Local_auth_ip_identifier__IKELIdentifier bind-data value, which in this guide is the Versa WAN IP). The router or firewall presents this identity during Internet Key Exchange (IKE) authentication.
    • Primary Netskope POP: Select the Netskope point of presence (POP) closest to you, and copy its IPSec Gateway IP address. This is the Peer IP and Peer Auth Identity of the primary Versa profile (netskope-gw-1). For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

      Note

      FedRAMP High POPs are different from those shown here. Your FedRAMP High tenant shows the POPs available to it.

    • Failover Netskope POP: Select the next closest Netskope POP, and copy its IPSec Gateway IP address. This is the Peer IP and Peer Auth Identity of the backup Versa profile (netskope-gw-2).
    • Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel use to authenticate one another. It must match the local-auth-info key of both Versa profiles, and it must be unique for each tunnel definition.
    • Encryption Cipher: Select an encryption algorithm for the IPSec tunnel. Choose one that matches the IPSec transform configured on the Versa side (esp-aes128-sha512 in this guide), otherwise the proposals will not negotiate.
    • Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 1 Gbps option, contact your Sales Representative.
    • Advanced Settings: Click to view the following options.
      • Rekey: Select to rekey SAs when they expire. For Versa Director, Netskope recommends deselecting this option.
      • Reauthentication: Select to create new IKE and IPSec SAs when they expire. For Versa Director, Netskope recommends deselecting this option.
      With both options deselected, rekeying is driven from the Versa side according to its own configured lifetimes (28800 seconds for both IKE and IPsec in the sample configuration below, with tunnel-initiate automatic).
  4. Click Add.

To view the IPSec tunnel information, click the tunnel name. If the IPSec tunnel configuration is successful, the Status will be Up.

Sample CLI Configuration

Below is a sample CLI IPsec tunnel configuration captured from a Versa branch. Two points to check against your own output: the pre-shared key 1234 is a placeholder and must be replaced by a long random key that matches the PSK of the Netskope tunnel definition; and in this capture netskope-gw-2 carries only the http rule, so HTTPS traffic would not fail over to the backup tunnel until an https rule identical to the one on netskope-gw-1 is added. Note also that because the rules specify protocol any, they match UDP as well as TCP on ports 80 and 443, so QUIC on UDP/443 is steered into the tunnel too.

admin@branch-cloud-1-cli> show configuration orgs org-services testdemo ipsec vpn-profile netskope-gw-1
vpn-type                site-to-site;
local-auth-info {
    auth-type psk;
    id-type   ip;
    key       1234;
    id-string 54.189.122.221;
}
local {
    interface-name vni-0/0.0;
}
routing-instance        AWS-INTERNET-Transport-VR;
tunnel-routing-instance testdemo-LAN-VR;
tunnel-initiate         automatic;
ipsec {
    fragmentation pre-fragmentation;
    force-nat-t   disable;
    transform     esp-aes128-sha512;
    mode          tunnel;
    pfs-group     mod14;
    anti-replay   enable;
    life {
        duration 28800;
    }
}
ike {
    version     v2;
    group       mod14;
    transform   aes128-sha512;
    lifetime    28800;
    dpd-timeout 30;
}
peer-auth-info {
    auth-type psk;
    id-type   ip;
    key       1234;
    id-string 8.36.116.114;
}
peer {
    address [ 8.36.116.114 ];
}
rule http {
    protocol any;
    src {
        inet 0.0.0.0/0;
        port 0;
    }
    dst {
        inet 0.0.0.0/0;
        port 80;
    }
}
rule https {
    protocol any;
    src {
        inet 0.0.0.0/0;
        port 0;
    }
    dst {
        inet 0.0.0.0/0;
        port 443;
    }
}
[ok][2020-05-15 11:58:36]
admin@branch-cloud-1-cli>
admin@branch-cloud-1-cli> show configuration orgs org-services testdemo ipsec vpn-profile netskope-gw-2
vpn-type                site-to-site;
local-auth-info {
    auth-type psk;
    id-type   ip;
    key       1234;
    id-string 54.189.122.221;
}
local {
    interface-name vni-0/0.0;
}
routing-instance        AWS-INTERNET-Transport-VR;
tunnel-routing-instance testdemo-LAN-VR;
tunnel-initiate         automatic;
ipsec {
    fragmentation pre-fragmentation;
    force-nat-t   disable;
    transform     esp-aes128-sha512;
    mode          tunnel;
    pfs-group     mod14;
    anti-replay   enable;
    life {
        duration 28800;
    }
}
ike {
    version     v2;
    group       mod14;
    transform   aes128-sha512;
    lifetime    28800;
    dpd-timeout 30;
}
peer-auth-info {
    auth-type psk;
    id-type   ip;
    key       1234;
    id-string 163.116.132.38;
}
peer {
    address [ 163.116.132.38 ];
}
rule http {
    protocol any;
    src {
        inet 0.0.0.0/0;
        port 0;
    }
    dst {
        inet 0.0.0.0/0;
        port 80;
    }
}
[ok][2020-05-15 11:59:09]
admin@branch-cloud-1-cli>

Display SET View

admin@branch-cloud-1-cli> show configuration orgs org-services testdemo ipsec vpn-profile netskope-gw-1 | display set
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 vpn-type site-to-site
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local-auth-info
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local-auth-info auth-type psk
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local-auth-info id-type ip
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local-auth-info key 1234
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local-auth-info id-string 54.189.122.221
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 local interface-name vni-0/0.0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 routing-instance AWS-INTERNET-Transport-VR
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 tunnel-routing-instance testdemo-LAN-VR
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 tunnel-initiate automatic
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec fragmentation pre-fragmentation
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec force-nat-t disable
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec transform esp-aes128-sha512
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec mode tunnel
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec pfs-group mod14
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec anti-replay enable
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ipsec life duration 28800
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ike version v2
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ike group mod14
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ike transform aes128-sha512
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ike lifetime 28800
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 ike dpd-timeout 30
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer-auth-info
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer-auth-info auth-type psk
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer-auth-info id-type ip
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer-auth-info key 1234
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer-auth-info id-string 8.36.116.114
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 peer address [ 8.36.116.114 ]
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule http protocol any
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule http src inet 0.0.0.0/0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule http src port 0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule http dst inet 0.0.0.0/0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule http dst port 80
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule https protocol any
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule https src inet 0.0.0.0/0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule https src port 0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule https dst inet 0.0.0.0/0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-1 rule https dst port 443
[ok][2020-05-15 11:59:45]
admin@branch-cloud-1-cli> show configuration orgs org-services testdemo ipsec vpn-profile netskope-gw-2 | display set
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 vpn-type site-to-site
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info auth-type psk
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info id-type ip
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info key 1234
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info id-string 54.189.122.221
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local interface-name vni-0/0.0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 routing-instance AWS-INTERNET-Transport-VR
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 tunnel-routing-instance testdemo-LAN-VR
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 tunnel-initiate automatic
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec fragmentation pre-fragmentation
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec force-nat-t disable
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec transform esp-aes128-sha512
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec mode tunnel
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec pfs-group mod14
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec anti-replay enable
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec life duration 28800
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike version v2
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike group mod14
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike transform aes128-sha512
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike lifetime 28800
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike dpd-timeout 30
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info auth-type psk
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info id-type ip
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info key 1234
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info id-string 163.116.132.38
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer address [ 163.116.132.38 ]
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 rule http protocol any
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 rule http src inet 0.0.0.0/0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 rule http src port 0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 rule http dst inet 0.0.0.0/0
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 rule http dst port 80
[ok][2020-05-15 11:59:51]
admin@branch-cloud-1-cli>
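The parameter mapping in the Configuration Information table and the two profiles above lend themselves to a small tool. The following Python, added here as an example and not code from Netskope or Versa, renders both Versa VPN profiles from the Netskope tunnel parameters (one Source Identity and one PSK shared by the primary and failover profiles, as the single Netskope tunnel definition implies) and audits a `display set` dump for the settings this guide calls for: IKEv2, DH group 14 for IKE and PFS, the AES-128/SHA-512 transforms, matching local and peer PSKs, and both an http and an https rule on every profile. The set-command syntax is copied from the sample above; the organisation name, routing instances and the 20-character PSK threshold are assumptions of the example. Run against the page's own netskope-gw-2 excerpt it flags the placeholder PSK 1234 and the missing https rule.

```python
"""Added example (not Versa or Netskope code): build both Versa VPN profiles from
the Netskope tunnel parameters, and audit a 'display set' dump against the settings
this guide recommends. Set-command syntax follows the sample above; the 20-character
PSK threshold is an assumption of this example, not a vendor requirement."""
import re
import secrets
from collections import defaultdict

SET_RE = re.compile(r"^set orgs org-services (\S+) ipsec vpn-profile (\S+) (.*)$")

# Constructed sample: the netskope-gw-2 excerpt from this page, trimmed, with the
# [ok] marker left in to show that non-set lines are ignored.
SAMPLE_SET_VIEW = """\
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info auth-type psk
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info key 1234
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 local-auth-info id-string 54.189.122.221
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec transform esp-aes128-sha512
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec pfs-group mod14
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ipsec anti-replay enable
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike version v2
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike group mod14
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 ike transform aes128-sha512
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info key 1234
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer-auth-info id-string 163.116.132.38
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 peer address [ 163.116.132.38 ]
set orgs org-services testdemo ipsec vpn-profile netskope-gw-2 rule http dst port 80
[ok][2020-05-15 11:59:51]
"""

def parse_set_view(text):
    """Map each profile name to {leaf path: value}, e.g. {'ike group': 'mod14'}."""
    profiles = defaultdict(dict)
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:            # prompt, [ok] marker or blank line
            continue
        _org, name, rest = m.groups()
        if "[" in rest:      # list-valued leaf: 'peer address [ 1.2.3.4 ]'
            path, value = (s.strip(" ]") for s in rest.split("[", 1))
        else:
            *path, value = rest.split()
            if not path:     # container-only line such as 'local-auth-info'
                continue
            path = " ".join(path)
        profiles[name][path] = value
    return dict(profiles)

REQUIRED = {"ike version": "v2", "ike group": "mod14", "ipsec pfs-group": "mod14",
            "ike transform": "aes128-sha512", "ipsec transform": "esp-aes128-sha512",
            "ipsec anti-replay": "enable", "local-auth-info auth-type": "psk"}

def audit_profile(p):
    """Return findings for one profile; an empty list means it matches the guide."""
    findings = [f"{path} is {p.get(path)!r}, expected {want!r}"
                for path, want in REQUIRED.items() if p.get(path) != want]
    psk = p.get("local-auth-info key", "")
    if len(psk) < 20 or psk.isdigit():   # assumed threshold; 1234 is a placeholder
        findings.append("pre-shared key is short or digits-only")
    if psk != p.get("peer-auth-info key"):
        findings.append("local and peer pre-shared keys differ")
    if p.get("peer-auth-info id-string") != p.get("peer address"):
        findings.append("peer identity does not match peer address")
    for rule, port in (("http", "80"), ("https", "443")):
        if p.get(f"rule {rule} dst port") != port:
            findings.append(f"missing traffic selector for {rule} (dst port {port})")
    return findings

def audit_set_view(text):
    """Audit every profile, plus the cross-profile rules implied by one Netskope
    tunnel entry: same Source Identity and PSK, different POP endpoints."""
    profiles = parse_set_view(text)
    report = {name: audit_profile(p) for name, p in profiles.items()}
    if len(profiles) > 1:
        vals = lambda leaf: [p.get(leaf) for p in profiles.values()]
        checks = [(len(set(vals("local-auth-info id-string"))) > 1,
                   "profiles present different Source Identities to Netskope"),
                  (len(set(vals("local-auth-info key"))) > 1,
                   "profiles use different PSKs; Netskope has one PSK per tunnel entry"),
                  (len(set(vals("peer address"))) < len(profiles),
                   "primary and backup profiles point at the same POP")]
        report["_cross_profile"] = [msg for bad, msg in checks if bad]
    return report

def render_profile(name, org, wan_ip, peer_ip, psk, transport_vr, lan_vr):
    """Emit the set commands for one policy-based IKEv2 profile as in the sample
    above: DH group 14 for IKE and PFS, AES-128/SHA-512, http and https rules."""
    base = f"set orgs org-services {org} ipsec vpn-profile {name}"
    leaves = [("vpn-type", "site-to-site"),
              ("local-auth-info auth-type", "psk"), ("local-auth-info id-type", "ip"),
              ("local-auth-info key", psk), ("local-auth-info id-string", wan_ip),
              ("local interface-name", "vni-0/0.0"), ("tunnel-initiate", "automatic"),
              ("routing-instance", transport_vr), ("tunnel-routing-instance", lan_vr),
              ("ipsec transform", "esp-aes128-sha512"), ("ipsec mode", "tunnel"),
              ("ipsec pfs-group", "mod14"), ("ipsec anti-replay", "enable"),
              ("ipsec life duration", "28800"), ("ike version", "v2"),
              ("ike group", "mod14"), ("ike transform", "aes128-sha512"),
              ("ike lifetime", "28800"), ("ike dpd-timeout", "30"),
              ("peer-auth-info auth-type", "psk"), ("peer-auth-info id-type", "ip"),
              ("peer-auth-info key", psk), ("peer-auth-info id-string", peer_ip),
              ("peer address", f"[ {peer_ip} ]")]
    for rule, port in (("http", "80"), ("https", "443")):
        leaves += [(f"rule {rule} protocol", "any"), (f"rule {rule} src inet", "0.0.0.0/0"),
                   (f"rule {rule} src port", "0"), (f"rule {rule} dst inet", "0.0.0.0/0"),
                   (f"rule {rule} dst port", port)]
    return "\n".join(f"{base} {path} {value}" for path, value in leaves)

def build_tunnel_pair(org, wan_ip, primary_pop, failover_pop, transport_vr, lan_vr):
    """Both Versa profiles for one Netskope tunnel entry: the same Source Identity
    and one random PSK (the value to paste into the Netskope PSK field), differing
    only in the POP they terminate on. Returns (set_text, psk)."""
    psk = secrets.token_urlsafe(32)  # 43 URL-safe characters, 256 bits of entropy
    text = "\n".join(render_profile(n, org, wan_ip, pop, psk, transport_vr, lan_vr)
                     for n, pop in (("netskope-gw-1", primary_pop),
                                    ("netskope-gw-2", failover_pop)))
    return text, psk
```

Paste a real `display set` capture into audit_set_view(); the returned dict holds one list of findings per profile plus a _cross_profile list for the pair, and build_tunnel_pair() produces a configuration that passes the audit cleanly with the POP gateway IPs copied from the Netskope tunnel page.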