browse
Overview
This article explains how to build a CDFW Tunnel using a Viptela cEdge device running the 16.12 release.
Note: The configuration template below is in INTENT based format, which is needed to create CLI-based tunnels in vManage. INTENT based format is similar to vEdge configuration format but there are some differences. A Feature template cannot effectively be used until 17.2.1 for cEdge, thus this example is using a CLI-based template.
DISCLAIMER:
*This article was created to address the use case of sending corporate guest traffic through the Cisco Umbrella SIG solution.
*This how-to article uses CLI-based templates to override a limitation of Feature based templates in vManage
Prerequisites
- The device must be fully configured and operational using the CLI-based templates before configuring the Umbrella SIG relevant parts below. Only relevant items to the tunnel configuration are captured here.
- NAT must be configured in one or more of the transport VPN interfaces.
- The policy listed is a workaround until ‘allow-service ipsec’ is added in a future release.
Details
Step 1: Create CDFW Tunnel in Umbrella Dashboard ( https://login.umbrella.com/ )
Step 2: Configure Viptela device template as you would normally configure for your environment.
Step 3: Configure a SIG policy to allow ports UDP 500 and 4500 into transport interfaces. ACL_for_IKE_IPSec_tunnel is the ACL name that allows IPSEC traffic through the tunnel interface
(Optional: you can further restrict the ACL to only Umbrella SIG DCs. Listed here: https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/cisco-umbrella-data-centers )
access-list ACL_for_IKE_IPSec_tunnel
sequence 10
match
protocol 50
!
action accept
!
!
sequence 20
match
destination-port 4500 500
!
action accept
!
!
default-action drop
!
Step4: Apply the ACL to the tunnel interface you will be using.
sdwan
interface GigabitEthernet1
tunnel-interface
access-list ACL_for_IKE_IPSec_tunnel in
Step 5: Configure ipsec interface(s) in the transport VPN including required routes
The following variables are defined in the CLI config template below:
- {transport_vpn_1} is the network interface (typically the WAN interface) which will establish the IPSEC tunnel
- {transport_vpn_ip_addr_prefix} is the transport VPN that you assign. (ex. 1.1.1.0/24)
- {ipsec__int_number} is the IPSEC tunnel interface number (ex. The number 1 in interface "IPSEC1" )
- {ipsec_ip_addr_prefix} is ip address and subnet defined for the IPSEC tunnel interface.
- {transport_vpn_interface_1} is the network interface (typically the WAN interface) that will establish the IPSEC tunnel. This is the same interface used in transport_vpn_1 variable.
- {psk} is the tunnel's pre-shared key value created in the Umbrella Dashboard's tunnels section.
- {sig_fqdn} is the tunnel's IKE ID created in the Umbrella Dashboard's tunnels section.
- {sig_tunnel_dest_ip} is the CDFW DC's IP the tunnel will be connected to
vpn 0
interface {{transport_vpn_1}}
ip address {{transport_vpn_ip_addr_prefix}}
nat
refresh bi-directional
!
mtu 1360
no shutdown
!
interface ipsec{{ipsec__int_number}}
ip address {{ipsec_ip_addr_prefix}}
tunnel-source-interface {{transport_vpn_interface_1}}
tunnel-destination {{sig_tunnel_dest_ip}}
ike
version 2
rekey 14400
cipher-suite aes256-cbc-sha1
group 14
authentication-type
pre-shared-key
pre-shared-secret {{psk}}
local-id {{sig_fqdn}}
remote-id {{sig_tunnel_dest_ip}}
!
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite aes256-gcm
perfect-forward-secrecy none
!
no shutdown
!
ip ipsec-route 0.0.0.0/0 vpn 0 interface ipsec{{ipsec__int_number}}
For your reference, here is a sample configuration mentioned in steps 3-5:
access-list ACL_for_IKE_IPSec_tunnel
sequence 10
match
protocol 50
!
action accept
!
!
sequence 20
match
destination-port 4500 500
!
action accept
!
!
default-action drop
!
vpn 0
dns 208.67.222.222 primary
name VPN0
interface GigabitEthernet4
ip address 192.168.1.0/24
nat
refresh bi-directional
!
mtu 1360
no shutdown
!
interface ipsec1
ip address 10.10.10.1/30
tunnel-source-interface GigabitEthernet4
tunnel-destination 146.112.83.8
ike
version 2
rekey 14400
cipher-suite aes256-cbc-sha1
group 14
authentication-type
pre-shared-key
pre-shared-secret YourPreSharedKey
local-id YourTunnelID@umbrella.sig.cisco.com
remote-id 146.112.83.8
!
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite aes256-gcm
perfect-forward-secrecy none
!
no shutdown
!
ip ipsec-route 0.0.0.0/0 vpn 0 interface ipsec1