Skip to main content
Cisco Meraki Documentation

Catalyst SD-WAN Integration with Cisco Secure Connect

Cisco Secure Connect Catalyst SD-WAN Integration Deployment Guide



Organizations are shifting their network landscape by moving on-prem applications to the public or private cloud. Previously all traffic was backhauled through central data centers with security stack choking links and increasing latency significantly, but now almost 80% of traffic is routed directly to the internet from branch. Securing a network edge has always been complex and with this change in network infrastructure, it became even more difficult to manage and secure an entire organization. 

Secure Access Service Edge (SASE) is the convergence of Network as a Service and Security as a Service within a unified cloud delivered platform. Cisco Secure Connect is Cisco’s unified SASE solution with an integrated Remote access capability, cloud managed network delivered through the Cisco Meraki cloud and centralized cloud managed security powered by Cisco Umbrella. This unified full stack SASE solution is one of its kind that delivers complete end to end control, connectivity, security and policy management of remote users, branches, and private applications across both Cisco SD-WAN (powered by Catalyst SD-WAN and Meraki) solution. 

This deployment guide outlines how to integrate your Cisco SD-WAN fabric to the Cisco Secure Connect solution and manage both the remote worker and SD-WAN branch network connectivity and security using the Cisco Secure Connect cloud dashboard.

Acronyms and Terminologies: 

Viptela = Catalyst SD-WAN 


A picture containing diagram

Description automatically generated


Onboarding - Getting your Cisco Secure Connect Dashboard

To begin, you'll first need to integrate Cisco Meraki and Cisco Umbrella management together for a seamless experience.  For further instructions, see  Cisco Secure Connect Onboarding 

Enrolling Catalyst SD-WAN Sites to Cisco Secure Connect

After successfully provisioning Cisco Secure Connect, go to the Secure Connect > Sites page. There are 2 use cases that are supported independently with Cisco Secure Connect. 


  1. Create tunnels to Catalyst SD-WAN HUBs from Cisco Secure Connect using SC's enhanced headend. Remote users connecting to Cisco Secure Connect can securely access applications or resources behind the integrated Hub.  

  1. Import secure internet access Catalyst SD-WAN branch tunnels already integrated to SIG into Cisco Secure Connect. Enabling a single point of monitoring of both private and internet access tunnels. (only umbrella SIG tunnels supported)  

Graphical user interface, text, application

Description automatically generated 

Graphical user interface, application, Teams

Description automatically generated 

Integrating Viptela SDWAN Private Application Service Hub to Cisco Secure Connect 

Cisco Secure Connect establishes a secure interconnect between the remote users and the applications or resources hosted behind Viptela SDWAN service hubs. The first step towards the integration is to establish a connectivity between Viptela devices and Cisco Secure Connect fabric.  

Click on > Connect Viptela Devices

Graphical user interface, application, Teams

Description automatically generated 

Give the Site you are creating a tunnel from a name and from the drop down select the region you want to connect your Catalyst SD-WAN hubs then,  

After choosing the region and the name for your Site, next create tunnels from the Site to Cisco Secure Connect enhanced headend in the chosen region. Give the tunnel a unique name and a secure passphrase. Click on > Next 

Currently site name and tunnel name are concatenated for tunnel identity. Currently in vManage ipsec template, the tunnel identity field is only 63 characters. Therefore its recommended to use shorter names for site name and tunnel names so that the overall tunnel identity is less than 63 characters. 

Passphare is 16 character minium 



Graphical user interface, text, application

Description automatically generated


Graphical user interface, text, application, email, Teams

Description automatically generated

This successfully configures 2 tunnels (primary, secondary) in the DC locations associated with the chosen regions. After successful creation of the tunnels, there is pop up window that gives all the required information regarding the tunnels created. The tunnel pairs configs can be associated with single router or multiple routers on the Catalyst SD-WAN hub location . Every router within the hub location will have primary and secondary tunnel towards Secure Connect primary and secondary DC respectively for that region. 

Please copy and save all the information shown in the pop-up window related to both the tunnels before clicking on Done.


Graphical user interface, text, application, email

Description automatically generated


The auto tunnel automation is not available end to end for viptela sd-wan. Therefore, the tunnel needs to be manually created under service vpns of the devices using vManage templates. 

The ipsec parameters for tunnel needs to be shown in the GUI here or follow the below screen shots.(for customers we should finalized on some secure parameters) 

The tunnel ID and the Secure Connect DC IPs for each tunnel and its associated DC need to be entered in the corresponding templates in vManage. To know more about associated vManage template please click on the following link  

After clicking ‘Done’ on the pop-up window, in the Sites page you will see the newly created Site with the primary and secondary tunnels in the drop down of the Site.