Skip to main content

 

Cisco Meraki Documentation

Cisco Secure Connect - Non-Meraki IPSec Tunnel

Overview

An IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel is used to securely forward traffic from Cisco Umbrella to the destination networks of the private applications. For more details on supported IPSec parameters, reference Supported IPSec parameters 

Creating a New Tunnel

1. Navigate to Secure Connect > Network Tunnels. This will open Deployments > Core Identities  > Network Tunnels configuration page.

Network Tunnel.png

Figure 1: Network Tunnels

2. Click Add in the upper right hand corner of the screen 

3. Enter a Tunnel Name, select the correct datacenter Device Type and click Save 

Add A New Tunnel.png
Figure 2: Add a secure access tunnel

Maximum Transmission Unit (MTU) Size

Umbrella does not support the reassembly of fragmented IPSec traffic or IP packets for internet traffic. Thus, when a network device sends fragmented IPSec or IP packets to Umbrella, Umbrella drops the fragmented packets. IPSec tunnels for Secure Internet Access must have an MTU no larger than 1280 bytes. Fragmented packets in underlay or overlay are dropped.

4. Set a Tunnel ID and Passphrase. These values must match the respective values on the datacenter device. For more details see: Network Tunnel Configuration 

  • For Cisco devices, reference the instructions here

  • For non-Cisco devices, reference the instructions here

Tunnel ID and Passphrase.png

Figure 3: Add Tunnel ID and Passphrase

5. Select Service Type as Secure Internet Access or Private Access.

For Secure Internet Access, you will need to add all public and private address ranges used internally by your organization.

Service type - SIA.png

Figure 4: Configure Secure Internet Access service

For Private Access, you will need to add IP ranges and CIDR addresses of your private applications for route advertisement.

Service type - PA.png

Figure 5: Configure Private Access service

 

Secure Connect IPSec Headend Data Centers

Please note that the following DC's are enabled for Secure Connect so please use the below IP while connecting to the tunnel headend.

 

Region City IP Address FQDN

Americas

Los Angeles, CA, US

146.112.67.8

us1-a.vpn.sig.umbrella.com

Americas

Palo Alto, CA, US

146.112.66.8

us1-b.vpn.sig.umbrella.com

Americas

New York, NY, US

146.112.83.8

us2-a.vpn.sig.umbrella.com

Americas

Ashburn, VA, US

146.112.82.8

us2-b.vpn.sig.umbrella.com

Americas

Miami, FL, US

146.112.84.8

us3-a.vpn.sig.umbrella.com

Americas

Atlanta, GA, US

146.112.85.8

us3-b.vpn.sig.umbrella.com

Americas

Dallas-Fort Worth, TX, US

146.112.72.8

us4-a.vpn.sig.umbrella.com

Americas

Denver, CO, US

146.112.73.8

us4-b.vpn.sig.umbrella.com

Americas

Minneapolis, MN, US

146.112.81.8

us5-a.vpn.sig.umbrella.com

Americas

Chicago, IL, US

146.112.80.8

us5-b.vpn.sig.umbrella.com

EMEA

London, United Kingdom

146.112.97.8

eu1-a.vpn.sig.umbrella.com

EMEA

Frankfurt, Germany

146.112.96.8

eu1-b.vpn.sig.umbrella.com

EMEA

Paris, France

146.112.102.8

eu2-a.vpn.sig.umbrella.com

EMEA

Prague, Czech Republic

146.112.103.8

eu2-b.vpn.sig.umbrella.com

EMEA

Copenhagen, Denmark

146.112.100.8

eu3-b.vpn.sig.umbrella.com

EMEA

Stockholm, Sweden

146.112.101.8

eu3-a.vpn.sig.umbrella.com

EMEA

Milan, Italy

146.112.107.8

eu4-a.vpn.sig.umbrella.com

EMEA

Madrid, Spain

146.112.106.8

eu4-b.vpn.sig.umbrella.com

Africa

Johannesburg, South Africa

146.112.108.8

af1-a.vpn.sig.umbrella.com

Africa

Cape Town, South Africa

146.112.109.8

af1-b.vpn.sig.umbrella.com

Asia

Singapore, Singapore

146.112.113.8

as1-a.vpn.sig.umbrella.com

Asia

Tokyo, Japan

146.112.112.8

as1-b.vpn.sig.umbrella.com

Asia

Sydney, Australia

146.112.118.8

au1-a.vpn.sig.umbrella.com

Asia

Melbourne, Australia

148.112.119.8

au1-b.vpn.sig.umbrella.com

Canada

Toronto, Canada

146.112.65.8

ca1-a.vpn.sig.umbrella.com

Canada

Vancouver, Canada

146.112.64.8

ca1-b.vpn.sig.umbrella.com

South America

São Paulo, Brazil

146.112.92.8

br1-a.vpn.sig.umbrella.com

South America

Rio de Janeiro, Brazil

146.112.93.8

br1-b.vpn.sig.umbrella.com

Multiple Tunnels

Each manual IPSec tunnel is limited to approximately 250 Mbps. To achieve higher throughput, we can establish multiple tunnels. Creating multiple tunnels from the same device. For more details, see examples in Multiple Tunnels Load Sharing and Can-I-create-multiple-IPSEC-Tunnels.

If you set up multiple tunnels, there are limitations to follow:

  1. A unique set of Network Tunnel credentials must be used for each IPSec tunnel. Two IPSec tunnels cannot connect to the same data center with the same credentials (IP addresses) at the same time. Using 2 different public IP addresses on the customer device, or two different loopback addresses that are NATed using different port numbers will activate the both tunnels at the same time. Example how to accomplish this can be found here.
  2. For Secure Internet Access, all traffic should be initiated from behind the IPSec tunnel. We recommend that you divide the traffic between the tunnels either through load balancing with ECMP (Equal-cost multi-path routing) or assigning traffic through policy-based routing. Overlapping IPs in Edge devices is supported and ECMP is supported only if tunnels are terminating at the same Data Center headend. This configuration is done on customer device if supported. 
  3. For Secure Private Access, remote access users or branch users will be initiating traffic toward the servers behind the IPSec tunnel. Overlapping IPs is not recommended as it can cause unexpected behaviour with routing.

 

  • If a tunnel is showing as “Not Established” (Deployments > Network Tunnels page) check the device has been configured using our supported IPsec paramters.   

  • If a tunnel is showing as “Inactive” ensure traffic is being generated which should be routed down the VPN.   

 

secureconnectbutton.png
Figure 4: Return to Secure Connect link

  1. In the upper right hand corner of the screen, click Return TO SECURE CONNECT.

Once the tunnel is established traffic will not flow until traffic, such as a ping, is sent from the network where the private application resides.  Once this is complete, traffic will flow bidirectionally.  

Modifying Tunnel

Presently, the IPSec tunnel for Secure Connect is configured in the Umbrella dashboard. To modify the IPsec tunnel settings, please follow the following steps.

Accessing Tunnel Edit Options

  1. From the Meraki Secure Connect dashboard, navigate to the Secure Connect menu > Identities & Connections > click on the Network Tunnel link. The page will be redirected to the Umbrella dashboard where you can configure the Deployments > Core Identities > Network Tunnels.
    Secure Connnect - Navigation - Tunnel.png
  2. From the Network Tunnels page > click on the horizontal ellipsis button (. . .) next to the private tunnel that you would like to make the change > and then click Details.
    Network Tunnel - ASA.png
  3. Within the Network Tunnels details page click on the horizontal ellipsis button (. . .) > and then click Edit to show the Tunnel Edit options. 
    Network Tunnel - Tunnel Edit.png

    The following are the available tunnel settings that can be modified:

    • Tunnel Name
    • Tunnel ID
    • Passphrase
    • Client Reachable Prefixes

    Network Tunnel - Tunnel Edit - after click edit.png

Update Tunnel ID

From the Network Tunnel edit options > click Edit under the Tunnel ID to access the Update Tunnel ID popup window > enter New Tunnel ID name > click the acknowledgment checkbox > and then click Save​​​​​.
Network Tunnel - Tunnel Edit - after click edit.png

Update the Tunnel ID.png
Update Tunnel Passphrase

From the Network Tunnel edit options > click Edit under the Passphrase to access the Update Tunnel Passphrase popup window > enter New Passphrase and Confirm Passphrase > click the acknowledgment checkbox > and then click Save​​​​.

Updating Tunnel Passphrase.png

Edit Client Reachable Prefixes

From the Network Tunnel edit options > click Edit under the Client Reachable Prefixes to access the Edit Client Reachable Prefixes popup window enter the IP ranges and CIDR addresses that remote users need to access via the IPSec tunnel click on the checkbox to Acknowledge Disconnect & Reconnect Requirement > and then click Save. 

 Edit Client Reachable Prefixes.png

Please note route changes do not apply until you manually disconnect and then reconnect the IPsec tunnel.

 

  • Was this article helpful?