Cisco Meraki

Cisco+ Secure Connect - Non-Meraki IPSec Tunnel

Figure 1: Secure Private Access Tunnel

An IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel is used to securely forward traffic from Cisco Umbrella to the destination networks of the private applications. For more details on supported IPsec parameters, see Supported IPSec parameters.

Create a new Tunnel

  1. Click ADD in the upper right-hand corner of the screen.

  2. Enter a Tunnel Name, select the correct datacenter Device Type, and click Save.

Figure 2: Add a secure access tunnel

Configure Tunnel

Multiple Tunnels

If both Private Access (for remote users) and Secure Internet Access (for branch location access) are needed, TWO separate tunnels are required today. It is not possible to use a single tunnel for both types of access. Creating multiple tunnels from the same device is possible with some devices. For more details, see Can-I-create-multiple-IPSEC-Tunnels.

Maximum Transmission Unit (MTU) Size

Umbrella does not support the reassembly of fragmented IPsec traffic or IP packets. Thus, when a network device sends fragmented IPsec or IP packets to Umbrella, Umbrella drops the fragmented packets.
IPsec tunnels for Secure Internet Access must have an MTU no larger than 1280 bytes. Fragmented packets in underlay or overlay are dropped. 
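
The drop behaviour described above can be checked against captured IPv4 headers before traffic is sent into the tunnel. The following Python classifier is an added example, not part of the Cisco documentation; the function names are hypothetical and the sample headers and addresses are constructed.

```python
import struct

TUNNEL_MTU = 1280  # limit the page states for Secure Internet Access tunnels


def build_ipv4_header(total_len, flags=0, frag_offset=0):
    """Constructed sample data: a minimal 20-byte IPv4 header (checksum left 0).

    flags is the 3-bit IPv4 flags field: 0b010 = DF, 0b001 = MF.
    """
    flags_frag = (flags << 13) | frag_offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))


def classify(header, mtu=TUNNEL_MTU):
    """Return 'fragment', 'oversize-df', 'oversize-will-fragment' or 'ok'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, _ident, flags_frag = struct.unpack("!HHH", header[2:8])
    dont_fragment = bool(flags_frag & 0x4000)
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    if more_fragments or frag_offset:
        # Already a fragment: it will not be reassembled, so it is dropped.
        return "fragment"
    if total_len > mtu:
        # DF set: the packet cannot be fragmented to fit the tunnel MTU.
        # DF clear: a device on the path may fragment it, and the
        # resulting fragments are dropped.
        return "oversize-df" if dont_fragment else "oversize-will-fragment"
    return "ok"


def demo():
    """Classify a few constructed headers and return the verdicts."""
    samples = [
        build_ipv4_header(1280, flags=0b010),     # fits exactly, DF set
        build_ipv4_header(1500, flags=0b010),     # too large, DF set
        build_ipv4_header(1500),                  # too large, may be fragmented
        build_ipv4_header(1280, flags=0b001),     # first fragment (MF set)
        build_ipv4_header(500, frag_offset=160),  # last fragment (offset > 0)
    ]
    return [classify(h) for h in samples]


if __name__ == "__main__":
    print(demo())
```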

  1. Specify the Service Type as Private Access.

Figure 3: Configure private access service

  1. Client Reachable Prefixes: enter the subnet or subnets that remote users need to access. Traffic destined for these subnets is sent securely through the tunnel.

Figure 4: Specify tunnel traffic

Configure Tunnel ID and Passphrase

  1. Set a Tunnel ID and Passphrase. These values must match the respective values on the datacenter device. For more details, see Network Tunnel Configuration.

a. For Cisco devices, reference the instructions here

b. For non-Cisco devices, reference the instructions here


Please note that the following data centers (DCs) are enabled for Secure Connect, so please use the IP below when connecting to the tunnel headend:



  • Los Angeles, CA
  • Santa Clara, CA
  • New York, NY
  • Ashburn, VA
  • London, UK
  • Frankfurt, DE
  • Paris, FR
  • Prague, CZ

  • If a tunnel is showing as “Not Established” (Deployments > Network Tunnels page), check that the device has been configured using our supported IPsec parameters.

  • If a tunnel is showing as “Inactive”, ensure that traffic which should be routed down the VPN is being generated.

Secure Access Tunnel Provisioning is complete!!!

Figure 5: Return to Secure Connect link

  1. In the upper right-hand corner of the screen, click Return to Cisco Plus Secure Connect.

    1. Once the tunnel is established, traffic will not flow until traffic, such as a ping, is sent from the network where the private application resides. Once this is complete, traffic will flow bidirectionally.