Skip to main content
Cisco Meraki

Cisco+ Secure Connect - Non-Meraki IPSec Tunnel


An IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel is used to securely forward traffic from Cisco Umbrella to the destination networks of the private applications. For more details on supported IPSec parameters, reference Supported IPSec parameters 

Creating a New Tunnel

  1. Navigate to Secure Connect > Network Tunnels. This will open Deployments > Core Identities  > Network Tunnels configuration page.

  2. Click ADD in the upper right hand corner of the screen 

  3. Enter a Tunnel Name, select the correct datacenter Device Type and click Save 

Figure 2: Add a secure access tunnel

Multiple Tunnels

Private Access (for remote users) tunnels can support internet bound traffic. Traffic sent to a Private Application tunnel to the destination that is not routed down existing branch or DC tunnels will egress the Secure Connect infrastructure through the Secure Internet Gateway, with the appropriate policies applied at the CDFW (Umbrella's cloud-delivered firewall), IPS (Umbrella's Intrusion Prevention System), SWG (Cisco Umbrella's Secure Web Gateway), etc.

If you are looking for HA, you can configure multiple tunnels for redundancy. Or, if you want to have a dedicate the Secure Private Access tunnel for private applications, you can create a separate tunnel for internet bound traffic. 

Creating multiple tunnels from the same device is possible with some devices. For more details, see Can-I-create-multiple-IPSEC-Tunnels

Maximum Transmission Unit (MTU) Size

Umbrella does not support the reassembly of fragmented IPSec traffic or IP packets. Thus, when a network device sends fragmented IPSec or IP packets to Umbrella, Umbrella drops the fragmented packets.
IPSec tunnels for Secure Internet Access must have an MTU no larger than 1280 bytes. Fragmented packets in underlay or overlay are dropped. 

  1. Specify the Service Type as Private Access 

Figure 3: Configure private access service

  1. Client Reachable Prefixes -enter a subnet or the subnets that remote users need to access. Traffic destined to these subnets are sent securely through the tunnel. 

Figure 4: Specify tunnel traffic

  1. Set a Tunnel ID and Passphrase. These values must match the respective values on the datacenter device.  For more details see: Network Tunnel Configuration 

a. For Cisco devices, reference the instructions here

b. For non-Cisco devices, reference the instructions here

Please note that the following DC's are enabled for Secure Connect so please use the below IP while connecting to the tunnel headend.


Region City IP Address


Los Angeles, CA


Palo Alto, CA


New York, NY


Ashburn, VA


Dallas-Fort Worth, TX


Denver, CO


London, United Kingdom


Frankfurt, Germany


Paris, France


Prague, Czechia


Milan, Italy


Madrid, Spain

  • If a tunnel is showing as “Not Established” (Deployments > Network Tunnels page) check the device has been configured using our supported IPsec paramters.   

  • If a tunnel is showing as “Inactive” ensure traffic is being generated which should be routed down the VPN.   


Figure 5: Return to Secure Connect link

  1. In the upper right hand corner of the screen, click Return to Cisco Plus Secure Connect.

Once the tunnel is established traffic will not flow until traffic, such as a ping, is sent from the network where the private application resides.  Once this is complete, traffic will flow bidirectionally.  

Modifying Tunnel

Presently, the IPSec tunnel for Cisco+ Secure Connect is configured in the Umbrella dashboard. To modify the IPsec tunnel settings, please follow the following steps.

Accessing Tunnel Edit Options

  1. From the Meraki Secure Connect dashboard, navigate to the Secure Connect menu > Identities & Connections > click on the Network Tunnel link. The page will be redirected to the Umbrella dashboard where you can configure the Deployments > Core Identities > Network Tunnels.cpsc_ipsec_modification_menu.png
  2. From the Network Tunnels page > click on the horizontal ellipsis button (. . .) next to the private tunnel that you would like to make the change > and then click Details.cpsc_ipsec_tunnel_modification_01.png
  3. Within the Network Tunnels details page click on the horizontal ellipsis button (. . .) > and then click Edit to show the Tunnel Edit options. cpsc_ipsec_tunnel_modification_02.png

    The following are the available tunnel settings that can be modified:

    • Tunnel Name
    • Tunnel ID
    • Passphrase
    • Client Reachable Prefixes

Updating Tunnel ID

From the Network Tunnel edit options > click Edit under the Tunnel ID to access the Update Tunnel ID popup window > enter New Tunnel ID name > click the acknowledgment checkbox > and then click Save​​​​​.


Updating Tunnel Passphrase

From the Network Tunnel edit options > click Edit under the Passphrase to access the Update Tunnel Passphrase popup window > enter New Passphrase and Confirm Passphrase > click the acknowledgment checkbox > and then click Save​​​​.


Updating Client Reachable Prefixes

From the Network Tunnel edit options > click Edit under the Client Reachable Prefixes to access the Edit Client Reachable Prefixes popup window enter the IP ranges and CIDR addresses that remote users need to access via the IPSec tunnel click on the checkbox to Acknowledge Disconnect & Reconnect Requirement > and then click Save. 


Please note route changes do not apply until you manually disconnect and then reconnect the user's IPsec tunnel.


  • Was this article helpful?