Cisco+ Secure Connect - Non-Meraki IPSec Tunnel

Last updated
Save as PDF

Figure 1: Secure Private Access Tunnel

An IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel is used to securely forward traffic from Cisco Umbrella to the destination networks of the private applications. For more details on supported IPSec parameters, reference Supported IPSec parameters

Create a new Tunnel

Click ADD in the upper right hand corner of the screen
Enter a Tunnel Name, select the correct datacenter Device Type and click Save

Figure 2: Add a secure access tunnel

Configure Tunnel

Multiple Tunnels

If both Private Access (for remote users) and Secure Internet Access (for branch location access) tunnels, TWO separate tunnels are required today. It is not possible to use a single tunnel for both types of access. Creating multiple tunnels from the same device is possible with some devices. For more details, see Can-I-create-multiple-IPSEC-Tunnels

Maximum Transmission Unit (MTU) Size

Umbrella does not support the reassembly of fragmented IPsec traffic or IP packets. Thus, when a network device sends fragmented IPsec or IP packets to Umbrella, Umbrella drops the fragmented packets.
IPsec tunnels for Secure Internet Access must have an MTU no larger than 1280 bytes. Fragmented packets in underlay or overlay are dropped.

Specify the Service Type as Private Access

Figure 3: Configure private access service

Client Reachable Prefixes -enter in a subnet or the subnets that remote users need to access. Traffic destined to these subnets are sent securely through the tunnel.

Figure 4: Specify tunnel traffic

Configure Tunnel ID and Passphrase

Set a Tunnel ID and Passphrase. These values must match the respective values on the datacenter device. For more details see: Network Tunnel Configuration

a. For Cisco devices, reference the instructions here

b. For non-Cisco devices, reference the instructions here

Please note that the following DC's are enabled for Secure Connect so please use the below IP while connect to tunnel headend

US-1	Los Angeles, CA	146.112.67.8
US-1	Santa Clara, CA	146.112.66.8
US-2	New York, NY	146.112.83.8
US-2	Ashburn, VA	146.112.82.8
EU-1	London, UK	146.112.97.8
EU-1	Frankfurt, DE	146.112.96.8
EU-2	Paris, FR	146.112.120.8
EU-2	Prague, CZ	146.112.103.8

If a tunnel is showing as “Not Established” (Deployments > Network Tunnels page) check the device has been configured using our supported IPsec paramters.
If a tunnel is showing as “Inactive” ensure traffic is being generated which should be routed down the VPN.

Secure Access Tunnel Provisioning is complete!!!

Figure 5: Return to Secure Connect link

In the upper right hand corner of the screen, click Return to Cisco Plus Secure Connect
1. Once the tunnel is established traffic will not flow until traffic, such as a ping, is sent from the network where the private application resides. Once this is complete, traffic will flow bidirectionally.