Home > Security and SD-WAN > Site-to-site VPN > MX and Umbrella SIG IPSec Tunnel

MX and Umbrella SIG IPSec Tunnel

Overview 

Umbrella SIG (Secure Internet Gateway) is a cloud-based security solution designed for branch offices. This article outlines how to configure Umbrella SIG between the Umbrella dashboard and a Meraki MX Security and SD-WAN device. This solution provides centralized management for security so network administrators do not have to separately manage security settings for each branch. All internet-bound traffic will be forwarded to Umbrella SIG through an IPSec tunnel for inspection and filtering. 

 

Screen Shot 2019-09-13 at 2.20.40 PM.png

Use Case 

If network administrators desire a cloud managed security solution to alleviate the inconvenience of separately managing security settings at each branch location, Umbrella SIG is the perfect solution.

Features 

Umbrella SIG offers security features such as:

  • DNS Policies
  • Firewall Policies
  • Web Policies

Please visit Umbrella's documentation for a comprehensive guide to Umbrella SIG features.

Prerequisites

  1. The Umbrella SIG Essentials package is required. Please visit Umbrella for more package information.
  2. The Meraki MX requires MX 15.12+ firmware, on which users are able to configure the Non-Meraki VPN Peer with the two following Umbrella requirements:
    1. Choose IKE version type on each Non-Meraki VPN Peer. When choosing IKEv2, the "Local ID" field will be enabled. The User FQDN info needs to be added into this field.
    2. On IPSec policies, choose "Diffie-Hellman group" 14.

Configuration 

To establish an IPSec tunnel to Umbrella, configurations must be made on both Umbrella Dashboard and Meraki Dashboard.

Umbrella Dashboard

In the Umbrella dashboard, navigate to Deployments > Network Tunnels > select Add

 

Screen Shot 2019-09-17 at 2.41.27 PM.png

 

Name the tunnel and select Device Type > Meraki MX.

 

Tunnel_Name2.png

 

Set the Tunnel ID and Passphrase. This will be entered as the Local ID (User FQDN) and preshared secret in the Meraki dashboard.

 

Screen Shot 2019-09-17 at 2.46.17 PM.png

 

After setting the Tunnel ID and Passphrase, a confirmation prompt will be displayed, allowing you to copy and paste the Tunnel ID and Passphrase to Local ID (User FQDN) and Preshared secret in the Meraki dashboard.

 

Screen Shot 2019-09-17 at 3.02.42 PM.png

Meraki Dashboard

Navigate to Security & SD-WAN > Site-to-site VPN > Select desired subnets to participate in VPN.

 

VPN-Participate.png

In the Security & SD-WAN > Site-to-site VPN > Non-Meraki VPN peers section, select Add a peer.

 

Screen Shot 2019-09-17 at 3.12.04 PM.png

 

For the Non-Meraki VPN peers fields:

  • Name: Provide any sample name for the tunnel
  • Public IP: You will find this IP address in the article at https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers
  • Local ID: You will get this string from Umbrella dashboard once you have completed creating a Network Tunnel Identity using PSK.
  • Private subnets: This will always be 0.0.0.0/0 You will be redirecting all internet bound traffic into the tunnels.
  • IPSec policies: Choose Preset of “Umbrella”.  This will populate all of the IPSec tunnel parameters necessary for Umbrella connectivity.
  • Preshared secret: You will get this string from Umbrella dashboard once you have completed creating a Network Tunnel Identity using PSK.
  • Availability: You will add the Tag here that you had defined earlier for the MX appliance that will be building the tunnels to Umbrella cloud.  If you want the configuration to apply to all networks, you can use the All option.

 

Verification of the Umbrella IPSec parameters can be viewed by selecting Umbrella

 

Screen Shot 2019-09-17 at 3.26.42 PM.png

 

Lastly, you will have to generate interesting traffic through the tunnel in order for the Umbrella dashboard to reflect active tunnel status. To generate interesting traffic, simply source pings from a VPN-participating VLAN (navigate to Security & SD-WAN > Appliance Status > Tools) to a destination IP address that would take the IPSec tunnel route.

 

Screen Shot 2019-09-17 at 4.19.06 PM.png

 

Meraki dashboard displaying an active Umbrella SIG IPSec tunnel (Security & SD-WAN > VPN Status) should look like the following:

 

Screen Shot 2019-09-17 at 4.25.57 PM.png

 

Umbrella Dashboard displaying an active IPSec tunnel to Meraki MX (Deployments > Network Tunnels) should look like the following:

 

Screen Shot 2019-09-17 at 4.23.45 PM.png

 

Validation

To validate traffic being sent to over the tunnel to SIG vs traffic not being sent over the tunnel we can connect to a network on a VLAN that is participating in tunnel and one that is not to observe the difference.

 

For this test we used the below configuration where the Default VLAN1 is not participating in VPN and the SIG VLAN10 is participating. This configuration can be viewed under Security & SD-WAN > Site-to-site VPN.

 

VPN-Participate.png

 

Using a Wireless capable MX68CW two SSIDs were created. One on VLAN1 and the other on VLAN10.

 

SSIDConfig.png

 

When a device connects to the SSID SIG1, it receives an IP on VLAN10.

 

SIG-SSID-Connect.png

 

When the device accesses the Internet, the traffic will have a NAT address from Umbrella.

 

SIG-SSID-Connect-PubIP.png

 

When a device connects to the SSID DIA, it receives an IP on VLAN1.

 

DIA-SSID-Connect.png

 

When the device accesses the Internet, the traffic will have a NAT address from the MX Internet Interface.

 

DIA-SSID-Connect-PubIP.png

 

Last modified

Tags

Classifications

This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 8702

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community