Cisco Meraki Documentation

Cisco Secure Connect - Non-Meraki IPSec Tunnel

Overview

An IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel is used to securely forward traffic from Cisco Umbrella to the destination networks of the private applications. For details on the supported IPsec parameters, see Supported IPSec parameters.

Creating a New Tunnel

  1. Navigate to Secure Connect > Network Tunnels. This opens the Deployments > Core Identities > Network Tunnels configuration page.

  2. Click ADD in the upper right-hand corner of the screen.

  3. Enter a Tunnel Name, select the correct datacenter Device Type, and click Save.

Figure 2: Add a secure access tunnel

Maximum Transmission Unit (MTU) Size

Umbrella does not support reassembly of fragmented IPsec traffic or IP packets for internet traffic, so when a network device sends fragmented IPsec or IP packets to Umbrella, Umbrella drops them. IPsec tunnels for Secure Internet Access must have an MTU no larger than 1280 bytes. Fragmented packets in the underlay or overlay are dropped.

  4. Select Service Type as Secure Internet Access or Private Access. For Private Access you can specify a Preferred Primary Data Center.

Figure 3: Configure private access service

  5. Client Reachable Prefixes: enter the subnet or subnets that remote users need to access. Traffic destined to these subnets is sent securely through the tunnel.

  6. Set a Tunnel ID and Passphrase. These values must match the respective values on the datacenter device. For more details see: Network Tunnel Configuration

     a. For Cisco devices, reference the instructions here

     b. For non-Cisco devices, reference the instructions here

Secure Connect IPSec Headend Data Centers

The following data centers are enabled for Secure Connect; use the IP address or FQDN listed below when connecting to the tunnel headend.

Region          City                          IP Address       FQDN
Americas        Los Angeles, CA, US           146.112.67.8     us1-a.vpn.sig.umbrella.com
Americas        Palo Alto, CA, US             146.112.66.8     us1-b.vpn.sig.umbrella.com
Americas        New York, NY, US              146.112.83.8     us2-a.vpn.sig.umbrella.com
Americas        Ashburn, VA, US               146.112.82.8     us2-b.vpn.sig.umbrella.com
Americas        Miami, FL, US                 146.112.84.8     us3-a.vpn.sig.umbrella.com
Americas        Atlanta, GA, US               146.112.85.8     us3-b.vpn.sig.umbrella.com
Americas        Dallas-Fort Worth, TX, US     146.112.72.8     us4-a.vpn.sig.umbrella.com
Americas        Denver, CO, US                146.112.73.8     us4-b.vpn.sig.umbrella.com
Americas        Minneapolis, MN, US           146.112.81.8     us5-a.vpn.sig.umbrella.com
Americas        Chicago, IL, US               146.112.80.8     us5-b.vpn.sig.umbrella.com
EMEA            London, United Kingdom        146.112.97.8     eu1-a.vpn.sig.umbrella.com
EMEA            Frankfurt, Germany            146.112.96.8     eu1-b.vpn.sig.umbrella.com
EMEA            Paris, France                 146.112.102.8    eu2-a.vpn.sig.umbrella.com
EMEA            Prague, Czech Republic        146.112.103.8    eu2-b.vpn.sig.umbrella.com
EMEA            Copenhagen, Denmark           146.112.100.8    eu3-b.vpn.sig.umbrella.com
EMEA            Stockholm, Sweden             146.112.101.8    eu3-a.vpn.sig.umbrella.com
EMEA            Milan, Italy                  146.112.107.8    eu4-a.vpn.sig.umbrella.com
EMEA            Madrid, Spain                 146.112.106.8    eu4-b.vpn.sig.umbrella.com
Africa          Johannesburg, South Africa    146.112.108.8    af1-a.vpn.sig.umbrella.com
Africa          Cape Town, South Africa       146.112.109.8    af1-b.vpn.sig.umbrella.com
Asia            Singapore, Singapore          146.112.113.8    as1-a.vpn.sig.umbrella.com
Asia            Tokyo, Japan                  146.112.112.8    as1-b.vpn.sig.umbrella.com
Asia            Sydney, Australia             146.112.118.8    au1-a.vpn.sig.umbrella.com
Asia            Melbourne, Australia          148.112.119.8    au1-b.vpn.sig.umbrella.com
Canada          Toronto, Canada               146.112.65.8     ca1-a.vpn.sig.umbrella.com
Canada          Vancouver, Canada             146.112.64.8     ca1-b.vpn.sig.umbrella.com
South America   São Paulo, Brazil             146.112.92.8     br1-a.vpn.sig.umbrella.com
South America   Rio de Janeiro, Brazil        146.112.93.8     br1-b.vpn.sig.umbrella.com

Multiple Tunnels

Each manual IPsec tunnel is limited to approximately 250 Mbps. To achieve higher throughput, you can establish multiple tunnels. Creating multiple tunnels from the same device is possible with some devices. For more details, see the examples in Multiple Tunnels Load Sharing and Can-I-create-multiple-IPSEC-Tunnels.

If you set up multiple tunnels, there are limitations to follow:

  1. For Secure Internet Access, all traffic should be initiated from behind the IPsec tunnel. We recommend dividing the traffic between the tunnels either through load balancing with ECMP (equal-cost multi-path routing) or by assigning traffic through policy-based routing. This configuration is done on the customer device, if supported.
  2. For Secure Private Access, remote access users or branch users initiate traffic toward the servers behind the IPsec tunnel. ECMP is supported only if the tunnels terminate at the same data center headend. If the same overlapping prefixes with the same subnet are advertised over each tunnel, the cloud environment automatically configures ECMP for traffic toward the IPsec tunnels.
  3. A unique set of Network Tunnel credentials must be used for each IPsec tunnel. Two IPsec tunnels cannot connect to the same data center with the same credentials (IP addresses) at the same time. There are two ways multiple tunnels can be used:
    • Active - Standby: failover in this scenario takes as long as it takes to establish a new IPsec tunnel.
    • Active - Active: using two different public IP addresses on the customer device, or two different loopback addresses that are NATed using different port numbers, activates both tunnels at the same time. An example of how to accomplish this can be found here.
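As an added example (not code from the Cisco page), a small Python checker for the limits stated above: the 1280-byte MTU ceiling, unique credentials per headend, client reachable prefixes that parse as proper CIDR blocks, and whether cloud-side ECMP should be expected for a pair of Private Access tunnels. The tunnel definitions are constructed sample data and the field names are assumptions, not dashboard or API fields.

```python
import ipaddress
from collections import defaultdict
MAX_IPSEC_MTU = 1280  # Umbrella drops fragmented IPsec/IP packets; tunnel MTU must not exceed this

# Constructed sample tunnels (not from the page) mirroring the dashboard fields; field names are assumed.
SAMPLE_TUNNELS = [
    {"name": "branch-a-1", "service": "private", "headend": "us1-a.vpn.sig.umbrella.com",
     "tunnel_id": "branch-a-1@example", "passphrase": "pp-one", "mtu": 1280,
     "prefixes": ["10.10.0.0/16", "10.20.0.0/24", "10.30.0.5/24"]},   # last prefix has host bits set
    {"name": "branch-a-2", "service": "private", "headend": "us1-a.vpn.sig.umbrella.com",
     "tunnel_id": "branch-a-2@example", "passphrase": "pp-two", "mtu": 1280,
     "prefixes": ["10.20.0.0/24", "10.10.0.0/16"]},
    {"name": "branch-b-1", "service": "internet", "headend": "us2-a.vpn.sig.umbrella.com",
     "tunnel_id": "branch-b-1@example", "passphrase": "pp-three", "mtu": 1400, "prefixes": []},
    {"name": "branch-b-2", "service": "internet", "headend": "us2-a.vpn.sig.umbrella.com",
     "tunnel_id": "branch-b-1@example", "passphrase": "pp-three", "mtu": 1280, "prefixes": []},
]

def parse_prefixes(prefixes):
    """Split a prefix list into (valid networks, unparsable strings); strict=True rejects host bits."""
    good, bad = set(), []
    for p in prefixes:
        try:
            good.add(ipaddress.ip_network(p, strict=True))
        except ValueError:
            bad.append(p)
    return good, bad

def check_tunnels(tunnels):
    """Return (tunnel name, finding) pairs for the limits stated in the text above."""
    findings = []
    by_creds = defaultdict(list)  # (headend, Tunnel ID, passphrase) -> tunnel names
    for t in tunnels:
        if t["mtu"] > MAX_IPSEC_MTU:
            findings.append((t["name"], f"MTU {t['mtu']} exceeds {MAX_IPSEC_MTU}; fragments will be dropped"))
        for p in parse_prefixes(t["prefixes"])[1]:
            findings.append((t["name"], f"invalid client reachable prefix {p!r}"))
        by_creds[(t["headend"], t["tunnel_id"], t["passphrase"])].append(t["name"])
    for (headend, tid, _), names in by_creds.items():
        if len(names) > 1:  # same credentials cannot be used twice toward the same data center at once
            findings.append((names[-1], f"credentials {tid!r} reused toward {headend} by {', '.join(names)}"))
    return findings

def cloud_ecmp_expected(t1, t2):
    """Private Access only: cloud-side ECMP needs the same headend and the same advertised prefixes."""
    if t1["service"] != "private" or t2["service"] != "private" or t1["headend"] != t2["headend"]:
        return False
    nets1, nets2 = parse_prefixes(t1["prefixes"])[0], parse_prefixes(t2["prefixes"])[0]
    return bool(nets1) and nets1 == nets2
```

For Secure Internet Access tunnels the checker deliberately reports no ECMP expectation, because splitting traffic across those tunnels is the customer device's job.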


  • If a tunnel is showing as “Not Established” (Deployments > Network Tunnels page), check that the device has been configured using our supported IPsec parameters.

  • If a tunnel is showing as “Inactive”, ensure that traffic which should be routed through the VPN is actually being generated.

Figure 4: Return to Secure Connect link

  1. In the upper right hand corner of the screen, click Return TO SECURE CONNECT.

Once the tunnel is established, traffic will not flow until traffic, such as a ping, is sent from the network where the private application resides. Once this is done, traffic flows bidirectionally.

Modifying Tunnel

Presently, the IPsec tunnel for Secure Connect is configured in the Umbrella dashboard. To modify the IPsec tunnel settings, follow these steps.

Accessing Tunnel Edit Options

  1. From the Meraki Secure Connect dashboard, navigate to the Secure Connect menu > Identities & Connections > click on the Network Tunnel link. The page is redirected to the Umbrella dashboard, where you can configure Deployments > Core Identities > Network Tunnels.
  2. From the Network Tunnels page > click on the horizontal ellipsis button (. . .) next to the private tunnel that you would like to change > and then click Details.
  3. Within the Network Tunnels details page, click on the horizontal ellipsis button (. . .) > and then click Edit to show the Tunnel Edit options.

    The following are the available tunnel settings that can be modified:

    • Tunnel Name
    • Tunnel ID
    • Passphrase
    • Client Reachable Prefixes

Updating Tunnel ID

From the Network Tunnel edit options > click Edit under the Tunnel ID to access the Update Tunnel ID popup window > enter the New Tunnel ID name > click the acknowledgment checkbox > and then click Save.

Updating Tunnel Passphrase

From the Network Tunnel edit options > click Edit under the Passphrase to access the Update Tunnel Passphrase popup window > enter New Passphrase and Confirm Passphrase > click the acknowledgment checkbox > and then click Save.

Updating Client Reachable Prefixes

From the Network Tunnel edit options > click Edit under the Client Reachable Prefixes to access the Edit Client Reachable Prefixes popup window > enter the IP ranges and CIDR addresses that remote users need to access via the IPsec tunnel > click the checkbox to Acknowledge Disconnect & Reconnect Requirement > and then click Save.

Note that route changes do not apply until you manually disconnect and then reconnect the user's IPsec tunnel.