Configure a Non SD-WAN Destination via Gateway in SD-WAN Orchestrator to establish a secure IPSec tunnel to the Netskope portal through SD-WAN Gateway.
To configure a Non SD-WAN Destination via Gateway:
Prerequisites
Ensure that you have already configured an IPsec tunnel in the Netskope NG SWG Portal. See Configure VPN Credentials on the Netskope Portal.
Procedure
- Login to SD-WAN Orchestrator and verify that the customers instances are created, and the Edges are online.
- In the Non SD-WAN Destinations via Gateway pane, click New to create a new Non SD-WAN Destination.
- In the New Non SD-WAN Destination via Gateway window, configure the following:
Option Description Name Enter a descriptive name for the Non SD-WAN Destination. Type Select the type as Generic IKEv2 Router (Route Based VPN). Primary VPN Gateway Enter the IP address of the Primary POP used to setup the VPN tunnel in the Netskope portal. Secondary VPN Gateway Enter the IP address of the Secondary POP used to setup the VPN tunnel in the Netskope portal. Click Next. - In the next window, configure the following settings:
The Name and Type of the Non SD-WAN Destination are displayed. Select the Enable Tunnel(s) check box to activate the tunnel.Click Advanced to configure the other IPsec tunnel parameters for the Primary and Secondary VPN Gateways as follows:Option Description Encryption Select the AES algorithms key from the drop-down list, to encrypt data. If you do not want to encrypt the data, select Null. The default value is AES 128. DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging the pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. It is recommended to use DH Group 14. PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. The default value is deactivated. Hash Select the authentication algorithm for the VPN header from the drop-down list. The following Secure Hash Algorithm (SHA) options are available: - SHA 1
- SHA 256
- SHA 384
- SHA 512
The default value is SHA 256.
IKE SA Lifetime(min) Enter the IKE SA lifetime in minutes. The rekeying should be initiated for Edges before the time expires. The range is from 10 to 1440 minutes. The default value is 1440 minutes. IPsec SA Lifetime(min) Enter the IPsec SA lifetime in minutes. The rekeying should be initiated for Edges before the time expires. The range is from 3 to 480 minutes. The default value is 480 minutes. DPD Timeout Timer(sec) Enter the maximum time that the device should wait to receive a response to a DPD message before considering the peer as dead. The default value is 20 seconds. You can deactivate the DPD by configuring the DPD timeout timer as Zero (0). Redundant VeloCloud Cloud VPN – Select the checkbox to establish the IPSEC tunnels from the Primary and Secondary SD-WAN Gateways.Site Subnets – Add subnets for the Non SD-WAN Destination using the Plus ( +) Icon. If you do not need subnets for the site, select the Deactivate Site Subnets checkbox.Local Auth Id Select the Local authentication ID from drop-down list, to define the format and identification of the local gateway. The following option are available:- Default – By default, the Interface Public IP address of the SD-WAN Gateway is used as the local authentication ID.
- FQDN - The Fully Qualified Domain Name or hostname. For example, google.com.
- User FQDN - The User Fully Qualified Domain Name in the form of email address. For example, [email protected].
- IPv4 - The IP address used to communicate with the local gateway.
Click Save Changes and close the window.
Results
The new Non SD-WAN Destination via Gateway is displayed in the Network Services window:
What to do next
Configure Profile to use the new Non SD-WAN Destination via Gateway. See Configure Profile with Non SD-WAN Destination via Gateway.
