Configure an IPsec tunnel on a Cisco SD-WAN (Viptela) router for Web Security Service.

Article ID: 171486

Products

Web Security Service - WSS

Issue/Introduction

The Web Security Service (WSS) does not officially support Viptela routers.
However, it is possible to establish VPN tunnels over IPsec from these routers to the WSS.

For the current instructions on configuring an IPsec connection on your Cisco SD-WAN (Viptela) router, refer to the vendor support site.

Environment

Cisco SD-WAN (Viptela)

Web Security Service

Resolution

The VPN over IPsec deployment from the Cisco SD-WAN (Viptela) router can be done using the following configuration as a guide. Replace the placeholder values (the uppercase DESCRIPTION, AAA.BBB.XX.XX, XX.XX.XX.XX and DATACENTER'S IP entries, the masked pre-shared secret, and the lines marked (EXAMPLE)) with the values for your network.

router1# sh run vpn
vpn 0
 dns 8.8.8.8 primary
 interface ge0/0
  description        DESCRIPTION
  ip dhcp-client
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color gold restrict
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   allow-service ntp
   no allow-service ospf
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  description        DESCRIPTION-0
  ip address AAA.BBB.XX.XX/28
  no shutdown
 !
 ip route 0.0.0.0/0 AAA.BBB.XX.XX
!
vpn 1
 interface ge0/2
  description        DESCRIPTION-1
  ip address 192.168.1.1/24 (EXAMPLE)
  tcp-mss-adjust 1300
  no shutdown
  dhcp-server
   address-pool 192.168.1.0/24 (EXAMPLE)
   offer-time   600
   lease-time   86400
   admin-state  up
   options
    default-gateway 192.168.1.1 (EXAMPLE)
    dns-servers     8.8.8.8
   !
  !
 !
 interface ipsec1
  description        DESCRIPTION-2
  ip address 192.168.255.1/30 (EXAMPLE)
  tunnel-source      AAA.BBB.XX.XX
  tunnel-destination DATACENTER'S IP
  ike
   version      1
   mode         main
   rekey        3600
   cipher-suite aes256-cbc-sha1
   group        2
   authentication-type
    pre-shared-key
     pre-shared-secret *****
    !
   !
  !
  ipsec
   rekey         3600
   replay-window 64
   cipher-suite  aes256-cbc-sha1
  !
  no shutdown
 !
 interface ipsec2
  description        DESCRIPTION-3
  ip address 192.168.254.1/30 (EXAMPLE)
  tunnel-source      XX.XX.XX.XX (EXAMPLE)
  tunnel-destination DATACENTER'S IP
  ike
   version      1
   mode         main
   rekey        14400
   cipher-suite aes256-cbc-sha1
   group        2
   authentication-type
    pre-shared-key
     pre-shared-secret *****
    !
   !
  !
  ipsec
   rekey         3600
   replay-window 64
   cipher-suite  aes256-cbc-sha1
  !
  no shutdown
 !
 ip route XX.XX.XX.XX/32 192.168.254.2 (EXAMPLE)
 ip route XX.XX.XX.XX/32 192.168.255.2 (EXAMPLE)
!
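As an added example, not code from the article or from Cisco or Broadcom, the following Python checker parses the ipsec interface stanzas and static routes of a vEdge "sh run vpn" dump and flags a host route whose next hop does not sit inside the tunnel interface's /30, an IKE DH group 2 setting, and SHA-1 cipher suites. The sample stanza and its documentation addresses are constructed, the one-space-per-level indentation is assumed to match what the CLI prints, and the weak-setting thresholds are the example's own policy rather than a WSS requirement.

```python
import ipaddress
import re
SAMPLE = """\
 interface ipsec1
  ip address 192.168.255.1/30
  tunnel-destination 198.51.100.1
  ike
   cipher-suite aes256-cbc-sha1
   group        2
  !
  ipsec
   cipher-suite  aes256-cbc-sha1
  !
 !
 ip route 198.51.100.50/32 192.168.255.2
"""  # constructed sample with documentation addresses, shaped like the article's ipsec1

def parse_vpn(text):
    """Return ({ifname: {'ike.group': '2', ...}}, [(destination, next_hop), ...])."""
    ifaces, routes, cur, section = {}, [], None, None
    for raw in text.splitlines():
        line, depth = raw.strip(), len(raw) - len(raw.lstrip())
        if m := re.match(r"interface (ipsec\d+)$", line):
            cur, section = ifaces.setdefault(m.group(1), {}), None
        elif line.startswith("ip route "):
            routes.append(tuple(line.split()[2:4]))
        elif cur is None or not line:
            continue
        elif line == "!":  # closes an ike/ipsec sub-block; at depth 1 the interface itself
            section, cur = None, (cur if depth > 1 else None)
        else:
            key, _, val = line.replace("ip address", "address").partition(" ")
            if not val:
                section = key  # "ike" / "ipsec" open a sub-block
            else:
                cur[f"{section}.{key}" if section else key] = val.strip()
    return ifaces, routes

def audit(ifaces, routes):
    """Flag routes that miss the tunnel /30 and weak settings (thresholds are this example's own policy)."""
    findings = []
    for name, cfg in ifaces.items():
        net = ipaddress.ip_interface(cfg["address"]).network
        if not any(ipaddress.ip_address(nh) in net for _, nh in routes):
            findings.append(f"{name}: no static route uses a next hop inside {net}")
        if cfg.get("ike.group") == "2":
            findings.append(f"{name}: IKE DH group 2 (1024-bit MODP) is below current guidance")
        if any(cfg.get(k, "").endswith("sha1") for k in ("ike.cipher-suite", "ipsec.cipher-suite")):
            findings.append(f"{name}: SHA-1 integrity in cipher-suite")
    return findings
```

Run it against the full dump of both ipsec interfaces and the two host routes from the configuration above to confirm each route's next hop lands in the matching tunnel subnet before bringing the tunnels up.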

--------------------------------------------------------------------------------------------------------------

router2# sh run vpn
vpn 0
 interface ge0/0
  description        DESCRIPTION
  ip dhcp-client
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color gold restrict
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   allow-service ntp
   no allow-service ospf
   allow-service stun
  !
  no shutdown
 !
!
vpn 1
 interface ge0/2
  description        DESCRIPTION
  ip address 192.168.2.1/24 (EXAMPLE)
  tcp-mss-adjust 1300
  no shutdown
  dhcp-server
   address-pool 192.168.2.0/24 (EXAMPLE)
   offer-time   600
   lease-time   86400
   admin-state  up
   options
    default-gateway 192.168.2.1 (EXAMPLE)
    dns-servers     8.8.8.8 (EXAMPLE)
   !
  !
 !
!

--------------------------------------------------------------------------------------------------------------

These are the WSS cloud data center IPs to which the VPN tunnel can be pointed.