The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Manual: vEdge

Follow these steps to add a tunnel to connect a Cisco vEdge device to Cisco Umbrella’s cloud-delivered firewall and secure web gateway security services.

For more information about Cisco vEdge devices and related topics, see Cisco's SD-WAN product documentation.

Prerequisites

  • You must enable NAT in the vEdge feature template that faces the internet.
  • A working configuration must have public DNS configured in the transport vpn to be able to resolve DNS queries used in the tunnel formation. For example, management.api.umbrella.com.

Access to the vManage Console

You can access the vManage console with a web browser. By default, the HTTPS port is 8443, but this may vary based on how your vManage is configured.

If you get a "Not Secure" warning when accessing the link, you can ignore it. When the vManage login screen appears, enter your credentials.

Overview of vManage Templates

In vManage, all the features are configured through templates, once the vEdge devices are registered with vManage, we wouldn’t be able to configure anything through the CLI.

There are two types of Templates, Device & Feature Templates. First define the device template, then the feature template.

Define the Feature Template

  1. Log into the vManage console.
  1. Click Configuration > Templates.
    The template page opens.
  1. Confirm that the Feature Templates tab is selected, then click Add Template.
    Select the relevant device types in the left panel and then choose VPN Interface IPSec WAN.
  1. Configure Tunnel Parameters:
    • Choose a template name and description for the Tunnel interface.
    • Under Basic Configuration, choose the Global option and set the shutdown option to NO.
    • Choose the Interface name from 1 to 255. In this example, we have set ipsec1 as the interface name.
    • Configure IPv4 address by selecting the Global attribute and set the IP. In this example, we are using 10.10.10.1/30.
    • Set the IPSec Source Interface to ge0/0, This must be the WAN interface in VPN 0, which has the internet connectivity.
    • Set the IPSec Destination to the closest Cisco Umbrella data center.

Dead Peer Detection Value: Leave this at the default setting unless you have a specific requirement otherwise.

  1. Choose the Global Attribute to change any IKE and IPSec defaults:

IKE Settings

  • Set the IKE Version to 2.
  • Set the IKE Rekey Interval to 28800.
  • Leave the default Cipher Suite, which is AES-256-CBC-SHA1.
  • Set the IKE DH Group to 14 2048-bit Modulus.
  • The Pre-shared key (PSK) is configured on the Umbrella dashboard.
  • The Remote endpoint is Umbrella IP CDFW Headend.
  • For the Local endpoint enter the named tunnel you generated in the Umbrella dashboard:

IPSec Settings

  • Leave the IPSec Rekey Interval & Replay Window values at their defaults.
  • Use the default Cipher Suite AES 256 GCM.
  • Set the Perfect Forward Secrecy value to "NONE".

Cipher Suite Encryption

If performance is an issue with the default cipher, both AES 256 CBC SHA1 and Null SHA1 are also supported. You can test these to determine whether one offers better performance for a particular platform. Note that Null SHA1 isn't necessarily faster than the default AES 256 GCM because of the cost of the SHA1 hashing. In addition, Null SHA1 is not recommended due to security concerns of unencrypted transport.

  1. Click Update to save the configuration template.

Add the IPSec Interface template

  1. Select Configuration > Templates > Device and then choose the device template for the CDFW tunnel. The example below uses the "vEdgeCloud-02" device template.
  2. Select Edit from the pull-down list.
  1. Add the VPN IPSec tunnel interface in the VPN 0 Transport & Management VPN section.
    Choose the VPN Interface IPSec that you added as part of the feature template.
  1. Click Update. A success message appears.

Configure Static Routes

The next process is to add static routes from the service VPN to redirect the traffic through the IPSec tunnel to CDFW headend. The example below uses the VPN1-IPSec feature template.

  1. Select Configuration > Templates > Feature.
  2. Right-click the rightmost column, then edit the template to add IPSec route 0.0.0.0/0 via IPSec1 Tunnel interface.
  1. Add one more IPSec Tunnel interface (for example, IPSec2), and set that as the secondary tunnel interface.

In this example, the default IPSec route is set to the ipsec1 tunnel interface.

  1. Save configuration changes.

Verify Tunnel Status

  1. Choose Monitor > Network > vEdge > Device.
  1. Choose a device, then choose Interface to check the status of the IPSec tunnel for ipsec1.

Alternatively, the following is an example of checking the tunnel status through the CLI.

Updated 4 days ago

Manual: vEdge


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.