Configure IKEv2 IPsec Tunnel with Umbrella

This document provides information to configure an IKEv2 IPsec tunnel to Cisco Umbrella in IOS-XE.


Prerequisites

  • Umbrella SIG subscription.
  • Any router physically or virtually running IOS-XE 17.2 or later.

Image Download Links

Catalyst 8500L -
Catalyst 8300 -
Catalyst 8200 -
Catalyst 8000V -
ISRv -

Supported Platforms

ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K, Catalyst 8500L, 8300, 8200, and 8000V.


Configure Tunnels in Umbrella

  1. Navigate to Deployments > Core Identities > Network Tunnels, and then click Add.
  2. Enter an appropriate name in the Tunnel Name field and choose the appropriate device from the Device Type drop-down list.
  3. Enter the Tunnel ID, and enter the same Pre-Shared-Key (PSK) Passphrase in the Passphrase and Confirm Passphrase fields.
    Note: The Tunnel ID and Passphrase are required to configure the IKEv2 tunnel on the router.
  4. Choose an appropriate site from the Associate Tunnel with Site drop-down list and, optionally, enter in the Client Reachable Prefixes field the IP addresses that you would like to send to Umbrella SIG. Then click Save.
    Note: The Umbrella portal already pre-populates the RFC 1918 addresses; you do not have to add any IP addresses.

The new tunnel appears in the Umbrella dashboard with a status of Not Established. The tunnel status is updated once the tunnel is fully configured and connected to the appropriate device.

Configure IKEv2 Proposal

See Supported IPsec Parameters to choose an encryption algorithm, integrity algorithm, and Diffie-Hellman (DH) group for the proposal that match what Umbrella supports.

crypto ikev2 proposal umbrella-proposal
 encryption aes-gcm-256
 integrity sha256
 group 19 20

Configure IKEv2 Policy

The match address local command is only needed if you have multiple IKEv2 proposals configured with different encryption, group, and so on. If there is only one proposal, you do not need the match address local command.

crypto ikev2 policy umbrella-pol
 proposal umbrella-proposal
 match address local ==> WAN-facing interface address

Configure IKEv2 Keyring

Choose the IP address of the Umbrella data center (DC) that is closest to you. See Connect to Cisco Umbrella Through Tunnel.

crypto ikev2 keyring umbrella-kr
 peer umbrella
 address ==> Closest Umbrella DC
 pre-shared-key XXXXXXXXXX ==> Fill in the pre-shared key (Passphrase) from the Umbrella portal

Configure IKEv2 Profile

This step requires the data that you gathered from the Umbrella portal.

crypto ikev2 profile umbrella-ikev2-profile
 match identity remote address
 identity local email ==> Tunnel ID from the Umbrella portal
 authentication remote pre-share
 authentication local pre-share
 keyring local umbrella-kr
 dpd 10 2 periodic

Configure IPsec Transform Set

See Supported IPsec Parameters to choose the router's configuration that matches the parameters supported by Umbrella.

crypto ipsec transform-set umbrella-tset esp-aes 256 esp-sha256-hmac
 mode tunnel

Configure IPsec Profile

crypto ipsec profile umbrella-ipsec-profile
 set transform-set umbrella-tset
 set ikev2-profile umbrella-ikev2-profile

Configure the Tunnel Interface

The tunnel destination is the IP address of the Umbrella data center closest to you, the same one you chose when configuring the keyring.

interface Tunnel1
 ip unnumbered GigabitEthernet0/0/0 ==> WAN interface
 tunnel source GigabitEthernet0/0/0 ==> WAN interface
 tunnel mode ipsec ipv4
 tunnel destination ==> Closest Umbrella DC
 tunnel protection ipsec profile umbrella-ipsec-profile

Send Traffic to the Tunnel

You can add a default route on the router with the next hop set to the Tunnel1 interface, or use policy-based routing as in the following example:
Guest user traffic (Vlan 102) is sent directly, in the clear, to the internet, with DNS-layer security applied for the wireless users. All employee traffic (Vlan 101), however, is sent through the IPsec tunnel to Umbrella SIG.

To do this, configure an ACL and a route-map that sets Tunnel1 as the next-hop interface, and apply the route-map to the Vlan 101 interface. Make sure that the tunnel interface does not have NAT or a firewall configured. Umbrella provides NAT, and there is no need to apply a firewall to packets that ride over the tunnel.

ip access-list ext To_Umbrella
 permit ip any
route-map umbrella-routemap permit 10
 match ip address To_Umbrella
 set interface Tunnel1
interface vlan101
 ip policy route-map umbrella-routemap

With this, the router configuration is complete and the tunnel comes up.


Show IKEv2 Session

Run the following command to show the IKEv2 session.

kusankar-1121X#show crypto ikev2 session

The output is similar to:

 IPv4 Crypto IKEv2 Session 

Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1     none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/8084 sec
      CE id: 0, Session-id: 43
      Local spi: 2DB9D463EBD77607       Remote spi: 898DC0640ACA0422
Child sa: local selector -
          remote selector -
          ESP spi in/out: 0x3CB167C1/0xC4FF1DDA  

 IPv6 Crypto IKEv2 Session 

Show IPsec SA

kusankar-1121X#sh crypto ipsec sa

The output is similar to:

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37243, #pkts encrypt: 37243, #pkts digest: 37243
    #pkts decaps: 44758, #pkts decrypt: 44758, #pkts verify: 44758
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.:, remote crypto endpt.:
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0xC4FF1DDA(3305053658)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3CB167C1(1018259393)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2067, flow_id: ESG:67, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (4603810/1422)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
     inbound pcp sas:

     outbound esp sas:
      spi: 0xC4FF1DDA(3305053658)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2068, flow_id: ESG:68, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (4606818/1422)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

The encaps and decaps counters increase, which means that traffic is being sent and received over the tunnel.
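As an added example (not part of the Umbrella documentation), the following Python script applies the checks described in the two show sections above to captured command output: the IKEv2 session is UP-ACTIVE, the negotiated key size, PRF and DH group match what this page configures (group 19 or 20, pre-shared-key authentication), and the encaps and decaps counters have increased between two samples. The sample outputs are constructed from the excerpts above; in practice you would feed it the output of the two show commands collected a few seconds apart.

```python
import re

# Constructed sample output modelled on the show excerpts above (addresses omitted as on the page).
IKEV2_OUT = """Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
"""
IPSEC_OUT_1 = """interface: Tunnel1
    #pkts encaps: 37243, #pkts encrypt: 37243, #pkts digest: 37243
    #pkts decaps: 44758, #pkts decrypt: 44758, #pkts verify: 44758
    #send errors 0, #recv errors 0
"""
IPSEC_OUT_2 = IPSEC_OUT_1.replace("37243", "37310").replace("44758", "44901")  # later sample
EXPECTED = {"keysize": "256", "prf": "SHA256", "dh": {"19", "20"}, "auth": "PSK"}  # per the config above

def parse_ikev2(text):
    """Extract the IKE SA status and negotiated parameters, or None if they are not present."""
    status = re.search(r"Status:([A-Z-]+)", text)
    params = re.search(r"Encr: (\S+), keysize: (\d+), PRF: (\S+), Hash: (\S+), "
                       r"DH Grp:(\d+), Auth sign: (\S+), Auth verify: (\S+)", text)
    if not status or not params:
        return None
    keys = ("encr", "keysize", "prf", "hash", "dh", "auth_sign", "auth_verify")
    return dict(zip(keys, params.groups()), status=status.group(1))

def parse_ipsec_counters(text):
    """Pull the encaps and decaps packet counters out of show crypto ipsec sa output."""
    found = {k: re.search(rf"#pkts {k}: (\d+)", text) for k in ("encaps", "decaps")}
    return {k: int(m.group(1)) if m else 0 for k, m in found.items()}

def check_tunnel(ikev2_text, ipsec_before, ipsec_after):
    """Return (ok, findings); ok only when the SA is up, negotiated as expected and passing traffic."""
    findings = []
    ike = parse_ikev2(ikev2_text)
    if ike is None or ike["status"] != "UP-ACTIVE":
        findings.append("IKEv2 SA is not UP-ACTIVE")
    else:
        if ike["keysize"] != EXPECTED["keysize"] or ike["prf"] != EXPECTED["prf"]:
            findings.append(f"weaker IKE SA than configured: {ike['encr']}-{ike['keysize']}/{ike['prf']}")
        if ike["dh"] not in EXPECTED["dh"]:
            findings.append(f"unexpected DH group {ike['dh']}")
        if (ike["auth_sign"], ike["auth_verify"]) != (EXPECTED["auth"], EXPECTED["auth"]):
            findings.append("peer was not authenticated with the pre-shared key")
    before, after = parse_ipsec_counters(ipsec_before), parse_ipsec_counters(ipsec_after)
    if after["encaps"] <= before["encaps"]:
        findings.append("encaps not increasing: traffic is not being policy-routed into Tunnel1")
    if after["decaps"] <= before["decaps"]:
        findings.append("decaps not increasing: no return traffic from Umbrella")
    return (not findings, findings)
```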

Finally, configure some rules to block certain categories and test the traffic from a host behind Vlan 101.

Create Umbrella Web Policy

  1. Navigate to Policies > Management > Web Policy, and then click Add.
  2. Click Add Rule and enter a meaningful name for Rule Name, such as Rule 1.
    For example, Rule 1 has been created with four categories blocked (Games, Gambling, Auctions, and Computers and Internet) and applied to the tunnel, as shown in the following image.

Test from a Host behind Vlan 101

Browse,, or other websites that belong to the four categories that you have blocked. Umbrella displays a block page. You can also use on the host to see what OrgID you belong to.

Other Resources

Umbrella Cloud Firewall

Cisco 1000 Series Connected Grid Routers
