The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Configure Tunnels Automatically with Viptela cEdge and vEdge

Cisco SD-WAN solution (Viptela) simplifies the configuration of Secure Internet Gateway SIG) IPsec tunnels by automating both the Umbrella tunnels creation as well as all IPsec-related configuration in the cEdge and vEdge edge devices. The same templates can be applied to hundreds of devices, making it simple to deploy and maintain.

Table of Contents


  • Umbrella SIG subscription
  • IOS-XE 17.2.1 or Viptela 20.1 or later (IOS-XE 17.4.1 or Viptela 20.4.1 or later for active/active tunnel pairs).
  • A Management API Key and Secret (generated from the Umbrella Dashboard)

Configure the Tunnel Automatically

At a high level, the Viptela configuration process consists of the following steps:

  1. Enable NAT in the outside interface (internet facing interface in VPN0).
  2. Add one loopback interface for each IPSec tunnel.
  3. Add an Umbrella SIG credentials feature template (Umbrella Management API key and secret).
  4. Add an Umbrella SIG tunnel feature template.
  5. Link feature templates to the device template.
  6. Route traffic to SIG and configure data policy for direct internet access.

Configure the Outside Interface NAT

By enabling NAT on the internet facing interface, Viptela automates the NAT port address translation (PAT) configuration. Traffic sourced from private IP is automatically NATed to the interface in VPN0 after the routing decision.

  1. Navigate to Configuration > Templates > Feature Templates.
  2. Set NAT to ON and select Interface for the NAT Type.

Configure a Loopback Interface

When configuring multiple tunnels from the same local public IP address to the same destination (Umbrella datacenter IP address), only one tunnel will come up if no unique information exists to identify the tunnel locally, as all tunnels will have the same source and destination IP address and UDP ports.

Sourcing tunnels from different loopback interfaces and NATing to the outside public IP will create dynamic port address entries and each tunnel will have a different source port. Umbrella forces NAT transversal so both IKE and ESP transport is over UDP 4500. This dynamic UDP source port is used by the local device and Umbrella to identify the tunnel. An upstream NAT device or multiple public IPs assigned to the edge device (one public IP per tunnel) is also supported, but on device NAT is the recommended option.

  1. Navigate to Configuration > Templates > Feature Templates and click Add Template.
  2. Select the device type and click Cisco VPN Interface Ethernet.
  1. Provide a name and description for the template, name for the interface, and an IP address.
  1. Click Save and repeat these steps as many times as needed for the number of IPSec tunnels to be deployed.

Add an Umbrella SIG Credentials Feature Template

The SIG credentials template is used by edge devices (cEdge / vEdge) to authenticate to Umbrella API services. Once you add the Umbrella Management API key and secret and the Umbrella organization identity (found in the Umbrella dashboard URL) to the template, edge devices do an API call to Umbrella and create the tunnel in the Umbrella dashboard.

  1. Navigate to Configuration > Templates > Feature Templates and add a new template.
  2. Choose a device type, select Cisco SIG Credentials template and provide a name and description for the template.
  1. Provide the Umbrella organization ID, Registration key, and secret, and then click Save.

Note: If linked to Smart Account, you can get the Umbrella API and organization info by clicking on Get Keys.

Add an Umbrella SIG Tunnel Feature Template

The Umbrella SIG feature template has all the IPsec tunnel-related configuration. Depending on the Viptela code version you can have more than one active tunnel (the latest version of Viptela supports up to 4 active tunnels and 4 passive tunnel). Equal-Cost Multi-Path (ECMP) can be used over up to 4 active tunnels for higher throughput, but the passive tunnels are used for faster failover in case a Umbrella data center goes offline with pre-provisioned tunnel to a different datacenter the failover happens faster, but this is not required if very fast data center failover is not required, Umbrella tunnels are part of a high available zone with 3 data centers in the zone.

  1. Navigate to Configuration > Templates > Feature Templates and add a new template.
  2. Choose the device type, select Cisco Secure Internet Gateway (SIG) template, and provide a name and description for the template.
  1. For Tracker, provide a private IP address.
    The tracker automatically configures an HTTP GET probe to and the result is used to check the Umbrella service chain. A return of code 200 verifies the service chain to the (SIG) is functional. if probe fails the tunnel is not used for traffic forwarding, additional trackers can be added if required.
  2. For Configuration, click Add Tunnel and provide the following:
    • Interface Name—A name for the interface, such as "ipsec 1" or "ipsec 2".
    • Tunnel Source Interface—The loopback interface if multiple tunnels or if a single tunnel. The actual internet-facing interface can be used, but loopback is always the preferred method.
    • Data -Center—Select Primary for all active tunnels and if required, select Secondary for passive tunnels.
    • Tunnel Route-via Interface
  1. Click Add and repeat this step up to 8 times. Use a different loopback interface for each source tunnel.
  2. Under High Availability, add up to 4 pairs and select the previously created IPsec tunnels.
    If sourcing from different internet links, you can provide Active Weight for the link and the traffic load sharing will take the link speed (weight) into consideration.
  1. Under Advanced Settings, you can specify a data center for the primary and for secondary data centers respectively, or keep the default auto selection. Click Save.

Configure a Device Template

Once you create all the feature templates, you must link the feature template to one or more edge devices.

  1. Navigate to Configuration > Templates > Device Templates and click the device or devices where you want SIG tunnels.
  2. Under Transport & Management VPN, add the loopbacks interfaces and SIG Tunnel Template.
  1. Under Additional Templates, select the SIG credentials template you created and click Update.

Once the configuration is deployed, the tunnel is established and ready for traffic forwarding.

Route Traffic to Umbrella SIG

  1. Navigate to Configuration > Templates > Feature Templates and click the service side VPN feature template.
  2. Under Service Route, click New Service Route and add a default route and service SIG.
    If multiple SIG tunnels exist, the traffic will automatically be load-shared across the tunnels.
  1. To route specific traffic out of the SIG tunnel (DIA), you need to edit or create a data policy.

    a. Under Traffic Rules click Add Policy if none exists or edit an existing policy.

b. Under Match Conditions, select the apps for DIA and under Actions select NAT VPN. Click Save Match and Actions.


Most tunnel problems are related to API calls. vManage sends Umbrella Management API credentials to the edge devices (cEdge / vEdge) which do an API call to The device should be able to resolve this FQDN and management API should be correct so it authenticates to the right Umbrella organization.

  1. Check the DNS resolutions.
    SSH to the edge device and try to resolve Umbrella API endpoint by typing ping
  1. Check the tunnel creation status.
    Enter show sdwan secure-internet-gateway umbrella tunnels. If there are any issues with API calls this will be shown in the output.

Configure Tunnels Manually with Viptela cEdge< Configure Tunnels Automatically with Viptela cEdge and vEdge > Configure Tunnels with Meraki MX – Option 1

Updated 3 months ago

Configure Tunnels Automatically with Viptela cEdge and vEdge

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.