Configure Tunnels with NEC IX2000/3000 Series Router
This document provide information about how to setup IPsec tunnels between NEC IX2000/3000 Series Router and Cisco Umbrella to enable threat protection for endpoints through an IPsec Tunnel. This document will cover site-to-site IPsec tunnel setting up between NEC IX2000/3000 Series Router and Umbrella.
Table of Contents
- Configure a Cisco Umbrella Tunnel
- Prerequisites for Configuring a Cisco Umbrella Tunnel
- Configure a Tunnel in Cisco Umbrella
- Configure an NEC IX2000/3000 Series Router IPSec Tunnel
- Verify the IPSec Status
- Other Resources
Configure a Cisco Umbrella Tunnel
This section provides information about the process involved in configuring a Cisco Umbrella tunnel.
Prerequisites for Configuring a Cisco Umbrella Tunnel
Ensure that the following prerequisites are met before configuring a Cisco Umbrella tunnel:
- A valid Cisco Umbrella SIG Essentials or SIG Add-On subscription or a free SIG trial version.
- Have an Umbrella SIG Data Center IP address to create an IPsec tunnel. We recommend that you choose this IP address based on the data center located near your device.
- The UDP ports 500 and 4500 must be open to connect to the IPsec tunnel.
Configure a Tunnel in Cisco Umbrella
- From the Umbrella dashboard, navigate to Deployments > Core Identities > Network Tunnels, and click Add.
- In the Add a New Tunnel window, enter a meaningful name, for example, Tunnel 1, in the Tunnel Name field and choose Other from the Device Type drop-down list.
- In the Tunnel ID field, enter the ID (you get Tunnel ID and Passphrase while doing network tunnel configuration, see Add Network Tunnel Identity) in the specified format, and the pre-shared key (PSK) passphrase in the Passphrase and the Confirm Passphrase fields.
Note:
The Tunnel ID and Passphrase are mandatory to configure the IKEv2 tunnel on the router.
- Choose an appropriate site from the Associate Tunnel with Site drop-down list.
- Add additional IP addresses (besides the auto-populated RFC 1918 addresses) to the Client Reachable Prefixes field or delete any of the auto-populated addresses, if required, and click Save.
The new tunnel is displayed on the Umbrella dashboard with the status as Not Established. However, the status gets updated to Established after the configuration is complete and the tunnel is connected with the appropriate device.
Configure an NEC IX2000/3000 Series Router IPSec Tunnel
Note:
- In the sample commands provided in in this section, <umbrella_dc_ip> refers to the Umbrella SIG Data Center IP address that you require to create an IPsec tunnel.
- The NEC router does not require public static IPv4 addresses to be configured on the interface that will connect to the public internet and the Cisco Umbrella SIG service. The NEC router can be behind a NAT device. This is because you can specify the IKE ID, which, in combination with the PSK, is used to successfully authenticate the NEC IX router with the Cisco Umbrella SIG service.
The following tasks show how to configure an NEC IX2000/3000 Series router IPsec tunnel:
- From the NEC IX router’s CLI, run the following commands to configure the WAN and the LAN interface:
interface GigaEthernet0.0
description WAN1
ip address <WAN ip-address>
ip tcp adjust-mss auto
interface GigaEthernet1.0
description LAN1
ip address <LAN ip-address>
- Create IKEv2 authentication:
ikev2 authentication psk id rfc822-addr <umbrella-tunnel-id> key char <umbrella-tunnel-passphrase>
Note:
should be in the format [email protected].
- Create an IKEv2 profile:
ikev2 default-profile
child-lifetime 3600
child-pfs off
child-proposal enc aes-gcm-256-16
child-proposal integrity sha1
dpd interval 10
local-authentication psk id rfc822-addr <umbrella-tunnel-id>
sa-lifetime 14400
sa-proposal enc aes-gcm-256-16
sa-proposal dh 2048-bit
- Create a tunnel interface:
interface Tunnel0.0
tunnel mode ipsec-ikev2
ip unnumbered GigaEthernet0.0
ip tcp adjust-mss 1280
ikev2 connect-type auto
ikev2 local-authentication id rfc822-addr <umbrella-tunnel-id>
ikev2 nat-traversal keepalive 20
ikev2 peer \<umbrella_dc_ip>
- Create a default route for all the traffic going through the tunnel:
ip route default Tunnel0.0
- Apply the IKEv2 outgoing interface to the tunnel interface:
interface Tunnel0.0
ikev2 outgoing-interface GigaEthernet0.0 <WAN next-hop-ip-address>
- Enable the establishment of a tunnel between the Umbrella Data Center IP address and the NEC IX router:
ip access-list umbrella-ipsec permit ip src <umbrella_dc_ip > dest any
ip route <umbrella_dc_ip> <WAN next-hop-ip-address>
interface GigaEthernet0.0
ip filter umbrella-ipsec 1 in
Verify the IPSec Status
Run the following commands on the NEC IX router to verify the IPsec tunnel’s connectivity and traffic-processing capabilities:
show ikev2 sa
show ikev2 child-sa
show logging (logging subsystem ikev2)
Other Resources
IPsec Parameters Supported by Cisco Umbrella: Supported IPsec Parameters
NEC Univerge IX Series Manual (Japanese/English):https://jpn.nec.com/univerge/ix/Manual/index.html#ex
Configure Tunnels with Checkpoint GAiA < Configure Tunnels with NEC IX2000/3000 Series Router > Manage Accounts
Updated 2 months ago