Configure Tunnels with Catalyst SD-WAN cEdge and vEdge

Follow these steps to add a tunnel to connect a Cisco Catalyst SD-WAN (formerly known as Viptela) cEdge or vEdge device to Cisco Umbrella’s cloud-delivered firewall (CDFW) and Secure Web Gateway (SWG) security services.

For more information about Cisco Catalyst SD-WAN cEdge and vEdge devices and related topics, see Cisco's SD-WAN product documentation.

Table of Contents


  • Umbrella SIG Essentials subscription.
  • You must enable NAT in the feature template that faces the internet.
  • You can access the Cisco Catalyst SD-WAN (vManage) console with a web browser. By default, the HTTPS port is 8443, but this may vary based on how your Cisco Catalyst SD-WAN (vManage) is configured.
    Note: If you get a "Not Secure" warning when accessing the link, you can ignore it. When the Cisco Catalyst SD-WAN (vManage) login screen appears, enter your credentials.

For information about using Umbrella SIG with previous versions of Cisco Catalyst SD-WAN cEdge devices, see How to build a Umbrella SIG Manual Tunnel with Cisco Catalyst SD-WAN devices running 16.12.

Configure Tunnel in Umbrella

Before you configure the tunnel in the Cisco Catalyst SD-WAN (vManage) template for the device, add a network tunnel identity to Umbrella. A tunnel identity configuration includes: tunnel ID, tunnel passphrase, and optionally IP address ranges. When you add a network tunnel identity, choose a tunnel ID and create a pre-shared key (PSK). Use the tunnel ID and passphrase to define the tunnel configuration in the feature template for the cEdge or vEdge device.

In Deployments > Core Identities > Network Tunnels, choose Add Tunnel, and then choose Cisco Catalyst SD-WAN cEdge or Cisco Catalyst SD-WAN vEdge for the device type. For more information, see Add Network Tunnel Identity.

Configure Cisco Catalyst SD-WAN Templates

In Cisco Catalyst SD-WAN (vManage), all the features are configured through templates. Once the Cisco Catalyst SD-WAN cEdge or vEdge devices are registered with Cisco Catalyst SD-WAN (vManage), you cannot configure anything through the CLI.

You can use the Cisco Catalyst SD-WAN (vManage) Device and Feature Templates to establish a tunnel from the device. First define the device template and then the feature template.

Define the Feature Template

  1. Log into the Cisco Catalyst SD-WAN (vManage) console and navigate to Configuration > Templates.
  2. Confirm that the Feature Templates tab is selected, then click Add Template.
  1. Under Select Services select device types, then choose VPN Interface IPSec WAN.
  1. Configure Tunnel Parameters:

    a. Choose a template name and description for the Tunnel interface.
    b. Under Basic Configuration, set Shutdown to the global option and choose NO.
    c. Choose the Interface Name from 1 to 255. For example,ipsec1.
    d. Configure the IPv4 address by selecting the Global attribute and set the IP.
    e. Set the IPSec Source Interface to ge0/0. This must be the WAN interface in VPN 0, which has the internet connectivity.
    f. Set the IPSec Destination to the closest Cisco Umbrella data center.


g. Dead Peer Detection Value: Leave this at the default setting unless you have a specific requirement otherwise.

  1. Choose the Global Attribute to change any IKE and IPSec defaults:

IKE Settings

  • Set the IKE Version to 2.
  • Set the IKE Rekey Interval to 28800.
  • Leave the default Cipher Suite, which is AES-256-CBC-SHA1.
  • Set the IKE DH Group to 14 2048-bit Modulus.
  • The pre-shared key (PSK) is configured on the Umbrella dashboard. For more information, see Configure Tunnel in Umbrella.
  • The Remote endpoint is Umbrella IP CDFW Headend.
  • For the Local endpoint, enter the named tunnel you generated in the Umbrella dashboard. For more information, see Configure Tunnel in Umbrella.

IPsec Settings

  • Leave the IPsec Rekey Interval & Replay Window values at their defaults.
  • Use the default Cipher Suite AES 256 GCM.
  • Set the Perfect Forward Secrecy value to "NONE".


Cipher Suite Encryption

If performance is an issue with the default cipher, both AES 256 CBC SHA1 and Null SHA1 are also supported. You can test these to determine whether one offers better performance for a particular platform. Note that Null SHA1 isn't necessarily faster than the default AES 256 GCM because of the cost of the SHA1 hashing. In addition, Null SHA1 is not recommended due to security concerns of unencrypted transport.

  1. Click Update to save the configuration template.

Add the IPsec Interface Template

  1. Navigate to Configuration > Templates > Device and then choose the device template for the CDFW tunnel.
  2. Select Edit from the rightmost dropdown menu.
  1. Add the VPN IPSec tunnel interface in the VPN 0 Transport & Management VPN section.
    Choose the VPN Interface IPSec that you added as part of the feature template.
  1. Click Update. A success message appears.

Configure Static Routes

After configuring a template, you need to add static routes from the service VPN to redirect the traffic through the IPSec tunnel to CDFW headend.

  1. Navigate to Configuration > Templates > Feature.
  2. Right-click the right most column, then edit the template to add IPSec route via IPSec1 Tunnel interface.
  1. Add one more IPsec Tunnel interface (for example, IPSec2), and set that as the secondary tunnel interface.

In this example, the default IPsec route is set to the ipsec1 tunnel interface.

  1. Save configuration changes.

Verify Tunnel Status

  1. Log into the Cisco Catalyst SD-WAN (vManage) console and navigate to Monitor > Network > vEdge > Device.
  2. Choose a device, then choose Interface to check the status of the IPSec tunnel for ipsec1.

Alternatively, the following is an example of checking the tunnel status through the CLI.


Network Tunnel Configuration < Configure Tunnels Manually with Catalyst SD-WAN cEdge and vEdge > Configure Tunnels Automatically with Catalyst SD-WAN cEdge and vEdge