The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Configure Tunnels with Viptela cEdge and vEdge

Follow these steps to add a tunnel to connect a Cisco Viptela cEdge or vEdge device to Cisco Umbrella’s cloud-delivered firewall (CDFW) and Secure Web Gateway (SWG) security services.

For more information about Cisco Viptela cEdge and vEdge devices and related topics, see Cisco's SD-WAN product documentation.

Table of Contents


  • Umbrella SIG Essentials subscription.
  • You must enable NAT in the feature template that faces the internet.
  • You can access the vManage console with a web browser. By default, the HTTPS port is 8443, but this may vary based on how your vManage is configured.
    Note: If you get a "Not Secure" warning when accessing the link, you can ignore it. When the vManage login screen appears, enter your credentials.

For information about using Umbrella SIG with previous versions of cEdge devices, see How to build a Umbrella SIG Manual Tunnel with Viptela cEdge devices running 16.12.

Configure Tunnel in Umbrella

Before you configure the tunnel in the vManage template for the device, add a network tunnel identity to Umbrella. A tunnel identity configuration includes: tunnel ID, tunnel passphrase, and optionally IP address ranges. When you add a network tunnel identity, choose a tunnel ID and create a pre-shared key (PSK). Use the tunnel ID and passphrase to define the tunnel configuration in the feature template for the cEdge or vEdge device.

In Deployments > Core Identities > Network Tunnels, choose Add Tunnel, and then choose Viptela cEdge or Viptela vEdge for the device type. For more information, see Add Network Tunnel Identity.

Configure vManage Templates

In vManage, all the features are configured through templates. Once the Viptela cEdge or vEdge devices are registered with vManage, you cannot configure anything through the CLI.

You can use the Device and Feature vManage Templates to establish a tunnel from the device. First define the device template and then the feature template.

Define the Feature Template

  1. Log into the vManage console and navigate to Configuration > Templates.
  2. Confirm that the Feature Templates tab is selected, then click Add Template.
  1. Under Select Services select device types, then choose VPN Interface IPSec WAN.
  1. Configure Tunnel Parameters:

    a. Choose a template name and description for the Tunnel interface.
    b. Under Basic Configuration, set Shutdown to the global option and choose NO.
    c. Choose the Interface Name from 1 to 255. For example,ipsec1.
    d. Configure the IPv4 address by selecting the Global attribute and set the IP.
    e. Set the IPSec Source Interface to ge0/0. This must be the WAN interface in VPN 0, which has the internet connectivity.
    f. Set the IPSec Destination to the closest Cisco Umbrella data center.

g. Dead Peer Detection Value: Leave this at the default setting unless you have a specific requirement otherwise.

  1. Choose the Global Attribute to change any IKE and IPSec defaults:

IKE Settings

  • Set the IKE Version to 2.
  • Set the IKE Rekey Interval to 28800.
  • Leave the default Cipher Suite, which is AES-256-CBC-SHA1.
  • Set the IKE DH Group to 14 2048-bit Modulus.
  • The pre-shared key (PSK) is configured on the Umbrella dashboard. For more information, see Configure Tunnel in Umbrella.
  • The Remote endpoint is Umbrella IP CDFW Headend.
  • For the Local endpoint, enter the named tunnel you generated in the Umbrella dashboard. For more information, see Configure Tunnel in Umbrella.

IPsec Settings

  • Leave the IPsec Rekey Interval & Replay Window values at their defaults.
  • Use the default Cipher Suite AES 256 GCM.
  • Set the Perfect Forward Secrecy value to "NONE".

Cipher Suite Encryption

If performance is an issue with the default cipher, both AES 256 CBC SHA1 and Null SHA1 are also supported. You can test these to determine whether one offers better performance for a particular platform. Note that Null SHA1 isn't necessarily faster than the default AES 256 GCM because of the cost of the SHA1 hashing. In addition, Null SHA1 is not recommended due to security concerns of unencrypted transport.

  1. Click Update to save the configuration template.

Add the IPsec Interface Template

  1. Navigate to Configuration > Templates > Device and then choose the device template for the CDFW tunnel.
  2. Select Edit from the rightmost dropdown menu.
  1. Add the VPN IPSec tunnel interface in the VPN 0 Transport & Management VPN section.
    Choose the VPN Interface IPSec that you added as part of the feature template.
  1. Click Update. A success message appears.

Configure Static Routes

After configuring a template, you need to add static routes from the service VPN to redirect the traffic through the IPSec tunnel to CDFW headend.

  1. Navigate to Configuration > Templates > Feature.
  2. Right-click the right most column, then edit the template to add IPSec route via IPSec1 Tunnel interface.
  1. Add one more IPsec Tunnel interface (for example, IPSec2), and set that as the secondary tunnel interface.

In this example, the default IPsec route is set to the ipsec1 tunnel interface.

  1. Save configuration changes.

Verify Tunnel Status

  1. Log into the vManage console and navigate to Monitor > Network > vEdge > Device.
  2. Choose a device, then choose Interface to check the status of the IPSec tunnel for ipsec1.

Alternatively, the following is an example of checking the tunnel status through the CLI.

Updated 14 days ago

Configure Tunnels with Viptela cEdge and vEdge

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.