You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from any network device and as new tunnels are added, Umbrella-based rules are automatically applied for easy setup and consistent enforcement.
Note: Organizations have a default limit of 50 network tunnels. To increase this limit, contact support or your account manager.
IPsec tunnels created for the cloud-delivered firewall (CDFW) automatically forward traffic on ports 80 and 443 (HTTP/HTTPS) to the Umbrella secure web gateway (SWG). You can use IPsec tunnels to deploy the SWG even if you choose not to use the IP/Port/Protocol controls in the CDFW.
The Umbrella cloud-delivered firewall (CDFW) expects an RFC 1918 IP address as the source IP address for outbound packets. If you use routable IP addresses on your internal network, you must contact Umbrella Support and provide the range of IP addresses that you use. Without this information, Umbrella cannot determine the IP address and may drop packets. For information about address allocation and private networks, see RFC 1918.
- Umbrella SIG data center (DC) public IP address, to which the tunnel will connect. For the latest Umbrella SIG DC locations and their IPs, see Connect to Cisco Umbrella Through Tunnel.
- An Umbrella organization ID. See Find Your Organization ID.
- A Cisco device (ISR-G2, ISR4K, or CSR router, or a Cisco ASA) with a security K9 license to establish an IPsec tunnel. Other devices may work but have not been tested.
- A valid Cisco Umbrella SIG Essentials subscription or a free SIG trial.
- On any upstream device, allow UDP port 500 (IKE) and UDP port 4500 (IKE and ESP over NAT-T).
With the certificate or passphrase credentials generated in the Umbrella portal, establish an IPsec IKEv2 tunnel to the Umbrella head-end (in the sample commands, <umbrella_dc_ip> represents the public IP address of the Umbrella DC). Umbrella recommends setting the tunnel MTU to 1360 to optimize performance.
Each tunnel is limited to approximately 250 Mbps. To achieve higher throughput, establish multiple tunnels (subject to the default limit of 50 tunnels per organization noted above). To make the best use of multiple tunnels, divide traffic among them, for example by load balancing with ECMP (equal-cost multi-path routing) or by assigning traffic to specific tunnels through policy-based routing. For basic information about ECMP, see RFC 2991.
Network Tunnel Identities
A unique set of Network Tunnel credentials must be used for each IPsec tunnel. Two IPsec tunnels cannot connect to the same data center with the same credentials. Using unique credentials for every tunnel prevents inadvertent outages: if one tunnel is re-routed to a nearby data center via anycast failover, it would otherwise collide with another tunnel already using those credentials there.
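The following Cisco IOS-XE configuration is an added example, not taken from the Umbrella documentation, that ties together the points above: two IKEv2 tunnels to two Umbrella DC IPs, each with its own tunnel ID and passphrase, a 1360-byte MTU, and two equal-cost default routes so that CEF spreads flows across both tunnels (ECMP). The placeholders <umbrella_dc1_ip>, <umbrella_dc2_ip>, <wan_next_hop>, <tunnel1_id>, <tunnel1_psk>, <tunnel2_id> and <tunnel2_psk> are assumptions to be filled in from the portal and your WAN; the cipher suite (AES-GCM-256, SHA-256 PRF, DH group 19), the interface names and the use of an e-mail style local identity are also assumptions, so check them against the current Umbrella supported-parameter list for your platform.

```ios
! Added example for two Umbrella IKEv2 tunnels with ECMP on IOS-XE.
! All <...> values are placeholders, not values from the Umbrella docs.
crypto ikev2 proposal UMBRELLA-PROP
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy UMBRELLA-POL
 proposal UMBRELLA-PROP
!
! One keyring entry per tunnel: every tunnel needs its own Umbrella credentials
crypto ikev2 keyring UMBRELLA-KR
 peer UMBRELLA-DC1
  address <umbrella_dc1_ip>
  pre-shared-key <tunnel1_psk>
 peer UMBRELLA-DC2
  address <umbrella_dc2_ip>
  pre-shared-key <tunnel2_psk>
!
! Local identity = the tunnel ID generated in the Umbrella portal (assumed e-mail form)
crypto ikev2 profile UMBRELLA-DC1-PROF
 match identity remote address <umbrella_dc1_ip> 255.255.255.255
 identity local email <tunnel1_id>
 authentication remote pre-share
 authentication local pre-share
 keyring local UMBRELLA-KR
 dpd 10 2 periodic
!
crypto ikev2 profile UMBRELLA-DC2-PROF
 match identity remote address <umbrella_dc2_ip> 255.255.255.255
 identity local email <tunnel2_id>
 authentication remote pre-share
 authentication local pre-share
 keyring local UMBRELLA-KR
 dpd 10 2 periodic
!
crypto ipsec transform-set UMBRELLA-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile UMBRELLA-DC1-IPSEC
 set transform-set UMBRELLA-TS
 set ikev2-profile UMBRELLA-DC1-PROF
!
crypto ipsec profile UMBRELLA-DC2-IPSEC
 set transform-set UMBRELLA-TS
 set ikev2-profile UMBRELLA-DC2-PROF
!
! Route-based tunnels: MTU 1360 as recommended, MSS clamped to 1360 - 40 (IP+TCP)
interface Tunnel1
 ip unnumbered GigabitEthernet0/0/0
 ip mtu 1360
 ip tcp adjust-mss 1320
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination <umbrella_dc1_ip>
 tunnel protection ipsec profile UMBRELLA-DC1-IPSEC
!
interface Tunnel2
 ip unnumbered GigabitEthernet0/0/0
 ip mtu 1360
 ip tcp adjust-mss 1320
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination <umbrella_dc2_ip>
 tunnel protection ipsec profile UMBRELLA-DC2-IPSEC
!
! Two equal-cost default routes: CEF per-destination load sharing (ECMP)
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 0.0.0.0 0.0.0.0 Tunnel2
! Keep the tunnel endpoints themselves reachable via the WAN, never via a tunnel
ip route <umbrella_dc1_ip> 255.255.255.255 <wan_next_hop>
ip route <umbrella_dc2_ip> 255.255.255.255 <wan_next_hop>
```

Two design points follow from the text above. First, do not apply NAT to traffic before it enters the tunnels: the CDFW expects RFC 1918 source addresses, so the private addresses of your LAN hosts should arrive unchanged inside the ESP payload. Second, if you only have one DC IP available, the second tunnel still needs its own tunnel ID and passphrase, otherwise the two IKEv2 sessions will conflict at the head-end, and the same applies after an anycast failover moves a tunnel to a neighbouring DC. Verify with `show crypto ikev2 sa` and `show crypto ipsec sa`, and check that `show ip cef 0.0.0.0/0` lists both tunnel interfaces as next hops.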