Network Tunnel Configuration

You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from a network device to Umbrella. IPsec tunnels created for the cloud-delivered firewall (CDFW) automatically forward HTTP/HTTPS traffic on ports 80 and 443 to the Umbrella secure web gateway (SWG). You can use IPsec tunnels to deploy the secure web gateway even if you choose not to use the IP, port, and protocol controls in the cloud-delivered firewall.


RFC 1918

The Umbrella cloud-delivered firewall (CDFW) expects an RFC 1918 IP address as the source IP address for outbound packets. If you use routable IP addresses on your internal network, you must contact Umbrella Support and provide the range of IP addresses that you use. Without this information, Umbrella cannot determine the IP address and may drop packets. For information about address allocation and private networks, see RFC 1918.
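The following added example (not part of the Umbrella documentation) audits a list of internal source ranges and reports the ones that are not wholly inside RFC 1918 space, which are the ranges you would need to provide to Umbrella Support. The function names and the sample inventory are assumptions made for illustration.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_source_range(cidr):
    """Classify an internal IPv4 range as 'rfc1918', 'partial' or 'outside'.

    ipaddress.is_private is deliberately not used: it also matches loopback
    and link-local space, which RFC 1918 does not define as private.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("RFC 1918 only defines IPv4 ranges: " + cidr)
    if any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        return "rfc1918"
    # A supernet such as 192.168.0.0/15 contains both private and public space.
    if any(net.overlaps(block) for block in RFC1918_BLOCKS):
        return "partial"
    return "outside"


def ranges_to_report(cidrs):
    """Return the ranges that are not wholly RFC 1918, in input order."""
    return [c for c in cidrs if classify_source_range(c) != "rfc1918"]


# Constructed sample inventory of internal source ranges.
SAMPLE_RANGES = [
    "10.20.0.0/16",
    "172.16.5.0/24",
    "172.32.0.0/16",    # just past the end of 172.16.0.0/12
    "192.168.0.0/15",   # supernet that spills into 192.169.0.0/16
    "100.64.0.0/10",    # shared address space, not RFC 1918
    "198.51.100.0/24",
]

if __name__ == "__main__":
    for cidr in SAMPLE_RANGES:
        print(cidr, classify_source_range(cidr))
```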


  • Umbrella SIG data center (DC) public IP address, to which the tunnel will connect. For the latest Umbrella SIG DC locations and their IPs, see Connect to Cisco Umbrella Through Tunnel.
  • An Umbrella organization ID. For more information, see Find Your Organization ID.
  • A router (ISR-G2, ISR4K or CSR, or Cisco ASA) with a security K9 license to establish an IPsec tunnel. Other devices may work but have not been tested.
  • A valid Cisco Umbrella SIG Essentials subscription or a free SIG trial.
  • Allow ports on any upstream device: UDP ports 500 and 4500.

Note: Organizations have a default limit of 50 network tunnels. To increase this limit, contact support or your account manager.

Establish a Tunnel

With the certificate or passphrase credentials generated in the Umbrella portal, establish an IPsec IKEv2 tunnel to the Umbrella head-end <umbrella_dc_ip> (<umbrella_dc_ip> represents the public IP address in sample commands). Umbrella recommends setting your MTU size to 1350 to optimize performance.

Throughput and Multiple Tunnels

Each tunnel is limited to approximately 250 Mbps. To achieve higher throughput, you can establish multiple tunnels. If you set up multiple tunnels, we recommend that you divide the traffic between the tunnels either by load balancing with ECMP (equal-cost multi-path routing) or by assigning traffic through policy-based routing. For information about ECMP, see RFC 2991.


Network Tunnel Identities

A unique set of Network Tunnel credentials must be used for each IPsec tunnel. Two IPsec tunnels cannot connect to the same datacenter with the same credentials. Using unique credentials for every tunnel prevents inadvertent outages should one tunnel get rerouted to a nearby datacenter through anycast failover.
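The following added example (not part of the Umbrella documentation) checks a tunnel inventory against the throughput and credential rules described in the two sections above. It separates credentials reused toward the same data center from credentials reused across data centers, which work only until anycast failover moves one tunnel. The field names, data center labels and sample inventory are assumptions made for illustration.

```python
import math
from collections import defaultdict

PER_TUNNEL_MBPS = 250      # approximate per-tunnel limit given on this page
DEFAULT_TUNNEL_LIMIT = 50  # default per-organization limit given on this page
RECOMMENDED_MTU = 1350     # MTU recommended on this page


def tunnels_needed(target_mbps):
    """Minimum tunnel count for a target aggregate throughput in Mbps."""
    return max(1, math.ceil(target_mbps / PER_TUNNEL_MBPS))


def audit_tunnels(tunnels, target_mbps):
    """Return sorted (kind, subject) findings for a tunnel inventory."""
    findings = []
    by_cred = defaultdict(list)
    for t in tunnels:
        by_cred[t["credential_id"]].append(t)
        if t["mtu"] != RECOMMENDED_MTU:
            findings.append(("mtu-not-recommended", t["name"]))
    for cred, group in by_cred.items():
        if len(group) < 2:
            continue
        dcs = [t["dc"] for t in group]
        # Reuse toward one data center cannot work today; reuse across data
        # centers collides once anycast failover reroutes one of the tunnels.
        same_dc = len(set(dcs)) < len(dcs)
        kind = "credential-conflict" if same_dc else "credential-failover-risk"
        findings.append((kind, cred))
    if len(tunnels) > DEFAULT_TUNNEL_LIMIT:
        findings.append(("over-default-tunnel-limit", str(len(tunnels))))
    if len(tunnels) < tunnels_needed(target_mbps):
        findings.append(("insufficient-tunnels", str(tunnels_needed(target_mbps))))
    return sorted(findings)


# Constructed sample inventory; names, credential IDs and DC labels are placeholders.
SAMPLE_TUNNELS = [
    {"name": "branch1-t1", "credential_id": "cred-01", "dc": "dc-a", "mtu": 1350},
    {"name": "branch1-t2", "credential_id": "cred-01", "dc": "dc-a", "mtu": 1350},
    {"name": "branch2-t1", "credential_id": "cred-02", "dc": "dc-a", "mtu": 1400},
    {"name": "branch2-t2", "credential_id": "cred-02", "dc": "dc-b", "mtu": 1350},
]

if __name__ == "__main__":
    for finding in audit_tunnels(SAMPLE_TUNNELS, target_mbps=1200):
        print(finding)
```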

Network Tunnel and Secure Web Gateway

For web traffic sent through the Network Tunnel to the secure web gateway (SWG), we do not require that you exclude certain destinations.

If you choose to exclude traffic through the Network Tunnel, follow these general guidelines:

  • You cannot exclude a destination for the IPsec tunnel in the Umbrella dashboard. Instead, exclude a destination on the network device that establishes the IPsec tunnel to Umbrella.
  • You must not exclude traffic to ( in the Network Tunnel. You must route SAML traffic through the same path as the secure web gateway traffic.

Traffic sent through the IPsec tunnel to the secure web gateway functions in two modes: Transparent and Explicit.

Transparent Mode

The secure web gateway (SWG) transparent mode is the default mode. Umbrella transparently filters web traffic that crosses the IPsec tunnel.

Explicit Mode

  • In explicit mode, Umbrella does not require configuration changes to send traffic through the IPsec tunnel to the secure web gateway.
  • If you use a PAC file, you must host a copy of the PAC file downloaded from Umbrella on an internal web server. You cannot use the secure web gateway in explicit mode with Umbrella's hosted PAC file.
  • If you exclude the secure web gateway ingress destination range ( from the IPsec tunnel, you can choose not to send web traffic through the IPsec tunnel. As a result, traffic sent to the secure web gateway is not affected by the bandwidth of the IPsec tunnel.

Configure the IPsec tunnel to exclude secure web gateway traffic

  • On the network device, exclude the IP address range to the IPsec tunnel.
  • You must control web traffic with a PAC file, proxy chaining, or AnyConnect secure web gateway (SWG) security module.
  • If you configure web traffic with a PAC file, you must not bypass in the PAC file. Traffic configured with a PAC file must follow the same route as the secure web gateway traffic.
  • Umbrella only supports proxy chain traffic for Network deployments. You should not send proxy chain traffic through IPsec tunnels as features such as XFF are not supported.

Note: Umbrella sends SAML authentication requests to the domain through the secure web gateway using a PAC file or an on-premise proxy chaining configuration. For more information, see Manage Umbrella's PAC File and Manage Proxy Chaining.

Configuration Guides

We provide configuration guides for various network devices. For devices in which the setup is not documented, we cannot guarantee that the device can establish an IPsec tunnel to Umbrella.
