Add a Network Tunnel Group

To enable tunnel redundancy and high availability for IPsec tunnels connected to data center hubs, follow the steps to add a network tunnel group to Cisco Secure Access.

About Network Tunnel Groups

Provisioning high-availability network tunnel groups at a hub site allows a group of tunnels to share a primary and secondary hub. Network devices that are capable of establishing an IPsec tunnel can join a network tunnel group using the credentials created when the tunnel group is deployed.

Each data center hub in a network tunnel group can connect to multiple tunnels. A hub configured for NAT can support up to 100 tunnels. A hub that is not configured for NAT is limited to 10 tunnels.

  1. In Secure Access, configure the attributes of the tunnel group and deploy the tunnel group. Once the tunnel group is deployed, the initial state of the tunnel group changes from Unestablished to Inactive.
  2. Next, configure a tunnel in the network device that sends traffic to Secure Access. Use the deployed tunnel group's attributes to associate the network tunnel to the tunnel group. The network tunnel group attributes required by network devices to establish the IPsec IKEv2 tunnel are: tunnel ID, tunnel passphrase, and IP Address of the Secure Access data center.
  3. Enable user computers to connect securely to the tunnel and begin to send traffic to Secure Access. Once Secure Access receives and logs traffic from a network tunnel, the tunnel state is considered Active. View the events for the tunnel in the Secure Access Overview and Activity Search.

Prerequisites

  • Full Admin role in Secure Access. For more information, see Manage Accounts.

Procedure

Perform the following tasks to add a network tunnel group to Secure Access. Network tunnel groups work to enable tunnel redundancy and high availability for IPsec tunnels connected to data center hubs.

Step 1 - Configure General Settings

  1. Navigate to Connect > Network Connections > Network Tunnel Groups.
  2. Click Add.
  3. Enter the General Settings for your tunnel group:
    1. Give your tunnel group a meaningful name.
    2. Choose a Region.
    3. Choose a Device Type.
    4. Click Next.

Step 2 - Configure Tunnel ID and Passphrase

Configure the tunnel ID and passphrase that devices will use to connect to this tunnel group.

  1. Choose a Tunnel ID Format, either Email or IP Address.
    • If the choice is email, use the format @.sse.cisco.com. Use the name you gave the tunnel group in General Settings.
    • If the choice is IP address, include both a primary and secondary IP address.
  2. Enter a tunnel Passphrase between 16 and 64 characters in length. The passphrase must contain at least one upper case letter, one lower case letter, and one number. The passphrase cannot include any special characters.
  3. Reenter your passphrase to confirm.
  4. Click Next to continue.
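The passphrase policy in this step (16 to 64 characters, at least one upper-case letter, one lower-case letter and one digit, no special characters) is easy to get wrong when a passphrase is produced by a script or a secrets manager before it is pasted into Secure Access. The following Python is an added example, not code from Cisco or from this guide; it checks a candidate against exactly those rules and, as a convenience, generates a compliant passphrase from the operating system's CSPRNG. The function names and the sample passphrases are assumptions made for the example.

```python
import secrets
import string

# Policy as stated in Step 2: length 16-64, mixed case plus a digit, letters and digits only.
MIN_LEN, MAX_LEN = 16, 64
ALLOWED = string.ascii_letters + string.digits


def validate_tunnel_passphrase(passphrase: str) -> list[str]:
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters, got {len(passphrase)}")
    if not any(c.isupper() for c in passphrase):
        problems.append("needs at least one upper-case letter")
    if not any(c.islower() for c in passphrase):
        problems.append("needs at least one lower-case letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("needs at least one number")
    # Anything outside A-Z, a-z, 0-9 counts as a special character and is rejected.
    disallowed = sorted({c for c in passphrase if c not in ALLOWED})
    if disallowed:
        problems.append(f"special characters are not allowed: {''.join(disallowed)!r}")
    return problems


def generate_tunnel_passphrase(length: int = 32) -> str:
    """Generate a random passphrase that satisfies the policy (hypothetical helper, uses the OS CSPRNG)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALLOWED) for _ in range(length))
        # Retry until the random draw happens to satisfy the mixed-case-plus-digit rule.
        if not validate_tunnel_passphrase(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for sample in ("CorrectHorseBattery42", "Correct-Horse-Battery-42", "short1A"):
        print(sample, "->", validate_tunnel_passphrase(sample) or "OK")
    print("generated:", generate_tunnel_passphrase())
```

The generator's retry loop terminates quickly: with 62 allowed characters and a 32-character draw, the chance of missing an entire character class is negligible, so the expected number of attempts is close to one.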

Step 3 - Configure Routing Options

Configure the routing options for this network tunnel group.

  1. Check Enable NAT / Outbound only if you determine that the IP address space behind the tunnel group overlaps with other IP address spaces in your network.

    Note: When you enable NAT for outbound traffic, routing options are disabled and private applications hosted behind these tunnels are not accessible.

  2. Choose a Routing option for this network tunnel group.

    1. Choose Static routing to manually add IP address ranges for this tunnel group. You should add all public and private address ranges used internally by your organization.

      Note: Adding a default route in static routing is not supported and can lead to traffic disruptions.

    2. Choose Dynamic routing when you have a BGP peer for your on-premises router.

      Note: You'll need the router's autonomous system (AS) number to use dynamic routing.

  3. Optionally, expand Advanced Settings to select additional dynamic routing options.

    1. Check Multihop BGP to enable the ability for BGP peers to establish a connection (hop) when not directly connected.

      1. Enter the IP Ranges that support establishing the BGP peering sessions.

      2. (Optional) Enter the Hop count to limit the number of hops over which the BGP multihop session is established. The range is 1 to 254 hops. The hop count is disabled until IP addresses are entered, with a default value of 1.

        Note: The hop count equates to the TTL (Time to Live) parameter.

    2. Check Block route sharing between regions. By default, routes are shared across all network tunnel groups in your organization.

    3. Check Block default route advertisement to block the advertisement of the default route when in dynamic routing mode. Advertising default routes via BGP is not supported and can lead to traffic disruptions.

    4. Check Use tunnel group for internet backhaul to have Secure Access ...

  4. Click Save.
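Several of the routing choices above are constraints that a misconfiguration will only reveal after the tunnel is up: a default route in the static list, an overlapping address space that should have prompted Enable NAT / Outbound only, a hop count outside 1 to 254, or more tunnels than the hub supports (100 with NAT, 10 without). The following Python is an added example, not code from Cisco or from this guide; it models the routing settings from this step as a small record and checks a planned configuration against the limits stated on this page before anything is clicked in Secure Access. The dataclass, the function names and the sample networks are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Limits stated on this page: hub tunnel capacity and the BGP multihop hop-count range.
MAX_TUNNELS_NAT = 100
MAX_TUNNELS_NO_NAT = 10
HOP_COUNT_RANGE = range(1, 255)  # 1..254 inclusive


@dataclass
class TunnelGroupRouting:
    """Hypothetical record of the Step 3 choices for one network tunnel group."""
    nat_outbound_only: bool
    routing: str                                   # "static" or "dynamic"
    static_ranges: list[str] = field(default_factory=list)
    as_number: int | None = None                   # on-premises router AS, dynamic routing only
    multihop_ranges: list[str] = field(default_factory=list)
    hop_count: int | None = None
    planned_tunnels: int = 1


def find_overlaps(ranges: list[str], other_ranges: list[str]) -> list[tuple[str, str]]:
    """Return (range, other) pairs whose address space overlaps, same IP version only."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    others = [ipaddress.ip_network(r, strict=False) for r in other_ranges]
    return [(str(a), str(b)) for a in nets for b in others
            if a.version == b.version and a.overlaps(b)]


def check_routing(cfg: TunnelGroupRouting, other_ranges: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the configuration passes every check."""
    problems = []

    # Hub capacity depends on whether NAT is enabled for the tunnel group.
    limit = MAX_TUNNELS_NAT if cfg.nat_outbound_only else MAX_TUNNELS_NO_NAT
    if cfg.planned_tunnels > limit:
        problems.append(f"{cfg.planned_tunnels} tunnels exceeds the hub limit of {limit} "
                        f"({'NAT' if cfg.nat_outbound_only else 'no NAT'})")

    # With NAT / Outbound only, routing options are disabled and private apps are unreachable.
    if cfg.nat_outbound_only and (cfg.static_ranges or cfg.as_number is not None):
        problems.append("NAT / Outbound only disables routing options: static ranges and BGP "
                        "settings are ignored and private applications behind the tunnels are not accessible")

    if cfg.routing == "static":
        usable = []
        for r in cfg.static_ranges:
            net = ipaddress.ip_network(r, strict=False)
            if net.prefixlen == 0:
                problems.append(f"default route {r} is not supported in static routing")
            else:
                usable.append(str(net))
        # Overlap with the rest of the network is the stated reason to enable NAT.
        overlaps = find_overlaps(usable, other_ranges)
        if overlaps and not cfg.nat_outbound_only:
            pairs = ", ".join(f"{a} <-> {b}" for a, b in overlaps)
            problems.append(f"address space overlaps other ranges in the network ({pairs}); "
                            "consider Enable NAT / Outbound only")
    elif cfg.routing == "dynamic":
        if cfg.as_number is None:
            problems.append("dynamic routing requires the on-premises router's AS number")
        if cfg.hop_count is not None:
            if not cfg.multihop_ranges:
                problems.append("hop count requires Multihop BGP IP ranges to be entered first")
            if cfg.hop_count not in HOP_COUNT_RANGE:
                problems.append(f"hop count {cfg.hop_count} is outside the supported range 1-254")
    else:
        problems.append(f"unknown routing option {cfg.routing!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration: static routing with a default route and an overlap.
    sample = TunnelGroupRouting(nat_outbound_only=False, routing="static",
                                static_ranges=["10.10.0.0/16", "0.0.0.0/0"], planned_tunnels=12)
    for p in check_routing(sample, other_ranges=["10.10.5.0/24", "172.16.0.0/12"]):
        print("-", p)
```

Run the check against the ranges already in use elsewhere in the organization (`other_ranges`); any overlap it reports is the condition under which this page tells you to enable NAT / Outbound only, while a reported default route must be removed before the group is saved.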

Step 4 - Review Data for Tunnel Setup

The final step to adding a network tunnel group is to review the configuration data.

  1. On the Data for Tunnel Setup page, review the network tunnel information for completeness.

  2. Click the Download CSV button to save the setup information. You can use the information to configure and deploy a tunnel in a network device.
    Note: This is the only time that your passphrase is displayed.

What to do Next

Configure Tunnels on a Network Device

  1. Follow the steps in one of the network device guides to deploy an IPsec tunnel with Secure Access. For more information see Network Tunnel Configuration.

Verify Tunnel Traffic in Secure Access

After you add a tunnel to Cisco Secure Access and deploy a network tunnel with a compatible network device, check that Secure Access receives and logs traffic from the tunnel.

  1. Navigate to Overview and find your configured tunnel. Verify that the status of the tunnel is Active. For more information, see Secure Access Overview.
