Add a Network Tunnel Group
To enable tunnel redundancy and high availability for IPsec tunnels connected to data center hubs, follow the steps to add a network tunnel group to Cisco Secure Access.
Provisioning high-availability network tunnel groups at a hub site allows a group of tunnels to share a primary and secondary hub. Network devices that are capable of establishing an IPsec tunnel can join a network tunnel group using the credentials created when the tunnel group is deployed.
Each data center hub in a network tunnel group can connect to multiple tunnels. A hub configured for NAT can support up to 100 tunnels. A hub that is not configured for NAT is limited to 10 tunnels.
- In Secure Access, configure the attributes of the tunnel group and deploy the tunnel group. Once the tunnel group is deployed, the initial state of the tunnel group changes from Unestablished to Inactive.
- Next, configure a tunnel in the network device that sends traffic to Secure Access. Use the deployed tunnel group's attributes to associate the network tunnel to the tunnel group. The network tunnel group attributes required by network devices to establish the IPsec IKEv2 tunnel are: tunnel ID, tunnel passphrase, and IP Address of the Secure Access data center.
- Enable user computers to connect securely to the tunnel and begin to send traffic to Secure Access. Once Secure Access receives and logs traffic from a network tunnel, the tunnel state is considered Active. View the events for the tunnel in the Secure Access Overview and Activity Search.
Prerequisites
- Full Admin role in Secure Access. For more information, see Manage Accounts.
Procedure
Add a network tunnel in Secure Access for a device capable of establishing an IPsec IKEv2 tunnel.
- Navigate to Connect > Network Connections > Network Tunnel Groups.
- Click Add.
- Enter the General Settings for your tunnel group:
  - Give your tunnel group a meaningful name.
  - Choose a Region.
  - Choose a Device Type.
  - Click Next.
- Enter the Tunnel ID and Passphrase for your tunnel group:
  a. Choose a Tunnel ID Format, either Email or IP Address.
     - If the choice is email, use the format @.sse.cisco.com. Use the name you gave the tunnel group in General Settings.
     - If the choice is IP address, include both a primary and secondary IP address.
  b. Enter a Passphrase.
     - A tunnel passphrase is between 16 and 64 characters in length. The passphrase must contain at least one upper case letter, one lower case letter, and one number.
     - The passphrase cannot include any special characters.
  c. Reenter your passphrase.
  d. Click Next.
- Choose the type of Routing for your tunnel group.
  - Check Enable NAT / Outbound only if the IP address space behind the tunnel group overlaps with other IP address spaces in your network.
    Note: When you enable NAT for outbound traffic, routing options are disabled and private applications hosted behind these tunnels are not accessible.
  - Choose Static routing to manually add IP address ranges for this tunnel group. Add all public and private address ranges used internally by your organization.
    Note: Adding a default route in static routing is not supported and can lead to traffic disruptions.
  - Choose Dynamic routing when you have a BGP peer for your on-premises router.
    Note: You need the router's autonomous system (AS) number to use dynamic routing.
  - Optionally, expand Advanced Settings to block the advertisement of the default route in dynamic routing mode. Advertising default routes via BGP is not supported and can lead to traffic disruptions.
- Click Save.
- On the Data for Tunnel Setup page, review the network tunnel information for completeness. Click the Download CSV button to save the information you need to configure and deploy a tunnel in a network device.
  Note: This is the only time that your passphrase is displayed.
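The constraints stated in the Tunnel ID and Passphrase step and in the Routing step (passphrase length and character rules, no default route under static routing, routing options disabled when NAT / Outbound is enabled, an AS number required for dynamic routing, and the 100 / 10 tunnels-per-hub limits from the introduction) can be checked before you click Save and before the passphrase is shown for the only time. The following pre-deployment validator is an added example and is not part of this documentation or of Secure Access itself; the function names, the parameter shapes and the check that a static prefix has no host bits set are this example's own assumptions.

```python
import ipaddress
import re

# Passphrase rules as stated in the procedure: 16-64 characters, at least one
# upper case letter, one lower case letter and one number, no special characters.
PASSPHRASE_MIN = 16
PASSPHRASE_MAX = 64

# Tunnels per data center hub, from the introduction: 100 with NAT, 10 without.
MAX_TUNNELS_NAT = 100
MAX_TUNNELS_NO_NAT = 10


def check_passphrase(passphrase: str) -> list:
    """Return the list of rule violations; an empty list means the passphrase is acceptable."""
    problems = []
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        problems.append(f"length must be {PASSPHRASE_MIN}-{PASSPHRASE_MAX} characters, got {len(passphrase)}")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("missing an upper case letter")
    if not re.search(r"[a-z]", passphrase):
        problems.append("missing a lower case letter")
    if not re.search(r"[0-9]", passphrase):
        problems.append("missing a number")
    if re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("special characters are not allowed")
    return problems


def check_static_routes(routes: list) -> list:
    """Validate static-routing address ranges: each must be a CIDR prefix and none may be a default route."""
    problems = []
    for entry in routes:
        try:
            # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24);
            # treating that as an error is this example's assumption.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry!r}: not a valid CIDR prefix ({exc})")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            problems.append(f"{entry!r}: default routes are not supported in static routing")
    return problems


def check_tunnel_group(*, passphrase: str, nat_enabled: bool, routing=None,
                       static_routes=(), bgp_asn=None, tunnel_count: int = 0) -> list:
    """Combine the checks for one tunnel group. routing is None, "static" or "dynamic"."""
    problems = [f"passphrase: {p}" for p in check_passphrase(passphrase)]

    limit = MAX_TUNNELS_NAT if nat_enabled else MAX_TUNNELS_NO_NAT
    if tunnel_count > limit:
        problems.append(f"{tunnel_count} tunnels exceeds the per-hub limit of {limit} "
                        f"({'NAT' if nat_enabled else 'no NAT'})")

    if nat_enabled and routing is not None:
        # Enabling NAT / Outbound disables the routing options.
        problems.append("routing options are disabled when NAT / Outbound is enabled")
    elif routing == "static":
        if not static_routes:
            problems.append("static routing requires at least one address range")
        problems += [f"static route {p}" for p in check_static_routes(list(static_routes))]
    elif routing == "dynamic" and bgp_asn is None:
        problems.append("dynamic routing requires the on-premises router's AS number")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration, not real deployment data.
    for problem in check_tunnel_group(passphrase="Has-Special-Chars123", nat_enabled=False,
                                      routing="static", static_routes=["10.0.0.0/8", "0.0.0.0/0"],
                                      tunnel_count=12):
        print("problem:", problem)
```

Running the sample reports the special character in the passphrase, the default route and the tunnel count above the non-NAT limit, which are exactly the three items the procedure warns about.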
Configure Tunnel on Network Device
- Follow the steps in one of the network device guides to deploy an IPsec tunnel with Secure Access. For more information, see Network Tunnel Configuration.
Verify Tunnel Traffic in Secure Access
After you add a tunnel to Cisco Secure Access and deploy a network tunnel with a compatible network device, check that Secure Access receives and logs traffic from the tunnel.
- Navigate to Overview and find your configured tunnel. Verify that the status of the tunnel is Active. For more information, see Secure Access Overview.