Network Tunnel Configuration

You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from a network device deployed in your environment to Cisco Secure Access. IPsec tunnels created for Secure Access accept traffic on all ports and protocols with a throughput of 1GB.

Establish a Tunnel

You can establish an IPsec IKEv2 tunnel on a supported network device to the Secure Access head end of the tunnel. Use the tunnel passphrase credentials that you generated in Secure Access to configure the IPsec tunnel.

The network device tunnel configuration guides describe the steps to configure tunnels from a network device to Secure Access. The sample commands in these guides use the <secure_access_dc_ip> variable to represent the public IP address of the Secure Access data center.

Maximum Transmission Unit (MTU) Size

IPsec tunnels for Secure Internet Access must have an MTU no larger than 1280 bytes, with an MSS no larger than 1240 bytes. Fragmented packets in underlay or overlay are dropped. Slightly larger MTU and MSS may work depending on your specific IPsec configuration.

Tunnel Size

Secure Access supports the following tunnel size ranges:

  • The maximum concurrent load for a tunnel is 1 Gbps throughput in either direction.
  • There are no restrictions on throughput measured in packets per second.
  • There are no restrictions on the number of users per tunnel.

If you exceed the throughput limit, your tunnel may have degraded performance, including increased latency and packet loss.

Client Reachable Prefixes

Secure Access expects a private RFC 1918 address as the source IP for outbound packets. If you use non-RFC 1918 addresses, you can add them under Client Reachable Prefixes when configuring your tunnel. This overrides the default behavior, which allows all traffic destined for RFC 1918 addresses to return through the tunnel. For information about address allocation and private networks, see RFC 1918.

Secure Access supports the following options for client-reachable prefixes:

  • Static IP addresses, which must be globally unique in the customer org; i.e. no other network tunnel group can be configured with the same address.
  • BGP-based dynamic routing. BGP dynamic routing enables advertisement of self-service (private) network prefixes to physical network devices that support BGP such as routers, and removes the dependency on static routes.

Note: After updating client reachable prefixes for an established tunnel, wait at least five minutes, disconnect and shut down the tunnel for at least 10 seconds, and then reconnect the tunnel.
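Added example (not Cisco's code) that checks a planned prefix configuration against the two rules above: source prefixes outside RFC 1918 must be listed as client-reachable prefixes, and a static prefix must not be reused by another network tunnel group. The group names and prefixes in the sample plan are constructed.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# RFC 1918 private IPv4 blocks; return traffic for these uses the tunnel by default.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(prefix: str) -> bool:
    """True if the whole prefix lies inside one RFC 1918 block (IPv4 only)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)

def missing_client_reachable(source_prefixes: List[str], configured: List[str]) -> List[str]:
    """Non-RFC 1918 source prefixes that no configured client-reachable prefix covers;
    return traffic for these would not be routed back through the tunnel."""
    cfg = [ipaddress.ip_network(p, strict=False) for p in configured]
    missing = []
    for p in source_prefixes:
        if is_rfc1918(p):
            continue  # covered by the default behaviour
        net = ipaddress.ip_network(p, strict=False)
        if not any(c.version == net.version and net.subnet_of(c) for c in cfg):
            missing.append(p)
    return missing

def conflicting_prefixes(groups: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Static prefixes that overlap between two different tunnel groups, reported as
    (group_a, prefix_a, group_b, prefix_b). Any overlap counts, not only an exact duplicate,
    because a static address must be unique across the org."""
    conflicts = []
    for ga, gb in combinations(sorted(groups), 2):
        for pa in groups[ga]:
            for pb in groups[gb]:
                na = ipaddress.ip_network(pa, strict=False)
                nb = ipaddress.ip_network(pb, strict=False)
                if na.overlaps(nb):  # an IPv4 and an IPv6 prefix never overlap
                    conflicts.append((ga, pa, gb, pb))
    return conflicts

if __name__ == "__main__":
    # Constructed sample plan; group names and prefixes are hypothetical.
    plan = {"branch-a": ["10.1.0.0/16", "198.51.100.0/24"], "branch-b": ["10.1.5.0/24"]}
    print(conflicting_prefixes(plan))
    print(missing_client_reachable(["203.0.113.0/24", "10.1.0.0/16"], plan["branch-a"]))
```

Run it against the prefixes you intend to enter for each tunnel group before applying them; the note above about waiting, shutting down and reconnecting still applies after any change.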

Throughput and Multiple Tunnels

Each tunnel is limited to approximately 1 Gbps. To achieve higher throughput, you can establish multiple tunnels. If you set up multiple tunnels, we recommend that you divide the traffic between the tunnels either through load balancing with ECMP (Equal-cost multi-path routing) or by assigning traffic through policy-based routing. The number of supported ECMP tunnels is 10. For information about ECMP, see RFC 2991.

Note: To protect against a loss of connectivity, you should set up redundant tunnel head ends for a network tunnel group and monitor your IPsec tunnels. You will need to update the local routing on your network devices to send traffic to the secondary head end when the primary is unreachable.
