Network Tunnel Configuration
You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from a network device deployed in your environment to Cisco Secure Access. IPsec tunnels created for Secure Access accept traffic on all ports and protocols with a throughput of 1 Gbps.
Establish a Tunnel
You can establish an IPsec IKEv2 tunnel from a supported network device to the Secure Access head end of the tunnel. Use the tunnel passphrase credentials that you generated in Secure Access to configure the IPsec tunnel.
The tunnel configuration guides for each network device describe the steps to configure tunnels from that device to Secure Access. The sample commands in the guides use the <secure_access_dc_ip> variable to represent the public IP address of the Secure Access data center.
Maximum Transmission Unit (MTU) Size
The MTU determines the maximum packet size that can be sent over a network tunnel, so setting an optimal MTU for the tunnel is important. A suboptimal tunnel MTU results in significantly degraded performance for your users.
An optimal tunnel MTU is equal to or lower than the following key values:
- IPsec tunnels for Secure Access must have an MTU no larger than 1390 bytes.
- Secure Access automatically clamps the TCP MSS to 1350 bytes or below.
Tunnel Size
Secure Access supports the following tunnel size ranges:
- The maximum concurrent load for a tunnel is 1 Gbps throughput in either direction.
- There are no restrictions on throughput measured in packets per second.
- There are no restrictions on the number of users per tunnel.
If you exceed the throughput limit, your tunnel may have degraded performance, including increased latency and packet loss.
Client Reachable Prefixes
Secure Access expects a private RFC 1918 address as the source IP for outbound packets. If you use non-RFC 1918 addresses, you can add them under Client Reachable Prefixes when configuring your tunnel. This overrides the default behavior, which allows all traffic destined for RFC 1918 addresses to return through the tunnel. For information about address allocation and private networks, see RFC 1918.
Secure Access supports the following options for client-reachable prefixes:
- Static IP addresses, which must be globally unique in the customer org; i.e. no other network tunnel group can be configured with the same address.
- BGP-based dynamic routing. BGP dynamic routing enables advertisement of self-service (private) network prefixes to physical network devices that support BGP such as routers, and removes the dependency on static routes.
Note: After updating client reachable prefixes for an established tunnel, wait at least five minutes, disconnect and shut down the tunnel for at least 10 seconds, and then reconnect the tunnel.
Throughput and Multiple Tunnels
Each tunnel is limited to approximately 1 Gbps. To achieve higher throughput, you can establish multiple tunnels.
If you set up multiple tunnels:
- We recommend that you divide the traffic between the tunnels either through load balancing with ECMP (Equal-cost multi-path routing) or assigning traffic through policy-based routing.
- You can initiate multiple IPsec tunnels from the same device to increase the bandwidth (1 Gbps per tunnel); however, you cannot aggregate multiple tunnels from different devices in the same network tunnel group. Multiple tunnels in one network tunnel group must originate from the same network device.
- The number of supported ECMP tunnels is 10. For information about ECMP, see RFC 2991.
Note: To protect against a loss of connectivity, you should set up redundant tunnel headends for a network tunnel group and monitor your IPsec tunnels. You will need to update your local routing to send traffic to the secondary headend when the primary is unreachable.
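The limits described above (the 1390-byte MTU and 1350-byte MSS clamp, the Client Reachable Prefixes rule for non-RFC 1918 sources, the uniqueness of static prefixes across groups, the 10-tunnel ECMP limit and the single-device rule per group) can be checked before a tunnel plan is deployed. The following validator is an added example, not Cisco's code or API; the `TunnelGroup` structure and device identifiers are assumptions, and the MSS value is derived from the MTU assuming plain IPv4/TCP headers without options.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_TUNNEL_MTU = 1390      # IPsec tunnel MTU ceiling stated on the page
MAX_TCP_MSS = 1350         # Secure Access clamps TCP MSS to this or below
MAX_ECMP_TUNNELS = 10      # ECMP tunnels supported per network tunnel group
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def max_mss_for_mtu(mtu):
    # 20-byte IPv4 header + 20-byte TCP header, no options: 1390 -> 1350
    return mtu - 40

def covered(net, nets):
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def undeclared_non_rfc1918(source_prefixes, client_reachable):
    # RFC 1918 sources return through the tunnel by default; other sources must be declared
    declared = [ipaddress.ip_network(p, strict=False) for p in client_reachable]
    nets = [ipaddress.ip_network(p, strict=False) for p in source_prefixes]
    return [str(n) for n in nets if not covered(n, RFC1918) and not covered(n, declared)]

@dataclass
class TunnelGroup:               # assumed structure, not a Secure Access object
    name: str
    tunnel_devices: list         # originating device per tunnel (hypothetical IDs)
    mtu: int = MAX_TUNNEL_MTU
    mss: int = MAX_TCP_MSS
    client_reachable: list = field(default_factory=list)

def validate(groups):
    # Returns one message per violated limit; an empty list means the plan complies
    problems, owner = [], {}
    for g in groups:
        if g.mtu > MAX_TUNNEL_MTU:
            problems.append(f"{g.name}: MTU {g.mtu} exceeds {MAX_TUNNEL_MTU}")
        if g.mss > min(MAX_TCP_MSS, max_mss_for_mtu(g.mtu)):
            problems.append(f"{g.name}: MSS {g.mss} too large for MTU {g.mtu}")
        if len(set(g.tunnel_devices)) > 1:
            problems.append(f"{g.name}: all tunnels in a group must originate from one device")
        if len(g.tunnel_devices) > MAX_ECMP_TUNNELS:
            problems.append(f"{g.name}: {len(g.tunnel_devices)} tunnels exceeds ECMP limit {MAX_ECMP_TUNNELS}")
        for p in g.client_reachable:
            net = ipaddress.ip_network(p, strict=False)
            # Static prefixes must be unique across groups; any overlap is treated as a conflict here
            for other, grp in owner.items():
                if net.version == other.version and net.overlaps(other):
                    problems.append(f"{g.name}: {p} overlaps {other} already used by {grp}")
            owner[net] = g.name
    return problems
```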