Configure a SASE tunnel for Umbrella

Configure a SASE tunnel to establish secure connectivity between threat defense devices and Cisco Umbrella data centers for cloud-delivered security services.

SASE (Secure Access Service Edge) tunnels provide secure connections to Umbrella data centers, enabling cloud-based security functions. These tunnels use IKEv2 with pre-shared keys for authentication and static VTI interfaces for routing traffic.

Before you begin

Ensure that you review the prerequisites and guidelines in Prerequisites for configuring Umbrella SASE tunnels and Guidelines for configuring SASE tunnels on Umbrella.

Follow these steps to configure a SASE tunnel for Umbrella:

Procedure

Step 1

Choose Secure Connections > Site-to-Site VPN & SD-WAN, click +SASE Topology and enter a unique Topology Name.

Step 2

Pre-shared Key: This key is auto-generated according to the Umbrella PSK requirements. For a single topology, the pre-shared key is common for all threat defense spokes and Umbrella.

The device and Umbrella share this secret key, and IKEv2 uses it for authentication. If you want to configure this key, it must be between 16 and 64 characters in length, include at least one uppercase letter, one lowercase letter, one numeral, and have no special characters. Each topology must have a unique pre-shared key. If a topology has multiple tunnels, all the tunnels have the same pre-shared key.

Step 3

Choose a data center from the Umbrella Data center drop-down list. (Configure routing on the Firewall Threat Defense to ensure reachability of the umbrella DC from the Firewall Threat Defense.)

Step 4

Click Add to add a Firewall Threat Defense node.

  1. Choose a Firewall Threat Defense from the Device drop-down list.

    Only devices managed by the Cloud-Delivered Firewall Management Center appear in the list. For high availability pairs, the HA pair names appear in the endpoint list.

  2. Choose a static VTI interface from the VPN Interface drop-down list.

    To create a new static VTI interface, click Add add icon. The Add Virtual Tunnel Interface dialog box appears with the following pre-populated default configurations.

    • Tunnel Type is static.

    • Name is <tunnel_source interface logical name>+ static_vti +<tunnel ID>. For example, outside_static_vti_2.

    • Tunnel ID is auto-populated with a unique ID.

    • Tunnel Source Interface is auto-populated with an interface with an 'outside' prefix.

    • IPsec tunnel mode is IPv4.

    • IP address is from the 169.254.x.x/30 private IP address range.

  3. Enter a prefix for the local tunnel ID in the Local Tunnel ID field.

    The prefix can have a minimum of eight characters and a maximum of 100 characters. Umbrella generates the complete tunnel ID (<prefix>@<umbrella generated ID>-umbrella.com) after the management center deploys the tunnel on Umbrella. The management center then retrieves and updates the complete tunnel ID and deploys it on the threat defense device. Each tunnel has a unique local tunnel ID.

  4. Click Save to add the endpoint device to the topology.

    You can add multiple endpoints in a SASE topology.

Step 5

Click Next to view the summary of the Umbrella SASE tunnel configuration.

  • Endpoints pane: Displays the summary of the configured endpoints.

  • Encryption Settings pane: Displays the default IKEv2 policies and IKEv2 IPsec transform sets for the topology.

Step 6

Check the Deploy configuration on threat defense nodes check box to trigger deployment of the network tunnels to the threat defense. This deployment occurs after the tunnels are deployed on Umbrella. Local tunnel ID is required for the threat defense deployment.

Step 7

Click Save.

This action:

  1. Saves the topology in the management center.

  2. Triggers deployment of the network tunnels to the Umbrella.

  3. Triggers deployment of the network tunnels to the threat defense devices, if the option is enabled. This action commits and deploys all the updated configurations and policies, including non-VPN policies, since the last deployment on the device.

  4. Opens the Cisco Umbrella Configuration window and displays the status of the tunnel deployment on Umbrella. For more details, see View SASE tunnel status.

What to do next

For the interesting traffic intended to flow through the SASE tunnel, configure a PBR policy with a specific match criteria to send the traffic through the VTI interface.

Ensure that you configure a PBR policy for each endpoint of the SASE topology.