Configure Non SD-WAN Destination via Gateway

Configure a Non SD-WAN Destination via Gateway in Orchestrator to establish a secure IPSec tunnel to the Netskope portal through Gateway.

Ensure you have configured an IPsec tunnel in the Netskope NG SWG Portal. See Configure VPN Credentials on the Netskope Portal.

To configure a Non SD-WAN Destination via Gateway:

  1. Log in to Orchestrator to verify that the customer instances are present and that you have active Edges.
    Figure 1. Verifying the Customer Instance
  2. Select the link to a customer name to navigate to the Enterprise portal.
  3. In the Enterprise portal, select Configure > Network Services.
  4. In the Non SD-WAN Destinations via Gateway pane, select New to create a new Non SD-WAN Destination.
    Figure 2. Configuring a New Non SD-WAN Destination via Gateway
  5. In the New Non SD-WAN Destination via Gateway window, configure the following:
    Figure 3. Adding a New Non SD-WAN Destination via Gateway Parameters
    Table 1. New Non SD-WAN Destination via Gateway Option Descriptions
    • Name: Enter a descriptive name for the Non SD-WAN Destination.
    • Type: Select the type Generic IKEv2 Router (Route Based VPN).
    • Primary VPN Gateway: Enter the IP address of the Primary POP used to set up the VPN tunnel in the Netskope portal.
    • Secondary VPN Gateway: Enter the IP address of the Secondary POP used to set up the VPN tunnel in the Netskope portal.
  6. Select Next.
  7. In the next window, configure the following settings:
    Figure 4. Netskope Customer Tunnel
    Figure 5. Netskope Customer Tunnel - VPN Gateway 1
    Figure 6. Netskope Customer Tunnel - VPN Gateway 2
  8. The Name and Type of the Non SD-WAN Destination are displayed. Select Enable Tunnel(s) to activate the tunnel.
  9. Select Advanced to configure the other IPsec tunnel parameters for the Primary and Secondary VPN Gateways as follows:
    Table 2. IPsec Tunnel Option Descriptions
    • Encryption: Select the AES algorithm key from the drop-down list to encrypt data. If you do not want to encrypt the data, select Null. The default value is AES 128.
    • DH Group: Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging the pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. DH Group 14 is recommended.
    • PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. The default value is deactivated.
    • Hash: Select the authentication algorithm for the VPN header from the drop-down list. The available Secure Hash Algorithm (SHA) options are SHA 1, SHA 256, SHA 384, and SHA 512. The default value is SHA 256.
    • IKE SA Lifetime (min): Enter the IKE SA lifetime in minutes. Rekeying should be initiated for Edges before this time expires. The range is from 10 to 1440 minutes. The default value is 1440 minutes.
    • IPsec SA Lifetime (min): Enter the IPsec SA lifetime in minutes. Rekeying should be initiated for Edges before this time expires. The range is from 3 to 480 minutes. The default value is 480 minutes.
    • DPD Timeout Timer (sec): Enter the maximum time that the device waits for a response to a DPD message before considering the peer dead. The default value is 20 seconds. You can deactivate DPD by setting the DPD timeout timer to zero (0).
  10. Configure a Redundant VeloCloud Cloud VPN:
    1. Select the checkbox to establish the IPSEC tunnels from the Primary and Secondary Gateways.
  11. Configure Site Subnets:
    1. Add subnets for the Non SD-WAN Destination using the + icon. If you do not need subnets for the site, select Deactivate Site Subnets.
  12. Configure the Local Auth Id by selecting the local authentication type from the list and defining the format and identification of the local gateway.
    Select one of the following options:
    • Default – By default, the Interface Public IP address of the Gateway is used as the local authentication ID.
    • FQDN – The Fully Qualified Domain Name or hostname. For example, company.com.
    • User FQDN – The User Fully Qualified Domain Name in the form of an email address. For example, user@company.com.
    • IPv4 – The IP address used to communicate with the local gateway.
  13. Select Save Changes and close the window.
    The new Non SD-WAN Destination via Gateway is displayed in the Network Services window.
    Figure 7. Displaying the SD-WAN Destination
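The Advanced IPsec tunnel parameters in Table 2 are easy to get wrong in a way Orchestrator still accepts (for example, Null encryption, SHA 1, PFS left deactivated, or DPD set to zero). The following is an added review check, not part of the VMware or Netskope documentation: it encodes the allowed values and ranges stated in Table 2, flags out-of-range values as errors, and flags accepted-but-weak choices as warnings. The "hardened" parameter set and the warning text are this example's own assumptions about a sensible profile, not a vendor recommendation.

```python
from dataclasses import dataclass

# Allowed values and ranges as listed in Table 2 (Advanced IPsec tunnel parameters).
DH_GROUPS = {2, 5, 14, 15, 16}
PFS_LEVELS = {0, 2, 5, 14, 15, 16}          # 0 = PFS deactivated (the default)
HASHES = {"SHA 1", "SHA 256", "SHA 384", "SHA 512"}
IKE_SA_RANGE = (10, 1440)                   # minutes
IPSEC_SA_RANGE = (3, 480)                   # minutes

@dataclass
class TunnelParams:                         # defaults are the Table 2 defaults
    encryption: str = "AES 128"
    dh_group: int = 14
    pfs: int = 0
    hash: str = "SHA 256"
    ike_sa_lifetime: int = 1440
    ipsec_sa_lifetime: int = 480
    dpd_timeout: int = 20

def check_tunnel(p):
    """Return (errors, warnings): errors are values outside what Table 2 allows,
    warnings are accepted values that weaken the tunnel to the Netskope POP."""
    errors, warnings = [], []
    if p.encryption != "Null" and not p.encryption.startswith("AES"):
        errors.append(f"encryption {p.encryption!r}: only AES options or Null are offered")
    elif p.encryption == "Null":
        warnings.append("encryption Null: traffic to the POP is sent unencrypted")
    if p.dh_group not in DH_GROUPS:
        errors.append(f"DH group {p.dh_group}: supported groups are {sorted(DH_GROUPS)}")
    elif p.dh_group < 14:
        warnings.append(f"DH group {p.dh_group}: DH Group 14 is the recommended minimum")
    if p.pfs not in PFS_LEVELS:
        errors.append(f"PFS level {p.pfs}: supported levels are {sorted(PFS_LEVELS - {0})}")
    elif p.pfs == 0:
        warnings.append("PFS deactivated: a recovered IKE key exposes past IPsec traffic")
    if p.hash not in HASHES:
        errors.append(f"hash {p.hash!r}: choose one of {sorted(HASHES)}")
    elif p.hash == "SHA 1":
        warnings.append("hash SHA 1: prefer SHA 256 or stronger")
    for name, value, (lo, hi) in (("IKE SA lifetime", p.ike_sa_lifetime, IKE_SA_RANGE),
                                  ("IPsec SA lifetime", p.ipsec_sa_lifetime, IPSEC_SA_RANGE)):
        if not lo <= value <= hi:
            errors.append(f"{name} {value} min: range is {lo} to {hi} minutes")
    if p.dpd_timeout == 0:
        warnings.append("DPD deactivated: a dead POP is not detected by the Gateway")
    return errors, warnings

DEFAULTS = TunnelParams()                   # Table 2 defaults: accepted, but PFS is off
HARDENED = TunnelParams(pfs=14, ike_sa_lifetime=480, ipsec_sa_lifetime=60)  # assumed profile
```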

Configure a profile to use the new Non SD-WAN Destination via Gateway. See Configure Profile with Non SD-WAN Destination via Gateway.

Configure Profile with Non SD-WAN Destination via Gateway

Configure the profile to establish a VPN connection between a branch and a Non SD-WAN Destination via Gateway.

Ensure that you have created a Non SD-WAN Destination via Gateway with the required IPsec tunnel parameters. To create a Non SD-WAN Destination via Gateway, see Configure Non SD-WAN Destination via Gateway.

  1. In the Enterprise portal, select Configure > Profiles.
  2. Select Device for a profile, or select a profile and select the Device tab.
  3. In the Device tab, scroll down to the Cloud VPN section and set the slider to the ON position.
  4. To establish a VPN connection between a Branch and Non SD-WAN Destination via Gateway, select Enable under Branch to Non SD-WAN Destinations via Gateway.
    Figure 8. Enabling the VPN Connection
  5. Select a Non SD-WAN Destination via Gateway from the menu to establish the VPN connection. Select + to add more.
  6. Select Save Changes.

Create a Business Policy to route the traffic from the Non SD-WAN Destination tunnel to Netskope portal. See Create Business Policy for Non SD-WAN Destination.

Create Business Policy for Non SD-WAN Destination

After you establish a VPN connection between a branch and a Non SD-WAN Destination via Gateway, create a Business Policy to route the traffic from the Non SD-WAN Destination tunnel.

Ensure that you have established the VPN connection between branch and Non SD-WAN Destination via Gateway. See Configure Profile with Non SD-WAN Destination via Gateway.

  1. In the Enterprise portal, select Configure > Profiles.
  2. Select a profile from the list and select the Business Policy tab.
  3. Select New Rule or Actions > New Rule.
  4. Enter a name for the business rule.
    Figure 9. Business Rule Name
  5. In the Match area, select Define and choose Internet as the Destination.
    Figure 10. Destination > Internet
  6. Select the Application as Web.
  7. In the Action area, select Internet Backhaul as the Network Service, choose Non SD-WAN Destination via Gateway, and select the Non SD-WAN Destination service created with the Netskope tunnel parameters.
    Figure 11. Internet Backhaul
  8. Choose the other actions as required and select Create.

    The Business Policy redirects Internet-destined HTTP/HTTPS traffic to the Netskope POP through the IPSEC tunnel. The newly created policy is installed at the top of the list and is evaluated first.

    Figure 12. Displaying the Business Rule

    You can verify that the tunnel is online by monitoring the Network Services. See Monitor Non SD-WAN Destination via Gateway.

Monitor Non SD-WAN Destination via Gateway

You can monitor and verify the Non SD-WAN Destination Tunnel configuration using the Monitoring tab.

To monitor the Non SD-WAN Destination Tunnel configuration:

  1. In the Enterprise portal, select Monitor > Network Services.
  2. The Non SD-WAN Destination via Gateway section displays the configured Non SD-WAN Destination along with the status.
    Figure 13. Monitoring the Non SD-WAN Destination via Gateway