Set up IPsec tunnels

Internet Protocol Security (IPsec) is a suite of protocols developed by the Internet Engineering Task Force (IETF) that offer confidentiality, integrity, and authentication of data. IPsec allows secure communication between two hosts or network entities over an untrusted network. You can use IPsec to direct web traffic from your network to ‚ÄčSIA‚Äč Proxy for scanning. This method requires that you integrate your software-defined wide area network (SD-WAN) solution with ‚ÄčSIA‚Äč. With this integration in place, you can create IPsec tunnels that optimally and securely transport traffic from your branches to ‚ÄčSIA‚Äč.


To use IPsec as a fully proxy method, you must also enable ‚ÄčSIA‚Äč Proxy, set up the man-in-the-middle (MITM) CA certificate, and complete the steps that are required for the full web proxy. For more information, see About ‚ÄčSIA‚Äč Proxy and Enable full web proxy.


If your organization uses ‚ÄčSIA‚Äč Client, make sure you disable the client in policies that are associated with the IPsec tunnel locations.

For a list of cipher suites that ‚ÄčSIA‚Äč supports with IPsec, see Supported cipher suites for IPsec.

This graphic illustrates how your SD-WAN solution directs traffic to ‚ÄčSIA‚Äč Proxy.

In this graphic:

  1. An SD-WAN appliance forwards traffic from the organization‚Äôs branch. Traffic from branches that are configured as known locations in ‚ÄčSIA‚Äč are forwarded and accepted by ‚ÄčSIA‚Äč.

    The SD-WAN Orchestrator or the portal used to manage the SD-WAN solution is where an administrator configures the primary and secondary tunnels that send and receive traffic. The secondary tunnel serves as a backup tunnel in case of failure. An ‚ÄčSIA‚Äč administrator configures specific settings in ‚ÄčSIA‚Äč to establish communication with the IPsec tunnel.

  2. The IPsec tunnels that are created direct traffic to ‚ÄčSIA‚Äč Proxy.

  3. ‚ÄčSIA‚Äč Proxy inspects traffic and handles it based on ‚ÄčSIA‚Äč policy. If traffic is allowed, it is directed to the origin.

To configure an IPsec tunnel in a SD-WAN solution, you need this information:

  • Pre-Shared Key (PSK). A PSK is a random sequence of bytes that‚Äôs used for authentication between ‚ÄčSIA‚Äč and your SD-WAN solution. ‚ÄčSIA‚Äč and the SD-WAN solution exchange hash values to confirm identity and establish a secure channel. As part of the tunnel creation process, you provide the PSK in ‚ÄčSIA‚Äč and in the SD-WAN solution.

  • IKE Identifier. The Internet Key Exchange (IKE) Identifier is a unique ID for your organization. You configure this identifier in ‚ÄčSIA‚Äč and provide it in your SD-WAN solution. The IKE Identifier consists of a custom prefix that you configure and a predefined suffix that includes your ‚ÄčSIA‚Äč configuration ID.

  • IPsec Fully Qualified Domain Names. Depending on the SD-WAN solution, you‚Äôll need these FQDNs or the IP addresses that are associated with these FQDNs:


    These FQDNs or the IP addresses that resolve to them allow you to direct traffic from the SD-WAN to ‚ÄčSIA‚Äč Proxy.

IPsec Tunnel Activity report

‚ÄčSIA‚Äč includes an activity report that lets you review the traffic that‚Äôs directed from the branch to ‚ÄčSIA‚Äč Proxy. The report identifies the branch IP address, the IP address that‚Äôs associated with ‚ÄčSIA‚Äč Proxy, the IKE Identifier that‚Äôs used for the tunnel, the overall status of the tunnel as detected by ‚ÄčSIA‚Äč, and the total number of inbound and outbound traffic. For more information, see IPsec tunnel activity.