Set up IPsec tunnels

Internet Protocol Security (IPsec) is a suite of protocols developed by the Internet Engineering Task Force (IETF) that offers confidentiality, integrity, and authentication of data. IPsec allows secure communication between two hosts or network entities over an untrusted network. You can use IPsec to direct web traffic from your network to SIA Proxy for scanning. This method requires a supported SD-WAN solution or a supported router. With this integration in place, you can create IPsec tunnels that securely and efficiently transport traffic from your branches to SIA.

Note: To use IPsec as a full proxy method, you must also enable SIA Proxy, set up the man-in-the-middle (MITM) CA certificate, and complete the steps that are required for the full web proxy. For more information, see About SIA Proxy and Enable full web proxy.

Caution: If your organization uses SIA Client, make sure you disable the client in policies that are associated with the IPsec tunnel locations.

For a list of cipher suites that SIA supports with IPsec, see Supported cipher suites for IPsec.

This graphic illustrates how your SD-WAN solution or router directs traffic to SIA Proxy.

In this graphic:

  1. A supported SD-WAN appliance or router forwards traffic from the organization's branch. Traffic from branches that are configured as known locations in SIA is forwarded to and accepted by SIA.

    The SD-WAN Orchestrator, or the portal used to manage the SD-WAN solution, is where an administrator configures the primary and secondary tunnels that send and receive traffic. The secondary tunnel serves as a backup in case the primary tunnel fails. An SIA administrator configures the corresponding settings in SIA to establish communication over the IPsec tunnel.

  2. The IPsec tunnels that are created direct traffic to SIA Proxy.

  3. SIA Proxy inspects the traffic and handles it according to SIA policy. If the traffic is allowed, it is directed to the origin.

To configure an IPsec tunnel, you need this information:

  • Pre-Shared Key (PSK). A PSK is a random sequence of bytes that's used for authentication between SIA and your SD-WAN solution. SIA and the SD-WAN solution exchange hash values to confirm identity and establish a secure channel. As part of the tunnel creation process, you provide the same PSK in SIA and in the SD-WAN solution.

  • IKE Identifier. The Internet Key Exchange (IKE) Identifier is a unique ID for your organization. You configure this identifier in SIA and provide it in your SD-WAN solution. The IKE Identifier consists of a custom prefix that you configure and a predefined suffix that includes your SIA configuration ID.

  • IPsec Fully Qualified Domain Names. Depending on the SD-WAN solution, you'll need these FQDNs or the IP addresses that they resolve to:

    • primary.ipsec.akaetp.net

    • secondary.ipsec.akaetp.net

      These FQDNs, or the IP addresses that they resolve to, are the endpoints to which the SD-WAN directs traffic for SIA Proxy.

Note: If your locations are identified by a static IP address, you configure IPsec credentials in Connection Credentials in Enterprise Center (Clients & Connectors > Connection Credentials). If you identify locations by IKE ID, you configure the IPsec credentials when you create a location. For more information, see Configure IPsec credentials in SIA.
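As an added pre-flight check (example code written for this page, not SIA's or any SD-WAN vendor's tooling), the following Python assembles the three items listed above and flags the usual setup mistakes: a PSK that is not an adequately long random byte string, an IKE ID whose suffix does not carry the configuration ID, and IPsec FQDNs that do not resolve or that resolve to the same addresses, leaving no real backup. The 32-byte PSK policy, the IKE ID suffix string and the injected resolver are assumptions, not SIA's published rules.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List

PRIMARY_FQDN = "primary.ipsec.akaetp.net"      # FQDN given on this page
SECONDARY_FQDN = "secondary.ipsec.akaetp.net"  # FQDN given on this page
MIN_PSK_BYTES = 32  # assumed local policy: 256 bits of randomness per tunnel PSK

def generate_psk(n_bytes: int = MIN_PSK_BYTES) -> str:
    """Random PSK, base64-encoded so one string can be pasted into SIA and the SD-WAN portal."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode()

def psk_digest(psk: str) -> str:
    """Digest to compare between the two sides; the PSK itself is never passed around."""
    return hashlib.sha256(psk.encode()).hexdigest()

def psks_match(sia_side: str, sdwan_side: str) -> bool:
    """Constant-time comparison so a mismatch leaks nothing about either key."""
    return hmac.compare_digest(psk_digest(sia_side), psk_digest(sdwan_side))

@dataclass
class TunnelPlan:
    ike_id: str
    primary_ips: List[str]
    secondary_ips: List[str]
    problems: List[str] = field(default_factory=list)

def build_tunnel_plan(ike_prefix: str, ike_suffix: str, config_id: str, psk: str,
                      resolver: Callable[[str], List[str]]) -> TunnelPlan:
    """Assemble the inputs SIA asks for; resolver(fqdn) -> IPs is injected so this runs offline."""
    plan = TunnelPlan(ike_prefix + ike_suffix, resolver(PRIMARY_FQDN), resolver(SECONDARY_FQDN))
    if not ike_prefix:
        plan.problems.append("IKE ID prefix is empty")
    if config_id not in ike_suffix:
        plan.problems.append("IKE ID suffix does not carry the SIA configuration ID")
    try:  # the PSK is random bytes; reject anything too short to be one
        if len(base64.b64decode(psk, validate=True)) < MIN_PSK_BYTES:
            plan.problems.append(f"PSK shorter than {MIN_PSK_BYTES} random bytes")
    except (binascii.Error, ValueError):
        plan.problems.append("PSK is not valid base64")
    if not plan.primary_ips or not plan.secondary_ips:
        plan.problems.append("an IPsec FQDN did not resolve")
    elif set(plan.primary_ips) == set(plan.secondary_ips):
        plan.problems.append("primary and secondary resolve to the same addresses: no real backup")
    return plan
```

Run it with a real resolver (for example one wrapping `socket.getaddrinfo`) once the constructed data has been swapped out; an empty `problems` list means the three inputs are consistent before you touch either portal.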

IPsec Tunnel Activity report

SIA includes an activity report that lets you review the traffic that's directed from the branch to SIA Proxy. The report identifies the branch IP address, the IP address that's associated with SIA Proxy, the IKE Identifier that's used for the tunnel, the overall status of the tunnel as detected by SIA, and the total volume of inbound and outbound traffic. For more information, see IPsec tunnel activity.