Set up IPsec tunnels
Internet Protocol Security (IPsec) is a suite of protocols developed by the Internet Engineering Task Force (IETF) that offers confidentiality, integrity, and authentication of data. IPsec allows secure communication between two hosts or network entities over an untrusted network. You can use IPsec to direct web traffic from your network to SIA Proxy for scanning. This method requires that you use a supported SD-WAN solution or a supported router. With this integration in place, you can create IPsec tunnels that optimally and securely transport traffic from your branches to SIA.
To use IPsec as a full proxy method, you must also enable SIA Proxy, set up the man-in-the-middle (MITM) CA certificate, and complete the steps that are required for the full web proxy. For more information, see About SIA Proxy and Enable full web proxy.
If your organization uses SIA Client, make sure you disable the client in policies that are associated with the IPsec tunnel locations.
For a list of cipher suites that SIA supports with IPsec, see Supported cipher suites for IPsec.
This graphic illustrates how your SD-WAN solution or router directs traffic to SIA Proxy.
In this graphic:
- A supported SD-WAN appliance or router forwards traffic from the organization’s branch. Traffic from branches that are configured as known locations in SIA is forwarded to and accepted by SIA.
  The SD-WAN Orchestrator or the portal used to manage the SD-WAN solution is where an administrator configures the primary and secondary tunnels that send and receive traffic. The secondary tunnel serves as a backup tunnel in case of failure. An SIA administrator configures specific settings in SIA to establish communication with the IPsec tunnel.
- The IPsec tunnels that are created direct traffic to SIA Proxy.
- SIA Proxy inspects traffic and handles it based on SIA policy. If traffic is allowed, it is directed to the origin.
To configure an IPsec tunnel, you need this information:
- Pre-Shared Key (PSK). A PSK is a random sequence of bytes that’s used for authentication between SIA and your SD-WAN solution. SIA and the SD-WAN solution exchange hash values to confirm identity and establish a secure channel. As part of the tunnel creation process, you provide the PSK in SIA and in the SD-WAN solution.
- IKE Identifier. The Internet Key Exchange (IKE) Identifier is a unique ID for your organization. You configure this identifier in SIA and provide it in your SD-WAN solution. The IKE Identifier consists of a custom prefix that you configure and a predefined suffix that includes your SIA configuration ID.
- IPsec Fully Qualified Domain Names. Depending on the SD-WAN solution, you’ll need these FQDNs or the IP addresses that are associated with these FQDNs:
  - primary.ipsec.akaetp.net
  - secondary.ipsec.akaetp.net
  These FQDNs or the IP addresses that resolve to them allow you to direct traffic from the SD-WAN to SIA Proxy.
- If your locations are configured with a static IP address, you configure IPsec credentials in the Connection Credentials of Enterprise Center (Clients & Connectors > Connection Credentials). If you identify locations with the IKE ID, you configure your IPsec credentials when you create a location. For more information, see Configure IPsec credentials in SIA.
IPsec Tunnel Activity report
SIA includes an activity report that lets you review the traffic that’s directed from the branch to SIA Proxy. The report identifies the branch IP address, the IP address that’s associated with SIA Proxy, the IKE Identifier that’s used for the tunnel, the overall status of the tunnel as detected by SIA, and the total amount of inbound and outbound traffic. For more information, see IPsec tunnel activity.
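As an added example that is not part of this documentation or of SIA itself, the following Python groups tunnel-activity style records per branch and classifies each branch's primary/secondary pair: healthy while the primary is up, failover when only the backup tunnel is up, and outage when neither is. It also flags a missing tunnel role and IKE Identifiers that differ between a branch's two tunnels. The record fields (`branch_ip`, `proxy_ip`, `ike_id`, `role`, `status`, `bytes_in`, `bytes_out`), the sample values, and the `assess_branches` / `branches_needing_attention` functions are all assumptions made for this example; the actual columns and export format of the SIA report are not shown on this page.

```python
# Added example, not part of the SIA documentation: group tunnel-activity
# style records by branch and classify each branch's primary/secondary
# tunnel pair. The record fields used here are an assumed shape for
# illustration, not the actual columns of the SIA IPsec tunnel activity report.
from collections import defaultdict

# Constructed sample records. Addresses are documentation ranges (RFC 5737)
# and the IKE identifiers are placeholders, not real SIA values.
SAMPLE_RECORDS = [
    # Branch A: primary up and carrying traffic, secondary idle -> healthy
    {"branch_ip": "203.0.113.10", "proxy_ip": "192.0.2.1", "ike_id": "example-org-PLACEHOLDER",
     "role": "primary", "status": "up", "bytes_in": 120_000, "bytes_out": 80_000},
    {"branch_ip": "203.0.113.10", "proxy_ip": "192.0.2.2", "ike_id": "example-org-PLACEHOLDER",
     "role": "secondary", "status": "up", "bytes_in": 0, "bytes_out": 0},
    # Branch B: primary down, secondary carrying traffic -> failover
    {"branch_ip": "203.0.113.20", "proxy_ip": "192.0.2.1", "ike_id": "example-org-PLACEHOLDER",
     "role": "primary", "status": "down", "bytes_in": 0, "bytes_out": 0},
    {"branch_ip": "203.0.113.20", "proxy_ip": "192.0.2.2", "ike_id": "example-org-PLACEHOLDER",
     "role": "secondary", "status": "up", "bytes_in": 50_000, "bytes_out": 30_000},
    # Branch C: both tunnels down -> outage; the IKE identifiers also disagree
    {"branch_ip": "203.0.113.30", "proxy_ip": "192.0.2.1", "ike_id": "example-org-PLACEHOLDER",
     "role": "primary", "status": "down", "bytes_in": 0, "bytes_out": 0},
    {"branch_ip": "203.0.113.30", "proxy_ip": "192.0.2.2", "ike_id": "example-org-OLD-PLACEHOLDER",
     "role": "secondary", "status": "down", "bytes_in": 0, "bytes_out": 0},
]


def assess_branches(records):
    """Return {branch_ip: {"state": ..., "total_bytes": ..., "warnings": [...]}}.

    state is "healthy" when the primary tunnel is up, "failover" when only the
    secondary is up (the backup path is in use and worth an alert), and
    "outage" when neither tunnel is up. Warnings flag a missing tunnel role and
    IKE identifiers that differ between a branch's tunnels, which usually
    points at a credential configured differently on one side.
    """
    by_branch = defaultdict(dict)
    for rec in records:
        by_branch[rec["branch_ip"]][rec["role"]] = rec

    summary = {}
    for branch, tunnels in sorted(by_branch.items()):
        warnings = []
        for role in ("primary", "secondary"):
            if role not in tunnels:
                warnings.append(f"no {role} tunnel reported")
        ike_ids = {t["ike_id"] for t in tunnels.values()}
        if len(ike_ids) > 1:
            warnings.append("IKE identifier differs between tunnels: "
                            + ", ".join(sorted(ike_ids)))

        up_roles = {role for role, t in tunnels.items() if t["status"] == "up"}
        if "primary" in up_roles:
            state = "healthy"
        elif "secondary" in up_roles:
            state = "failover"
        else:
            state = "outage"

        total = sum(t["bytes_in"] + t["bytes_out"] for t in tunnels.values())
        summary[branch] = {"state": state, "total_bytes": total, "warnings": warnings}
    return summary


def branches_needing_attention(records):
    """Branch IPs whose state is not healthy or that carry any warning."""
    return [b for b, s in assess_branches(records).items()
            if s["state"] != "healthy" or s["warnings"]]


if __name__ == "__main__":
    for branch, s in assess_branches(SAMPLE_RECORDS).items():
        print(f"{branch}: {s['state']:8} bytes={s['total_bytes']} warnings={s['warnings']}")
```

Run against the constructed records, branch A is healthy, branch B is in failover (traffic has moved to the secondary tunnel, which is the case to alert on before the backup path also fails), and branch C is an outage with an additional IKE identifier mismatch warning.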
Updated over 1 year ago