Set up IPsec tunnels

Your organization can use IP Security (IPsec) tunnels to direct web traffic to the proxy for scanning. This method of configuring the full proxy requires that you integrate your software-defined wide area network (SD-WAN) solution with ETP. With this integration in place, you can create IPsec tunnels that optimally and securely transport traffic from your branches to ETP.

📘

To use IPsec as a fully proxy method, you must also enable ETP Proxy, set up the man-in-the-middle (MITM) CA certificate, and complete the steps that are required for the full web proxy. For more information, see About ETP Proxy and Enable full web proxy.

This graphic illustrates how your SD-WAN solution directs traffic to ETP Proxy.

In this graphic:

  1. An SD-WAN appliance forwards traffic from the organization’s branch. Traffic from branches that are configured as known locations in ETP are forwarded and accepted by ETP.

    The SD-WAN Orchestrator or the portal used to manage the SD-WAN solution is where an administrator configures the primary and secondary tunnels that send and receive traffic. The secondary tunnel serves as a backup tunnel in case of failure. An ETP administrator configures specific settings in ETP to establish communication with the IPsec tunnel.

  2. The IPsec tunnels that are created direct traffic to ETP Proxy.

  3. ETP Proxy inspects traffic and handles it based on ETP policy. If traffic is allowed, it is directed to the origin.

📘

This feature is currently in beta. To participate in the beta, contact your ​Akamai​ representative.

To configure an IPsec tunnel in a SD-WAN solution, you need this information:

  • Pre-Shared Key (PSK). A PSK is a random sequence of bytes that’s used for authentication between ETP and your SD-WAN solution. ETP and the SD-WAN solution exchange hash values to confirm identity and establish a secure channel. As part of the tunnel creation process, you provide the PSK in ETP and in the SD-WAN solution.

  • IKE Identifier. The Internet Key Exchange (IKE) Identifier is a unique ID for your organization. You configure this identifier in ETP and provide it in your SD-WAN solution. The IKE Identifier consists of a custom prefix that you configure and a predefined suffix that includes your ETP configuration ID.

  • IPsec Fully Qualified Domain Names. Depending on the SD-WAN solution, you’ll need these FQDNs or the IP addresses that are associated with these FQDNs:

    • primary.ipsec.akaetp.net
    • secondary.ipsec.akaetp.net

    These FQDNs or the IP addresses that resolve to them allow you to direct traffic from the SD-WAN to ETP Proxy.

IPsec Tunnel Activity report

ETP includes an activity report that lets you review the traffic that’s directed from the branch to ETP Proxy. The report identifies the branch IP address, the IP address that’s associated with ETP Proxy, the IKE Identifier that’s used for the tunnel, the overall status of the tunnel as detected by ETP, and the total number of inbound and outbound traffic. For more information, see IPsec tunnel activity.


Did this page help you?