Establish the IPsec tunnel using Virtual Tunnel Interfaces (VTI).
Before you begin
Create an IKEv2 profile, a transform set and two access-lists.
This technique relies on policy-based routing (PBR) over VTI interfaces and on dummy subnets that are used to force web traffic into the appropriate tunnel interface. Each dummy subnet must be at least a /30, which provides two usable host addresses: one is assigned to the VTI interface and the other is used as the next hop in the policy-based routing configuration to represent the Forcepoint ONE SSE data center. Because a VTI is a point-to-point interface, a packet policy-routed to that second address is simply encapsulated and sent into the tunnel; no host needs to answer on it. For example, assume that 192.168.254.0/30 and 192.168.254.4/30 are two unused /30 blocks within your internal address plan. This allows the following addressing to be used on the ISR:
- dummy_subnet1_ip1 — 192.168.254.1
- dummy_subnet1_ip2 — 192.168.254.2
- dummy_subnet2_ip1 — 192.168.254.5
- dummy_subnet2_ip2 — 192.168.254.6
Steps
-
Create an IPsec profile and associate the transform set and IKEv2 profile that you created.
-
Enter an IPsec profile name for the IPsec tunnels:
crypto ipsec profile <IPsec profile Name>
-
Enter the transform set you defined for the IPsec tunnels:
set transform-set <Transform Set Name>
-
Enter the IKEv2 profile name you configured for the IPsec tunnels:
set ikev2-profile <IKEv2 Profile Name>
-
Create primary tunnel interface, configure the tunnel source and destination IP addresses, and associate the IPsec profile:
-
Create your primary tunnel interface with an ID:
interface <Primary Tunnel Interface>
-
Enter a local IP address and subnet mask for the interface (the first usable address of the first dummy /30):
ip address <dummy_subnet1_ip1> 255.255.255.252
-
Set the tunnel source, that is the public egress interface (or its IP address) of the edge device:
tunnel source <public_egress_IP>
-
Define the tunnel mode. A VTI carries IPsec directly rather than GRE, so set the mode to IPsec over IPv4:
tunnel mode ipsec ipv4
-
Set the tunnel destination to the IP address of the primary data center, which you can find in the Tunnel Setup Info dialog:
tunnel destination <Primary_destination_address>
-
Enter the profile name you configured for the IPsec tunnels:
tunnel protection ipsec profile <IPsec Profile Name>
-
Create secondary tunnel interface, configure the tunnel source and destination IP addresses, and associate the IPsec profile:
-
Create your secondary tunnel interface with a different ID:
interface <Secondary Tunnel Interface>
-
Enter a local IP address and subnet mask for the interface (the first usable address of the second dummy /30):
ip address <dummy_subnet2_ip1> 255.255.255.252
-
Set the tunnel source, that is the public egress interface (or its IP address) of the edge device:
tunnel source <public_egress_IP>
-
Define the tunnel mode. As with the primary tunnel, a VTI requires IPsec over IPv4:
tunnel mode ipsec ipv4
-
Set the tunnel destination to the IP address of the secondary data center, which you can find in the Tunnel Setup Info dialog:
tunnel destination <Secondary_destination_address>
-
Enter the profile name you configured for the IPsec tunnels:
tunnel protection ipsec profile <IPsec Profile Name>
-
Create a route map that matches the access-list you created and sets the tunnel next hops.
-
Define a route map to match traffic against:
route-map <Route Map Name> permit 10
-
Assign the access-list to the route map you created:
match ip address <access_list_number>
-
Set the IP next hop to the second address of each dummy subnet, primary tunnel first. IOS uses the first next hop whose interface is up; because a static VTI reports line protocol down until its IPsec SA is established, traffic falls back to the secondary tunnel when the primary tunnel is down:
set ip next-hop <dummy_subnet1_ip2> <dummy_subnet2_ip2>
-
Associate the route map with the incoming (LAN-facing) interface:
interface <incoming_interface>
ip policy route-map <Route Map Name>
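The following is an added, complete Cisco IOS configuration that applies the steps above to the two dummy /30 blocks from "Before you begin". It is an example written for this page, not Forcepoint's or Cisco's own configuration. The IKEv2 profile and transform-set names (FP1-IKEV2, FP1-TS), the interface names (GigabitEthernet0/0/0 for the public egress, GigabitEthernet0/0/1 for the LAN), the LAN prefix 10.10.0.0/16, and the data-center addresses (TEST-NET-3 placeholders, to be replaced with the values from the Tunnel Setup Info dialog) are all assumptions; the access-list is constructed for the example.

```cisco
! Added example configuration; names marked (assumed) are placeholders for this page.
!
! Assumed to exist already, per "Before you begin":
!   crypto ikev2 profile FP1-IKEV2          (assumed name)
!   crypto ipsec transform-set FP1-TS ...   (assumed name)
!
! Constructed access-list: web traffic from the LAN that should be steered into the tunnels.
access-list 101 remark Web traffic to steer into the Forcepoint ONE SSE tunnels (constructed example)
access-list 101 permit tcp 10.10.0.0 0.0.255.255 any eq 80
access-list 101 permit tcp 10.10.0.0 0.0.255.255 any eq 443
!
! Step 1: IPsec profile binding the transform set and IKEv2 profile.
crypto ipsec profile FP1-IPSEC-PROFILE
 set transform-set FP1-TS
 set ikev2-profile FP1-IKEV2
!
! Step 2: primary VTI on dummy subnet 192.168.254.0/30.
! 192.168.254.1 is the interface address; 192.168.254.2 is the PBR next hop.
interface Tunnel100
 description Forcepoint ONE SSE primary data center
 ip address 192.168.254.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile FP1-IPSEC-PROFILE
!
! Step 3: secondary VTI on dummy subnet 192.168.254.4/30.
! 192.168.254.5 is the interface address; 192.168.254.6 is the PBR next hop.
interface Tunnel101
 description Forcepoint ONE SSE secondary data center
 ip address 192.168.254.5 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile FP1-IPSEC-PROFILE
!
! Step 4: route map. Next hops are the second address of each /30, primary first;
! IOS uses the first next hop whose connected interface is up.
route-map FP1-PBR permit 10
 match ip address 101
 set ip next-hop 192.168.254.2 192.168.254.6
!
! Step 5: apply policy routing on the LAN-facing interface (assumed name).
interface GigabitEthernet0/0/1
 description Inside LAN
 ip policy route-map FP1-PBR
```

To verify, check that both IKEv2 and IPsec SAs are up with `show crypto ikev2 sa` and `show crypto ipsec sa`, that `show interfaces Tunnel100` reports line protocol up (a static VTI stays down until its IPsec SA is established), and that `show route-map FP1-PBR` shows the policy-routing match counters increasing as web clients browse. Failover can be tested by shutting Tunnel100 and confirming that the counters continue to increase while traffic exits Tunnel101. Two practical notes that are not part of the page's procedure: the dummy /30s must not overlap any real prefix, since PBR sends anything sent to those addresses into the tunnels; and because ESP adds overhead, many deployments also add `ip tcp adjust-mss` on the tunnel interfaces to avoid fragmentation of large HTTPS segments.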