Configure the Nuage Networks Remote Network

Configure the remote network between the Nuage Networks SD-WAN and Prisma Access by completing the following workflows:

Set up the Remote Network Tunnel in Prisma Access

Complete the following task to configure the remote network connection as a site-to-site IPSec tunnel.
    1. Enter a Site Name and select a Prisma Access Location that is close to the remote network location that you want to onboard.
    2. Select the IPSec Termination Node to use for the remote network.
  1. Configure the primary tunnel.
    1. Set Up the primary tunnel.
      When configuring the tunnel, use the validated settings.
    2. Specify a name for the IPSec Tunnel and click Create New.
    3. Enter a Tunnel Name.
    4. Set the Branch Device Type to Other Devices.
    5. Set the Authentication type to Pre-Shared Key and then enter the Pre-Shared Key and Confirm Pre-Shared Key.
    6. Specify how the peers will identify each other.
      • Set the IKE Local Identification IKE Peer Identification User FQDN (email address)
        Make note of the values that you use for the Peer Identification and the Pre-Shared Key; you must match these settings for the Nuage Networks side of the connection in step 6 when you Set Up the Remote Network Tunnel in Nuage Networks.
    7. Enable IKE Passive Mode.
  2. In the Proxy ID section, add a default route for all local and remote prefixes.
    Creating this route ensures that all prefixes in the VPN use this IPSec tunnel.
  3. Select IPSec Advanced Options and Create New to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
    Make sure you use IPSec crypto settings that are supported with Prisma Access and Nuage Networks SD-WAN.
  4. Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel.
    Make sure you enable IKE NAT Traversal. The Nuage Network Services Gateway (NSG) initiates the IKE negotiation, and NAT traversal allows the negotiation to occur even if the Nuage Networks side is behind NAT. Refer to the IKE crypto settings that are supported with Nuage for the rest of the settings and make a note of the values you use.
  5. Save the tunnel configuration.
  6. Push your configuration changes.
    1. Return to Service Setup > Remote Networks and select Push Config.
    2. Select Remote Networks.
    3. Push your changes.
  7. Find the IP address used on the Prisma Access side of the IPSec tunnel.
    1. Go to Service Setup > Remote Networks and make a note of the Service IP.
      You use this IP address as the peer address when you set up the IPSec tunnel on the Meraki SD-WAN.
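
The values noted during this procedure (peer identification, pre-shared key, crypto profiles) must be repeated exactly on the Nuage Networks side. The following check is an added example, not part of the vendor documentation; the field names and all sample values are hypothetical and constructed for illustration.

```python
import re

# user@domain form used for User FQDN / RFC 822 identifiers.
RFC822_ID = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_tunnel_match(prisma, nuage):
    """Compare the values noted on each side; return a list of problems."""
    problems = []
    if not RFC822_ID.match(prisma["ike_peer_id"]):
        problems.append("peer identification is not in user@domain form")
    if prisma["ike_peer_id"] != nuage["nsg_identifier"]:
        problems.append("peer identification differs from NSG identifier")
    # Report only that the keys differ; never echo key material into output.
    if prisma["psk"] != nuage["psk"]:
        problems.append("pre-shared key differs")
    for profile in ("ike_crypto", "ipsec_crypto"):
        for field, value in prisma[profile].items():
            other = nuage[profile].get(field)
            if other != value:
                problems.append(f"{profile}.{field}: {value!r} vs {other!r}")
    for flag in ("ike_passive_mode", "ike_nat_traversal"):
        if not prisma.get(flag):
            problems.append(f"{flag} is not enabled on the Prisma Access side")
    return problems

# Constructed sample values (hypothetical field names, not an export format).
CRYPTO = {"encryption": "aes-256-cbc", "hash": "sha256", "dh_group": "group14"}
PRISMA = {
    "ike_peer_id": "nsg-branch1@example.com",
    "psk": "constructed-sample-key",
    "ike_crypto": dict(CRYPTO),
    "ipsec_crypto": dict(CRYPTO),
    "ike_passive_mode": True,
    "ike_nat_traversal": True,
}
NUAGE = {
    "nsg_identifier": "nsg-branch1@example.com",
    "psk": "constructed-sample-key",
    "ike_crypto": dict(CRYPTO),
    "ipsec_crypto": dict(CRYPTO, hash="sha1"),  # deliberate mismatch
}

if __name__ == "__main__":
    for problem in check_tunnel_match(PRISMA, NUAGE):
        print("MISMATCH:", problem)
```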

Set Up the Remote Network Tunnel in Nuage Networks

After you configure the remote network tunnel in Prisma Access, configure the tunnel in Nuage Networks by completing the following task.
Note that Dead Peer Detection (DPD) is only configured in Nuage Networks. No DPD configuration is required in Prisma Access because the NSG is the DPD initiator and Prisma Access can only reply to requests.
  1. In your organization, create the Gateway using the Nuage Networks IKE gateway object.
    In the IP Address field, enter the Service IP address that you retrieved after you completed the setup of the remote network tunnel in Prisma Access (Step 8).
  2. Define the remote subnet for which traffic will be sent to the gateway.
    The IKE gateway connection uses the underlay breakout mechanism as shown in the following diagram:
    All traffic to Prisma Access is through the underlay. If you enable underlay, and if the remote subnet associated with Prisma Access matches the destination IP in the customer packet, then the Nuage Networks SD-WAN sends the packet to Prisma Access. If the destination IP does not match, the SD-WAN sends the packet to internet breakout using underlay breakout and port address translation (PAT) rules.
  3. Specify a default route to the gateway so that the network sends all internet traffic to Prisma Access.
  4. Create an IKE encryption profile.
    This profile must match the values that you specified in the Prisma Access IPSec configuration.
  5. Create an IKE gateway profile.
    1. Enter a for the gateway profile.
    2. Select Check anti-replay.
    3. Select the Service class.
    4. Select the Encryption Profile, using the settings you created for Prisma Access.
    The example in the following screenshot uses one pre-shared key per connection, which means that the IKE Gateway profile won't use a pre-shared key object, and the Authentication Method field is empty.
  6. Associate the remote network connection with the NSG uplink port.
    You associate the remote network connection with the Nuage Networks NSG at the uplink VLAN level. This association contains an NSG identifier in RFC 822 format and includes the pre-shared key that is used for the connection.
  7. Check the status of the tunnel connection by entering the following command.
    A status of indicates that the connection is successful.
    A:vsc1# tools vswitch command "nuage-nsg-ike-cli show tunnel-status-summary"
    -------------------------------------------------------------------------------
    Gateway Name     Local IP     Remote IP     Phase1     Phase2
    -------------------------------------------------------------------------------
    paloalto                                    up         up
    -------------------------------------------------------------------------------
  8. Next steps: Learn how Nuage Networks monitors the remote network, and troubleshoot the Nuage Networks remote network connection to Prisma Access, if required.
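
The status summary from step 7 can be checked automatically, for example from a monitoring job that captures the command output. This parser is an added example, not part of the vendor documentation; it assumes gateway names contain no spaces and treats `up` in both phase columns, as in the output above, as the healthy state, while the extra rows and the `down` value are constructed.

```python
# Constructed sample in the layout shown on this page. The branch-b and
# branch-c rows (documentation-range addresses, "down" state) are invented.
SAMPLE = '''\
A:vsc1# tools vswitch command "nuage-nsg-ike-cli show tunnel-status-summary"
-------------------------------------------------------------------------------
Gateway Name     Local IP       Remote IP      Phase1   Phase2
-------------------------------------------------------------------------------
paloalto                                       up       up
branch-b         192.0.2.10     203.0.113.7    up       down
branch-c         192.0.2.11     203.0.113.9    down     down
-------------------------------------------------------------------------------
'''

def parse_tunnel_summary(text):
    """Return {gateway: (phase1, phase2)} from the summary table."""
    tunnels = {}
    in_body = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or dashed separator
        if stripped.startswith("Gateway Name"):
            in_body = True  # rows after the header are tunnel entries
            continue
        if not in_body:
            continue  # skips the echoed command line
        fields = stripped.split()
        # The address columns can be blank (as in the page's output), so take
        # the name from the left and the two phase states from the right.
        if len(fields) < 3:
            continue
        tunnels[fields[0]] = (fields[-2].lower(), fields[-1].lower())
    return tunnels

def unhealthy(tunnels):
    """Gateways where Phase1 or Phase2 is anything other than 'up'."""
    return sorted(g for g, state in tunnels.items() if state != ("up", "up"))

if __name__ == "__main__":
    for name in unhealthy(parse_tunnel_summary(SAMPLE)):
        print("tunnel not fully established:", name)
```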
