Configure the Viptela Remote Network
Configure the remote network between the Viptela
SD-WAN and Prisma Access by completing the steps in the following workflows:
Create a Remote Network Configuration in Prisma Access
You can configure the IPSec tunnel in Prisma
Access before you perform the IPSec tunnel configuration in Viptela.
Before
you start, get the IP address of the Viptela SD-WAN device that
you will be using as the other side of the remote network connection;
you enter this information in your
IKE Gateway
profile.- Follow the steps to Connect a Remote Network Site to Prisma Access (Cloud Management).
- Choose aPrisma Access Locationthat is close to the remote network location that you want to onboard.
- When creating the IPSec tunnel, use aBranch Device TypeofOther Devices.
- SelectIPSec Advanced OptionsandCreate Newto create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
- SelectIKE Advanced OptionsandCreate Newto create a new IKE cryptographic profile for the remote network tunnel.Be sure to use crypto values that are supported with Viptela and make a note of the values you use.
- Set up routing for the remote network.Set UpRouting andAddthe IP subnets for Static Routing.Choose Static Routing andAdda subnet. A /30 subnet is sufficient for a Viptela-Prisma Access SD-WAN integration, because you need only two IP addresses for this configuration:
- 10.10.10.1, which you specified as the IP address for the ge0/4 interface.
- 10.10.10.2, for which you specify a default route when you configure the remote network connection in Viptela.
- Push your configuration changes.
- Return to and select .
- SelectRemote Networks.
- Pushyour changes.
- Make a note of theService IPof the Prisma Access side of the tunnel. To find this address in Cloud Managed Prisma Access, select , click theRemote Networks. Look for theService IPfield corresponding to the remote network configuration you created.
- Complete configuration of the IPSec tunnel.
- Return to the IPSec tunnel configuration.
- ChangeLocal IdentificationtoIP addressand add theService IPyou just retrieved (13.1.1.1 in this example).Be sure to make a note of theService IP; you configure this as the peer IP address for the IPSec tunnel between the Viptela SD-WAN device and Prisma Access.
Create a Remote Network Connection in Viptela
Use the following steps to configure the IPSec
tunnel in Viptela. The examples in this section use command-line
interface (CLI) commands.
This configuration completes the
remote network connection between Prisma Access and the Viptela
SD-WAN. The following figure shows what you define in the Viptela
side:
- On the LAN side of the Viptela SD-WAN device, create a ge0/0 interface with an IP address of 10.50.50.1. This matches the IP address you specified when you configured theIKE Gatewayin Prisma Access.The Viptela SD-WAN performs NAT on the source IP address for the LAN (73.146.228.139).
- On the remote network tunnel (WAN) side, create an interface namedipsec2with a type, slot, and port of ge0/4 whose IP address is 10.10.10.1/30.This address must be within the subnet range you specified for theBranch IP Subnetwhen you onboarded your remote network in Prisma Access. In this example, the administrator specified aBranch IP Subnetof 10.10.10.0/30 in Prisma Access, and you use the other available IP address (10.10.10.1/30) on the Viptela side of the remote network connection.
- Specify atunnel-destinationIP address that matches the Prisma AccessService IP. This example uses13.1.1.1.
- Specify aloopbackIP address that Prisma Access can use for tunnel monitoring.In this example, the administrator configured aloopback100interface with an IP address of 10.1.50.1/32. This value matches theTunnel MonitorDestination IPaddress you specified in theIPSec Tunnelconfiguration that you configured in Prisma Access.
- Open a CLI session with the Viptela SD-WAN device and enter the following commands to define the control plane for the Viptela Overlay Management Protocol (OMP).The following commands enable a graceful restart for the OMP and advertise static and connected routes.omp no shutdown graceful-restart advertise connected advertise static
- Define the security types for the IPSec tunnel.The following commands enable the AH-SHA1 HMAC and ESP HMAC-SHA1 authentication types.security ipsec authentication-type sha1-hmac ah-sha1-hmac
- Configure VPNs to segment the Viptela overlay network.The following commands create a VPNVPN 0namedTransport VPNand associates thege0/4interface with this VPN. You use this interface and VPN for the Viptela SD-WAN side of the remote network tunnel (IPSec tunnel) between Viptela and Prisma Access.vpn 0 name "Transport VPN" interface ge0/4 ip dhcp-client tunnel-interface encapsulation ipsec color biz-internet allow-service all no allow-service bgp allow-service dhcp allow-service dns allow-service icmp no allow-service sshd no allow-service netconf no allow-service ntp no allow-service ospf no allow-service stun
- Enter theno shutdowncommand to enable thege0/4interface.
- Create another VPN namedVPN 1, associate thege0/0interface with this VPN, then define parameters for it.The following example defines the parameters to allow the Viptela SD-WAN to route traffic from the LAN to its ge0/0 interface.vpn 1 interface ge0/0 ip address 10.50.50.1/24 no shutdown dhcp-server address-pool 10.50.50.0/24 exclude 10.50.50.1 offer-time 600 lease-time 86400 admin-state up options default-gateway 10.50.50.1 dns-servers 8.8.8.8 8.8.4.4
- Create an interface namedipsec2and apply it to thege0/4interface. These commands define the parameters for the remote network tunnel between the Viptela SD-WAN and Prisma Access.Enter the following values:
- Enter anip addressto allow the Viptela SD-WAN to route traffic to Prisma Access.This address must be within the subnet range you specified for theBranch Subnetwhen you onboarded your remote network in Prisma Access. A /30 address is sufficient to allow routing to Prisma Access.
- Specify the sametunnel-source-interfacethat you used forVPN 0(ge0/4in this example).
- Specify atunnel-destinationusing theService IPfrom Prisma Access. This example uses13.1.1.1as theService IP.
- Make sure that theikeandipsecparameters that you specify match the parameters you specified in Prisma Access.
- Enter apre-shared-secretthat matches thePre-shared key(PSK) that you entered in Prisma Access. This example uses a PSK ofsecretkey.
interface ipsec2 ip address 10.10.10.1/30 tunnel-source-interface ge0/4 tunnel-destination 13.1.1.1 ike version 1 mode main rekey 14400 cipher-suite aes128-cbc-sha1 group 2 authentication-type pre-shared-key pre-shared-secret secretkey ! ! ! ipsec rekey 3600 replay-window 512 cipher-suite aes256-cbc-sha1 - Enter theno shutdowncommand on the ipsec2 interface to enable it.
- Create a loopback interface to be used for tunnel monitoring.interface loopback100 ip address 10.1.50.1/32 no shutdown
- Create a default route for the network.This route uses the second IP address (10.10.10.2in this example) of the /30 subnet you used when you onboarded your remote network in Prisma Access. The Viptela side of the network can route to this IP address and uses it as a next hop for routing.ip route 0.0.0.0/0 10.10.10.2
- Enter a VPN and give it a name.vpn 512 name "Transport VPN"
- Apply policies for the network.policy app-visibility flow-visibility
