Configure the Nuage Networks Remote Network

Configure the remote network between the Nuage Networks SD-WAN and Prisma Access by completing the following workflows:

Set up the Remote Network Tunnel in Prisma Access

Complete the following task to configure the remote network connection as a site-to-site IPSec tunnel.
  1. Select
    Network Profiles
    IKE Crypto
    an IKE crypto profile for the IPSec tunnel.
    Make sure you have specified the
    before starting this task.
  2. Give the profile a name and specify IKE settings.
    Make a note of these settings; you specify the same settings when you create the IPSec tunnel in the Nuage Networks SD-WAN.
  3. Select
    Network Profiles
    IPSec Crypto
    a new IPSec crypto profile.
  4. Specify a name for the profile and specify IPSec crypto parameters.
    Make a note of these parameters; you specify these same parameters when you configure the Nuage Networks side of the remote network tunnel in a later task.
  5. Select
    Network Profiles
    IKE Gateways
    a new IKE gateway.
  6. Specify a
    Peer IP Address Type
    , and
    , and specify a
    Peer Identification
    that will be synchronized with the Nuage Networks configuration.
    Make note of the of the
    User FQDN (email address)
    that you use for the
    Peer Identification
    and the
    Pre-Shared key
    you use; you must match these settings for the Nuage Networks side of the connection in 6 when you Set Up the Remote Network Tunnel in Nuage Networks.
  7. Click the
    Advanced Options
    tab and make sure that
    Enable Passive Mode
    Enable NAT Traversal
    are selected.
    The Nuage Network Services Gateway (NSG) initiates the IKE negotiation, and allows the negotiation to occur even if Nuage Networks side is behind NAT.
  8. Select
    IPSec Tunnels
    an IPSec tunnel.
  9. Select the
    IKE Gateway
    IPSec Crypto Profile
    you created earlier in this task.
  10. Select the
    Proxy IDs
    tab and create a default route for all local and remote prefixes.
    Creating this route ensures that all prefixes in the VPN use this IPSec tunnel.
    1. Select
      Cloud Services
      Remote Networks
      the connection.
    2. Enter a
      , select the
      , and select the
      IPSec Tunnel
      you specified in a previous step, and specify a route to the Nuage Networks SD-WAN.
      You cannot change the name of this tunnel after you create it.
      This example specifies a
      Static Route
      to the Nuage Networks SD-WAN with an IP address of
  11. Commit the configuration changes to Panorama and push the configuration out to Prisma Access for remote networks.
    1. Click
      Commit to Panorama
    2. Click
      Commit and Push
      . Click
      Edit Selections
      Prisma Access
      , and select both Prisma Access for remote networks and Prisma Access for service setup to push the configuration out to the service.
    3. Click
      , then click
      Commit and Push
      Prisma Access displays a success page after the commit succeeds.
  12. Make a note of the
    Service IP address
    of the Prisma Access side of the tunnel. To find this address in Panorama, select
    Cloud Services
    Network Details
    , click the
    Remote Networks
    radio button, and find the address in the
    Service IP Address

Set Up the Remote Network Tunnel in Nuage Networks

After you configure the remote network tunnel in Prisma Access, configure the tunnel in Nuage Networks by completing the following task.
Note that Dead Peer Detection (DPD) is only configured in Nuage Networks. No DPD configuration is required in Prisma Access because the NSG is the DPD initiator and Prisma Access can only reply to requests.
  1. In your organization, create the Gateway using the Nuage Networks IKE gateway object.
    In the
    IP Address
    field, enter the
    Service IP address
    that you retrieved after you completed the setup of the remote network tunnel in Prisma Access (Step 13.
  2. Define the remote subnet for which traffic will be sent to the gateway.
    The IKE gateway connection uses the underlay breakout mechanism as shown in the following diagram:
    All traffic to Prisma Access is through the underlay. If you enable underlay, and if the remote subnet associated with Prisma Access matches the destination IP in the customer packet, then the Nuage Networks SD-WAN sends the packet to Prisma Access. If the destination IP does not match, the SD-WAN sends the packet to internet breakout using underlay breakout and port address translation (PAT) rules.
  3. Specify a default route to the gateway so that the network sends all internet traffic to Prisma Access.
  4. Create an IKE encryption profile.
    This profile must match the values that you specified in the Prisma Access IPSec configuration.
  5. Create an IKE gateway profile.
    1. Enter a
      for the gateway profile.
    2. Select
      Check anti-replay
    3. Select the
      Service class
    4. Select the
      Encryption Profile
      , using the settings you created for Prisma Access.
    The example in the following screenshot uses one pre-shared key per connection, which means that the IKE Gateway profile won't use a pre-shared key object, and the
    Authentication Method
    field is empty.
  6. Associate the remote network connection with the NSG uplink port.
    You associate the remote network connection with the Nuage Networks NSG at the uplink VLAN level. This association contains an NSG identifier in RFC 822 format and includes the pre-shared key that is used for the connection.
  7. Check the status of the tunnel connection by entering the following command.
    A status of
    indicates that the connection is successful.
    A:vsc1# tools vswitch command "nuage-nsg-ike-cli show tunnel-status-summary" ------------------------------------------------------------------------------- Gateway Name Local IP Remote IP Phase1 Phase2 ------------------------------------------------------------------------------- paloalto up up -------------------------------------------------------------------------------
  8. Next steps: Learn how Nuage Networks monitors the remote network, and troubleshoot the Nuage Networks remote network connection to Prisma Access, if required.

Recommended For You