Deploy a SASE Tunnel on Umbrella

Cisco Umbrella is Cisco's cloud-based Secure Internet Gateway (SIG) platform that provides multiple levels of defense against internet-based threats. Umbrella integrates secure web gateway, DNS-layer security, and cloud access security broker (CASB) functionality to protect your systems against threats.

You can establish an IPsec IKEv2 tunnel from a threat defense device to Umbrella using the management center. This tunnel forwards all internet-bound traffic to the Umbrella SIG for inspection and filtering. This solution provides centralized security management so that network administrators don’t have to separately manage the security settings of each branch.

To configure and deploy Umbrella tunnels directly from a threat defense device, you create a SASE topology using a simple wizard. A SASE topology is a new type of site-to-site VPN topology that supports:

  • Static VTI-based site-to-site VPN.

  • Hub and spoke topology, where Umbrella is the hub and the managed threat defense devices are the spokes.

  • Pre-shared key based authentication.

  • Threat Defense deployed in HA mode.

  • Multi-instance: In a multi-instance deployment, you can integrate only one Umbrella account.

For high availability, you can configure two tunnels from a threat defense device and use the second tunnel as the backup tunnel. Ensure that you configure different local tunnel IDs for each tunnel.

For ease of configuration, the management center configures the default IPsec and IKEv2 policies.

Default IKEv2 policy configuration:

  • Integrity Algorithm: NULL (AES-GCM-256 is an AEAD cipher that authenticates as well as encrypts, so no separate IKEv2 integrity algorithm is needed)

  • Encryption Algorithm: AES-GCM-256

  • PRF Algorithm: SHA-256

  • DH Group: 19, 20

Default IKEv2 IPsec policy configuration:

  • ESP Hash: SHA-256

  • ESP Encryption: AES-GCM-256
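As an added example that is not part of the Cisco documentation, the following Python checker parses an IKEv2 policy and IPsec proposal and verifies them against the defaults listed above, including the rule that NULL integrity is acceptable only with an AEAD cipher such as AES-GCM. The sample configuration is constructed for this example, and its ASA-style CLI syntax (`crypto ikev2 policy`, `crypto ipsec ikev2 ipsec-proposal`) is an assumption about how the deployed policy is printed.

```python
"""Check an IKEv2/IPsec crypto config against the Umbrella SASE tunnel defaults
above.  Sample config is constructed; ASA-style CLI syntax is an assumption."""

# AEAD ciphers authenticate as well as encrypt, so an IKEv2 policy using one
# legitimately carries no separate integrity algorithm ("null").
AEAD_CIPHERS = {"aes-gcm", "aes-gcm-192", "aes-gcm-256"}

# Defaults the management center pushes for a SASE topology (from the text).
EXPECTED_IKEV2 = {"encryption": "aes-gcm-256", "integrity": "null",
                  "prf": "sha256", "group": "19 20"}
EXPECTED_IPSEC = {"encryption": "aes-gcm-256", "integrity": "sha-256"}

SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 19 20
 prf sha256
crypto ipsec ikev2 ipsec-proposal UMBRELLA-SIG
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
"""

def parse_crypto(text):
    """Return {"ikev2": {...}, "ipsec": {...}} from the indented CLI blocks."""
    sections, current = {"ikev2": {}, "ipsec": {}}, None
    for line in text.splitlines():
        if line.startswith("crypto ikev2 policy"):
            current = "ikev2"
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            current = "ipsec"
        elif line.startswith(" ") and current:
            words = line.split()
            if words[0] == "protocol":  # "protocol esp encryption X" -> "encryption X"
                words = words[2:]
            sections[current][words[0]] = " ".join(words[1:])
    return sections

def check_policy(text, want_ike=EXPECTED_IKEV2, want_esp=EXPECTED_IPSEC):
    """Return a list of findings; an empty list means the config matches."""
    cfg, findings = parse_crypto(text), []
    ike, esp = cfg["ikev2"], cfg["ipsec"]
    # NULL integrity is only acceptable when the cipher itself is AEAD.
    if ike.get("integrity") == "null" and ike.get("encryption") not in AEAD_CIPHERS:
        findings.append("IKEv2: NULL integrity paired with a non-AEAD cipher")
    for section, got, want in (("IKEv2", ike, want_ike), ("IPsec", esp, want_esp)):
        for key, value in want.items():
            if got.get(key) != value:
                findings.append(f"{section} {key}: got {got.get(key)!r}, expected {value!r}")
    return findings
```

Run `check_policy` over the output of your own device's crypto configuration to confirm the deployed tunnel still matches the documented defaults after changes.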