Set Up an IPSec Tunnel (Tunnel Mode) (Strata Cloud Manager)
Focus
Focus
Network Security

Set Up an IPSec Tunnel (Tunnel Mode) (Strata Cloud Manager)

Table of Contents


Set Up an IPSec Tunnel (Tunnel Mode) (Strata Cloud Manager)

Set up a Strata Cloud Manager Managed Prisma Access IPSec tunnel for your service connection or a remote network site.
Use the following steps to set up an IPSec tunnel for your service connection or a remote network site.
The first tunnel you create is the primary tunnel for the service connection or a remote network site. You can then repeat this workflow to optionally set up a secondary tunnel. When both tunnels are up, the primary tunnel takes priority over the secondary tunnel. If the primary tunnel for a service connection or a remote network site goes down, the connection falls back to the secondary tunnel until the primary tunnel comes back up.
Based on the IPSec device you use to establish the tunnel for your service connection or a remote network site, Prisma Access provides built-in, recommended IKE and IPSec security settings. You can use the recommended settings to get started quickly, or customize them as needed for your environment.

Add Primary and Secondary IPSec VPN Tunnels

  1. For a service connection, go to SettingsPrisma Access SetupService Connections and Set Up the primary tunnel. For a remote network site, go to SettingsPrisma Access SetupRemote Networks and Set Up the primary tunnel. If you’ve already set up a primary tunnel, you can continue here to also add a secondary tunnel.
    1. Give the tunnel a descriptive Name.
    2. Select the Branch Device Type for the IPSec device at the HQ/DC (for a service connection) or at the remote network site that you’re using to establish the tunnel with Prisma Access.
    3. For the Branch Device IP Address, choose to use either a Static IP address that identifies the tunnel endpoint or a Dynamic IP address.
      (For a service connection) If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the HQ/DC (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate.
      Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the service connection is fully deployed, you would typically want to set the IKE ID for the HQ/DC (IKE Local Identification) rather than the Prisma Access IKE ID.
      (For a remote network site) If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the remote network site (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate.
      Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the remote network is fully deployed, you would typically want to set the IKE ID for the remote network site (IKE Local Identification) rather than the Prisma Access IKE ID.
  2. Turn on Tunnel Monitoring.
    Enter a Tunnel Monitoring Destination IP address on the HQ/DC network for Prisma Access to use determine whether the tunnel is up and, if your IPSec device uses policy-based VPN, enter the associated Proxy ID.
    The tunnel monitoring IP address you enter is automatically added to the list of branch subnetworks.
  3. Save the tunnel settings.
    To continue: