Define the Feature Template
- Log into the Cisco Catalyst SD-WAN Manager console and navigate to Configuration > Templates.
- Confirm that the Feature Templates tab is selected, then click Add Template.
- Choose the device for which you are creating the template.
- Under VPN, click Cisco Secure Internet Gateway (SIG).
- Under Select Services, select the device types, then choose VPN Interface IPSec WAN.
- Configure Tunnel Parameters:
  - Choose a template name and description for the Tunnel interface.
  - Under Basic Configuration, set Shutdown to the Global option and choose NO.
  - Choose the Interface Name from 1 to 255. For example, ipsec1.
  - Configure the IPv4 address by selecting the Global attribute and setting the IP.
  - Set the IPSec Source Interface to ge0/0. This must be the WAN interface in VPN 0, which has the internet connectivity.
  - Set the IPSec Destination to the closest data center.
  - Dead Peer Detection Value: leave this at the default setting unless you have a specific requirement otherwise.
- Choose the Global Attribute to change any IKE and IPSec defaults:
IKE Settings
- Set the IKE Version to 2.
- Set the IKE Rekey Interval to 28800.
- Leave the default Cipher Suite, which is AES-256-CBC-SHA1.
- Set the IKE DH Group to 14 2048-bit Modulus.
IPsec Settings
- Leave the IPsec Rekey Interval & Replay Window values at their defaults.
- Use the default Cipher Suite
AES 256 GCM
. - Set the Perfect Forward Secrecy value to "NONE".
Cipher Suite EncryptionIf performance is an issue with the default cipher, both
AES 256 CBC SHA1
andNull SHA1
are also supported. You can test these to determine whether one offers better performance for a particular platform. Note thatNull SHA1
isn't necessarily faster than the defaultAES 256 GCM
because of the cost of the SHA1 hashing. In addition,Null SHA1
is not recommended due to security concerns of unencrypted transport. - Click Update to save the configuration template.
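As an added example (not Cisco's own tooling), the following audit checks a tunnel template's IKE/IPsec values against the settings documented above and flags the Null SHA1 suite, whose traffic is authenticated but not encrypted. The flat dictionary layout and key names are an assumption mirroring the UI field names, not the SD-WAN Manager's template schema.

```python
# Added example (not Cisco's tooling): audit the IKE/IPsec values of a VPN
# Interface IPSec template against the settings documented on this page.
# The dictionary layout and key names are an assumption that mirrors the
# UI field names, not the SD-WAN Manager's actual template schema.
# Values this page specifies for the tunnel template.
EXPECTED = {
    "ike_version": 2,
    "ike_rekey_interval": 28800,
    "ike_dh_group": 14,
    "ipsec_cipher_suite": "AES 256 GCM",
    "ipsec_pfs": "NONE",
}
# IPsec suites the page lists as supported; Null SHA1 authenticates
# packets but does not encrypt them, so it is flagged separately.
SUPPORTED_IPSEC = {"AES 256 GCM", "AES 256 CBC SHA1", "Null SHA1"}
UNENCRYPTED = {"Null SHA1"}


def audit_tunnel_params(params):
    """Return (severity, message) findings; an empty list means compliant."""
    findings = []
    ike_ver = params.get("ike_version")
    if ike_ver != EXPECTED["ike_version"]:
        findings.append(("high", f"IKE version {ike_ver}; page specifies IKEv2"))
    dh = params.get("ike_dh_group", 0)
    if dh < EXPECTED["ike_dh_group"]:
        findings.append(("high", f"IKE DH group {dh} is weaker than group 14 (2048-bit)"))
    if params.get("ike_rekey_interval") != EXPECTED["ike_rekey_interval"]:
        findings.append(("low", "IKE rekey interval differs from the documented 28800"))
    suite = params.get("ipsec_cipher_suite")
    if suite in UNENCRYPTED:
        findings.append(("high", f"IPsec suite {suite} sends tunnel payload unencrypted"))
    elif suite not in SUPPORTED_IPSEC:
        findings.append(("medium", f"IPsec suite {suite!r} is not a listed suite"))
    if params.get("ipsec_pfs") != EXPECTED["ipsec_pfs"]:
        findings.append(("info", "PFS setting differs from the documented value"))
    return findings


# Constructed sample templates for demonstration (not real device data).
DOCUMENTED_TEMPLATE = {"ike_version": 2, "ike_rekey_interval": 28800,
                       "ike_dh_group": 14, "ipsec_cipher_suite": "AES 256 GCM",
                       "ipsec_pfs": "NONE"}
WEAK_TEMPLATE = {"ike_version": 1, "ike_rekey_interval": 28800,
                 "ike_dh_group": 2, "ipsec_cipher_suite": "Null SHA1",
                 "ipsec_pfs": "NONE"}

if __name__ == "__main__":
    for name, tmpl in (("documented", DOCUMENTED_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        for severity, msg in audit_tunnel_params(tmpl) or [("ok", "compliant")]:
            print(f"{name}: [{severity}] {msg}")
```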