Cisco
Login
Search
Software Secure Access
Activity Manage

Cisco Secure Access Help Network Tunnel Configuration Configure a Site-to-Site VPN tunnel with Microsoft Azure Configure S2S Tunnels with Static Routing Step 3: Create two local network gateways in Azure with S2S connections

Last updated: Aug 07, 2025

Step 3: Create two local network gateways in Azure with S2S connections

Create and configure two local network gateways in Azure, then connect them to Secure Access. The local network gateway acts as the remote site connected by tunnel to the Secure Access CNHE DC.

  1. In the Azure admin portal, navigate to Overview > Resource group (click the name of your resource group) > + Create.
  2. Search the marketplace for Local network gateway, then click Create.
  3. Configure the Basics tab of the first local network gateway.
    1. Select the Subscription and Resource group of your virtual network.
    2. Name: This example uses primary-dc.
    3. Endpoint: IP address
    4. IP address: For the first local network gateway, enter the Primary DC IP Address from Secure Access Step 4 - Data for Tunnel Setup.
    5. Address Space(s): Add one or more IP ranges for branch sites that will connect to the Secure Access network tunnel group. Address spaces should not overlap with other IP ranges in your network. This example uses 209.165.201.0/27.

    • Review the configuration, then click Create. Azure will deploy the local network gateway and update the dashboard with the local network gateway resource when deployment is complete.

  4. Repeat step 3 to create the secondary local network gateway with the Secondary DC IP Address from Secure Access.
  5. Create the S2S connection for the primary local network gateway.
    1. In the Azure admin portal, navigate to Overview > Resource group (click the name of your resource group) > Resources, then click the name of your virtual network gateway.
    2. Navigate to Connections, then click + Add.
    3. Configure the Basics tab of the connection.
      1. Select the Subscription and Resource group of your virtual network.
      2. Connection type: Site-to-site (IPsec).
    4. Configure the Settings tab of the connection.
      1. Select your virtual network gateway.
      2. Local network gateway: Select the primary gateway.
      3. Shared Key (PSK): Enter the passphrase configured for the Secure Access network tunnel group in step 2.
      4. IPsec / IKE policy: Custom.
      5. IKE Phase 1: The following configuration is recommended.
        1. Encryption: GCMAE256.
        2. Integrity/PRF: SHA256.
        3. DH Group: ECP384.
        4. For information about cipher parameters supported by Secure Access, see Supported IPsec Parameters. For information about cipher parameters supported by Azure, see Microsoft documentation on Default IPsec/IKE parameters.
      6. IPsec SA lifetime in seconds: 14400
      7. DPD timeout in seconds: 30

    • Review the configuration, then click Create. Azure will deploy the S2S connection and update the dashboard when deployment is complete.

  6. Repeat step 5 for the secondary local network gateway.
  7. Both S2S VPN tunnels are now established with static routing between your Azure virtual network gateway and the Secure Access cloud native head end (CNHE) service.
Previous topic Step 2: Create a network tunnel group in Secure Access Next topic Step 4: Create a static route table in Azure