
cedge-vpn-tracker does not exist

jjpark
Level 1

Hi guys.

I'm trying to connect Cisco Umbrella with cEdge.

While pushing it with a template, the error "cedge-vpn-tracker does not exist" keeps repeating.

How can I solve this problem?

cEdge Version : 17.3.5

I would appreciate it if you could help me.

Thanks!

22 Replies

There is no.

I configured a tracker under the SIG template and tried to push, but it still failed with the same error message.


jjpark
Level 1

Hi guys.

This is what I do.

1. I never configured a tracker. The reason I configured the SIG tracker was to solve this error.

Create Manual Tunnels Using Cisco SIG Feature Template

From Cisco IOS XE Release 17.4.1 and Cisco vManage Release 20.4.1, all SIG related workflows for automatic and manual tunnels have been consolidated into the Cisco SIG template. If you are using Cisco IOS XE Release 17.4.1 and Cisco vManage Release 20.4.1, or later, use the Cisco SIG template to configure GRE or IPSec tunnels to a third-party SIG, or GRE tunnels to a Zscaler SIG.

For a software release earlier than Cisco IOS XE Release 17.4.1, Cisco vManage Release 20.4.1, see Configuring a GRE Tunnel or IPsec Tunnel from Cisco vManage.

Layer 7 Health Check: The option to create trackers and monitor the health of manually created tunnels is available from Cisco IOS XE Release 17.8.1a, Cisco vManage Release 20.8.1. In earlier releases, the Layer 7 Health Check feature is only available if you use VPN Interface GRE/IPSEC templates, and not with Cisco SIG templates.

  1. From the Cisco vManage menu, choose Configuration > Templates.

  2. Click Feature Templates.

     

     

    Note: In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.


  3. Click Add Template.

  4. Choose the device for which you are creating the template.

  5. Under VPN, click Cisco Secure Internet Gateway (SIG).

  6. In the Template Name field, enter a name for the feature template.

    This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 to 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.

  7. In the Description field, enter a description for the feature template.

  8. (Optional) To create one or more trackers to monitor tunnel health, do the following in the Tracker section:

     

     

    Note: The option to create trackers and monitor tunnel health is available from Cisco IOS XE Release 17.8.1a, Cisco vManage Release 20.8.1.


    1. Source IP Address: Enter a source IP address for the probe packets.

    2. Click New Tracker.

    3. Configure the following:

       
      | Field | Description |
      |---|---|
      | Name | Enter a name for the tracker. The name can be up to 128 alphanumeric characters. |
      | Threshold | Enter the wait time for the probe to return a response before declaring that the configured endpoint is down. Range: 100 to 1000 milliseconds. Default: 300 milliseconds. |
      | Interval | Enter the time interval between probes to determine the status of the configured endpoint. Range: 20 to 600 seconds. Default: 60 seconds. |
      | Multiplier | Enter the number of times to resend probes before determining that a tunnel is down. Range: 1 to 10. Default: 3. |
      | API url of endpoint | Specify the API URL for the SIG endpoint of the tunnel. Note: Both HTTP and HTTPS API URLs are supported. |

    4. Click Add.

    5. To add more trackers, repeat sub-step 2 to sub-step 4.

  9. To create tunnels, do the following in the Configuration section:

    1. SIG Provider: Click Generic.

      Cisco vManage Release 20.4.x and earlier: Click Third Party.

    2. Click Add Tunnel.

    3. Under Basic Settings, configure the following:

       
      | Field | Description |
      |---|---|
      | Tunnel Type | Based on the type of tunnel you wish to create, click ipsec or gre. |
      | Interface Name (0..255) | Enter the interface name. Note: If you have attached the Cisco VPN Interface IPSec feature template or the Cisco VPN Interface GRE feature template to the same device, ensure that the interface number you enter is different from what you have entered in the IPSec or GRE templates. |
      | Description | (Optional) Enter a description for the interface. |
      | Source Type | Click INTERFACE. For Cisco IOS XE SD-WAN devices, INTERFACE is the only supported Source Type. |
      | Tracker | (Optional) Choose a tracker to monitor tunnel health. Note: From Cisco IOS XE Release 17.8.1a and Cisco vManage Release 20.8.1, you can create trackers to monitor tunnel health. |
      | Track this interface for SIG | Enable or disable tracker for the tunnel. By default, Cisco vManage enables a tracker for automatic tunnels. Default: On. |
      | Tunnel Source Interface | Enter the name of the source interface of the tunnel. This interface should be an egress interface and is typically the internet-facing interface. |
      | Tunnel Destination IP Address/FQDN | Enter the IP address of the SIG provider endpoint. |
      | Preshared Key | This field is displayed only if you choose ipsec as the Tunnel Type. Enter the password to use with the preshared key. |

    4. (Optional) Under Advanced Options, configure the following:

      Table 13. (Tunnel Type: gre) General

      | Field | Description |
      |---|---|
      | Shutdown | Click No to enable the interface; click Yes to disable. Default: No. |
      | IP MTU | Specify the maximum MTU size of packets on the interface. Range: 576 to 2000 bytes. Default: 1400 bytes. |
      | TCP MSS | Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 500 to 1460 bytes. Default: None. |

      Table 14. (Tunnel Type: ipsec) General

      | Field | Description |
      |---|---|
      | Shutdown | Click No to enable the interface; click Yes to disable. Default: No. |
      | IP MTU | Specify the maximum MTU size of packets on the interface. Range: 576 to 2000 bytes. Default: 1400 bytes. |
      | TCP MSS | Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 500 to 1460 bytes. Default: None. |
      | DPD Interval | Specify the interval for IKE to send Hello packets on the connection. Range: 0 to 65535 seconds. Default: 10. |
      | DPD Retries | Specify how many unacknowledged packets to send before declaring an IKE peer to be dead and then removing the tunnel to the peer. Range: 0 to 255. Default: 3. |

      Table 15. (Tunnel Type: ipsec) IKE

      | Field | Description |
      |---|---|
      | IKE Rekey Interval | Specify the interval for refreshing IKE keys. Range: 300 to 1209600 seconds (1 hour to 14 days). Default: 14400 seconds. |
      | IKE Cipher Suite | Specify the type of authentication and encryption to use during IKE key exchange. Choose one of the following: AES 256 CBC SHA1; AES 256 CBC SHA2; AES 128 CBC SHA1; AES 128 CBC SHA2. Default: AES 256 CBC SHA1. |
      | IKE Diffie-Hellman Group | Specify the Diffie-Hellman group to use in IKE key exchange, whether IKEv1 or IKEv2. Choose one of the following: 2 1024-bit modulus; 14 2048-bit modulus; 15 3072-bit modulus; 16 4096-bit modulus. Default: 16 4096-bit modulus. |
      | IKE ID for Local Endpoint | If the remote IKE peer requires a local end point identifier, specify the same. Range: 1 to 64 characters. Default: Tunnel's source IP address. |
      | IKE ID for Remote Endpoint | If the remote IKE peer requires a remote end point identifier, specify the same. Range: 1 to 64 characters. Default: Tunnel's destination IP address. |

      Table 16. (Tunnel Type: ipsec) IPSEC

      | Field | Description |
      |---|---|
      | IPsec Rekey Interval | Specify the interval for refreshing IPSec keys. Range: 300 to 1209600 seconds (1 hour to 14 days). Default: 3600 seconds. |
      | IPsec Replay Window | Specify the replay window size for the IPsec tunnel. Options: 64, 128, 256, 512, 1024, 2048, 4096. Default: 512. |
      | IPsec Cipher Suite | Specify the authentication and encryption to use on the IPsec tunnel. Choose one of the following: AES 256 CBC SHA1; AES 256 CBC SHA 384; AES 256 CBC SHA 256; AES 256 CBC SHA 512; AES 256 GCM; NULL SHA 384; NULL SHA 256; NULL SHA 512. Default: NULL SHA 512. |
      | Perfect Forward Secrecy | Specify the PFS settings to use on the IPsec tunnel. Choose one of the following Diffie-Hellman prime modulus groups: Group-2 1024-bit modulus; Group-14 2048-bit modulus; Group-15 3072-bit modulus; Group-16 4096-bit modulus; None: disable PFS. Default: Group-16 4096-bit modulus. |

    5. Click Add.

    6. To create more tunnels, repeat sub-step 2 to sub-step 5.

  10. To designate active and back-up tunnels and distribute traffic among tunnels, configure the following in the High Availability section:

    Table 17. High Availability

    | Field | Description |
    |---|---|
    | Active | Choose a tunnel that connects to the primary data center. |
    | Active Weight | Enter a weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow. For example, if you set up two active tunnels, where the first tunnel is configured with a weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio. |
    | Backup | To designate a back-up tunnel, choose a tunnel that connects to the secondary data center. To omit designating a back-up tunnel, choose None. |
    | Backup Weight | Enter a weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow. For example, if you set up two back-up tunnels, where the first tunnel is configured with a weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio. |

  11. Click Save.

Delete the SIG template (if it is attached to only this device).

Create a new one from scratch without a tracker (it is mandatory only to add the source IP; it is not mandatory to create a tracker), and let's see what happens (the tunnel will be without a tracker), as below:

[Screenshot: KananHuseynli_0-1688375662726.png]

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
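
An added example, not part of the original replies and not Cisco tooling: a pre-push check in Python that applies the release minimums and tracker ranges quoted in the documentation excerpt above. The dictionary keys, the `preflight` function and the sample tracker are hypothetical names, and release strings are compared numerically with any letter suffix ignored.

```python
import re
from urllib.parse import urlparse

# Minimum releases quoted in the documentation excerpt in this thread.
SIG_TEMPLATE_MIN = {"IOS XE": (17, 4, 1), "vManage": (20, 4, 1)}
SIG_TRACKER_MIN = {"IOS XE": (17, 8, 1), "vManage": (20, 8, 1)}  # 17.8.1a / 20.8.1
# Inclusive tracker ranges from the same excerpt; key names are hypothetical.
TRACKER_RANGES = {"threshold_ms": (100, 1000), "interval_s": (20, 600),
                  "multiplier": (1, 10)}
TRACKER_DEFAULTS = {"threshold_ms": 300, "interval_s": 60, "multiplier": 3}


def parse_release(text):
    """'17.8.1a' -> (17, 8, 1); '20.6' -> (20, 6, 0). A letter suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?[a-z]?", text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def below(have, minimum):
    """Names of the components whose release is older than the minimum."""
    return [name for name, floor in minimum.items() if have[name] < floor]


def preflight(iosxe, vmanage, trackers):
    """Return a list of findings; an empty list means nothing was flagged."""
    have = {"IOS XE": parse_release(iosxe), "vManage": parse_release(vmanage)}
    findings = []
    old = below(have, SIG_TEMPLATE_MIN)
    if old:
        findings.append(f"consolidated SIG template is documented from 17.4.1/20.4.1: {', '.join(old)} older")
    old = below(have, SIG_TRACKER_MIN)
    if trackers and old:
        findings.append(f"SIG template trackers need 17.8.1a/20.8.1: {', '.join(old)} older")
    for t in trackers:
        cfg = {**TRACKER_DEFAULTS, **t}
        if not 1 <= len(cfg.get("name", "")) <= 128:
            findings.append("tracker name must be 1 to 128 characters")
        for key, (lo, hi) in TRACKER_RANGES.items():
            if not lo <= cfg[key] <= hi:
                findings.append(f"{cfg.get('name')}: {key}={cfg[key]} outside {lo}..{hi}")
        if urlparse(cfg.get("endpoint_url", "")).scheme not in ("http", "https"):
            findings.append(f"{cfg.get('name')}: endpoint URL must be http or https")
    return findings


# Constructed sample: IOS XE 17.3.5 as in the question, vManage 20.6 as in a reply.
SAMPLE = [{"name": "sig-probe", "interval_s": 10, "endpoint_url": "http://probe.example/"}]
```

Calling `preflight("17.3.5", "20.6", SAMPLE)` returns three findings: the IOS XE release predates the consolidated SIG template, both releases predate SIG template trackers, and the sample interval is below the documented range.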

This is not helping; I am also facing the same issue. Mine is version 20.6.

Hi.

You seem to be talking about your vManage version.

We discussed the IOS-XE version.

Check whether the IOS-XE version you are running is the recommended version or not.

Thank you bro.

I started Cisco SD-WAN Engineering in Jun 2023.

I should have studied and looked for more information.

 

Thank you.