Kureli Sankar
Cisco Employee

Goal

The goal is to configure an IKEv2 IPsec tunnel to Umbrella SIG from a router running traditional (non-SD-WAN) IOS-XE.

Documentation

Umbrella Documentation: https://docs.umbrella.com/umbrella-user-guide/docs/add-a-tunnel-cisco-isr

Cisco IKEv2 Tunnel Configuration: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/www.cisco.com/content/en/us/td/docs/routers/connectedgrid/cgr1000/1_0/software/configuration/guide/security/security_Book/sec_ipsec_cgr1000.html.xml

Prerequisite

Umbrella SIG tunnel support was introduced in IOS-XE 17.2, so any router, physical or virtual, should be running IOS-XE 17.2 or later.

Image Download Links

Catalyst 8500L - https://software.cisco.com/download/home/286324574/type

Catalyst 8300 - https://software.cisco.com/download/home/286324476/type

Catalyst 8200 - https://software.cisco.com/download/home/286324472/type

Catalyst 8000V - https://software.cisco.com/download/home/286327102/type

ISR - https://software.cisco.com/download/home/284389362/type

CSR - https://software.cisco.com/download/home/284364978/type

ISRv - https://software.cisco.com/download/home/286308693/type

Supported Platforms

ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K, Catalyst 8500L, 8300, 8200 and 8000V.

Topology

[Figure: Umbrella SIG topology]

Step-by-step Configuration

Gather the following data

Log into the Umbrella portal, navigate to Deployments >> Network Tunnels, and click the "+" Add button to "Add A New Tunnel".

Fill in the Tunnel Name and Device Type, and choose the Site to associate the tunnel with.

[Figure: Network Tunnels]

Next, fill out the "Client Reachable Prefixes"; this is nothing but the LAN-facing subnets whose traffic you want to send to Umbrella SIG. In our topology we are only sending the Wired Employees subnet, 192.168.101.0/24, to Umbrella SIG over the IKEv2 IPsec tunnel. The Umbrella portal already pre-populates the RFC 1918 address space, so nothing needs to be added here.

[Figure: Client Reachable Prefixes]

Next, set the Tunnel ID and Passphrase.

[Figure: Tunnel ID and Passphrase]

Once this is done you will see the Tunnel ID and Passphrase in clear text on the portal. Copy them somewhere safe (a password manager rather than a plain notepad file): the passphrase is the IKEv2 pre-shared key, and anyone holding it together with your Tunnel ID can bring up a tunnel as your site. Both values are needed to configure the IKEv2 tunnel on the router.

Configure IKEv2 Proposal

The proposal you choose has to match what Umbrella supports. Please refer to this link and choose the encryption algorithm, integrity algorithm and Diffie-Hellman group from it: https://docs.umbrella.com/umbrella-user-guide/docs/supported-ipsec-parameters

crypto ikev2 proposal umbrella-proposal 
 encryption aes-cbc-256
 integrity sha256
 group 19 20

Configure IKEv2 Policy

The match address local line is only needed if you have multiple IKEv2 policies (for example, each referencing a different proposal for a different local address). With a single policy, the "match address local" command can be omitted.

crypto ikev2 policy umbrella-pol
 proposal umbrella-proposal
 match address local 192.168.128.5 ==> WAN facing interface address

Configure IKEv2 Keyring

The next step is to configure the keyring. For the address, choose the IP address of the Umbrella DC closest to you. Refer to this link:

https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers

crypto ikev2 keyring umbrella-kr
 peer umbrella
  address 146.112.67.8 ===> Closest Umbrella DC
  pre-shared-key XXXXXXXXXX ===> Fill in the pre-shared key from the Umbrella Portal

Configure IKEv2 Profile

This step also uses the data gathered from the Umbrella portal: the Tunnel ID is configured as the local identity (email form, exactly as shown on the portal), and the remote peer is matched on the Umbrella DC address.

crypto ikev2 profile umbrella-ikev2-profile
 match identity remote address 146.112.67.8 255.255.255.255
 identity local email ISR1121X@2249825-YYYYYY-umbrella.com  
 authentication remote pre-share
 authentication local pre-share
 keyring local umbrella-kr
 dpd 10 2 periodic

Configure IPsec Transform Set

What we configure here on the router must match what the Umbrella end supports. Please refer to this link https://docs.umbrella.com/umbrella-user-guide/docs/supported-ipsec-parameters and choose only what Umbrella supports.

crypto ipsec transform-set umbrella-tset esp-aes 256 esp-sha256-hmac
 mode tunnel

Configure IPsec Profile

crypto ipsec profile umbrella-ipsec-profile
 set transform-set umbrella-tset
 set ikev2-profile umbrella-ikev2-profile

Configure the Tunnel Interface

The tunnel destination is the IP address of the closest Umbrella DC, the same one you configured in the keyring step above.

interface Tunnel1
 ip unnumbered GigabitEthernet0/0/0 ==> WAN Interface
 tunnel source GigabitEthernet0/0/0 ==> WAN Interface
 tunnel mode ipsec ipv4
 tunnel destination 146.112.67.8 ===> Closest Umbrella DC
 tunnel protection ipsec profile umbrella-ipsec-profile

Send traffic to the tunnel

You could add a default route on the router with the next hop set to the Tunnel1 interface, or do what we did in this setup. Here we chose to send guest user traffic (VLAN 102) directly to the internet in the clear, applying only DNS-layer security for the wireless users, while all employee traffic (VLAN 101) is sent through the IPsec tunnel to Umbrella SIG.

To accomplish that we configured an ACL and a route-map that sets the next hop to the Tunnel1 interface, applied as policy routing on the VLAN 101 interface. We also made sure that Tunnel1 has no NAT or firewall inspection configured: Umbrella performs the NAT, and there is no reason to inspect packets that ride over the tunnel. Two caveats: the "permit ip 192.168.101.0 0.0.0.255 any" entry also matches traffic from VLAN 101 to other local subnets, so if VLAN 101 must reach VLAN 102 or other internal networks directly, put deny entries for those destinations ahead of it. And if the tunnel goes down, policy routing with a single "set interface Tunnel1" falls through to the normal routing table, which sends the employee traffic to the internet in the clear (fail open); if that is not acceptable, list Null0 after Tunnel1 in the set interface line so the traffic is dropped instead.

ip access-list extended To_Umbrella
 permit ip 192.168.101.0 0.0.0.255 any

route-map umbrella-routemap permit 10
 match ip address To_Umbrella
 set interface Tunnel1

interface Vlan101
 ip policy route-map umbrella-routemap

This completes the router configuration. Once this is done the tunnel should come up on its own: a VTI with tunnel protection initiates the IKEv2 exchange as soon as the tunnel interface is up, without waiting for interesting traffic.
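The whole procedure above, from the values gathered on the portal to the policy route, as one added Python example (not code from the original article, nor a Cisco or Umbrella tool): it renders the same IOS-XE configuration from the Tunnel ID, passphrase, DC address, interfaces and LAN prefix, and refuses weak Diffie-Hellman groups, an obviously short passphrase, or a Tunnel ID that is not in the email form before anything is pasted into a router. The names TunnelParams, validate and render_umbrella_config, the keep_local option that adds deny entries for local subnets ahead of the permit, and the 16-character passphrase floor are this example's own assumptions; the algorithm maps cover only AES-CBC and SHA-2 choices like the article's and are not Umbrella's authoritative list.

```python
"""Render the IOS-XE configuration from the steps above using the values gathered
from the Umbrella portal, refusing weak or mismatched crypto before anything is
pasted into a router. Added example, not code from the article, Cisco or Umbrella:
TunnelParams, validate() and render_umbrella_config() are this example's names, and
the algorithm maps cover only AES-CBC/SHA-2 choices, not Umbrella's official list."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
import re

IKEV2_TO_ESP_ENC = {"aes-cbc-128": "esp-aes 128", "aes-cbc-192": "esp-aes 192",
                    "aes-cbc-256": "esp-aes 256"}
IKEV2_TO_ESP_INT = {"sha256": "esp-sha256-hmac", "sha384": "esp-sha384-hmac",
                    "sha512": "esp-sha512-hmac"}
WEAK_DH_GROUPS = {1, 2, 5}      # MODP-768/1024/1536: never offer these
MIN_PSK_LEN = 16                # this example's own floor, not an Umbrella rule


@dataclass
class TunnelParams:
    tunnel_id: str              # Tunnel ID from the portal (email form)
    psk: str                    # passphrase from the portal
    umbrella_dc: str            # closest Umbrella DC
    wan_interface: str
    wan_address: str
    lan_interface: str
    lan_prefix: str             # subnet whose traffic goes through the tunnel
    keep_local: list = field(default_factory=list)  # destinations kept out of the tunnel
    encryption: str = "aes-cbc-256"
    integrity: str = "sha256"
    dh_groups: tuple = (19, 20)

    def __post_init__(self):    # accept plain strings, validate them as addresses
        self.umbrella_dc = IPv4Address(self.umbrella_dc)
        self.wan_address = IPv4Address(self.wan_address)
        self.lan_prefix = IPv4Network(self.lan_prefix)
        self.keep_local = [IPv4Network(n) for n in self.keep_local]


def validate(p):
    """Return the problems found; an empty list means the parameters pass."""
    problems = []
    if p.encryption not in IKEV2_TO_ESP_ENC:
        problems.append(f"encryption {p.encryption!r} is not AES-CBC (or not handled here)")
    if p.integrity not in IKEV2_TO_ESP_INT:
        problems.append(f"integrity {p.integrity!r} is not SHA-2 (or not handled here)")
    if set(p.dh_groups) & WEAK_DH_GROUPS:
        problems.append(f"DH group(s) {sorted(set(p.dh_groups) & WEAK_DH_GROUPS)} are too weak")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", p.tunnel_id):
        problems.append("tunnel_id must be the user@domain form shown in the portal")
    if len(p.psk) < MIN_PSK_LEN or " " in p.psk or not p.psk.isprintable():
        problems.append(f"psk must be >= {MIN_PSK_LEN} printable characters with no spaces")
    return problems


def wildcard(net):              # IOS ACL form: network followed by wildcard mask
    return f"{net.network_address} {net.hostmask}"


def render_umbrella_config(p):
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    # deny local destinations first, otherwise 'permit ... any' sends inter-VLAN traffic to Umbrella
    acl = "".join(f" deny ip {wildcard(p.lan_prefix)} {wildcard(n)}\n" for n in p.keep_local)
    return f"""\
crypto ikev2 proposal umbrella-proposal
 encryption {p.encryption}
 integrity {p.integrity}
 group {" ".join(str(g) for g in p.dh_groups)}
crypto ikev2 policy umbrella-pol
 proposal umbrella-proposal
 match address local {p.wan_address}
crypto ikev2 keyring umbrella-kr
 peer umbrella
  address {p.umbrella_dc}
  pre-shared-key {p.psk}
crypto ikev2 profile umbrella-ikev2-profile
 match identity remote address {p.umbrella_dc} 255.255.255.255
 identity local email {p.tunnel_id}
 authentication remote pre-share
 authentication local pre-share
 keyring local umbrella-kr
 dpd 10 2 periodic
crypto ipsec transform-set umbrella-tset {IKEV2_TO_ESP_ENC[p.encryption]} {IKEV2_TO_ESP_INT[p.integrity]}
 mode tunnel
crypto ipsec profile umbrella-ipsec-profile
 set transform-set umbrella-tset
 set ikev2-profile umbrella-ikev2-profile
interface Tunnel1
 ip unnumbered {p.wan_interface}
 tunnel source {p.wan_interface}
 tunnel mode ipsec ipv4
 tunnel destination {p.umbrella_dc}
 tunnel protection ipsec profile umbrella-ipsec-profile
ip access-list extended To_Umbrella
{acl} permit ip {wildcard(p.lan_prefix)} any
route-map umbrella-routemap permit 10
 match ip address To_Umbrella
 set interface Tunnel1
interface {p.lan_interface}
 ip policy route-map umbrella-routemap
"""
```

Run validate() on the parameters first; render_umbrella_config() raises ValueError listing every problem found rather than emitting a configuration that offers weak groups or that the Umbrella side would reject. The placeholders in the article (the YYYYYY part of the Tunnel ID and the XXXXXXXXXX pre-shared key) must be replaced with the real portal values before the output is pasted into the router.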

Verification

Show IKEv2 session

kusankar-1121X#show crypto ikev2 session 
 IPv4 Crypto IKEv2 Session 

Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.168.128.5/4500    146.112.67.8/4500     none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/8084 sec
      CE id: 0, Session-id: 43
      Local spi: 2DB9D463EBD77607       Remote spi: 898DC0640ACA0422
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x3CB167C1/0xC4FF1DDA  

 IPv6 Crypto IKEv2 Session 

Show IPsec sa

kusankar-1121X#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.128.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 146.112.67.8 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37243, #pkts encrypt: 37243, #pkts digest: 37243
    #pkts decaps: 44758, #pkts decrypt: 44758, #pkts verify: 44758
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.128.5, remote crypto endpt.: 146.112.67.8
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0xC4FF1DDA(3305053658)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3CB167C1(1018259393)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2067, flow_id: ESG:67, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (4603810/1422)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
          
     inbound pcp sas:

     outbound esp sas:
      spi: 0xC4FF1DDA(3305053658)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2068, flow_id: ESG:68, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (4606818/1422)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Encaps and decaps are increasing, meaning traffic is being sent as well as received. Note that the IPsec SA shows "PFS (Y/N): N" because the IPsec profile has no set pfs command, so child SA rekeys do not run a fresh Diffie-Hellman exchange. Now the final thing is to configure some rules to block certain categories and test the traffic from a host behind VLAN 101.
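A check over the two show commands above, as an added Python example that is not part of the original article or of any Cisco tool: it parses the session and SA output, confirms the peer is the Umbrella DC you configured, that the negotiated cipher, DH group and PSK authentication are what the proposal asked for, and that the encaps/decaps counters actually moved between two polls (the same thing the article does by eye). The function names are this example's own; the embedded sample is the output shown above, trimmed to the lines used, and bump_counters() fabricates the second poll.

```python
"""Check the Umbrella tunnel from 'show crypto ikev2 session' and 'show crypto ipsec sa'
output the way a post-change check or monitoring job would: state, peer, negotiated
algorithms, and whether packets are actually moving between two polls. Added example,
not from the article or Cisco; function names are this example's own. The sample text
is the output shown above, trimmed, and bump_counters() fakes the second poll."""
import re

SESSION_OUTPUT = """\
Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.128.5/4500    146.112.67.8/4500     none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
"""

IPSEC_SA_OUTPUT = """\
interface: Tunnel1
   current_peer 146.112.67.8 port 4500
    #pkts encaps: 37243, #pkts encrypt: 37243, #pkts digest: 37243
    #pkts decaps: 44758, #pkts decrypt: 44758, #pkts verify: 44758
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
        transform: esp-256-aes esp-sha256-hmac ,
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""


def parse_ikev2_session(text):
    """Status, peer and negotiated algorithms from 'show crypto ikev2 session'; None if no session."""
    status = re.search(r"Status:(\S+?),", text)
    row = re.search(r"^\d+\s+([\d.]+)/\d+\s+([\d.]+)/\d+\s+\S+\s+(\S+)", text, re.M)
    algs = re.search(r"Encr: (\S+), keysize: (\d+), PRF: (\S+), Hash: (\S+), DH Grp:(\d+), "
                     r"Auth sign: (\S+), Auth verify: (\S+)", text)
    if not (status and row and algs):
        return None
    return {"status": status.group(1), "local": row.group(1), "remote": row.group(2),
            "tunnel_status": row.group(3), "encr": algs.group(1), "keysize": int(algs.group(2)),
            "prf": algs.group(3), "hash": algs.group(4), "dh_group": int(algs.group(5)),
            "auth_sign": algs.group(6), "auth_verify": algs.group(7)}


def parse_ipsec_sa(text):
    """Peer, counters and SA properties from 'show crypto ipsec sa' (first SA only)."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None
    return {"peer": grab(r"current_peer ([\d.]+)"),
            "encaps": grab(r"#pkts encaps: (\d+)", int), "decaps": grab(r"#pkts decaps: (\d+)", int),
            "send_errors": grab(r"#send errors (\d+)", int), "recv_errors": grab(r"#recv errors (\d+)", int),
            "pfs": grab(r"PFS \(Y/N\): (\w)"), "transform": grab(r"transform: (.+?) ,"),
            "replay": grab(r"replay detection support: (\w)")}


def bump_counters(text, delta):
    """Constructed data: add delta to the packet counters to simulate a later poll."""
    return re.sub(r"(#pkts \w+: )(\d+)", lambda m: f"{m.group(1)}{int(m.group(2)) + delta}", text)


def check_tunnel(session, before, after, expected_peer, allowed_dh=(19, 20), min_keysize=256):
    """Return findings; ERROR lines mean the tunnel is down, misconfigured, or idle."""
    f = []
    if session is None:
        return ["ERROR: no IKEv2 session present"]
    if session["status"] != "UP-ACTIVE" or session["tunnel_status"] != "READY":
        f.append(f"ERROR: IKEv2 session is {session['status']}/{session['tunnel_status']}")
    if session["remote"] != expected_peer or after["peer"] != expected_peer:
        f.append(f"ERROR: peer is not the expected Umbrella DC {expected_peer}")
    if not session["encr"].startswith("AES") or session["keysize"] < min_keysize:
        f.append(f"ERROR: unexpected cipher {session['encr']}-{session['keysize']}")
    if session["dh_group"] not in allowed_dh:
        f.append(f"ERROR: DH group {session['dh_group']} not in {allowed_dh}")
    if (session["auth_sign"], session["auth_verify"]) != ("PSK", "PSK"):
        f.append("ERROR: authentication is not PSK in both directions")
    if after["encaps"] <= before["encaps"]:
        f.append("ERROR: nothing encapsulated since last poll (PBR/ACL not matching?)")
    if after["decaps"] <= before["decaps"]:
        f.append("ERROR: nothing decapsulated since last poll (no return traffic)")
    for k in ("send_errors", "recv_errors"):
        if after[k] > before[k]:
            f.append(f"ERROR: {k} grew by {after[k] - before[k]}")
    if after["replay"] != "Y":
        f.append("ERROR: anti-replay is off")
    if after["pfs"] != "Y":
        f.append("INFO: PFS is off (no 'set pfs' in the IPsec profile), so child SA rekeys skip a fresh DH exchange")
    return f


if __name__ == "__main__":
    s, t0 = parse_ikev2_session(SESSION_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)
    t1 = parse_ipsec_sa(bump_counters(IPSEC_SA_OUTPUT, 120))
    print("\n".join(check_tunnel(s, t0, t1, "146.112.67.8")) or "OK")
```

On a live router you would collect the two show outputs (for example over SSH) a minute or so apart and feed them to the same functions; the only ERROR worth ignoring is a stalled decaps counter during a period with genuinely no user traffic.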

Create Web Policy on Umbrella Portal

Log into the Umbrella Portal and navigate to Policies >> Web Policy

At the top right, click the "+" to add a new web policy and create Rule 1. In our case Rule 1 blocks four categories (Games, Gambling, Auctions, and Computers and Internet) and is applied to our tunnel, as shown in the image below.

[Figure: SIG rule set]

Now test from a host behind Vlan 101

Browse to 888.com, ebay.com, or other websites that belong to the four categories we blocked. You will see a block page like the one below. You can also use cs.co/checkumbrella on the host to see which OrgID you belong to, among other details.