Versa Networks

Versa Secure SD-WAN Integration with Netskope Security Cloud

For supported software information, click here.

This article describes how to integrate Versa Secure SD-WAN with Netskope Security Cloud Platform and deploy Versa Secure SD-WAN and Netskope solutions.

Versa Operating System™ (VOS™) devices integrate with Netskope using a site-to-site IPsec VPN tunnel from the Versa SD-WAN edge device (CPE) to a Netskope secure web gateway (SWG). Versa Director provides workflow-based automation to configure IPsec tunnels from Versa SD-WAN CPEs to Netskope using the Netskope API, and Netskope provides the parameters.

Versa Director supports IPsec tunneling between the CPE and Netskope servers. For multiple LAN VRs configured on the CPE, you can choose one or more VRs from which traffic is forwarded to Netskope servers. For each internet link, a primary tunnel is created to the primary Netskope server and a backup tunnel is created to the secondary Netskope server.

Deploy a VOS Branch in Netskope Using a CMS Connector in Versa Director

This section describes how to create a CMS connector on a Director node to automate bringing up a VOS branch in Netskope, how to configure an IPsec tunnel in a Workflows template, and how to associate the template with a VOS device using the device workflows.

  1. Create a CMS Cloud Connector in Versa Director
  2. Configure a Site-to-Site Tunnel in a Workflow Template for Netskope
  3. Configure a Site-to-Site Tunnel in a Device Workflow for Netskope
  4. Verify IPsec Tunnel Services

Before You Begin 

Before you begin, you must do the following:

  • Create an organization using Workflows in Versa Director.
  • Get an access token from Netskope. To request an access token for a tenant, send an email to Netskope that includes the tenant name. You enter the token ID when you configure the CMS cloud connector in Versa Director.

Create a CMS Cloud Connector in Versa Director 

To establish a connection between a VOS device and Netskope, and manage that connection through Versa Director, you must first configure a CMS connector on Versa Director. Note that you can create only one CMS connector per tenant for Netskope integration.

To create a CMS cloud connector in Versa Director:

  1. Log in to Versa Director.
  2. In Director view, select the Administration tab in the top menu bar.
  3. Select Connectors > CMS in the left menu bar. The CMS connectors table displays.

  4. Click the + Add icon. In the Add CMS Connector window, enter information for the following fields.

    | Field | Description |
    |-------|-------------|
    | CMS Name | (Required) Enter the name of the CMS connector. The name is a text string. |
    | Organization | (Required) Select "alliances" as the organization for the CMS connector. |
    | CMS Flavor | Select Netskope for the type of cloud device. |
    | Netskope API Token | Enter the API token ID received from Netskope to access the Netskope server. |
  5. Click OK.

Verify the CMS Connector 

To verify that a CMS connector is working:

  1. In Director view, select the Administration tab in the top menu bar.
  2. Select Connectors > CMS in the left menu bar. The main pane displays the configured CMS connectors.
  3. Select the CMS connector to verify, and then click Validate Connector in the horizontal menu bar. This command triggers an API call to the CMS connector to verify its Netskope Cloud Platform user rights. If the validation is successful, the message "Valid credentials" displays.


Configure a Site-to-Site Tunnel in a Workflow Template for Netskope 

  1. In Director view, select the Workflows tab in the top menu bar.
  2. Select Template > Templates in the horizontal menu bar.
  3. Select an SD-WAN post-staging template in the main pane. To create a new workflow template, see Create and Manage Staging and Post-Staging Templates.

  4. Click Step 3, Tunnels. In the Partner Site-to-Site Tunnels section, click the + Add icon.

  5. In the Partner Site-to-Site Tunnels window, enter information for the following fields.

    | Field | Description |
    |-------|-------------|
    | Name | (Required) Enter a name for the site-to-site tunnel. |
    | Peer Type | Select the Netskope peer type. |
    | Tunnel Protocol | Select the IPsec tunnel protocol to use to reach the peer. |
    | WAN Network | Select one or more WAN networks to use. This network is the originating endpoint of the tunnel. The highest priority is 1. |
    | Organization | Select the organization for which the site-to-site tunnel is created. |
    | LAN VRF | Select one or more virtual routing instances to use to reach the LAN. |
  6. Click OK, and then click Save.
  7. If modifying an existing device:
    1. Click Step 7, Review, and then click Re-Deploy.
    2. Commit the template.

Configure a Site-to-Site Tunnel in a Device Workflow for Netskope

To configure a Versa Director–Netskope IPsec site-to-site tunnel for a device:

  1. In Director view, select the Workflows tab in the top menu bar.
  2. Select Devices > Devices in the left menu bar.
  3. Select a device in the main pane.

  4. Click Step 3, Tunnel Information. Select a tunnel name, and then click the Add icon. The tunnel displays in the Netskope tunnels list. Note that you cannot configure a public IP address for tunnels created using an IPsec tunnel protocol. To create a new device workflow, see Configure Basic Features.

  5. In the Configure Site-to-Site Tunnel screen, enter information for the following fields, and then click OK.

    | Field | Description |
    |-------|-------------|
    | Public IP | (Required) Enter a unique IP address. |
    | Primary POPS | (Required) Select the geographically closest primary Netskope point of presence (POP) in your country. |
    | Secondary POPS | (Required) Select the geographically closest secondary Netskope point of presence (POP) in your country. |
    | Bandwidth | (Required) Enter the maximum bandwidth for the IPsec tunnel. |
  6. Click Step 5, Bind Data. Select the User Input tab, and then select the Post Staging Template.
  7. Select Static Routes and enter the static route information.

  8. Click Save.
  9. If modifying an existing device:
    1. Click Step 7, Review, and then click Re-Deploy.
    2. Commit the template.

Verify IPsec Tunnel Services

To verify IPsec tunnel services for a site-to-site tunnel:

  1. In Director view:
    1. Select the Monitor tab in the top menu bar.
    2. Select Devices in the horizontal menu bar.
    3. Select a device in the main pane. The view changes to Appliance view.
  2. Select Tools in the horizontal device menu bar, and then click an interface to view the details.

  3. Select Services > IPsec in the horizontal device menu bar.
  4. On the IPsec tab, select IKE History, and then select an IPsec tunnel. Click an entity to view the IKE history.

  5. Select IKE Security Association, and then select an IPsec tunnel. Click an entity to view the IKE security details.

  6. Select IPsec History, and then select an IPsec tunnel. Click an entity to view the IPsec history.

  7. Select IPsec Security Association, and then select an IPsec tunnel. Click an entity to view the IPsec security details.
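
The tunnel model described in the overview (for each internet link, a primary tunnel to the primary Netskope server and a backup tunnel to the secondary one) can be checked against the IKE and IPsec security association state viewed in these steps. The following Python is an added example, not Versa or Netskope code; the link names, POP names, and the SA record layout are constructed assumptions, not VOS output.

```python
# Added example. Link names, POP names and the SA record layout are
# assumptions (constructed), not VOS or Netskope output.

def expected_tunnels(wan_links, primary_pop, secondary_pop):
    """Per internet link: a primary tunnel to the primary POP and a backup
    tunnel to the secondary POP. Returns {(wan, peer): role}."""
    plan = {}
    for wan in wan_links:
        plan[(wan, primary_pop)] = "primary"
        plan[(wan, secondary_pop)] = "backup"
    return plan

def audit(plan, sas):
    """Return (status per WAN link, SAs that match no planned tunnel)."""
    up_roles = {}      # wan -> roles whose IKE and IPsec SAs are both up
    unexpected = []    # SAs to a peer that is not part of the plan
    for sa in sas:
        key = (sa["wan"], sa["peer"])
        if key not in plan:
            unexpected.append(key)
        elif sa["ike"] == "up" and sa["ipsec"] == "up":
            up_roles.setdefault(sa["wan"], set()).add(plan[key])
    labels = {
        frozenset({"primary", "backup"}): "ok",
        frozenset({"primary"}): "no-backup",   # no redundancy left on this link
        frozenset({"backup"}): "on-backup",    # primary tunnel is down
        frozenset(): "no-tunnel",              # link has no tunnel to Netskope
    }
    status = {wan: labels[frozenset(up_roles.get(wan, set()))]
              for wan in sorted({w for w, _ in plan})}
    return status, unexpected

# Constructed sample: two internet links, placeholder POP names.
PLAN = expected_tunnels(["WAN1", "WAN2"],
                        "pop-primary.example", "pop-secondary.example")
SAMPLE_SAS = [
    {"wan": "WAN1", "peer": "pop-primary.example",   "ike": "up", "ipsec": "up"},
    {"wan": "WAN1", "peer": "pop-secondary.example", "ike": "up", "ipsec": "up"},
    {"wan": "WAN2", "peer": "pop-primary.example",   "ike": "up", "ipsec": "down"},
    {"wan": "WAN2", "peer": "pop-secondary.example", "ike": "up", "ipsec": "up"},
    {"wan": "WAN2", "peer": "other-peer.example",    "ike": "up", "ipsec": "up"},
]

if __name__ == "__main__":
    status, unexpected = audit(PLAN, SAMPLE_SAS)
    print(status)
    print(unexpected)
```

A link reported as "no-tunnel" or "on-backup" is the one to examine in IKE History and IPsec History, and an entry in the unexpected list is an SA to a peer that the workflow did not configure.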


Supported Software Information 

Releases 23.1.1 and later support all content described in this article.
