
Tutorial: Connect Your Cisco Router to CloudConnexa with IPsec

Abstract

Configure an IPsec tunnel between a Cisco router and CloudConnexa, including network setup, authentication, advanced settings, and connectivity verification.

This tutorial walks you through setting up an IPsec tunnel between your Cisco router and CloudConnexa.

To complete this setup, you'll configure components on both the CloudConnexa side and your Cisco router, including:

  • A Network in CloudConnexa to represent your private network.

  • A Network Connector configured for IPsec.

  • Tunnel parameters such as authentication, encryption, and routing.

  • Your Cisco router using the provided configuration details.

Once configured, users and networks connected to CloudConnexa can securely access resources in your private network.

Before you begin

  • Ensure you have a CloudConnexa account and Cloud ID.

  • Ensure your Cisco router supports IPsec.

  • Ensure you have access to your router configuration instance.

Step 1: Create a Network in CloudConnexa

  1. Navigate to Networks → Networks.

  2. Click Add Network.

  3. Select at least one Network Scenario. Refer to these tutorials for details:

  4. Click Continue.

  5. For the Network Configuration, enter a name and description (optional).

  6. Select IPsec as the Connector Tunneling Protocol.

  7. For the Connector, enter a name and description (optional).

  8. Click Next.

Step 2: Configure the Network Connector

In the Configure Network Connector step, configure the IPsec Network Connector:

  1. Configure the platform: In Platform to Connect, select Cisco.

  2. Enter connection details: In Remote Site Public IPv4 Address, enter the public IP address of your router or VPN gateway.

  3. Configure authentication:

    • Option 1: Shared Secret — Enter the pre-shared key (PSK), hostname, and domain for the IPsec Network Connector.

      Tip

      CloudConnexa doesn't generate a PSK. You need to create and configure the same key on both CloudConnexa and your network device. Use only alphanumeric characters, as some characters aren't supported.

      Example (Linux/macOS):

      openssl rand -hex 32

    • Option 2: Certificate-based — Upload the required files and provide a passphrase.

      Tip

      Ensure the certificates and private key:

      • Match each other (the private key corresponds to the uploaded certificate).

      • Are trusted by both peers (the correct CA certificate is provided).

  4. (Optional) Configure advanced settings: Expand Advanced Configuration to customize IPsec parameters:

    • IKE Version: Select the version: IKEv1 or IKEv2.

      Tip

      If using IKEv2 and only GCM encryption algorithms (AES-128-GCM-16 and/or AES-256-GCM-16), the integrity algorithm and a DH group are optional in phase 2.

      For non-GCM encryption algorithms, an integrity algorithm and a DH group are required. The default values are applied automatically.

    • Phase 1 settings:

      | Setting | Description |
      |---|---|
      | Encryption Algorithm | Select one or more supported encryption algorithms. |
      | Integrity Algorithm | Select a supported integrity algorithm. |
      | Diffie-Hellman Group | Select a DH group supported by your device. |
      | Lifetime (sec) | Enter a value between 901 and 86400. |

    • Phase 2 settings:

      | Setting | Description |
      |---|---|
      | Encryption Algorithm | Select one or more supported encryption algorithms. |
      | Integrity Algorithm | Select a supported integrity algorithm. |
      | Diffie-Hellman Group | Select a DH group supported by your device. |
      | Lifetime (sec) | Enter a value between 900 and 28800. |

    • IKE rekey settings:

      | Setting | Description |
      |---|---|
      | Rekey Margin Time (sec) | Value between 60 and half of Phase 2 lifetime. |
      | Rekey Fuzz (%) | Value between 0 and 100. |
      | Replay Window Size (packets) | Value between 64 and 2048. |

    • Connection behavior:

      | Setting | Description |
      |---|---|
      | Startup Action | Defines how the tunnel is initiated. |
      | CloudConnexa Connection Restoration | Controls whether the tunnel automatically reconnects if interrupted. Defaults to Yes when Startup Action = Start. Automatically set to No when Startup Action = Attach and can't be changed. |
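The limits from the PSK tip and the Advanced Configuration settings above can be checked before you enter values on either side. This is an added example, not CloudConnexa or Cisco code; the dictionary field names, the `AES-256-CBC` entry, and the sample values are assumptions made for illustration.

```python
# Added example. Field names are hypothetical; limits are those stated in this tutorial.
GCM = {"AES-128-GCM-16", "AES-256-GCM-16"}

def _check_range(errors, name, value, low, high):
    if not (isinstance(value, int) and low <= value <= high):
        errors.append(f"{name}: {value!r} is outside {low}-{high}")

def validate_tunnel(cfg):
    """Return a list of problems; an empty list means every documented limit is met."""
    errors = []
    psk = cfg.get("psk")  # None when certificate-based authentication is used
    if psk is not None and not (psk.isascii() and psk.isalnum()):
        errors.append("psk: use only alphanumeric characters")
    p1, p2 = cfg["phase1"], cfg["phase2"]
    _check_range(errors, "phase1.lifetime", p1["lifetime"], 901, 86400)
    _check_range(errors, "phase2.lifetime", p2["lifetime"], 900, 28800)
    # Rekey margin may be at most half of the Phase 2 lifetime.
    _check_range(errors, "rekey_margin", cfg["rekey_margin"], 60, p2["lifetime"] // 2)
    _check_range(errors, "rekey_fuzz", cfg["rekey_fuzz"], 0, 100)
    _check_range(errors, "replay_window", cfg["replay_window"], 64, 2048)
    enc = set(p2["encryption"])
    if not enc:
        errors.append("phase2.encryption: select at least one algorithm")
    # Integrity and DH group are optional in Phase 2 only for IKEv2 with GCM-only
    # encryption; every other combination is treated here as requiring both.
    gcm_only = cfg["ike_version"] == "IKEv2" and bool(enc) and enc <= GCM
    if not gcm_only:
        for field in ("integrity", "dh_group"):
            if not p2.get(field):
                errors.append(f"phase2.{field}: required unless IKEv2 with GCM-only encryption")
    return errors

# Constructed sample inputs (not values issued by CloudConnexa).
SAMPLE_OK = {
    "ike_version": "IKEv2", "psk": "4f9c2a7d" * 8,
    "phase1": {"lifetime": 28800},
    "phase2": {"lifetime": 3600, "encryption": ["AES-256-GCM-16"]},
    "rekey_margin": 540, "rekey_fuzz": 100, "replay_window": 128,
}
SAMPLE_BAD = {
    "ike_version": "IKEv2", "psk": "p@ss-phrase!",
    "phase1": {"lifetime": 900},
    "phase2": {"lifetime": 3600, "encryption": ["AES-256-GCM-16", "AES-256-CBC"]},
    "rekey_margin": 2400, "rekey_fuzz": 100, "replay_window": 32,
}

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate_tunnel(cfg) or "no problems")
```

Run the same check against the values you plan to enter on the router, since a mismatch in lifetimes or algorithms between the two peers is one of the causes of an Offline status listed in Step 5.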

Step 3: Review remote tunnel configuration

CloudConnexa provides configuration details required for your network router.

  1. Locate the Remote Tunnel Configuration section.

  2. Note the values provided for:

    • Firewall configuration.

    • IPsec tunnel parameters.

    • Connection initiation and restoration parameters.

    • Static routes.

    • DNS settings.

  3. Keep this information available for configuring your router.

Step 4: Configure your network router

  • Use the values from the Remote Tunnel Configuration section to configure your IPsec device.

Step 5: Verify connectivity

After configuring both sides of the tunnel, verify that the connection is established.

  1. In the Verify Connectivity section, click Test Connection.

    CloudConnexa attempts to establish a connection to your remote network.

  2. Check the connection status:

    • Connected — The tunnel is successfully established.

    • Offline — The connection failed or hasn't been established yet.

      Tip

      If the connection status is Offline:

      • Click View Logs to review connection details.

      • Verify the following:

        • PSK or certificates match on both sides.

        • IPsec parameters (encryption, DH group, lifetimes) are aligned.

        • Firewall rules allow IPsec traffic.

        • The correct public IP address is configured.

Step 6: Complete the setup

  1. Click Finish to complete the Network configuration.

  2. Confirm that:

    • The Network is created.

    • The Connector shows a Connected status.