Adding Cloud Breakout Settings

You use the Add Cloud Breakout Settings page to add cloud breakout settings that you can then apply to sites.

To add cloud breakout settings:

  1. Select Configuration > SD-WAN > Breakout Profiles.

    The Breakout Profiles page appears.

  2. On the Cloud Breakout Settings tab, click the add icon (+).

    The Add Cloud Breakout Settings page appears.

  3. Complete the configuration according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.
    Note:

    If the gateway is unreachable, an error message Gateway is unreachable. Do you want to proceed with profile creation? is displayed. If you want to continue with the cloud breakout profile creation, click Yes, else click Cancel.

    You are returned to the Breakout Profiles page (Cloud Breakout Settings tab) and a confirmation message indicating that the breakout settings are added is displayed.

    After you add cloud breakout settings, you can assign the settings to one or more sites. Assigning cloud breakout settings to sites provisions the cloud breakout node (Zscaler) overlay. For traffic to flow, you must reference the cloud breakout profile in an SD-WAN policy intent.

Note:

Sites with SD-WAN Essentials service do not support cloud breakout profiles.

Table 1: Fields on the Add Cloud Breakout Settings Page

Field

Description

Name

Enter a unique name for the cloud breakout settings. You can use alphanumeric characters and hyphens (-); the maximum length is 15 characters.

Tunnel Type

Select the type of overlay tunnel (IPSEC or GRE) used to break out the traffic to the cloud breakout node. A GRE tunnel carries the traffic without encryption or authentication; select IPSEC when the breakout traffic must be protected in transit. The IPsec configuration parameters below apply to IPSEC tunnels.

IPsec Configuration Parameters

Domain Name

Displays the domain name that is used to generate the fully qualified domain name (FQDN) for SD-WAN policies. The FQDN is used by the cloud security providers to identify the IPsec tunnels. The domain name is populated based on the customer domain name that you provided while onboarding the tenant (Administration Portal > Tenants > Add Tenant > Tenant Properties > Cloud Breakout Settings).

Though the domain name is populated automatically, you can modify the domain name.

Phase 1

In Phase 1, the SD-WAN branch (spoke) site and the cloud breakout node authenticate each other with the preshared key and establish a protected channel (the IKE security association) that is then used to negotiate the IPsec security associations (SAs).

Encryption Type

Select an encryption algorithm for the Phase 1 proposal:

  • AES-256-CBC (default)—Advanced Encryption Standard (AES) 256-bit encryption algorithm in Cipher Block Chaining (CBC) mode.

  • AES-192-CBC—AES 192-bit encryption algorithm in CBC mode.

  • AES-128-CBC—AES 128-bit encryption algorithm in CBC mode.

  • 3DES-CBC—Triple Data Encryption Algorithm (3DES) in CBC mode. Has a block size of 8 bytes (64 bits); the key size is 192 bits (168 effective bits). Because of its small block size, prefer one of the AES options unless the peer requires 3DES.

Authentication Type

Select an authentication (hash) algorithm for the Phase 1 security association:

  • SHA-256 (default)—Secure Hash Algorithm (SHA) producing a 256-bit digest.

  • SHA-384—Produces a 384-bit digest.

  • SHA1—Produces a 160-bit digest. Prefer SHA-256 or SHA-384 unless the peer requires SHA1.

DH Group

Select the Diffie-Hellman (DH) group used for the Phase 1 key exchange. The group must be one the cloud breakout node accepts; larger groups produce stronger keys at a higher computational cost:

  • GROUP2 (default)—1024-bit Modular Exponential (MODP) algorithm. A 1024-bit group is below current guidance for new deployments; use GROUP14 when the cloud breakout node supports it.

  • GROUP5—1536-bit MODP algorithm.

  • GROUP14—2048-bit MODP algorithm.

Phase 2

In Phase 2, the SD-WAN branch (spoke) site and the cloud breakout node negotiate the IPsec SAs used to encrypt and authenticate the data traffic sent over the tunnel.

Encryption Type

Select an encryption algorithm for the Phase 2 IPsec proposal:

  • NULL (default)—No encryption. With NULL, ESP authenticates the traffic but does not encrypt it, so the data sent to the cloud breakout node over the overlay is readable by anyone on the path. Select an AES option if the breakout traffic needs confidentiality in transit.

  • AES-256-CBC—AES 256-bit encryption algorithm in CBC mode.

  • AES-192-CBC—AES 192-bit encryption algorithm in CBC mode.

  • AES-128-CBC—AES 128-bit encryption algorithm in CBC mode.

Authentication Type

Select an authentication (integrity) algorithm for the Phase 2 security association:

  • HMAC-MD5-96 (default)—HMAC with MD5; produces a 128-bit digest, truncated to 96 bits.

  • HMAC-SHA-256-128—HMAC with SHA-256; produces a 256-bit digest, truncated to 128 bits.

  • HMAC-SHA1-96—HMAC with SHA-1; produces a 160-bit digest, truncated to 96 bits.

Prefer HMAC-SHA-256-128; the MD5 and SHA-1 options are no longer recommended for new deployments.

Protocol

Displays the protocol as ESP (default). The Encapsulating Security Payload (ESP) protocol provides privacy (encryption), source authentication, and content integrity (authentication). Because the protocol is fixed, the protection actually applied to the traffic is determined by the Phase 2 Encryption Type and Authentication Type selected above.

Note:

You cannot edit the protocol.

Primary Gateway

Configuration for the primary cloud breakout node.

Link Type

Select the preferred type of WAN link (MPLS or Internet) to be used for breaking out the traffic to the primary cloud breakout node.

If a WAN link type that matches the preferred path is enabled for breakout, then that WAN link type is used for breakout traffic.

IP Address/Hostname

Enter the IPv4 address or host name of the primary cloud breakout node. Currently, Zscaler is the only cloud-based security platform supported.

The IP address or host name is validated. If the IP address or host name is not reachable, the Host Unreachable message is displayed.

Preshared Key

Enter the preshared key used for IKE authentication with the primary cloud breakout node. The preshared key is provided by Zscaler. Treat it as a secret: it is the credential that authenticates the site to the cloud breakout node.

The key that you enter is masked.

Confirm Preshared Key

Reenter the preshared key for confirmation.

Secondary Gateway

Configuration for the secondary cloud breakout node.

Link Type

Select the preferred type of WAN link (MPLS or Internet) to be used for breaking out the traffic to the secondary cloud breakout node.

If a WAN link type that matches the preferred path is enabled for breakout, then that WAN link type is used for breakout traffic.

IP Address/Hostname

Enter the IPv4 address or host name of the secondary cloud breakout node. Currently, Zscaler is the only cloud-based security platform supported.

The IP address or host name is validated. If the IP address or host name is not reachable, the Host Unreachable message is displayed.

Preshared Key

Enter the preshared key used for IKE authentication with the secondary cloud breakout node. The preshared key is provided by Zscaler. Treat it as a secret: it is the credential that authenticates the site to the cloud breakout node.

The key that you enter is masked.

Confirm Preshared Key

Reenter the preshared key for confirmation.
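The defaults in Table 1 (DH GROUP2, Phase 2 NULL encryption, HMAC-MD5-96) are the choices a security reviewer would question before assigning the settings to a site. The following script is an added example, not CSO code or a CSO API: it takes the values a user would enter on the Add Cloud Breakout Settings page, represented as a plain dictionary whose keys (`p1_enc`, `dh_group`, `gateways`, and so on) are this example's own naming, and reports the selections that should be changed or justified. The severity levels, the gateway addresses, and the preshared keys in it are constructed for illustration; the assumption that the IPsec fields do not apply to a GRE tunnel is marked in the code.

```python
import re

# Option values exactly as listed in Table 1 of this page.
PHASE1_ENC = ("AES-256-CBC", "AES-192-CBC", "AES-128-CBC", "3DES-CBC")
PHASE1_AUTH = ("SHA-256", "SHA-384", "SHA1")
DH_GROUP_BITS = {"GROUP2": 1024, "GROUP5": 1536, "GROUP14": 2048}
PHASE2_ENC = ("NULL", "AES-256-CBC", "AES-192-CBC", "AES-128-CBC")
PHASE2_AUTH = ("HMAC-MD5-96", "HMAC-SHA-256-128", "HMAC-SHA1-96")

# Name rule from Table 1: alphanumerics and hyphens, at most 15 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")


def page_defaults(name="zs-breakout"):
    """Profile with every selector left at the default shown in Table 1.
    Gateway hosts and keys are constructed placeholders, not real Zscaler values."""
    return {
        "name": name,
        "tunnel_type": "IPSEC",
        "p1_enc": "AES-256-CBC", "p1_auth": "SHA-256", "dh_group": "GROUP2",
        "p2_enc": "NULL", "p2_auth": "HMAC-MD5-96",
        "gateways": [
            {"role": "primary", "link": "Internet", "host": "192.0.2.10",
             "psk": "example-psk-1", "psk_confirm": "example-psk-1"},
            {"role": "secondary", "link": "MPLS", "host": "192.0.2.11",
             "psk": "example-psk-2", "psk_confirm": "example-psk-2"},
        ],
    }


def hardened_profile(name="zs-breakout"):
    """The same profile with the selectors a reviewer would choose instead."""
    p = page_defaults(name)
    p.update(dh_group="GROUP14", p2_enc="AES-256-CBC", p2_auth="HMAC-SHA-256-128")
    return p


def lint_profile(p):
    """Return a list of (severity, message); an empty list means no findings.
    Severity policy is this example's own: 'error' is a field the page would not
    accept, 'high' should block rollout, 'medium' needs a documented reason."""
    findings = []
    if not NAME_RE.match(p.get("name", "")):
        findings.append(("error", "Name: 1-15 alphanumeric characters or hyphens required"))
    for g in p.get("gateways", []):
        role = g.get("role", "?")
        if not g.get("host"):
            findings.append(("error", f"{role} gateway: IP address/hostname is empty"))
        if g.get("psk") != g.get("psk_confirm"):
            findings.append(("error", f"{role} gateway: preshared key and confirmation differ"))
    if p.get("tunnel_type") == "GRE":
        # Assumption: the IPsec fields are ignored for a GRE tunnel, so only the
        # lack of overlay protection is reported.
        findings.append(("high", "Tunnel Type GRE: overlay provides no encryption or authentication"))
        return findings
    # Reject values that are not offered on the page before judging them.
    for field, allowed in (("p1_enc", PHASE1_ENC), ("p1_auth", PHASE1_AUTH),
                           ("dh_group", tuple(DH_GROUP_BITS)),
                           ("p2_enc", PHASE2_ENC), ("p2_auth", PHASE2_AUTH)):
        if p.get(field) not in allowed:
            findings.append(("error", f"{field}: {p.get(field)!r} is not a valid option"))
            return findings
    if p["p1_enc"] == "3DES-CBC":
        findings.append(("medium", "Phase 1 3DES-CBC: 64-bit block cipher; prefer an AES option"))
    if p["p1_auth"] == "SHA1":
        findings.append(("medium", "Phase 1 SHA1: prefer SHA-256 or SHA-384"))
    bits = DH_GROUP_BITS[p["dh_group"]]
    if bits < 2048:
        findings.append(("medium", f"DH {p['dh_group']}: {bits}-bit MODP; prefer GROUP14"))
    if p["p2_enc"] == "NULL":
        findings.append(("high", "Phase 2 NULL: ESP integrity only; traffic to the breakout node is not encrypted"))
    if p["p2_auth"] == "HMAC-MD5-96":
        findings.append(("high", "Phase 2 HMAC-MD5-96: prefer HMAC-SHA-256-128"))
    elif p["p2_auth"] == "HMAC-SHA1-96":
        findings.append(("medium", "Phase 2 HMAC-SHA1-96: prefer HMAC-SHA-256-128"))
    return findings


if __name__ == "__main__":
    for label, prof in (("page defaults", page_defaults()), ("hardened", hardened_profile())):
        print(label)
        for sev, msg in lint_profile(prof) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against the page defaults the script reports the weak DH group as medium and both the NULL Phase 2 encryption and the MD5 integrity algorithm as high; the hardened profile produces no findings. The validity pass stops at the first unknown option value so that the later checks can index the option tables safely.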