The Service Gateway’s IPsec tunnel is how the router and the Netgraph platform communicate for session state, events, policy updates, and control-plane telemetry. Guest traffic itself doesn’t traverse the tunnel — it flows through the router’s data plane — but anything Sign In needs to coordinate with the platform passes through IPsec. The IPsec tab under Service Gateway is where you configure the remote peers that the routers pair with.

Remote peers

A remote peer is the Netgraph-side endpoint a Service Gateway router connects to. For each peer, Sign In stores:
  • Peer address — the IP or hostname of the Netgraph endpoint.
  • Shared secret — the pre-shared key used for authentication. Coordinate this with your router team; both sides must agree.
  • Phase 1 / Phase 2 parameters — encryption and DH group settings that must match the router’s IPsec configuration.
  • Tunnel health-check parameters — DPD (dead peer detection) and rekey timers.
Multiple peers can be defined so that different Service Gateways (or different routers within an HA pair) can use different Netgraph-side endpoints.

Setting up a tunnel

1. Coordinate parameters with the router team
   Nail down phase-1 and phase-2 ciphers, DH group, lifetimes, and a strong shared secret. Document these so both sides install matching configuration.

2. Add the remote peer in Sign In
   From the IPsec tab, click Add Remote Peer and enter the values.

3. Configure the router
   On the Cisco side, configure the IPsec tunnel to the Netgraph peer address with the same parameters.

4. Verify the tunnel is up
   The Dashboard’s IPsec Service Status card flips to active once the tunnel establishes. Check on the router with show crypto isakmp sa / show crypto ipsec sa (or your platform’s equivalent).
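The router side of steps 1 to 4, as an added example that is not configuration shipped with Sign In or Netgraph: a Cisco IOS IKEv1 setup using a routed IPsec VTI, with every value that the Remote peers section says must match (phase 1 policy, phase 2 transform set and PFS group, lifetimes, DPD timers, shared secret). The peer address 203.0.113.10, the tunnel addressing, the policy and profile names and the secret are placeholders; substitute the values recorded for the peer in Sign In.

```cisco
! --- Phase 1 (ISAKMP/IKEv1): must match the peer's Phase 1 parameters in Sign In
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Shared secret for this peer only (placeholder value); same string is entered in Sign In
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.10
! DPD: send a keepalive every 10 s, declare the peer dead after 3 misses.
! Align these with the peer's tunnel health-check parameters in Sign In.
crypto isakmp keepalive 10 3 periodic

! --- Phase 2 (IPsec): must match the peer's Phase 2 parameters in Sign In
crypto ipsec transform-set NETGRAPH-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile NETGRAPH-PROF
 set transform-set NETGRAPH-TS
 set pfs group14
 set security-association lifetime seconds 3600

! --- Routed VTI to the Netgraph peer; BGP can run over this interface
interface Tunnel0
 description IPsec to Netgraph peer (placeholder addressing)
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NETGRAPH-PROF

! --- Step 4: confirm Phase 1 is in state QM_IDLE and Phase 2 SAs show non-zero encaps/decaps
! show crypto isakmp sa
! show crypto ipsec sa peer 203.0.113.10
```

A crypto-map style configuration on the physical interface works too, but the VTI keeps the tunnel as a routable interface, which is what a BGP session over the tunnel needs and makes the MTU tuning below a per-interface setting.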

Shared secret handling

  • Treat the shared secret as a credential — don’t paste it into chat or ticketing systems.
  • Rotate when you rotate other network credentials. Coordinate a maintenance window because both sides need to change simultaneously.
  • The audit log records when the secret was last updated, and by whom, but not the value itself.

When tunnels flap

Tunnels dropping and re-establishing usually point to:
  • MTU mismatch — the path MTU between the router and Netgraph is lower than the tunnel’s clear-text MTU. Tune the tunnel MTU down.
  • NAT in the path — if NAT is present, NAT-traversal (NAT-T) must be enabled on both sides.
  • DPD timer mismatch — one side declares the peer dead before the other side renews.
Check the Service Gateway’s own logs first — they surface the specific negotiation step that failed.
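The router-side adjustments for each of the three flap causes above, as an added example rather than a recommendation from the Sign In or Netgraph documentation. It assumes the VTI named Tunnel0 and the peer address 203.0.113.10 are placeholders you replace with your own; the numeric values are starting points to be confirmed against the peer's settings in Sign In and the measured path MTU.

```cisco
! --- MTU mismatch: keep the clear-text packet small enough that, after ESP (and UDP
! encapsulation when NAT-T is in use), it still fits the path MTU without fragmentation.
! 1400 leaves ~100 bytes of headroom on a 1500-byte path; lower it if pings with DF set fail.
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360

! --- NAT in the path: IOS detects NAT during IKE and switches to UDP/4500 automatically,
! but the NAT binding must be kept alive between real packets or the tunnel silently dies.
crypto isakmp nat keepalive 20

! --- DPD timer mismatch: interval and retry count should be consistent with the peer's
! health-check values, so neither side declares the other dead before it would respond.
crypto isakmp keepalive 10 3 periodic

! --- Diagnosis: verify the path MTU, then watch which negotiation step fails
! ping 203.0.113.10 size 1400 df-bit
! show crypto isakmp sa detail
! show crypto ipsec sa peer 203.0.113.10
! debug crypto isakmp
```

Pair the `debug crypto isakmp` output with the Service Gateway's own logs; the two views together show which side rejected the exchange and at which step.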

Gateways

Each registered router references one IPsec peer.

BGP

BGP sessions usually run over the IPsec tunnel.