Reconfigure IPSec Tunnels in ePO Cloud

If you have configured IPSec tunnels in ePO Cloud (https://manage.trellix.com).

1. Sign in to ePO Cloud.
2. Go to Web Protection > Authentication Settings > IPsec Site-to-Site Settings.
3. For each enabled IPSec tunnel, gather the Name, External IP, Local Network, and Pre-shared key.
4. If Authentication is enabled for any of the tunnels, gather the SAML authentication information.
5. Sign in to Skyhigh Security Cloud (https://auth.ui.trellix.com).
6. If you used SAML authentication for any tunnels:
   • For each SAML Configuration, go to Configuration > Infrastructure > Web Gateway Setup > Setup SAML > New SAML. 
   • Configure each IdP to match the settings in ePO Cloud.
7. Go to Configuration > Infrastructure > Web Gateway Setup > Configure Locations > New Location. 
8. Create a matching Location for each tunnel that was configured and enabled in ePO Cloud.
   • Enter the Name of the tunnel copied from ePO Cloud.
   • If SAML was configured for the tunnel, select the appropriate SAML configuration. 
   • Select the Log Data Residency for the tunnel.
   • Define the IPSec Mapping to match the ePO Cloud settings for the tunnel:
     • Client ID Type. Select Use Client Address. (Other options are now available, but originally ePO Cloud only allowed this Client ID Type.)
     • Enter the Client Address from ePO Cloud.
     • Enter the Pre-shared Key from ePO Cloud.
     • Enter the subnet to protect from ePO Cloud. (Multiple disjoint subnets are supported, but originally ePO Cloud only allowed a single subnet per tunnel.)
     • Click Save.
9. Reconfigure your tunnel endpoints to point to these locally resolved addresses:
   • 1.network.c<customerid>.wgcs.skyhigh.cloud
   • 2.network.c<customerid>.wgcs.skyhigh.cloud (if you have a secondary)