Skip to content

5.17 Multi-Vendor Integration

Document Information

Field Value
Document Title Multi-Vendor Integration
Version 1.0
Last Updated December 2025
Author Abhavtech
Classification Internal Use
Target Audience Network Engineers, Integration Teams

Overview

This section provides comprehensive guidance for integrating third-party devices and services with the Abhavtech SD-WAN deployment. Multi-vendor integration ensures seamless connectivity with existing infrastructure, partner networks, and cloud service providers.

Integration Architecture

MULTI-VENDOR INTEGRATION TOPOLOGY
==================================

                    +------------------+
                    |   Cloud/SaaS     |
                    |  AWS, Azure, M365|
                    +--------+---------+
                             |
                             | IPsec/GRE
                             |
+------------------+    +----+----+    +------------------+
|  Third-Party     |    |         |    |  Legacy          |
|  SD-WAN Vendor   +----+ SD-WAN  +----+  Devices         |
|  (Site-to-Site)  |    | Edge    |    |  (Non-SD-WAN)    |
+------------------+    +----+----+    +------------------+
                             |
            +----------------+----------------+
            |                |                |
     +------+------+  +------+------+  +------+------+
     | Security    |  |   MPLS      |  |  Partner    |
     | Vendors     |  |   Provider  |  |  Networks   |
     | (Firewall)  |  |   CE/PE     |  |  (B2B)      |
     +-------------+  +-------------+  +-------------+

Integration Types:
├── IPsec Site-to-Site (Third-party SD-WAN, Cloud)
├── GRE Tunnels (Legacy sites, MPLS underlay)
├── BGP Peering (Service providers, Partners)
├── Service Insertion (Security vendors)
└── API Integration (Cloud services, Orchestration)

Third-Party SD-WAN Integration

Site-to-Site IPsec Tunnels

Scenario: Connecting to partner/acquired company using different SD-WAN vendor.

THIRD-PARTY SD-WAN INTEGRATION
==============================

Abhavtech                                Partner (Velocloud/Fortinet/etc.)
+-------------+                          +-------------+
| WAN Edge    |====IPsec IKEv2====>     | Third-Party |
| C8300       |                          | SD-WAN Edge |
| Mumbai DC   |                          | Partner HQ  |
+-------------+                          +-------------+
    |                                          |
    | SD-Access                                | Partner LAN
    | Fabric                                   | Network

IKEv2 IPsec Configuration

!------------------------------------------------------------
! WAN Edge Configuration - Third-Party IPsec Tunnel
!------------------------------------------------------------

! Crypto Keyring
crypto ikev2 keyring PARTNER-KEYRING
  peer PARTNER-HQ
    address 203.0.113.50
    pre-shared-key local <strong_psk_key>
    pre-shared-key remote <strong_psk_key>

! IKEv2 Proposal
crypto ikev2 proposal PARTNER-PROPOSAL
  encryption aes-cbc-256
  integrity sha512
  group 20

! IKEv2 Policy
crypto ikev2 policy PARTNER-POLICY
  match address local 198.51.100.10
  proposal PARTNER-PROPOSAL

! IKEv2 Profile
crypto ikev2 profile PARTNER-PROFILE
  match identity remote address 203.0.113.50 255.255.255.255
  identity local address 198.51.100.10
  authentication remote pre-share
  authentication local pre-share
  keyring local PARTNER-KEYRING
  dpd 10 5 periodic

! IPsec Transform Set
crypto ipsec transform-set PARTNER-TRANSFORM esp-aes 256 esp-sha512-hmac
  mode tunnel

! IPsec Profile
crypto ipsec profile PARTNER-IPSEC-PROFILE
  set transform-set PARTNER-TRANSFORM
  set ikev2-profile PARTNER-PROFILE
  set pfs group20

! Tunnel Interface
interface Tunnel100
  description Partner-HQ-IPsec-Tunnel
  ip address 172.30.100.1 255.255.255.252
  tunnel source GigabitEthernet0/0/0
  tunnel mode ipsec ipv4
  tunnel destination 203.0.113.50
  tunnel protection ipsec profile PARTNER-IPSEC-PROFILE
  ip mtu 1400
  ip tcp adjust-mss 1360

! Routing
router bgp 65100
  neighbor 172.30.100.2 remote-as 65300
  neighbor 172.30.100.2 description Partner-eBGP
  neighbor 172.30.100.2 password <bgp_password>
  neighbor 172.30.100.2 ebgp-multihop 2
  address-family ipv4 unicast
    neighbor 172.30.100.2 activate
    neighbor 172.30.100.2 route-map PARTNER-IN in
    neighbor 172.30.100.2 route-map PARTNER-OUT out
    neighbor 172.30.100.2 prefix-list PARTNER-PREFIXES in
    neighbor 172.30.100.2 maximum-prefix 100 warning-only

! Route Maps
route-map PARTNER-IN permit 10
  set local-preference 100
  set community 65100:300

route-map PARTNER-OUT permit 10
  match ip address prefix-list ADVERTISE-TO-PARTNER

! Prefix Lists
ip prefix-list PARTNER-PREFIXES seq 10 permit 192.168.0.0/16 le 24
ip prefix-list PARTNER-PREFIXES seq 20 permit 172.16.0.0/12 le 24
ip prefix-list ADVERTISE-TO-PARTNER seq 10 permit 10.10.0.0/16 le 24
ip prefix-list ADVERTISE-TO-PARTNER seq 20 permit 10.20.0.0/16 le 24

SD-WAN Manager Third-Party Configuration Template

# Third-Party IPsec Feature Template
name: "Feature-ThirdParty-IPsec"
description: "IPsec tunnel to third-party SD-WAN"
device_type: ["vedge-C8000V", "vedge-C8300-1N1S-6T", "vedge-C8300-2N2S-6T"]

ipsec:
  tunnel:
    - tunnel_interface: "Tunnel{{thirdparty_tunnel_id}}"
      tunnel_source: "GigabitEthernet0/0/0"
      tunnel_destination: "{{partner_public_ip}}"
      tunnel_mode: "ipsec ipv4"

      ikev2:
        profile: "PARTNER-PROFILE"
        proposal:
          encryption: "aes-cbc-256"
          integrity: "sha512"
          dh_group: "20"
        keyring:
          peer_address: "{{partner_public_ip}}"
          pre_shared_key: "{{encrypted_psk}}"
        dpd:
          interval: 10
          retry: 5
          action: "periodic"

      ipsec:
        transform_set: "esp-aes-256 esp-sha512-hmac"
        mode: "tunnel"
        pfs: "group20"

      ip_config:
        address: "{{tunnel_local_ip}}"
        mask: "255.255.255.252"
        mtu: 1400
        tcp_mss: 1360

bgp:
  neighbor:
    - address: "{{tunnel_remote_ip}}"
      remote_as: "{{partner_asn}}"
      description: "Partner-eBGP-Peer"
      password: "{{bgp_password}}"
      ebgp_multihop: 2

variables:
  thirdparty_tunnel_id:
    type: "integer"
    range: "100-199"
  partner_public_ip:
    type: "ipv4"
  encrypted_psk:
    type: "passphrase"
  tunnel_local_ip:
    type: "ipv4"
  tunnel_remote_ip:
    type: "ipv4"
  partner_asn:
    type: "integer"
    range: "1-65535"
  bgp_password:
    type: "passphrase"

Legacy Device Integration

Non-SD-WAN Site Connectivity

Scenario: Connecting legacy routers at acquired offices before SD-WAN migration.

LEGACY SITE INTEGRATION
=======================

+-----------------+        IPsec/GRE        +----------------+
| SD-WAN Fabric   |========================>| Legacy Router  |
| Mumbai DC       |                         | (ISR 4331)     |
+-----------------+                         +----------------+
      |                                            |
      | OMP Routes                                 | Static/OSPF
      |                                            |
+-----+-----+                               +------+------+
| SD-WAN    |                               | Legacy LAN  |
| Overlay   |                               | 192.168.x.x |
+-----------+                               +-------------+

Methods:
1. IPsec Tunnel (Internet transport)
2. GRE over IPsec (Multi-protocol support)
3. DMVPN spoke (Existing DMVPN infrastructure)

GRE over IPsec Configuration

!------------------------------------------------------------
! SD-WAN WAN Edge - Legacy Site GRE/IPsec
!------------------------------------------------------------

! Crypto Configuration
crypto ikev2 keyring LEGACY-KEYRING
  peer LEGACY-SITE-01
    address 203.0.113.100
    pre-shared-key <legacy_psk>

crypto ikev2 profile LEGACY-IKEv2
  match identity remote address 203.0.113.100 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local LEGACY-KEYRING

crypto ipsec transform-set LEGACY-TRANSFORM esp-aes 256 esp-sha256-hmac
  mode transport

crypto ipsec profile LEGACY-IPSEC
  set transform-set LEGACY-TRANSFORM
  set ikev2-profile LEGACY-IKEv2

! GRE Tunnel over IPsec
interface Tunnel200
  description Legacy-Site-01-GRE-over-IPsec
  ip address 172.30.200.1 255.255.255.252
  ip mtu 1400
  ip tcp adjust-mss 1360
  tunnel source GigabitEthernet0/0/0
  tunnel destination 203.0.113.100
  tunnel mode gre ip
  tunnel protection ipsec profile LEGACY-IPSEC
  keepalive 10 3

! Routing to Legacy Site
ip route 192.168.10.0 255.255.255.0 Tunnel200

! Or use OSPF for dynamic routing
router ospf 100
  network 172.30.200.0 0.0.0.3 area 0
  redistribute omp subnets route-map OMP-TO-LEGACY

route-map OMP-TO-LEGACY permit 10
  match ip address prefix-list LEGACY-ALLOWED
  set metric 100
  set metric-type type-1

ip prefix-list LEGACY-ALLOWED seq 10 permit 10.0.0.0/8 le 24

!------------------------------------------------------------
! Legacy ISR 4331 Configuration
!------------------------------------------------------------

crypto ikev2 keyring SDWAN-KEYRING
  peer SDWAN-HUB
    address 198.51.100.10
    pre-shared-key <legacy_psk>

crypto ikev2 profile SDWAN-IKEv2
  match identity remote address 198.51.100.10 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local SDWAN-KEYRING

crypto ipsec transform-set SDWAN-TRANSFORM esp-aes 256 esp-sha256-hmac
  mode transport

crypto ipsec profile SDWAN-IPSEC
  set transform-set SDWAN-TRANSFORM
  set ikev2-profile SDWAN-IKEv2

interface Tunnel200
  description To-SD-WAN-Hub
  ip address 172.30.200.2 255.255.255.252
  ip mtu 1400
  tunnel source GigabitEthernet0/0/1
  tunnel destination 198.51.100.10
  tunnel mode gre ip
  tunnel protection ipsec profile SDWAN-IPSEC

router ospf 100
  network 172.30.200.0 0.0.0.3 area 0
  network 192.168.10.0 0.0.0.255 area 0

DMVPN Integration

Scenario: Integrating existing DMVPN infrastructure with SD-WAN.

DMVPN HUB INTEGRATION
=====================

                  +------------------+
                  |   SD-WAN WAN     |
                  |   Edge (Hub)     |
                  +--------+---------+
                           |
              DMVPN Hub    | Tunnel0 (mGRE)
              NHRP NHS     |
                           |
         +-----------------+-----------------+
         |                 |                 |
   +-----+-----+     +-----+-----+     +-----+-----+
   | DMVPN     |     | DMVPN     |     | DMVPN     |
   | Spoke 1   |     | Spoke 2   |     | Spoke 3   |
   | (Legacy)  |     | (Legacy)  |     | (Legacy)  |
   +-----------+     +-----------+     +-----------+

Transition Strategy:
1. SD-WAN WAN Edge becomes DMVPN hub
2. Existing spokes connect without changes
3. Migrate spokes to SD-WAN over time
4. Decommission DMVPN when migration complete
!------------------------------------------------------------
! SD-WAN WAN Edge as DMVPN Hub
!------------------------------------------------------------

! DMVPN Hub Configuration
interface Tunnel0
  description DMVPN-Hub-Integration
  ip address 172.29.0.1 255.255.0.0
  ip mtu 1400
  ip tcp adjust-mss 1360
  ip nhrp network-id 100
  ip nhrp map multicast dynamic
  ip nhrp authentication DMVPNKEY
  ip nhrp redirect
  tunnel source GigabitEthernet0/0/0
  tunnel mode gre multipoint
  tunnel key 100
  tunnel protection ipsec profile DMVPN-IPSEC shared

! Crypto for DMVPN
crypto ikev2 keyring DMVPN-KEYRING
  peer DMVPN-SPOKES
    address 0.0.0.0 0.0.0.0
    pre-shared-key <dmvpn_key>

crypto ikev2 profile DMVPN-IKEv2
  match identity remote address 0.0.0.0 0.0.0.0
  authentication remote pre-share
  authentication local pre-share
  keyring local DMVPN-KEYRING

crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
  mode transport

crypto ipsec profile DMVPN-IPSEC
  set transform-set DMVPN-TS
  set ikev2-profile DMVPN-IKEv2

! EIGRP for DMVPN (existing protocol)
router eigrp DMVPN-LEGACY
  address-family ipv4 autonomous-system 100
    network 172.29.0.0 0.0.255.255
    af-interface Tunnel0
      no split-horizon
      summary-address 10.0.0.0 255.0.0.0
    exit-af-interface
    topology base
      redistribute omp route-map OMP-TO-DMVPN
    exit-af-topology
  exit-address-family

route-map OMP-TO-DMVPN permit 10
  set metric 10000 100 255 1 1500

Cloud Service Integration

AWS Transit Gateway Integration

AWS TGW INTEGRATION
===================

            +------------------------+
            |    AWS Transit Gateway |
            |    (TGW-xxx)          |
            +----------+-------------+
                       |
          VPN Connection (2 tunnels)
          BGP over IPsec
                       |
            +----------+-------------+
            |    SD-WAN WAN Edge    |
            |    Mumbai DC          |
            +------------------------+

AWS Side:
- Transit Gateway with SD-WAN attachment
- Customer Gateway (CGW) pointing to WAN Edge
- VPN Connection with BGP

SD-WAN Side:
- IPsec tunnels to AWS TGW endpoints
- BGP peering over tunnels
- Route advertisement to SD-WAN overlay
!------------------------------------------------------------
! AWS Transit Gateway IPsec Configuration
!------------------------------------------------------------

! AWS Tunnel 1
crypto ikev2 keyring AWS-TGW-KEYRING
  peer AWS-TGW-TUNNEL1
    address 52.xx.xx.xx
    pre-shared-key <aws_psk_tunnel1>
  peer AWS-TGW-TUNNEL2
    address 52.yy.yy.yy
    pre-shared-key <aws_psk_tunnel2>

crypto ikev2 proposal AWS-IKEv2-PROPOSAL
  encryption aes-cbc-256
  integrity sha256
  group 14

crypto ikev2 policy AWS-IKEv2-POLICY
  proposal AWS-IKEv2-PROPOSAL

crypto ikev2 profile AWS-TGW-PROFILE-1
  match identity remote address 52.xx.xx.xx 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local AWS-TGW-KEYRING
  dpd 10 3 periodic

crypto ikev2 profile AWS-TGW-PROFILE-2
  match identity remote address 52.yy.yy.yy 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local AWS-TGW-KEYRING
  dpd 10 3 periodic

crypto ipsec transform-set AWS-TS esp-aes 256 esp-sha256-hmac
  mode tunnel

crypto ipsec profile AWS-IPSEC-1
  set transform-set AWS-TS
  set ikev2-profile AWS-TGW-PROFILE-1
  set pfs group14

crypto ipsec profile AWS-IPSEC-2
  set transform-set AWS-TS
  set ikev2-profile AWS-TGW-PROFILE-2
  set pfs group14

! Tunnel Interfaces
interface Tunnel301
  description AWS-TGW-Tunnel-1
  ip address 169.254.10.2 255.255.255.252
  tunnel source GigabitEthernet0/0/0
  tunnel mode ipsec ipv4
  tunnel destination 52.xx.xx.xx
  tunnel protection ipsec profile AWS-IPSEC-1
  ip tcp adjust-mss 1379

interface Tunnel302
  description AWS-TGW-Tunnel-2
  ip address 169.254.20.2 255.255.255.252
  tunnel source GigabitEthernet0/0/0
  tunnel mode ipsec ipv4
  tunnel destination 52.yy.yy.yy
  tunnel protection ipsec profile AWS-IPSEC-2
  ip tcp adjust-mss 1379

! BGP Configuration
router bgp 65100
  neighbor 169.254.10.1 remote-as 64512
  neighbor 169.254.10.1 description AWS-TGW-BGP-1
  neighbor 169.254.10.1 timers 10 30
  neighbor 169.254.20.1 remote-as 64512
  neighbor 169.254.20.1 description AWS-TGW-BGP-2
  neighbor 169.254.20.1 timers 10 30

  address-family ipv4 unicast
    neighbor 169.254.10.1 activate
    neighbor 169.254.10.1 soft-reconfiguration inbound
    neighbor 169.254.20.1 activate
    neighbor 169.254.20.1 soft-reconfiguration inbound
    network 10.10.0.0 mask 255.255.0.0
    network 10.20.0.0 mask 255.255.0.0
    maximum-paths 2

Azure vWAN Integration

!------------------------------------------------------------
! Azure Virtual WAN IPsec Configuration
!------------------------------------------------------------

! Azure vWAN typically uses IKEv2 with certificate or PSK

crypto ikev2 keyring AZURE-VWAN-KEYRING
  peer AZURE-VWAN-GATEWAY
    address 20.xx.xx.xx
    pre-shared-key <azure_psk>

crypto ikev2 profile AZURE-VWAN-PROFILE
  match identity remote address 20.xx.xx.xx 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local AZURE-VWAN-KEYRING
  dpd 10 3 periodic

crypto ipsec transform-set AZURE-TS esp-gcm 256
  mode tunnel

crypto ipsec profile AZURE-IPSEC
  set transform-set AZURE-TS
  set ikev2-profile AZURE-VWAN-PROFILE
  set pfs group14

interface Tunnel400
  description Azure-vWAN-Connection
  ip address 172.31.0.2 255.255.255.252
  tunnel source GigabitEthernet0/0/0
  tunnel mode ipsec ipv4
  tunnel destination 20.xx.xx.xx
  tunnel protection ipsec profile AZURE-IPSEC

! BGP for Azure
router bgp 65100
  neighbor 172.31.0.1 remote-as 65515
  neighbor 172.31.0.1 description Azure-vWAN-BGP
  neighbor 172.31.0.1 ebgp-multihop 5

  address-family ipv4 unicast
    neighbor 172.31.0.1 activate
    neighbor 172.31.0.1 route-map AZURE-OUT out
    neighbor 172.31.0.1 route-map AZURE-IN in

route-map AZURE-OUT permit 10
  match ip address prefix-list ON-PREM-ROUTES
  set as-path prepend 65100 65100

route-map AZURE-IN permit 10
  set local-preference 100

Service Provider Integration

MPLS CE-PE Coexistence

Scenario: Running SD-WAN parallel with existing MPLS during migration.

MPLS COEXISTENCE ARCHITECTURE
=============================

                    MPLS Provider Cloud
                    +------------------+
                    |   P Routers      |
                    |   (Provider)     |
                    +--------+---------+
                             |
          +-----------------+-----------------+
          |                                   |
    +-----+-----+                       +-----+-----+
    |   PE      |                       |    PE     |
    | Provider  |                       |  Provider |
    +-----+-----+                       +-----+-----+
          |                                   |
    CE Interface                        CE Interface
          |                                   |
    +-----+-----+                       +-----+-----+
    | SD-Access |                       | SD-Access |
    |  Border   |                       |  Border   |
    |  Node     |                       |  Node     |
    +-----+-----+                       +-----+-----+
          |                                   |
    Handoff Link                        Handoff Link
          |                                   |
    +-----+-----+                       +-----+-----+
    |  SD-WAN   |                       |  SD-WAN   |
    | WAN Edge  |=======SD-WAN=========>| WAN Edge  |
    | Mumbai    |       Overlay         | Chennai   |
    +-----------+                       +-----------+

Traffic Flow Options:
1. SD-WAN Primary, MPLS Backup (recommended)
2. Load balance between SD-WAN and MPLS
3. Application-based steering (SaaS via SD-WAN, legacy via MPLS)
!------------------------------------------------------------
! SD-Access Border - MPLS and SD-WAN Coexistence
!------------------------------------------------------------

! MPLS CE Interface (existing)
interface TenGigabitEthernet1/0/2
  description MPLS-PE-Connection
  no switchport
  vrf forwarding Corporate-Data
  ip address 10.1.1.2 255.255.255.252

! BGP to MPLS PE (lower preference during migration)
router bgp 65200
  address-family ipv4 vrf Corporate-Data
    ! MPLS PE Neighbor
    neighbor 10.1.1.1 remote-as 65000
    neighbor 10.1.1.1 description MPLS-PE-eBGP
    neighbor 10.1.1.1 activate
    neighbor 10.1.1.1 route-map MPLS-BACKUP in

    ! SD-WAN WAN Edge Neighbor (higher preference)
    neighbor 10.100.100.1 remote-as 65100
    neighbor 10.100.100.1 description SD-WAN-Edge-eBGP
    neighbor 10.100.100.1 activate
    neighbor 10.100.100.1 route-map SDWAN-PREFER in

! Route Maps for Path Selection
route-map MPLS-BACKUP permit 10
  set local-preference 50
  set community 65200:50

route-map SDWAN-PREFER permit 10
  set local-preference 200
  set community 65200:200

! During cutover - swap preferences
! MPLS becomes preferred
route-map MPLS-PREFER permit 10
  set local-preference 200

route-map SDWAN-BACKUP permit 10
  set local-preference 50

Security Vendor Integration

Service Insertion for Firewalls

Scenario: Inserting Palo Alto or Fortinet firewalls into SD-WAN traffic path.

FIREWALL SERVICE INSERTION
==========================

+-----------+    +-----------+    +-----------+
| SD-WAN    |--->| Firewall  |--->| SD-WAN    |
| Ingress   |    | (Service  |    | Egress    |
| Interface |    |  Chain)   |    | Interface |
+-----------+    +-----------+    +-----------+

Service Chain Flow:
Internet -> WAN Edge VPN 0 -> Service VPN -> Firewall -> Internal
!------------------------------------------------------------
! SD-WAN Service Insertion - Firewall
!------------------------------------------------------------

! Service VPN Configuration with Service Insertion
! VPN 5 - Service Insertion VPN

! Configure Service Interface to Firewall
interface GigabitEthernet0/0/3
  description Firewall-Service-Interface
  no shutdown
  service-insertion

! Service Insertion Policy
policy
  service-insertion
    service-route SERVICE-FW
      vpn 10
        service-type FW
        address 10.5.5.10
        interface GigabitEthernet0/0/3

! Data Policy for Traffic Steering to Firewall
policy
  data-policy STEER-TO-FIREWALL
    vpn-list VPN-10-LIST
      sequence 10
        match
          destination-data-prefix-list INTERNET-BOUND
        action accept
          set
            service FW vpn 5
      sequence 20
        match
          source-data-prefix-list SENSITIVE-DATA
          destination-data-prefix-list BRANCH-NETWORKS
        action accept
          set
            service FW vpn 5

! Apply Policy
apply-policy
  site-list HUB-SITES
    data-policy STEER-TO-FIREWALL all

Zscaler Integration (Cloud Security)

ZSCALER INTEGRATION
===================

Branch Sites                           Zscaler Cloud
+-----------+                         +-------------+
| WAN Edge  |===GRE/IPsec Tunnel====>| ZIA Node    |
| Branch    |                         | (Regional)  |
+-----------+                         +-------------+
     |
     | Internet Traffic
     | (SaaS, Web)
!------------------------------------------------------------
! Zscaler ZIA Integration - GRE Tunnel Method
!------------------------------------------------------------

! GRE Tunnel to Zscaler
interface Tunnel500
  description Zscaler-ZIA-GRE
  ip address negotiated
  tunnel source GigabitEthernet0/0/0
  tunnel destination 165.225.xx.xx
  tunnel mode gre ip
  ip mtu 1400

! Zscaler uses GRE with authentication header
! Authentication configured via Zscaler portal

! Policy-Based Routing to Zscaler
ip access-list extended INTERNET-TRAFFIC
  permit tcp any any eq 80
  permit tcp any any eq 443
  permit udp any any eq 53

route-map ZSCALER-PBR permit 10
  match ip address INTERNET-TRAFFIC
  set interface Tunnel500

interface GigabitEthernet0/0/2.10
  description Corporate-VLAN
  ip policy route-map ZSCALER-PBR

!------------------------------------------------------------
! Alternative: Zscaler IPsec Tunnel (Recommended)
!------------------------------------------------------------

crypto ikev2 keyring ZSCALER-KEYRING
  peer ZSCALER-PRIMARY
    address 165.225.xx.xx
    pre-shared-key <zscaler_psk>

crypto ikev2 profile ZSCALER-IKEv2
  match identity remote fqdn domain zscaler.net
  authentication remote pre-share
  authentication local pre-share
  keyring local ZSCALER-KEYRING

interface Tunnel501
  description Zscaler-ZIA-IPsec
  ip address negotiated
  tunnel source GigabitEthernet0/0/0
  tunnel mode ipsec ipv4
  tunnel destination 165.225.xx.xx
  tunnel protection ipsec profile ZSCALER-IPSEC

API Integration

Multi-Vendor Orchestration

#!/usr/bin/env python3
"""
Multi-Vendor Integration API Framework
Orchestrates configuration across multiple vendor platforms
"""

import requests
import json
from abc import ABC, abstractmethod
from typing import Dict, List, Optional

class VendorAPI(ABC):
    """Abstract base class for vendor API integration"""

    @abstractmethod
    def authenticate(self) -> bool:
        pass

    @abstractmethod
    def get_devices(self) -> List[Dict]:
        pass

    @abstractmethod
    def get_tunnels(self) -> List[Dict]:
        pass

    @abstractmethod
    def create_tunnel(self, config: Dict) -> bool:
        pass

class CiscoSDWANAPI(VendorAPI):
    """Cisco SD-WAN Manager API"""

    def __init__(self, host: str, username: str, password: str):
        self.base_url = f"https://{host}:443"
        self.session = requests.Session()
        self.session.verify = False
        self.username = username
        self.password = password

    def authenticate(self) -> bool:
        auth_url = f"{self.base_url}/j_security_check"
        response = self.session.post(
            auth_url,
            data={"j_username": self.username, "j_password": self.password}
        )

        token_url = f"{self.base_url}/dataservice/client/token"
        token_response = self.session.get(token_url)
        if token_response.status_code == 200:
            self.session.headers['X-XSRF-TOKEN'] = token_response.text
            return True
        return False

    def get_devices(self) -> List[Dict]:
        url = f"{self.base_url}/dataservice/device"
        response = self.session.get(url)
        return response.json().get('data', [])

    def get_tunnels(self) -> List[Dict]:
        url = f"{self.base_url}/dataservice/device/tunnel/statistics"
        response = self.session.get(url)
        return response.json().get('data', [])

    def create_tunnel(self, config: Dict) -> bool:
        # Create IPsec tunnel via template attachment
        url = f"{self.base_url}/dataservice/template/device/config/attachfeature"
        response = self.session.post(url, json=config)
        return response.status_code == 200

class AWSTransitGatewayAPI(VendorAPI):
    """AWS Transit Gateway API via boto3"""

    def __init__(self, region: str, access_key: str, secret_key: str):
        import boto3
        self.ec2 = boto3.client(
            'ec2',
            region_name=region,
            aws_access_key_id=access_key,
            aws_secret_access_key=secret_key
        )

    def authenticate(self) -> bool:
        try:
            self.ec2.describe_transit_gateways()
            return True
        except Exception:
            return False

    def get_devices(self) -> List[Dict]:
        response = self.ec2.describe_transit_gateways()
        return response.get('TransitGateways', [])

    def get_tunnels(self) -> List[Dict]:
        response = self.ec2.describe_vpn_connections()
        return response.get('VpnConnections', [])

    def create_tunnel(self, config: Dict) -> bool:
        try:
            # Create Customer Gateway
            cgw = self.ec2.create_customer_gateway(
                Type='ipsec.1',
                PublicIp=config['customer_gateway_ip'],
                BgpAsn=config['bgp_asn']
            )

            # Create VPN Connection
            vpn = self.ec2.create_vpn_connection(
                Type='ipsec.1',
                CustomerGatewayId=cgw['CustomerGateway']['CustomerGatewayId'],
                TransitGatewayId=config['transit_gateway_id'],
                Options={
                    'EnableAcceleration': True,
                    'TunnelInsideIpVersion': 'ipv4'
                }
            )
            return True
        except Exception as e:
            print(f"Error creating AWS tunnel: {e}")
            return False

class MultiVendorOrchestrator:
    """Orchestrates operations across multiple vendor APIs"""

    def __init__(self):
        self.vendors: Dict[str, VendorAPI] = {}

    def register_vendor(self, name: str, api: VendorAPI):
        """Register a vendor API"""
        if api.authenticate():
            self.vendors[name] = api
            print(f"✓ Registered vendor: {name}")
        else:
            print(f"✗ Failed to authenticate: {name}")

    def get_all_tunnels(self) -> Dict[str, List[Dict]]:
        """Get tunnels from all registered vendors"""
        all_tunnels = {}
        for name, api in self.vendors.items():
            all_tunnels[name] = api.get_tunnels()
        return all_tunnels

    def verify_connectivity(self) -> Dict[str, bool]:
        """Verify connectivity to all vendors"""
        status = {}
        for name, api in self.vendors.items():
            try:
                devices = api.get_devices()
                status[name] = len(devices) > 0
            except Exception:
                status[name] = False
        return status

    def create_cross_vendor_tunnel(self, 
                                   source_vendor: str, 
                                   dest_vendor: str,
                                   config: Dict) -> bool:
        """Create tunnel between two different vendor platforms"""

        # This would contain logic to:
        # 1. Get public IPs from both sides
        # 2. Generate PSK
        # 3. Configure both ends
        # 4. Verify tunnel establishment

        print(f"Creating tunnel: {source_vendor} <-> {dest_vendor}")

        source_api = self.vendors.get(source_vendor)
        dest_api = self.vendors.get(dest_vendor)

        if not source_api or not dest_api:
            return False

        # Configure source side
        source_config = {
            'tunnel_destination': config['dest_public_ip'],
            'psk': config['psk'],
            'bgp_peer': config['dest_bgp_ip']
        }
        source_result = source_api.create_tunnel(source_config)

        # Configure destination side
        dest_config = {
            'customer_gateway_ip': config['source_public_ip'],
            'bgp_asn': config['source_bgp_asn'],
            'transit_gateway_id': config.get('tgw_id')
        }
        dest_result = dest_api.create_tunnel(dest_config)

        return source_result and dest_result

def main():
    """Example multi-vendor integration"""

    orchestrator = MultiVendorOrchestrator()

    # Register Cisco SD-WAN
    cisco_api = CiscoSDWANAPI(
        host="10.255.0.10",
        username="admin",
        password="<password>"
    )
    orchestrator.register_vendor("cisco_sdwan", cisco_api)

    # Register AWS
    aws_api = AWSTransitGatewayAPI(
        region="ap-south-1",
        access_key="<access_key>",
        secret_key="<secret_key>"
    )
    orchestrator.register_vendor("aws", aws_api)

    # Verify connectivity
    print("\nConnectivity Status:")
    status = orchestrator.verify_connectivity()
    for vendor, connected in status.items():
        print(f"  {vendor}: {'✓' if connected else '✗'}")

    # Get all tunnels
    print("\nTunnel Summary:")
    tunnels = orchestrator.get_all_tunnels()
    for vendor, tunnel_list in tunnels.items():
        print(f"  {vendor}: {len(tunnel_list)} tunnels")

if __name__ == "__main__":
    main()

Verification and Monitoring

Multi-Vendor Tunnel Monitoring

MULTI-VENDOR TUNNEL VERIFICATION
=================================

! Verify Third-Party IPsec Tunnel
show crypto ikev2 sa detail
show crypto ipsec sa peer 203.0.113.50
show interface Tunnel100
show ip route | include 172.30.100

! Verify BGP Peering
show bgp ipv4 unicast summary
show bgp ipv4 unicast neighbors 172.30.100.2
show bgp ipv4 unicast neighbors 172.30.100.2 routes
show bgp ipv4 unicast neighbors 172.30.100.2 advertised-routes

! Verify AWS TGW Tunnels
show crypto ikev2 sa | include 52.xx
show interface Tunnel301 | include packets
show interface Tunnel302 | include packets
show bgp ipv4 unicast summary | include 169.254

! Verify Legacy Site Connectivity
show interface Tunnel200 | include up|down
show crypto session peer 203.0.113.100
ping 192.168.10.1 source 10.10.0.1

! Comprehensive Check Script
show ip bgp vpnv4 all summary
show crypto session brief
show dmvpn | include Interface|Peer

Integration Health Dashboard

#!/usr/bin/env python3
"""
Multi-Vendor Integration Health Monitor
"""

import json
from datetime import datetime

def check_integration_health():
    """Check health of all multi-vendor integrations"""

    health_report = {
        'timestamp': datetime.now().isoformat(),
        'integrations': []
    }

    integrations = [
        {
            'name': 'Partner SD-WAN (Tunnel100)',
            'type': 'ipsec',
            'peer': '203.0.113.50',
            'status': check_tunnel_status('Tunnel100'),
            'bgp_state': check_bgp_neighbor('172.30.100.2')
        },
        {
            'name': 'AWS Transit Gateway',
            'type': 'aws_tgw',
            'tunnels': ['Tunnel301', 'Tunnel302'],
            'status': check_aws_tunnels(),
            'bgp_peers': ['169.254.10.1', '169.254.20.1']
        },
        {
            'name': 'Legacy DMVPN Sites',
            'type': 'dmvpn',
            'hub_interface': 'Tunnel0',
            'spoke_count': get_dmvpn_spoke_count(),
            'status': check_dmvpn_health()
        },
        {
            'name': 'Zscaler ZIA',
            'type': 'cloud_security',
            'tunnel': 'Tunnel501',
            'status': check_zscaler_tunnel()
        }
    ]

    health_report['integrations'] = integrations

    # Calculate overall health
    healthy_count = sum(1 for i in integrations if i['status'] == 'up')
    health_report['overall_health'] = f"{healthy_count}/{len(integrations)}"

    return health_report

def check_tunnel_status(tunnel_name):
    # Implementation would SSH to device and check tunnel
    return 'up'

def check_bgp_neighbor(peer_ip):
    # Implementation would check BGP state
    return 'established'

def check_aws_tunnels():
    # Implementation would check both AWS tunnels
    return 'up'

def get_dmvpn_spoke_count():
    # Implementation would count NHRP entries
    return 15

def check_dmvpn_health():
    return 'up'

def check_zscaler_tunnel():
    return 'up'

if __name__ == "__main__":
    report = check_integration_health()
    print(json.dumps(report, indent=2))

Troubleshooting Multi-Vendor Issues

Common Integration Issues

Issue Symptoms Resolution
IKEv2 Mismatch Phase 1 fails Verify encryption/integrity/DH group match
PSK Mismatch Authentication failure Confirm PSK identical on both ends
NAT-T Issues Tunnel flapping Enable NAT-T (UDP 4500)
MTU Problems Large packet drops Adjust MTU/MSS on tunnel interfaces
BGP Not Establishing No routes learned Check AS numbers, peer IPs, route-maps
Asymmetric Routing One-way traffic Verify return path routing

Debug Commands

! IKEv2 Debugging
debug crypto ikev2 packet
debug crypto ikev2 internal
debug crypto ikev2 error

! IPsec Debugging
debug crypto ipsec
debug crypto engine packet all

! BGP Debugging
debug bgp ipv4 unicast updates
debug bgp ipv4 unicast events

! GRE/DMVPN Debugging
debug tunnel
debug nhrp packet
debug dmvpn all

Document Description Location
Cloud OnRamp Design Cloud integration architecture Section 2.9
SD-Access Handoff Fabric integration details Section 5.12
Security Architecture Security integration Chapter 3
Troubleshooting Issue resolution Chapter 6.8

Document Control

Version Date Author Changes
1.0 December 2025 Abhavtech Initial release

This document is part of the SD-WAN Implementation & Deployment documentation series for Abhavtech.com