02-16-2024 07:27 AM
Hi everyone,
this will be a long post, so thank you in advance to whoever reads it.
I'm trying to set up a Cisco C9800 Controller deployed on Microsoft Azure in a site-to-site configuration.
To this end, I'm following this guide: https://www.youtube.com/watch?v=o7Er92DR24I
Here's the configuration I have created:
! Microsoft Corporation
! ------------------------------------------------------------------------------
! Sample VPN tunnel configuration template for Cisco IOS-based devices
!
! ##############################################################################
! !!! Search for "REPLACE" to find the values that require special
! !!! considerations
! !!!
! !!! (1) ACL/access-list rule numbers
! !!! (2) Tunnel interface number
! !!! (3) Tunnel interface IP address
! !!! (4) BGP routes to advertise (if BGP is enabled)
! !!! (5) BGP peer IP address on the device - loopback interface number
! ##############################################################################
!
! [0] Device information
!
! > Device vendor: Cisco
! > Device family: IOS-based (ASR, ISR)
! > Firmware version: IOS 15.1 or beyond
! > Test platform: Cisco ISR 2911, version 15.2
!
! [1] Network parameters
!
! > Connection name: C9800_CL_Connection
! > VPN Gateway name: 9993004c-1197-4de0-80f9-d7b0214656f0
! > Public IP addresses:
! + Public IP 1: ################
! > Virtual network address space:
! + CIDR:10.100.0.0/16, prefix:10.100.0.0, netmask:255.255.0.0, wildcard:0.0.255.255
! > Local network gateway: CISCO_Local_Gateway
! > On-premises VPN IP: ################
! > On-premises address prefixes:
! + CIDR:192.168.1.0/24, prefix:192.168.1.0, netmask:255.255.255.0, wildcard:0.0.0.255
!
! [2] IPsec/IKE parameters
!
! > IKE version: IKEv2
! + Encryption algorithm: aes-cbc-256
! + Integrity algorithm: sha1
! + Diffie-Hellman group: 2
! + SA lifetime (seconds): 3600
! + Pre-shared key: ################
! + UsePolicyBasedTS: False
!
! > IPsec
! + Encryption algorithm: esp-gcm 256
! + Integrity algorithm:
! + PFS Group: none
! + SA lifetime (seconds): 3600
! + SA lifetime (KB): 102400000
!
! [3] BGP parameters - Azure VPN gateway
!
! > Azure virtual network
! + Enable BGP: False
! + Azure BGP ASN: VNG_ASN
! > On-premises network / LNG
! + On premises BGP ASN: LNG_ASN
! + On premises BGP IP: LNG_BGPIP
!
! ==============================================================================
! Cisco IOS 15.x+ IKEv2, route-based (any-to-any)
! ==============================================================================
!
! ACL rules
!
! Some VPN devices require explicit ACL rules to allow cross-premises traffic:
!
! 1. Allow traffic between on premises address ranges and VNet address ranges
! 2. Allow IKE traffic (UDP:500) between on premises VPN devices and Azure VPN gateway
! 3. Allow IPsec traffic (Proto:ESP) between on premises VPN devices and Azure VPN gateway
! [REPLACE] access-list number: access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.100.0.0 0.0.255.255
access-list 101 permit esp host ################ host ################
access-list 101 permit udp host ################ eq isakmp host ################
access-list 101 permit udp host ################ eq non500-isakmp host ################
! ==============================================================================
! Internet Key Exchange (IKE) configuration
! - IKE Phase 1 / Main mode configuration
! - Encryption/integrity algorithms, Diffie-Hellman group, pre-shared key
crypto ikev2 proposal C9800_CL_Connection-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit
crypto ikev2 policy C9800_CL_Connection-policy
proposal C9800_CL_Connection-proposal
match address local ################
exit
crypto ikev2 keyring C9800_CL_Connection-keyring
peer ################
address ################
pre-shared-key ################
exit
exit
crypto ikev2 profile C9800_CL_Connection-profile
match address local ################
match identity remote address ################ 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local C9800_CL_Connection-keyring
exit
! ------------------------------------------------------------------------------
! IPsec configuration
! - IPsec (or IKE Phase 2 / Quick Mode) configuration
! - Transform Set: IPsec encryption/integrity algorithms, IPsec ESP mode
crypto ipsec transform-set C9800_CL_Connection-TransformSet esp-gcm 256
mode tunnel
exit
crypto ipsec profile C9800_CL_Connection-IPsecProfile
set transform-set C9800_CL_Connection-TransformSet
set ikev2-profile C9800_CL_Connection-profile
set security-association lifetime seconds 3600
exit
! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
! other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)
int tunnel 11
ip address 169.254.0.1 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source ################
tunnel destination ################
tunnel protection ipsec profile C9800_CL_Connection-IPsecProfile
exit
! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12
ip route 10.100.0.0 255.255.0.0 Tunnel 11
! ==============================================================================
! Cleanup script
! ==============================================================================
!
! [WARNING] This section of the script will cleanup the resources: IPsec/IKE,
! [WARNING] interfaces, routes, access-list. Validate the objects in your
! [WARNING] configuration before applying the script below.
! [REPLACE] Interfaces: Loopback 11, Tunnel 11, Tunnel 12; access-list 101
!
!!
!! no ip route 10.100.0.0 255.255.0.0 Tunnel 11
!!
!!
!! no int tunnel 11
!!
!! no crypto ipsec profile C9800_CL_Connection-IPsecProfile
!! no crypto ipsec transform-set C9800_CL_Connection-TransformSet
!!
!! no crypto ikev2 profile C9800_CL_Connection-profile
!! no crypto ikev2 keyring C9800_CL_Connection-keyring
!! no crypto ikev2 policy C9800_CL_Connection-policy
!! no crypto ikev2 proposal C9800_CL_Connection-proposal
!!
!! no access-list 101 permit ip 192.168.1.0 0.0.0.255 10.100.0.0 0.0.255.255
!! no access-list 101 permit esp host ################ host ################
!! no access-list 101 permit udp host ################ eq isakmp host ################
!! no access-list 101 permit udp host ################ eq non500-isakmp host ################
The Controller must communicate with 3 CISCO 9115 APs deployed in an office.
The APs are connected to a CISCO 2811 ISR. Here's the configuration of the Router:
Building configuration…
Current configuration : 1621 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ################
enable password ################
!
no aaa new-model
!
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.2.1
no ip dhcp ping packets
!
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO2811 sn FCZ1431704E
!
!
!
!
!
!
interface FastEthernet0/0
description *** INTERNET ***
ip address 192.168.1.3 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description *** LAN ***
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
no cdp enable
!
interface Serial0/3/0
no ip address
shutdown
clock rate 2000000
no cdp enable
!
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
snmp-server community test RO
!
control-plane
!
end
My questions are:
- In the first configuration, how am I supposed to "REPLACE" those fields?
- Does access-list 101 in the proposed configuration correspond to access-list 1 in my local router's configuration, or not?
- I need to add the VTI configuration to my local router as well, don't I?
- In the ip route command, which tunnel interface am I supposed to use? Should I always use the same number, i.e., 11?
Thank you very much for your time.
Best regards.
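Added example (editor's note): the following IOS configuration is not part of the original post or of the Microsoft template; it shows the template's REPLACE fields filled in for the posted 2811 and the pieces that have to change on the "local router" side. Every address and name in it is an assumption: 203.0.113.10 for the Azure VPN gateway, 198.51.100.20 for the public address in front of the 2811, 10.100.0.4 for the C9800-CL inside the VNet (all RFC 5737 documentation ranges), and a placeholder pre-shared key. Four points visible in the posted configs drive the example: the template header asks for IOS 15.1 or later while the 2811 prints "version 15.0", so "crypto ikev2" may not exist on that image; Fa0/0 carries the private address 192.168.1.3 with a default route to 192.168.1.1, so the router sits behind another NAT device and IKE will run over NAT-T; the APs live on 192.168.2.0/24 while the template lists 192.168.1.0/24 as the on-premises prefix, so the Azure local network gateway needs 192.168.2.0/24 for return traffic to reach them; and access-list 101 is defined by the template but never applied with "ip access-group", so it is independent of access-list 1, which only selects what gets translated by NAT overload.

```ios
! Added example, not the Microsoft template and not the poster's config.
! Assumed values (RFC 5737 documentation ranges):
!   203.0.113.10  = Azure VPN gateway public IP ("Public IP 1")
!   198.51.100.20 = public IP of the NAT device in front of the 2811; this is the
!                   LNG "On-premises VPN IP" Azure sees, the 2811 itself has 192.168.1.3
!   10.100.0.4    = C9800-CL address inside the VNet
!   ExamplePSK-Replace-Me = pre-shared key, must match the Azure connection
! Prerequisite: "crypto ikev2" needs IOS 15.1(1)T+ with the securityk9 feature set.
!
! --- IKEv2: stronger set than the template's aes-cbc-256/sha1/group 2 ---
! If the image rejects GCM, use "encryption aes-cbc-256" + "integrity sha256";
! if Azure rejects the proposal, set a matching custom IPsec/IKE policy on the connection.
crypto ikev2 proposal AZURE-PROPOSAL
 encryption aes-gcm-256
 prf sha256
 group 14
exit
crypto ikev2 policy AZURE-POLICY
 proposal AZURE-PROPOSAL
 match address local 192.168.1.3
exit
crypto ikev2 keyring AZURE-KEYRING
 peer AZURE
  address 203.0.113.10
  pre-shared-key ExamplePSK-Replace-Me
 exit
exit
crypto ikev2 profile AZURE-PROFILE
 match address local 192.168.1.3
 match identity remote address 203.0.113.10 255.255.255.255
 ! Present the public address as our IKE identity so it matches the LNG entry.
 ! The upstream NAT must forward UDP/500 and UDP/4500 to 192.168.1.3 (NAT-T).
 identity local address 198.51.100.20
 authentication remote pre-share
 authentication local pre-share
 keyring local AZURE-KEYRING
 lifetime 3600
 dpd 10 5 on-demand
exit
!
! --- IPsec: GCM carries its own integrity, so no separate integrity algorithm ---
! PFS is left off to match the template's Azure side ("PFS Group: none").
crypto ipsec transform-set AZURE-TS esp-gcm 256
 mode tunnel
exit
crypto ipsec profile AZURE-IPSEC
 set transform-set AZURE-TS
 set ikev2-profile AZURE-PROFILE
 set security-association lifetime seconds 3600
exit
!
! --- VTI on the 2811 (the local router; Azure builds its own end) ---
! The tunnel number is local and arbitrary; the only rule is that the static
! route below names the same interface.
interface Tunnel11
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-IPSEC
exit
ip route 10.100.0.0 255.255.0.0 Tunnel11
!
! --- NAT: the overload ACL selects what is translated out Fa0/0. Traffic that
! leaves via Tunnel11 is not translated, but an explicit deny keeps VPN traffic
! out of the NAT table even if routing changes later.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.2.0 0.0.0.255 10.100.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
exit
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! --- Tell the APs where the controller is: DHCP option 43, type 0xf1,
! length 4, controller IP 10.100.0.4 = 0a 64 00 04 ---
ip dhcp pool LAN
 option 43 hex f1040a640004
exit
!
! --- Hygiene for settings visible in the posted router config ---
service password-encryption
no enable password
access-list 10 permit 192.168.2.0 0.0.0.255
no snmp-server community test RO
snmp-server community ReplaceWithRandomString RO 10
```

After applying, check the IKE SA with "show crypto ikev2 sa detailed" (the peer should show as NAT-T on UDP/4500), the child SA with "show crypto ipsec sa", and AP reachability with a ping sourced from 192.168.2.1 to 10.100.0.4; if the SA comes up but the ping gets no reply, the missing 192.168.2.0/24 prefix on the Azure local network gateway is the first thing to verify.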