on 02-22-2019 11:02 AM
Introduction
This article describes how to configure an IPSec IKEv1 site-to-site VPN with pre-shared keys in the transport VPN (VPN 0) of a vEdge router, peering with a Cisco IOS-XE device whose tunnel terminates in a VRF.
Components Used
A vEdge router running software release 18.2 or newer, and a Cisco IOS-XE router.
Configure
vEdge router configuration
vpn 0
 !
 interface ge0/1
  ip address 192.168.103.7/24
  !
  no shutdown
 !
 interface ipsec1
  ip address 10.0.0.2/30
  tunnel-source-interface ge0/1
  tunnel-destination      192.168.103.130
  ike
   version      1
   mode         main
   rekey        14400
   cipher-suite aes128-cbc-sha1
   group        2
   authentication-type
    pre-shared-key
     pre-shared-secret $8$qzBthmnUSTMs54lxyHYZXVcnyCwENxJGcxRQT09X6SI=
     local-id          192.168.103.77
     remote-id         192.168.103.130
    !
   !
  !
  ipsec
   rekey                   3600
   replay-window           512
   cipher-suite            aes256-cbc-sha1
   perfect-forward-secrecy group-2
  !
  no shutdown
 !
!
vpn 1
 ip ipsec-route 0.0.0.0/0 vpn 0 interface ipsec1
Cisco IOS-XE configuration
crypto keyring KR vrf vedge2_vrf
  pre-shared-key address 0.0.0.0 0.0.0.0 key test
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile IKE_PROFILE
   keyring KR
   self-identity address
   match identity address 0.0.0.0 vedge2_vrf
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set pfs group2
 set isakmp-profile IKE_PROFILE
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 description "*** IPSec tunnel ***"
 tunnel source 192.168.103.130
 tunnel mode ipsec ipv4
 tunnel destination 192.168.103.7
 tunnel vrf vedge2_vrf
 tunnel protection ipsec profile IPSEC_PROFILE isakmp-profile IKE_PROFILE
!
interface GigabitEthernet4
 description "*** vEdge2 ***"
 ip vrf forwarding vedge2_vrf
 ip address 192.168.103.130 255.255.255.0 secondary
Verify
1. Make sure the remote address of the peer is reachable:
csr1000v2#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
2. Check that IPSec phase 1 (IKE) is established on the Cisco IOS-XE router; the state should be "QM_IDLE":
csr1000v2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.103.130 192.168.103.7   QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA
3. Check that IPSec phase 2 is established on the Cisco IOS-XE router, and make sure that the "pkts encaps" and "pkts decaps" counters are increasing on both sides:
csr1000v2#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.103.130

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.103.7 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.103.130, remote crypto endpt.: 192.168.103.7
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
     current outbound spi: 0xFFB55(1047381)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x2658A80C(643344396)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2023, flow_id: CSR:23, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1811)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFFB55(1047381)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2024, flow_id: CSR:24, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1811)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
4. Check that the IPSec phase 1 and phase 2 sessions are established on the vEdge as well. The state should be "IKE_UP_IPSEC_UP":
vedge4# show ipsec ike sessions
ipsec ike sessions 0 ipsec1
 version        1
 source-ip      192.168.103.7
 source-port    4500
 dest-ip        192.168.103.130
 dest-port      4500
 initiator-spi  8012038bc7cf1e09
 responder-spi  29db204a8784ff02
 cipher-suite   aes128-cbc-sha1
 dh-group       "2 (MODP-1024)"
 state          IKE_UP_IPSEC_UP
 uptime         0:01:55:30
vedge4# show ipsec ike outbound-connections
SOURCE         SOURCE  DEST             DEST                          CIPHER                      TUNNEL  EXT
IP             PORT    IP               PORT  SPI         SUITE            KEY HASH   MTU     SEQ
------------------------------------------------------------------------------------------------------------
192.168.103.7  4500    192.168.103.130  4500  643344396   aes256-cbc-sha1  ****ba9b   1418    no
5. Check that the tx and rx counters are increasing in both directions as well, and that they match the counters seen on the Cisco IOS-XE router:
vedge4# show tunnel statistics dest-ip 192.168.103.130
                                                                                                                                  TCP
TUNNEL                                   SOURCE  DEST    SYSTEM  LOCAL   REMOTE  TUNNEL                                           MSS
PROTOCOL  SOURCE IP       DEST IP          PORT    PORT    IP      COLOR   COLOR   MTU     tx-pkts  tx-octets  rx-pkts  rx-octets  ADJUST
---------------------------------------------------------------------------------------------------------------------------------------
ipsec     192.168.103.7   192.168.103.130  4500    4500    -       -       -       1418    10       1900       11       2038       1334
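As an added example (not part of the original article), the script below applies verification steps 2 to 5 mechanically: it parses the IOS-XE `show crypto isakmp sa` and `show crypto ipsec sa` output and the vEdge `show ipsec ike sessions` output, checks for the expected QM_IDLE / IKE_UP_IPSEC_UP states, and confirms that the encaps/decaps counters move between two samples. The sample outputs are constructed from the ones shown above (the second counter sample is invented to show traffic flowing), and the function names are my own, not a Cisco API.

```python
import re

# Sample CLI outputs constructed from the article's verification steps
# (trimmed copies, not live captures).
IOS_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.103.130 192.168.103.7   QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Two 'show crypto ipsec sa' samples taken a few seconds apart; the second
# set of counter values is constructed to show traffic flowing.
IOS_IPSEC_SA_BEFORE = """\
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 0, #recv errors 0
"""
IOS_IPSEC_SA_AFTER = """\
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    #send errors 0, #recv errors 0
"""

VEDGE_IKE_SESSIONS = """\
ipsec ike sessions 0 ipsec1
 version         1
 source-ip       192.168.103.7
 dest-ip         192.168.103.130
 cipher-suite    aes128-cbc-sha1
 state           IKE_UP_IPSEC_UP
"""

# One data row of 'show crypto isakmp sa': dst src state conn-id status
ISAKMP_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.M)


def isakmp_state(output, peer):
    """Return (state, status) of the ISAKMP SA involving `peer`, or None if absent."""
    for dst, src, state, _conn_id, status in ISAKMP_ROW.findall(output):
        if peer in (dst, src):
            return state, status
    return None


def ipsec_counters(output):
    """Pull the encaps/decaps and error counters out of 'show crypto ipsec sa'."""
    def grab(pattern):
        m = re.search(pattern, output)
        return int(m.group(1)) if m else None
    return {
        "encaps": grab(r"#pkts encaps:\s*(\d+)"),
        "decaps": grab(r"#pkts decaps:\s*(\d+)"),
        "send_errors": grab(r"#send errors\s+(\d+)"),
        "recv_errors": grab(r"#recv errors\s+(\d+)"),
    }


def vedge_ike_state(output, interface):
    """Return the 'state' field of the vEdge IKE session bound to `interface`."""
    block = re.search(
        rf"^ipsec ike sessions \d+ {re.escape(interface)}$(.*?)(?=^ipsec ike sessions|\Z)",
        output, re.M | re.S)
    if not block:
        return None
    m = re.search(r"^\s*state\s+(\S+)", block.group(1), re.M)
    return m.group(1) if m else None


def check_tunnel(isakmp_out, ipsec_before, ipsec_after, vedge_out, peer, vedge_if):
    """Apply verification steps 2-5 and report each check as True/False."""
    before, after = ipsec_counters(ipsec_before), ipsec_counters(ipsec_after)
    return {
        "phase1_qm_idle": isakmp_state(isakmp_out, peer) == ("QM_IDLE", "ACTIVE"),
        "encaps_increasing": after["encaps"] > before["encaps"],
        "decaps_increasing": after["decaps"] > before["decaps"],
        "no_errors": after["send_errors"] == 0 and after["recv_errors"] == 0,
        "vedge_up": vedge_ike_state(vedge_out, vedge_if) == "IKE_UP_IPSEC_UP",
    }


if __name__ == "__main__":
    result = check_tunnel(IOS_ISAKMP_SA, IOS_IPSEC_SA_BEFORE, IOS_IPSEC_SA_AFTER,
                          VEDGE_IKE_SESSIONS, "192.168.103.7", "ipsec1")
    for name, ok in result.items():
        print(f"{name:20s} {'OK' if ok else 'FAIL'}")
```

A phase 1 row in any state other than QM_IDLE, or counters that stay flat between the two samples, points at the same proposal or reachability problems the article's verification steps are meant to catch; feeding real captures into `check_tunnel` in place of the constructed strings gives a repeatable post-change check.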

Hey All / @ekhabaro,
I am having issues with the above...
It looks very easy and seems straightforward but I just cannot get my lab up.
I keep getting the below:
*Jul 11 10:37:04.128: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 10.100.4.4 was not encrypted and it should've been.
101-0005-WR01#
*Jul 11 10:37:11.760: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.4.4
That IP is the vEdge's VPN0 ip addr....
I obviously changed the IP addresses to match my lab, but other than that I use vEdge Cloud and some IOS router.
Will perhaps try another version....any help appreciated
Ciao
JC
I have the same issue. Did you get any further in your issue?