AWS CSR 1000v IPSec GRE tunnel

joycexie
Level 1

Hi guys,

I'm using "Cisco Cloud Services Router (CSR) 1000V - Security Pkg. Max Performance" from the AWS Marketplace, and we need to build an IPsec GRE tunnel with a remote peer.

My CSR instance has 2 network interfaces: one facing public, with a private IP associated with an Elastic IP, and one facing the private subnet.

My question is about the tunnel configuration: should my local address be the elastic public IP or the internal IP?

When I put the public elastic IP, even phase 1 does not come up.

When I put the internal IP, phase 1 seems up, but phase 2 does not work, because the proxy IDs do not match, since the remote peer is using our elastic public IP to configure the tunnel destination.

crypto keyring PASPE1
 local-address [public elastic IP]
 pre-shared-key address [remote GW public IP] key xxxx
!
crypto isakmp profile PASPE1
 keyring PASPE1
 match identity address [remote GW public IP] 255.255.255.255
 keepalive 10 retry 3
 local-address [public elastic IP]
!
interface Tunnel56
 description TESTING PASPE1 @ 81.52.187.77
 ip address 81.52.187.76 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip mtu 1420
 load-interval 30
 carrier-delay msec 0
 ! interface is administratively down as pasted; "no shutdown" is needed for it to come up
 shutdown
 tunnel source [elastic public IP]
 tunnel destination [remote GW public IP]
 tunnel protection ipsec profile PASPE1

Any advice is appreciated!

3 Replies

You may have already found this answer but I'm posting here in case anyone else is looking.

Your local address should actually be your interface name instead of an IP.

Assuming GigabitEthernet1 is the public interface with the EIP, here is what the config should look like. I've verified this works in my environment.


crypto keyring PASPE1
 local-address gigabitethernet1
 pre-shared-key address [remote GW public IP] key xxxx
!
crypto isakmp profile PASPE1
 keyring PASPE1
 match identity address [remote GW public IP] 255.255.255.255
 keepalive 10 retry 3
 local-address gigabitethernet1
!
interface Tunnel56
 description TESTING PASPE1 @ 81.52.187.77
 ip address 81.52.187.76 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip mtu 1420
 load-interval 30
 carrier-delay msec 0
 ! interface is administratively down as pasted; "no shutdown" is needed for it to come up
 shutdown
 tunnel source gigabitethernet1
 tunnel destination [remote GW public IP]
 tunnel protection ipsec profile PASPE1

Dear Donald,

I appreciate your reply.

I have also done some testing, and found that the tunnel mode should be "transport" instead of "tunnel"; refer to the post https://supportforums.cisco.com/t5/vpn/site-to-site-vpn-through-a-nat-device/td-p/2341647

Can you please tell me whether your working config is using mode "transport" or not?

This is correct. The IPSec profile for a GRE tunnel should be transport mode. For plain IPSec tunnels, the mode should be tunnel.  
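Putting the thread's pieces together, as an added example that is not any poster's config: it combines the first reply's interface-name local-address fix with the transport-mode point from the last reply, and fills in the ISAKMP policy, transform set and IPsec profile that the thread references (tunnel protection ipsec profile PASPE1) but never shows. The transform-set name PASPE1-TS, the cipher suite and the assumption that GigabitEthernet1 is the public-side interface carrying the private IP behind the Elastic IP are my choices; the bracketed addresses and the key are placeholders exactly as in the thread.

```cisco
! Added example, not a poster's config. Assumptions: GigabitEthernet1 is the
! public-side ENI (private IP, 1:1 NAT to the Elastic IP by AWS); the
! transform-set name PASPE1-TS and the cipher suite are mine.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Phase 1 identity: name the interface, not the EIP. The EIP is never
! configured on the instance itself, so an IP address here never matches.
crypto keyring PASPE1
 local-address GigabitEthernet1
 pre-shared-key address [remote GW public IP] key xxxx
!
crypto isakmp profile PASPE1
 keyring PASPE1
 match identity address [remote GW public IP] 255.255.255.255
 keepalive 10 retry 3
 local-address GigabitEthernet1
!
! Phase 2: transport mode for GRE over IPsec, as the last reply states.
! Only the GRE header and payload are wrapped in ESP; no second outer
! IP header is added. Plain IPsec (no GRE) would use "mode tunnel".
crypto ipsec transform-set PASPE1-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The profile that "tunnel protection" on the interface refers to.
crypto ipsec profile PASPE1
 set transform-set PASPE1-TS
 set isakmp-profile PASPE1
!
interface Tunnel56
 description TESTING PASPE1 @ 81.52.187.77
 ip address 81.52.187.76 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip mtu 1420
 ! clamp TCP MSS so GRE+ESP overhead does not fragment inside the tunnel
 ip tcp adjust-mss 1380
 load-interval 30
 carrier-delay msec 0
 tunnel source GigabitEthernet1
 tunnel destination [remote GW public IP]
 tunnel protection ipsec profile PASPE1
 no shutdown
```

To check the result, "show crypto isakmp sa" should list the peer in QM_IDLE, "show crypto ipsec sa" should show matching GRE proxy identities with encaps/decaps counters increasing, and "show crypto session detail" shows whether NAT-T was detected. On the AWS side the instance's security group must allow UDP 500 and UDP 4500 from the remote gateway's public IP (ESP travels inside UDP 4500 once NAT-T is in use), and the source/destination check should be disabled on the ENIs if the CSR is to forward traffic for the private subnet through the tunnel.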
