Cisco Catalyst SD-WAN connecting to AWS via IPSEC to VPN0

brian.jones
Level 1

I have a small SD-WAN setup for a company with two "DC" locations using SDCI/Cloud OnRamp to my main AWS subscription and two remote sites that connect via the SD-WAN to the SDCI to access the workload. I have two test AWS subscriptions that are not part of my main AWS subscription that I want to connect to my SD-WAN, but I don't want to deploy edges to those subscriptions as they are for short-term projects; however, I need to access those workloads from my two remote sites. I currently have a Site-to-Site VPN between the test AWS subscriptions and my main remote site to facilitate the connectivity. I want to move as much as I can to SD-WAN; however, I cannot deploy a "service" side VPN for this.

I want to connect the test AWS subscriptions to the "DC" locations via IPsec and have the "DC" edges route the traffic to the remote site or the main AWS subscription as required. I found little documentation on how to use IPsec on the transport side, but I haven't seen anything that says I cannot.

Can someone direct me on if this is possible and if so, the docs on how to do it?

52 Replies

brian.jones
Level 1

I am not sure if I should post a new topic or continue here, but this is related to my original post.

So now that I have the IPsec tunnel working on VPN 20, I need to "leak" the route on the same router into a different service VPN (VPN 100), as that is what I have in production. I need to keep the IPsec traffic separated to meet the security standard the customer wants me to achieve.

I know that there is an option to configure a new route leak between service VPNs, but in production I am just using OMP as the routing between sites (i.e. I am only using OMP to route between routers in the fabric).

I am concerned about these two restrictions in the link: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/routing/vEdge-20-x/routing-book/m-routing-leaking-for-service-sharing.html#Cisco_Concept.dita_f27b40fe-6e32-4933-9bc3-b9717411d9ad

  • Route leaking using centralized policy is not supported.
  • Overlay Management Protocol (OMP) routes do not participate in VRF route leaking, to prevent overlay looping.
  • Inter-service VRF route leaking on Cisco IOS XE Catalyst SD-WAN devices with multitenancy is not supported.

I am using a topology-based centralized policy to filter what goes between sites, as each site has a different VPN ID today, with no issues. What is the best path to take the IPsec route (which will be BGP, not static) from VPN 20 and leak it into VPN 100 on the same router?
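For the non-multitenant case covered by the IOS XE route-leaking guide linked in this thread, the leak the question describes could be expressed with `route-replicate` under the VRF definition, pushed through a CLI add-on template. This is an added example, not configuration from the thread or from Cisco's documentation; the VRF names 20 and 100 come from the question, while the prefix-list and route-map names and the 10.200.0.0/16 and 10.100.0.0/16 prefixes are placeholders to be replaced.

```cisco
! Added example (not from the thread or Cisco docs). Assumes an IOS XE cEdge
! without multitenancy and AWS routes learned over BGP in service VPN 20.
! Placeholder prefixes: replace with the real test-subscription and DC ranges.
ip prefix-list AWS-TEST seq 10 permit 10.200.0.0/16 le 24
ip prefix-list DC-LOCAL seq 10 permit 10.100.0.0/16 le 24
!
! Only the BGP-learned AWS prefixes are allowed from VPN 20 into VPN 100,
! so nothing else behind the IPsec tunnel leaks between the segments.
route-map LEAK-AWS-TO-100 permit 10
 match ip address prefix-list AWS-TEST
!
vrf definition 100
 address-family ipv4
  route-replicate from vrf 20 unicast bgp route-map LEAK-AWS-TO-100
 exit-address-family
!
! Return path: DC prefixes that AWS must reach, leaked from VPN 100 into VPN 20.
! Per the restriction quoted above, OMP-learned routes (the remote sites)
! do not replicate; only locally known routes such as connected ones do.
route-map LEAK-100-TO-AWS permit 10
 match ip address prefix-list DC-LOCAL
!
vrf definition 20
 address-family ipv4
  route-replicate from vrf 100 unicast connected route-map LEAK-100-TO-AWS
 exit-address-family
!
! Verify that each VRF's RIB now holds only the intended leaked prefixes:
!   show ip route vrf 100
!   show ip route vrf 20
```

Because the remote-site prefixes reach the DC edge only via OMP, this covers the AWS-to-DC leg but not the AWS-to-remote-site leg, which is exactly the gap the later replies in this thread discuss.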

Question: for production, which device will carry this configuration? An IOS XE based cEdge or a Viptela based vEdge? Hardware or virtual?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

IOS XE based C8000v virtual edges are where I am planning (95% likely) to put the IPsec tunnel, but we also have C8500L-8S4X hardware routers at the remote sites where I could terminate the IPsec tunnel.

Is multi-tenancy enabled? If not, you can use these guidelines (from the IOS XE doc):

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/routing/ios-xe-17/routing-book-xe/m-routing-leaking-for-service-sharing.html#Cisco_Concept.dita_eaa7a4dd-0d36-4cd0-9008-8f0c433cdf28

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Is multi-tenancy enabled?

That is the problem. I believe it is enabled.

The deployment is within Cisco Cloud, so the environment is deployed in a multi-tenant environment, i.e., in vManage I cannot see the controllers and can only log in as tenantadmin.

I have this type of lab, but I'm a bit busy now; I can check later.

But let's assume there is no support in this case. Do you have a firewall or any other L3 device (non-SD-WAN) on site? You may "loop" that traffic through the L3 device using two different interfaces in different VRFs (as is done in Cisco SD-Access using the fusion device method) and achieve "leaking".

Or you can even use router interfaces in different VRFs and connect them physically; this consumes router ports, but works as an approach.

By the way, what are the business/technical requirements, basically? Can you draw a picture for easier understanding? Do you need this type of S2S everywhere or only at a few sites? We have only discussed whether the configuration is possible, but based on the design requirements maybe a better approach exists.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

brian.jones
Level 1

Do you need this type of S2S everywhere or only at a few sites? The customer wants to scale out to other subscriptions using only the native IPsec constructs (i.e. no 8000v within the subscription). Currently, only 3 subscriptions require this approach.

By the way, what are the business/technical requirements, basically? The customer wants to keep everything segregated for security requirements, so each location/function has a VPN ID.

Can you draw a picture for easier understanding? Let me see what I can provide for you.

Do you have a firewall or any other L3 device (non-SD-WAN) on site? We are planning to terminate the IPsec tunnel on the SDCI side of the SD-WAN fabric where we are connecting to the other subscriptions, so there is no other firewall or L3 device, as the virtual router is deployed with the SDCI vendor. On the other side of the IPsec tunnel in AWS, no, as they are planning to use the native IPsec construct.

I am going to start a new thread for the route leaking. Thanks for all your help.
