Cisco Catalyst SD-WAN connecting to AWS via IPSEC to VPN0

brian.jones
Level 1

I have a small SD-WAN setup for a company with two "DC" locations using SDCI/Cloud On-Ramp to my main AWS subscription and two remote sites that connect via the SD-WAN to the SDCI to access the workload. I have two test AWS subscriptions that are not part of my main AWS subscription that I want to connect to my SD-WAN, but I don't want to deploy edges to those subscriptions as they are for short-term projects; I still need to access those workloads from my two remote sites. I have a Site-to-Site VPN currently between the test AWS subscriptions and my main remote site to facilitate the connectivity. I want to move as much as I can to SD-WAN; however, I cannot deploy a "service" side VPN for this.

I want to connect the test AWS subscriptions to the "DC" locations via IPsec and have the "DC" edges route the traffic to the remote site or the main AWS subscription as required. I found little documentation on how to use IPsec on the transport side, but I haven't seen anything that says I cannot.

Can someone direct me on if this is possible and if so, the docs on how to do it?

 

52 Replies

First point: using tunnel next-hop is OK.

Second point:

We have vpn20 with prefix 172.16.4.0.

We need to push traffic via the VPN0 IPsec tunnel.

So we need the static route under vpn20, not under vpn0.

VPN0 has only a default route toward the ISP.

MHM

brian.jones
Level 1

I tried IKEv1 and it is not working either, but I want to focus on fixing this on IKEv if possible.  On IKEv1, the remote router says it is receiving a packet that is not encrypted and expecting it to be encrypted.

Hi,

Do you have NAT in transit? Also, under the tunnel of the remote router set ip mtu to 1400, but ip tcp-adjust mss to 1360 (=1400-20-20).

Just quick check, you want IPSec S2S between remote router and vEdge over IKEv2 over VPN0, right?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

"Do you have NAT in transit?" No, I don't believe so. The lab has a simple router that is serving as the Internet for the routers. I am using a simple 100.x.x.x for the public side in the lab.

"Just a quick check, you want IPsec S2S between the remote router and the vEdge over IKEv2 over VPN0, right?" Yes, I want to do a Site-to-Site IPsec tunnel from a remote router which is not on the SD-WAN to a vEdge that is participating in an SD-WAN fabric, which would be over VPN0.

I will adjust the tcp-adjust mss to 1360 to eliminate that from the equation.

Can you verify the pre-shared key? Type a simple one, like "Cisco123" (without quotes), since it is a lab.

HTH,

The key is Testing, and I checked that multiple times.

Let's do it like this: share your latest config and debugs. On the previous page I see IKEv2 config but IKEv1 debug output, which confused me to be honest.

HTH,

I will upload the configurations, as the remote side is set up for both IKEv1 and IKEv2; it is just a matter of applying the tunnel protection profile to the tunnel. I will set the lab for IKEv2 and upload the debugs.

brian.jones
Level 1

Here are the current configs from the router representing AWS (native IPsec only) and the vEdge that is doing the IPsec tunnel, along with the debug crypto ikev2 and debug crypto ipsec output.

Can you check one more point:
vpn 0
interface g0/0
no interface tunnel <<- since you use g0/0 as the interface for the IPsec tunnel
Do this only for troubleshooting.
MHM

I think you mean "no tunnel-interface". I was able to put the vEdge in CLI mode and do a "no tunnel-interface". No change in the debugs, nor does the tunnel come up. I manually retyped the PSK on both units to ensure they are the same.

interface ipsec1
  ip address 169.254.1.1/30
  tunnel-source-interface ge0/0
  tunnel-destination      100.0.50.2
  ike
   version      2
   rekey        14400
   cipher-suite aes128-cbc-sha1 <<- this phase I
   group        2
   authentication-type
    pre-shared-key
     pre-shared-secret $8$EWhg0Phf6OeE4qWWhhU8Sa5/SQO2io3gsaY7WB/a5FI=
    !
   !
  !
  ipsec
   rekey                   3600
   replay-window           512
   cipher-suite            aes256-cbc-sha1 <<- this phase II
   perfect-forward-secrecy group-2

crypto ikev2 proposal IKE-PROPOSAL-1 <<- this phase I
 encryption aes-cbc-128
 integrity sha1
 group 2
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac <<- this phase II
 mode tunnel

The phase II cipher does not match.

MHM

I caught that, but I changed it and it still did not work.

Shut the interface on the non-SD-WAN side and no shut it again, then check.
MHM

brian.jones
Level 1

Did that. Still not working. Here is the current configuration of the vEdge:

interface ipsec1
 ip address 169.254.1.1/30
 tunnel-source-interface ge0/0
 tunnel-destination 100.0.50.2
 ike
  version 2
  rekey 14400
  cipher-suite aes128-cbc-sha1
  group 2
  authentication-type
   pre-shared-key
    pre-shared-secret $8$EWhg0Phf6OeE4qWWhhU8Sa5/SQO2io3gsaY7WB/a5FI=
   !
  !
 !
 ipsec
  rekey 3600
  replay-window 512
  cipher-suite aes256-cbc-sha256
  perfect-forward-secrecy group-2
 !
 mtu 1400
 no shutdown

I believe you are right that phase 2 is not matching, but I don't see a parameter that matches 100%.

Here are the cipher options on the vEdge:

aes256-cbc-sha1 Use 256 bit AES-CBC with HMAC-SHA1-96 integrity
aes256-cbc-sha256 Use 256 bit AES-CBC with HMAC-SHA-256 integrity
aes256-cbc-sha384 Use 256 bit AES-CBC with HMAC-SHA-384 integrity
aes256-cbc-sha512 Use 256 bit AES-CBC with HMAC-SHA-512 integrity
aes256-gcm Use 256 bit AES-GCM
null-sha1 Use null encryption with HMAC-SHA1-96 integrity
null-sha256 Use null encryption with HMAC-SHA-256 integrity
null-sha384 Use null encryption with HMAC-SHA-384 integrity
null-sha512 Use null encryption with HMAC-SHA-512 integrity

Here is what is available on the lab router:

ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher

  128 128 bit keys.
  192 192 bit keys.
  256 256 bit keys.
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth

I don't see a CBC option for the router.
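The phase 1/phase 2 mismatch MHM pointed at, and the question in this post about whether the router has a CBC option, both come down to the two boxes naming the same algorithms differently. The script below is an added example, not code from this thread or from Cisco: it normalises the vEdge `cipher-suite` keywords and the IOS-XE `crypto ikev2 proposal` / `crypto ipsec transform-set` keywords into one vocabulary and reports the fields on which the two sides disagree. The function names (`parse_vedge_interface`, `parse_ios`, `check`) are the example's own; the embedded configs are the ones posted above, trimmed to the lines the check reads. It assumes what IOS documents for these keywords: `esp-aes` is AES in CBC mode (the keyword simply does not spell out the mode), `esp-gcm` is AES-GCM, `esp-sha-hmac` is HMAC-SHA1-96, an `esp-aes` with no key size is 128-bit, and the PFS group is set with `set pfs` under the IPsec profile rather than in the transform set.

```python
# Normalise vEdge and IOS-XE IKEv2/IPsec proposal keywords and report phase 1/2 mismatches.
import re
from dataclasses import dataclass


@dataclass
class Proposal:
    cipher: str = ""          # "aes-cbc", "aes-gcm" or "null"
    key_bits: int = 0         # 0 for null encryption
    integrity: str = "none"   # "sha1", "sha256", ...; "none" for AEAD (GCM)
    group: int = 0            # DH group (phase 1) / PFS group (phase 2); 0 = not stated


# vEdge suite names look like aes128-cbc-sha1, aes256-gcm, null-sha256.
_VEDGE_SUITE = re.compile(r"^(?:aes(\d+)-(cbc|gcm)|(null))(?:-(sha1|sha256|sha384|sha512))?$")
_IOS_INTEGRITY = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",   # esp-sha-hmac = SHA1-96
                  "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}


def parse_vedge_suite(name: str, group: int = 0) -> Proposal:
    """Decode one vEdge cipher-suite keyword."""
    m = _VEDGE_SUITE.match(name)
    if not m: raise ValueError(f"unknown vEdge cipher-suite: {name}")
    bits, mode, null, integ = m.groups()
    return Proposal("null" if null else f"aes-{mode}", 0 if null else int(bits), integ or "none", group)


def parse_vedge_interface(block: str) -> tuple:
    # (phase1, phase2) from the 'ike' and 'ipsec' sections of an 'interface ipsec' block
    sections = {"ike": {}, "ipsec": {}}
    current = None
    for raw in block.splitlines():
        parts = raw.split()
        if len(parts) == 1 and parts[0] in sections:
            current = sections[parts[0]]              # entering 'ike' or 'ipsec'
        elif len(parts) == 2 and current is not None and parts[0] == "cipher-suite":
            current["suite"] = parts[1]
        elif len(parts) == 2 and current is not None and parts[0] in ("group", "perfect-forward-secrecy"):
            current["group"] = int(parts[1].replace("group-", ""))
    return tuple(parse_vedge_suite(s["suite"], s.get("group", 0)) for s in sections.values())


def parse_ios_transform_set(line: str) -> Proposal:
    """Decode 'crypto ipsec transform-set NAME esp-aes 256 esp-sha256-hmac' (esp-aes = AES-CBC)."""
    body = line.split("transform-set", 1)[1].split(None, 1)[1]   # text after the set name
    prop = Proposal()
    m = re.search(r"\besp-(aes|gcm|null)(?:\s+(\d+))?", body)
    if m:
        prop.cipher = {"aes": "aes-cbc", "gcm": "aes-gcm", "null": "null"}[m.group(1)]
        prop.key_bits = 0 if m.group(1) == "null" else int(m.group(2) or 128)   # IOS default 128
    prop.integrity = next((v for k, v in _IOS_INTEGRITY.items() if k in body.split()), "none")
    return prop


def parse_ios(config: str) -> tuple:
    """(phase1, phase2) from one 'crypto ikev2 proposal' block and one transform-set line."""
    ike, esp, in_proposal = Proposal(), Proposal(), False
    for raw in config.splitlines():
        parts = raw.split()
        if raw.startswith("crypto ikev2 proposal"):
            in_proposal = True
        elif raw.startswith("crypto ipsec transform-set"):
            in_proposal, esp = False, parse_ios_transform_set(raw)
        elif in_proposal and raw.startswith(" ") and len(parts) >= 2:   # first value only
            key, value = parts[0], parts[1]
            m = re.match(r"aes-(cbc|gcm)-(\d+)$", value)
            if key == "encryption" and m:
                ike.cipher, ike.key_bits = f"aes-{m.group(1)}", int(m.group(2))
            elif key == "integrity":
                ike.integrity = value
            elif key == "group":
                ike.group = int(value)
        elif parts:
            in_proposal = False                       # left the proposal block
    return ike, esp


def mismatches(a: Proposal, b: Proposal) -> list:
    """Fields where the proposals differ; the group is compared only when both sides
    state it (on IOS the PFS group is 'set pfs' under the IPsec profile)."""
    fields = ["cipher", "key_bits", "integrity"] + (["group"] if a.group and b.group else [])
    return [f for f in fields if getattr(a, f) != getattr(b, f)]


def check(vedge_block: str, ios_config: str) -> dict:
    (v1, v2), (i1, i2) = parse_vedge_interface(vedge_block), parse_ios(ios_config)
    return {"phase1": mismatches(v1, i1), "phase2": mismatches(v2, i2)}


# The pair as first posted in the thread, trimmed to the lines the check reads.
VEDGE_FIRST = """\
 ike
  cipher-suite aes128-cbc-sha1
  group 2
 ipsec
  cipher-suite aes256-cbc-sha1
  perfect-forward-secrecy group-2
"""
VEDGE_SECOND = VEDGE_FIRST.replace("aes256-cbc-sha1", "aes256-cbc-sha256")
IOS_SIDE = """\
crypto ikev2 proposal IKE-PROPOSAL-1
 encryption aes-cbc-128
 integrity sha1
 group 2
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac
"""
```

`check(VEDGE_FIRST, IOS_SIDE)` returns `{'phase1': [], 'phase2': ['integrity']}` for the pair as first posted (HMAC-SHA1 on the vEdge, HMAC-SHA256 on the router), and `check(VEDGE_SECOND, IOS_SIDE)` reports no mismatch once the vEdge side uses `aes256-cbc-sha256`. The IOS side's PFS group is left out of the comparison because the posted IOS config does not include the IPsec profile where it would be set.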
