01-03-2024 11:27 AM
I have a small SD-WAN setup for a company with two "DC" locations using SDCI/Cloud On-Ramp to my main AWS subscription and two remote sites that connect via the SD-WAN to the SDCI to access the workload. I have two test AWS subscriptions that are not part of my main AWS subscription that I want to connect to my SD-WAN, but I don't want to deploy edges to those subscriptions as it is for short-term projects, but I need to access those workloads from my two remote sites. I have a Site-to-Site VPN currently between the test AWS subscriptions and my main remote site to facilitate the connectivity. I want to move as much as I can to SD-WAN; however, I cannot deploy a "service" side VPN for this.
I want to connect the test AWS subscriptions to the "DC" locations via IPSec and have the "DC" edges route the traffic to the remote site or the main AWS subscription as required. I found little documentation on how to use IPSec on the transport side, but I haven't seen anything that says I cannot.
Can someone direct me on if this is possible and if so, the docs on how to do it?
01-06-2024 04:07 AM
First point: using tunnel next-hop is OK.
Second point:
We have VPN 20 with prefix 172.16.4.0.
We need to push traffic via the VPN 0 IPsec tunnel.
So we need the static route under VPN 20, not under VPN 0.
VPN 0 has only a default route toward the ISP.
MHM
01-05-2024 09:55 AM
I tried IKEv1 and it is not working either, but I want to focus on fixing this on IKEv2 if possible. On IKEv1, the remote router says it is receiving a packet that is not encrypted and expecting it to be encrypted.
01-05-2024 03:22 PM
Hi,
Do you have NAT in transit? Also, under the tunnel of the remote router, set ip mtu to 1400, but ip tcp adjust-mss to 1360 (=1400-20-20).
Just a quick check: you want IPSec S2S between the remote router and the vEdge over IKEv2 over VPN0, right?
01-05-2024 04:35 PM
Do you have NAT in transit? No, I don't believe so. The lab has a simple router that is serving as the Internet for the routers. I am using a simple 100.x.x.x for the public side in the lab.
Just a quick check: you want IPSec S2S between the remote router and the vEdge over IKEv2 over VPN0, right? Yes, I want to do a Site-to-Site IPSEC tunnel from a remote router which is not on the SD-WAN to a vEdge that is participating in an SD-WAN fabric, which would be over VPN0.
I will adjust the tcp adjust-mss to 1360 to eliminate that from the equation.
01-06-2024 01:37 AM
Can you verify the pre-shared key? Type a simple one, like "Cisco123" since it is a lab (without quotes).
01-08-2024 07:12 AM
The key is Testing, and I checked that multiple times.
01-08-2024 01:50 PM
Let's do it like this: share your latest config and debugs. On the previous page I see IKEv2 config but IKEv1 debug output, which confused me, to be honest.
01-08-2024 03:47 PM
I will upload the configurations as the remote side is set up for both IKEv1 and IKEv2; it is just a matter of applying the tunnel protection profile to the tunnel. I will set the lab for IKEv2 and upload the debugs.
01-08-2024 04:40 PM
01-09-2024 02:36 AM
Can you check one more point:
vpn 0
interface g0/0
no interface tunnel <<- since you use g0/0 as the interface for the IPsec tunnel
Do this only for troubleshooting.
MHM
01-09-2024 07:43 AM
I think you mean "no tunnel-interface". I was able to put the vEdge in CLI mode and do a "no tunnel-interface". No change in the debugs, nor does the tunnel come up. I manually retyped the PSK on both units to ensure they are the same.
01-09-2024 08:26 AM
interface ipsec1
ip address 169.254.1.1/30
tunnel-source-interface ge0/0
tunnel-destination 100.0.50.2
ike
version 2
rekey 14400
cipher-suite aes128-cbc-sha1 <<- this phaseI
group 2
authentication-type
pre-shared-key
pre-shared-secret $8$EWhg0Phf6OeE4qWWhhU8Sa5/SQO2io3gsaY7WB/a5FI=
!
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite aes256-cbc-sha1 <<- this phaseII
perfect-forward-secrecy group-2
crypto ikev2 proposal IKE-PROPOSAL-1 <<- this phaseI
encryption aes-cbc-128
integrity sha1
group 2
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac <<- this phaseII
mode tunnel
The phase II ciphers do not match.
MHM
01-09-2024 08:51 AM
I caught that, but I changed it and it still did not work.
01-09-2024 08:53 AM
Shut the interface on the non-SD-WAN side and no shut it again, then check.
MHM
01-09-2024 09:41 AM
Did that. Still not working. Here is the current configuration of the vEdge:
interface ipsec1
ip address 169.254.1.1/30
tunnel-source-interface ge0/0
tunnel-destination 100.0.50.2
ike
version 2
rekey 14400
cipher-suite aes128-cbc-sha1
group 2
authentication-type
pre-shared-key
pre-shared-secret $8$EWhg0Phf6OeE4qWWhhU8Sa5/SQO2io3gsaY7WB/a5FI=
!
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite aes256-cbc-sha256
perfect-forward-secrecy group-2
!
mtu 1400
no shutdown
I believe you are right in that phase 2 is not matching, but I don't see a parameter that matches 100%.
Here are the cipher options on the vEdge:
aes256-cbc-sha1 Use 256 bit AES-CBC with HMAC-SHA1-96 integrity
aes256-cbc-sha256 Use 256 bit AES-CBC with HMAC-SHA-256 integrity
aes256-cbc-sha384 Use 256 bit AES-CBC with HMAC-SHA-384 integrity
aes256-cbc-sha512 Use 256 bit AES-CBC with HMAC-SHA-512 integrity
aes256-gcm Use 256 bit AES-GCM
null-sha1 Use null encryption with HMAC-SHA1-96 integrity
null-sha256 Use null encryption with HMAC-SHA-256 integrity
null-sha384 Use null encryption with HMAC-SHA-384 integrity
null-sha512 Use null encryption with HMAC-SHA-512 integrity
Here is what is available on the lab router:
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
I don't see a CBC option for the router.
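Two points in this thread come down to the same check: the phase 2 (IPsec) cipher-suite on the vEdge must correspond to the transform-set on the IOS router, and the vEdge keyword names and the IOS transform keywords spell the same algorithms differently (IOS `esp-aes` is AES in CBC mode, `esp-sha-hmac` is HMAC-SHA1, so the vEdge `aes256-cbc-sha256` corresponds to `esp-aes 256 esp-sha256-hmac`). The script below is an added example, not code from the thread or from Cisco: it parses the vEdge `interface ipsec1` block and the router's IKEv2 proposal, transform set and IPsec profile into one normalized (encryption, key bits, integrity) form and reports any phase 1 or phase 2 disagreement. The configs embedded in it are constructed from the snippets posted above; the `crypto ipsec profile P1` block with `set pfs group2` is an assumption (the thread never shows the router's PFS setting), and the parser only understands the keywords used here plus the GCM and null variants from the help output.

```python
import re

# vEdge cipher-suite keywords, e.g. aes256-cbc-sha256, aes256-gcm, null-sha1
_VEDGE_SUITE = re.compile(
    r"^(aes|null)(\d+)?(?:-(cbc|gcm))?(?:-(sha1|sha256|sha384|sha512))?$")
# IOS IKEv2 "encryption" keywords, e.g. aes-cbc-128, aes-gcm-256
_IOS_IKE_ENC = re.compile(r"^(aes-(?:cbc|gcm))-(\d+)$")


def normalize_vedge_suite(name):
    """Map a vEdge cipher-suite keyword to (encryption, key_bits, integrity).
    GCM is AEAD and carries no separate integrity algorithm, so integrity is None."""
    m = _VEDGE_SUITE.match(name)
    if not m:
        raise ValueError(f"unknown vEdge cipher-suite: {name}")
    alg, bits, mode, integ = m.groups()
    if alg == "null":
        return ("null", 0, integ)
    return (f"aes-{mode}", int(bits), integ)


def normalize_ios_transform(tokens):
    """Map the keywords after 'crypto ipsec transform-set NAME' to the same tuple."""
    enc, bits, integ = "null", 0, None
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("esp-aes", "esp-gcm"):
            enc = "aes-cbc" if t == "esp-aes" else "aes-gcm"
            bits = 128  # IOS default key size when none is given
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                bits = int(tokens[i + 1])
                i += 1
        elif t == "esp-null":
            enc = "null"
        elif t.startswith("esp-") and t.endswith("-hmac"):
            h = t[4:-5]  # "sha" means SHA1 on IOS; "sha256", "md5" stay as-is
            integ = "sha1" if h == "sha" else h
        i += 1
    return (enc, bits, integ)


def parse_vedge(cfg):
    """Extract phase 1 ('ike') and phase 2 ('ipsec') parameters from a vEdge ipsec interface block."""
    ike, ipsec, section = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "ike":
            section = ike
        elif line == "ipsec":
            section = ipsec
        elif section is None:
            continue
        elif line.startswith("version "):
            section["version"] = int(line.split()[1])
        elif line.startswith("cipher-suite "):
            section["suite"] = normalize_vedge_suite(line.split()[1])
        elif line.startswith("group "):
            section["group"] = int(line.split()[1])
        elif line.startswith("perfect-forward-secrecy "):
            section["group"] = int(line.split()[1].split("-")[1])  # "group-2" -> 2
    return {"ike": ike, "ipsec": ipsec}


def parse_ios(cfg):
    """Extract the IKEv2 proposal, transform set and PFS group from IOS/IOS-XE lines."""
    ike, ipsec, section = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev2 proposal "):
            section, ike["version"] = ike, 2
        elif line.startswith("crypto ipsec transform-set "):
            section = None
            ipsec["suite"] = normalize_ios_transform(line.split()[4:])
        elif line.startswith("crypto ipsec profile "):
            section = ipsec
        elif section is ike and line.startswith("encryption "):
            m = _IOS_IKE_ENC.match(line.split()[1])
            ike["enc"] = (m.group(1), int(m.group(2))) if m else (line.split()[1], 0)
        elif section is ike and line.startswith("integrity "):
            ike["integ"] = line.split()[1]
        elif section is ike and line.startswith("group "):
            ike["group"] = int(line.split()[1])
        elif section is ipsec and line.startswith("set pfs group"):
            ipsec["group"] = int(line.split()[2][len("group"):])  # "group2" -> 2
    if "enc" in ike:
        ike["suite"] = ike.pop("enc") + (ike.pop("integ", None),)
    return {"ike": ike, "ipsec": ipsec}


def compare(vedge, ios):
    """Return a list of mismatch strings; an empty list means both phases agree."""
    issues = []
    for phase, group_label in (("ike", "DH group"), ("ipsec", "PFS group")):
        v, r = vedge[phase], ios[phase]
        for key, label in (("version", "IKE version"), ("suite", "cipher-suite"), ("group", group_label)):
            if v.get(key) != r.get(key):
                issues.append(f"{phase}: {label} vEdge={v.get(key)} router={r.get(key)}")
    return issues


# Constructed from the snippets in the thread (secrets and addresses omitted).
VEDGE_BEFORE = """\
interface ipsec1
 tunnel-source-interface ge0/0
 tunnel-destination 100.0.50.2
 ike
  version 2
  rekey 14400
  cipher-suite aes128-cbc-sha1
  group 2
 !
 ipsec
  rekey 3600
  replay-window 512
  cipher-suite aes256-cbc-sha1
  perfect-forward-secrecy group-2
 !
"""
VEDGE_AFTER = VEDGE_BEFORE.replace("aes256-cbc-sha1", "aes256-cbc-sha256")
ROUTER = """\
crypto ikev2 proposal IKE-PROPOSAL-1
 encryption aes-cbc-128
 integrity sha1
 group 2
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
 set pfs group2
!
"""

if __name__ == "__main__":
    for label, cfg in (("before", VEDGE_BEFORE), ("after", VEDGE_AFTER)):
        print(label, compare(parse_vedge(cfg), parse_ios(ROUTER)) or "OK")
```

Run as-is it flags only the phase 2 integrity difference (SHA1 on the vEdge versus SHA256 on the router) for the original config and reports OK once the vEdge side is changed to `aes256-cbc-sha256`, which matches the fix suggested earlier in the thread. Anything the parser cannot map raises rather than silently passing, so an unexpected keyword shows up as an error instead of a false "OK".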