cEdge supports standard IKE tunnels in 19.x.

"You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512)."

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Security/Security-Book/security-book_chapter_01.html?bookSearch=true#c_Configuring_IKE_Enabled_IPsec_Tunnels_12216.xml

Hi HashamM, 

Can you point specifically on the vManage how we can do that?

The link you shared is for a vEdge setup, the one I've found is for cEdge 16.12.x.

Could you please clarify, as I'm waiting for this feature being available for some months now.

Thank you, 

Best Regards, 

Transport side Ike based IPsec is not available in cedge. It's in roadmap. We may get it in march release if everything will be on track.

At the moment,you can use service side ipsec in cedge. Thanks 

Thanks rbncarvalho & HashamM 

I followed the guide and created the IPSEC interface on the service side instead of VPN0, unfortunately I'm getting a IKEv2 failure:

IKEv2:% Getting preshared key from profile keyring if-ipsec1-ikev2-keyring
IKEv2:% Matched peer block 'if-ipsec1-ikev2-keyring-peer'
IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address X.X.X.X
IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'policy1-global'
IKEv2-ERROR:Address type 1622425149 not supported

My assumption is that although the IPSEC is created on the service side, by sourcing the tunnel from the interface with a public IP address in VPN0, the cEdge would VRF jump to VPN0.

I'll log a TAC case next.

Hi, can you please post the config that solved your problem. I have a similar problem with an IPSec Tunnel to an external Firewall. Template applied to Service VPN 1, Source interface from VPN 0 (Internet Interface with public IP to reach external Firewall via Internet). Thank You

Hi piniman,

Create an ACL in Policies > Local Policy > Access Control Lists
Permit port 500
I also have the Default Action as ‘Accept’ in my POC.
Copy the ACL name (CTRL C) you’ll need it for the next step.

Edit your ‘Feature Template’ for the ‘VPN Interface Ethernet’ that is applied to your physical interface in VPN0.
Under ‘ACL/QOS’ add a ‘IPv4 Ingress Access List’ using the name of the ACL you created in the first step.

Thank You.

Can you also post the config for the VPN template. I think i have the problem with the Source Interface (i receive  "IKEv2-ERROR:Address type not supported" in log).

You wrote " had to change source interface to Service VPN"

Which Interface did you use? Do you had to apply some NAT config?

Source Interface in my setup is the WAN Interface connected to the Internet. Communication over the IPSec Tunnel should be done via VPN1.

My template for 'VPN Interface IPsec' looks like this:

Then, this template is added under the Service VPN :

I thought it was all working fine, however I now have a new problem.

IKEv2 is working for Phase 1, but IPSEC is failing.

For some reason the ISR4K is creating 16 SA's whilst Zscaler only support a maximum of 8 SA's, therefore the tunnel is currently unusable.

I'd be interested to hear if you have the same issue?

Any luck getting this to work?  I opened an SR with TAC for the exact same reason.

Hi, made some more tests and my problem is the following

IPSec tunnel can be established if remote end is configured without any specific encryption domains for the communication and with a transport network within the tunnel (for routing purpose - like in GRE Tunnel)

All traffic must be accepted and specific routing is needed to direct traffic into specific tunnels.

To a remote end configured with encryption domains i wasn´t sucessfull

Looks like its working after I added the ACL to the outside interface.  I also had to mention the same ACL in the local policy for this to work.   Has anyone ever created an exception list to bypass zscaler in certain situations and go out the DIA door instead?

Thanks again for this article.  I shared this with TAC too.  

Hi  dbogdan,

Are you seeing encrypts and decrypts over your IPSEC tunnel?

In my case even after adding the ACL entry there was another step which was needed to fix this tunnel. I believe it is specific to ISR4K's and being fixed in the November code release.

It’s a bug where the ZScaler dumps an IP address based on the “config_exchange” request sent by cEdge devices.

The CLI based workaround for it (on cEdge).

BR12-1X(config)# crypto ikev2 profile apple

BR12-1X(config-ikev2-profile)# config-exchange request

BR12-1X(config-ikev2-profile)# commit

Commit complete.

BR12-1X(config-ikev2-profile)# no config-exchange request

BR12-1X(config-ikev2-profile)# commit

Commit complete.

BR12-1X(config-ikev2-profile)# end