Beginner

IPSEC interface not available from VPN0

Hi there,

 

My environment has the following:

 

  • Branch router, ISR4451-X, version 16.12.1b
  • vManage, version 19.2.0

I'd like to configure an IPSEC tunnel to Zscaler; the interface should be sourced from VPN0 so that I can use the public IP address attached to my DIA circuit.

 

The problem is that a 'VPN Interface IPSEC' is not available:

[screenshot: VPN interface IPSEC.JPG]

 

Zscaler guide below (page 44):

https://www.zscaler.com/resources/solution-briefs/partner-viptela-cisco-sd-wan-deployment.pdf

 

I notice the guide was written for the vEdge.

 

Has anyone been able to do this on an ISR4k?

 

Thanks!

2 ACCEPTED SOLUTIONS

Accepted Solutions
Beginner

Re: IPSEC interface not available from VPN0

Hi JW_UK, 

 

As far as I'm aware, that feature is not supported on cEdge platforms; you can only use IPsec tunnels on the Service Side VPN.

 

VPN Interface IPsec (for XE Routers)

Use the VPN Interface IPsec feature template to configure IPsec tunnels on Cisco IOS XE service VPNs that are being used for Internet Key Exchange (IKE) sessions. You can configure IPsec on tunnels for VPN 1 through 65530, except for 512.

 

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/System-Interface/systems-interfaces-book/configure-interfaces.html

 

Thank you, 
Please rate helpful posts

Best Regards,
Please rate helpful posts,

Ruben Carvalho CCIE#57952
Beginner

Re: IPSEC interface not available from VPN0

Resolved.

 

IOS XE routers must source IPSEC interfaces from the Service side VPN (not VPN0), but also, it is necessary to add an inbound IPv4 ACL to the interface in VPN0 to permit UDP 500 (IPSEC) and, if using NAT, UDP 4500 as well.

After the tunnel is established you can add an IPv4 static route on the Service side with a next hop of the Tunnel interface to route traffic via the tunnel. Be aware the static route will only be withdrawn from the routing table if the Tunnel goes down.

 

Zscaler supports IP-SLA HTTP probes to check the cloud proxy health; on traditional routers you are able to use 'track' features to, for example, change the admin distance of a static route based on the results of the IP-SLA test. I'm unsure if Viptela using IOS XE has this same capability. This does present a bit of a problem for intelligent traffic steering.

 

Hope this helps.

Cisco Employee

Re: IPSEC interface not available from VPN0

cEdge supports standard IKE tunnels in 19.x.

 

"You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512)."

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Security/Security-Book/security-book_chapter_01.html?bookSearch=true#c_Configuring_IKE_Enabled_IPsec_Tunnels_12216.xml

Beginner

Re: IPSEC interface not available from VPN0

Hi HashamM, 

 

Can you point out specifically on vManage how we can do that?


The link you shared is for a vEdge setup, the one I've found is for cEdge 16.12.x.

 

Could you please clarify, as I've been waiting for this feature to be available for some months now.

 

Thank you, 

Best Regards, 

 

 

Best Regards,
Please rate helpful posts,

Ruben Carvalho CCIE#57952
Cisco Employee

Re: IPSEC interface not available from VPN0

Transport-side IKE-based IPsec is not available in cEdge. It's on the roadmap. We may get it in the March release if everything is on track.

At the moment, you can use service-side IPsec in cEdge. Thanks

 

Beginner

Re: IPSEC interface not available from VPN0

Thanks rbncarvalho, HashamM

 

I followed the guide and created the IPSEC interface on the service side instead of VPN0; unfortunately I'm getting an IKEv2 failure:

 

IKEv2:% Getting preshared key from profile keyring if-ipsec1-ikev2-keyring
IKEv2:% Matched peer block 'if-ipsec1-ikev2-keyring-peer'
IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address X.X.X.X
IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'policy1-global'
IKEv2-ERROR:Address type 1622425149 not supported

 

My assumption is that although the IPSEC is created on the service side, by sourcing the tunnel from the interface with a public IP address in VPN0, the cEdge would VRF jump to VPN0.

 

I'll log a TAC case next.

Beginner

Re: IPSEC interface not available from VPN0

Hi, can you please post the config that solved your problem. I have a similar problem with an IPSec Tunnel to an external Firewall. Template applied to Service VPN 1, Source interface from VPN 0 (Internet Interface with public IP to reach external Firewall via Internet). Thank You

Beginner

Re: IPSEC interface not available from VPN0

Hi piniman,

 

Create an ACL in Policies > Local Policy > Access Control Lists
Permit port 500
I also have the Default Action as ‘Accept’ in my POC.
Copy the ACL name (CTRL C) you’ll need it for the next step.

[screenshot: ACL.JPG]

Edit your ‘Feature Template’ for the ‘VPN Interface Ethernet’ that is applied to your physical interface in VPN0.
Under ‘ACL/QOS’ add a ‘IPv4 Ingress Access List’ using the name of the ACL you created in the first step.

[screenshot: ACL on interface.JPG]
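As an added illustration (not configuration from this thread, from Cisco or from Zscaler), here is a small Python model of the VPN0 ingress ACL described in the "Resolved" post and in the steps above: it evaluates first-match rules the way an ingress ACL does and reports whether IKE (UDP 500) and NAT-T (UDP 4500) from the Zscaler peer would be accepted under a given default action. The peer address, sequence numbers and rule layout are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

IKE_PORT = 500      # IKEv2 control plane
NAT_T_PORT = 4500   # NAT traversal for IKE/ESP, needed when the VPN0 interface is behind NAT

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str              # "accept" or "drop", the actions of a vManage localized-policy ACL
    proto: str               # "udp", "tcp" or "any"
    src: str                 # source prefix in CIDR form
    dst_port: Optional[int]  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int

def evaluate(rules: List[Rule], default_action: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match in sequence order wins, as on an IOS XE ingress ACL; the ACL's default
    action applies when no rule matches. Returns (action, sequence of the matching rule)."""
    for r in sorted(rules, key=lambda r: r.seq):
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action, r.seq
    return default_action, None

def ike_reachability(rules: List[Rule], default_action: str, peer: str,
                     nat_traversal: bool) -> Dict[str, bool]:
    """Report which IKE control-plane flows from `peer` the VPN0 ingress ACL lets in."""
    needed = {"IKE udp/500": IKE_PORT}
    if nat_traversal:
        needed["NAT-T udp/4500"] = NAT_T_PORT
    return {name: evaluate(rules, default_action, Packet("udp", peer, port))[0] == "accept"
            for name, port in needed.items()}

# Constructed sample data (not from the thread): a documentation-range peer address and the
# "permit port 500" ACL from the post, with and without the NAT-T entry.
ZSCALER_PEER = "203.0.113.10"
ACL_PORT_500_ONLY = [Rule(10, "accept", "udp", "0.0.0.0/0", IKE_PORT)]
ACL_WITH_NAT_T = ACL_PORT_500_ONLY + [Rule(20, "accept", "udp", "0.0.0.0/0", NAT_T_PORT)]
```

With a default action of accept (as in the POC above) every unlisted flow passes the ACL, so `evaluate` on an unrelated TCP packet returns accept with no matching rule; a drop default plus explicit 500/4500 entries is the tighter choice.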

Beginner

Re: IPSEC interface not available from VPN0

Thank You.

Can you also post the config for the VPN template? I think I have the problem with the Source Interface (I receive "IKEv2-ERROR:Address type not supported" in the log).

You wrote "had to change source interface to Service VPN".

Which interface did you use? Did you have to apply some NAT config?

 

Source Interface in my setup is the WAN Interface connected to the Internet. Communication over the IPSec Tunnel should be done via VPN1.

 

Beginner

Re: IPSEC interface not available from VPN0

My template for 'VPN Interface IPsec' looks like this:

 

[screenshot: template 10.JPG]

[screenshot: template 11.JPG]

[screenshot: template 12.JPG]

Then, this template is added under the Service VPN :

[screenshot: template 1.JPG]

I thought it was all working fine, however I now have a new problem.

IKEv2 is working for Phase 1, but IPSEC is failing.

For some reason the ISR4K is creating 16 SAs whilst Zscaler only supports a maximum of 8 SAs, therefore the tunnel is currently unusable.

 

I'd be interested to hear if you have the same issue?
