12-06-2014 04:45 AM - edited 02-21-2020 07:58 PM
I have a very specific application need where we are terminating an IKE+IPsec tunnel at one edge router, but then need to establish another IKE+IPsec tunnel to a remote branch router, behind that ingress edge router.
In essence, this is IPsec within IPsec (SA bundling?).
I cannot seem to find if the 800 series ISR's support this configuration. There are limitations on the number of tunnels, but I don't see anything about IPsec within IPsec.
Thank you.
12-06-2014 02:54 PM
I'm not sure if it would work with crypto maps, but when you test it with any platform and it works, it should also work with the 800 series.
For VTIs I assume that it has to work. You have to make sure that the second crypto endpoint is routed through the first tunnel. The second tunnel should be sourced from an internal interface (Loopback). If the public interface were also used for that tunnel, then you would have to NAT on the edge router from public to public to avoid the second router answering the packet directly. And things like that could get confusing after some time.
But what's the reason that you want to do it this way? Can't you build the second tunnel from the edge-router to the second branch? Or directly from branch to branch?
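The layout described in this reply (outer VTI to the edge, inner VTI sourced from a Loopback and routed through the outer tunnel), written out as an added IOS/CSR configuration sketch for the edge router. This is not the poster's lab config, which is not on the page. It reuses the thread's addresses (192.168.2.2 edge CSR, 192.168.4.2 inner CSR, 192.168.5.0/24 behind it); the outer peer 203.0.113.10, Loopback0 address 10.255.0.1, Tunnel0 address 192.168.100.1/30, profile and keyring names, and the pre-shared keys are constructed placeholders.

```cisco
! Added example, not the thread's own configuration. Peer address, loopback
! address, names and keys are placeholders; replace before use.
! --- IKEv2 / IPsec policy shared by both tunnels ---
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-AES256
 proposal PROP-AES256
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! --- Outer tunnel: public interface -> strongSwan box (placeholder peer) ---
crypto ikev2 keyring KR-OUTER
 peer STRONGSWAN
  address 203.0.113.10
  pre-shared-key OUTER-KEY-PLACEHOLDER
crypto ikev2 profile IKEV2-OUTER
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-OUTER
crypto ipsec profile IPSEC-OUTER
 set transform-set TS-AES256
 set ikev2-profile IKEV2-OUTER
interface GigabitEthernet1
 ip address 192.168.2.2 255.255.255.0
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-OUTER
! The inner peer must only be reachable through the outer tunnel, so the
! inner IKE/ESP packets are themselves encrypted by Tunnel0.
ip route 192.168.4.0 255.255.255.0 Tunnel0
! --- Inner tunnel: sourced from a Loopback, not the public interface ---
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
crypto ikev2 keyring KR-INNER
 peer INNER-CSR
  address 192.168.4.2
  pre-shared-key INNER-KEY-PLACEHOLDER
crypto ikev2 profile IKEV2-INNER
 match identity remote address 192.168.4.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-INNER
crypto ipsec profile IPSEC-INNER
 set transform-set TS-AES256
 set ikev2-profile IKEV2-INNER
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-INNER
! Branch LAN behind the inner router goes through the inner tunnel.
ip route 192.168.5.0 255.255.255.0 Tunnel1
```

Two things to check when the inner IKE never starts: the outer peer's traffic selectors (on the strongSwan side, its child SA's `leftsubnet`/`rightsubnet`) must cover 10.255.0.1 to 192.168.4.0/24, since a VTI on the CSR side proposes any/any but the Linux side may not; and the inner router needs a return route for 10.255.0.1 pointing back through the Linux box, or its IKE replies never reach the edge. `show crypto ikev2 sa` and `show crypto ipsec sa` on the edge router show whether the inner SA pair is being negotiated at all, and the ESP counters on Tunnel0 should rise in step with inner-tunnel traffic if the nesting is actually happening.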
12-07-2014 03:29 AM
Ok, thanks. I will give it a try using a CSR VM instance.
I was particularly concerned if there was any sort of HW issue with this configuration. In the past when I have worked on IPsec platforms, some of the crypto accelerators didn't support SA bundling at the packet layer.
It would certainly make sense to just run one tunnel direct to the endpoint router, however the endpoint routers won't be on the public Internet. It's a bit of a wonky application driven by a customer need.
12-10-2014 06:39 PM
I am really struggling to get this to work. Please refer to the attached base CSR config.
I have a Linux machine running Strongswan, and I can establish an IKEv2 to that machine using the attached config.
I can then ping 192.168.4.2 over the IPsec tunnel from the CSR's interface (192.168.2.2). 192.168.4.2 represents a second CSR instance running behind the Linux box (on another private subnet).
What I now need to do is establish an IKE tunnel to 192.168.4.2, OVER the existing IPsec tunnel, and then route 192.168.5.0/24 through the 192.168.4.2 router (via the tunnel).
I've tried creating an additional VTI style interface with 192.168.4.2 as the destination, but I can't seem to get the CSR to initiate any IKE to 192.168.4.2.
Do both tunnel interfaces need to be VTI's? Any pointers would be greatly appreciated!
12-11-2014 02:18 AM
I just configured it in a lab and it works like a charm with tunnel-interfaces. Give me some time to write it down.
12-11-2014 03:57 AM
Awesome! Thanks.
I did find something in the Cisco documentation that says this configuration IS supported (they refer to it as "nested" IPsec tunnels), but I couldn't find an example.