converting ipsec configuration from ios to iosxr

claudiols
Level 1

We have a working IPsec configuration on IOS:

!
crypto keyring KRING
 pre-shared-key hostname BA2211RA1.ba.caixa key SeCretBA2211RA1
 pre-shared-key hostname BA3618RA1.ba.caixa key SeCretBA3618RA1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile ISAPROF
 keyring KRING
 self-identity fqdn
 match identity host domain ba.caixa
 match identity host domain se.caixa
 local-address 10.144.0.15
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set VPN
 set isakmp-profile ISAPROF
crypto map VPN_AG_EBT local-address Loopback21
crypto map VPN_AG_EBT 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Port-channel1.521
 crypto map VPN_AG_EBT
!

Will the IOS XR configuration be like this?

!
crypto keyring KRING
 pre-shared-key hostname <Nome unidade Remota> key <Senha>
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp profile ISAPROF
 keyring KRING
 self-identity fqdn
 match identity host domain <domino CAIXA>
!
crypto ipsec transform-set VPN transform esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_AG_EBT
 set type dynamic
 set pfs group2
 set transform-set VPN
!
interface X/Y
 crypto ipsec VPN_AG_EBT
!
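Before the conversion question itself, the fragments above are worth a second look from a review standpoint: pre-shared keys sit in the config in clear text, IKE uses 3DES with DH group 2, and the transform set is esp-3des with SHA-1 HMAC. The following added example (my own code, not from this thread or from Cisco) is a small linter that parses IOS-style `crypto isakmp policy`, `crypto ipsec transform-set` and keyring `pre-shared-key` lines into a structure and reports those choices. The sample config, its hostnames and key are constructed, and the severity thresholds are this example's own review policy rather than vendor guidance; it also understands the IOS XR `key encrypted <hex>` form that appears later in the thread.

```python
"""Linter for IKEv1/IPsec config fragments (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Thresholds below are this example's own review policy, not vendor guidance.
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}


@dataclass
class IsakmpPolicy:
    priority: str
    encryption: str = "des"      # IOS defaults apply when the keyword is omitted
    hash: str = "sha"            # 'sha' on IOS/IOS XR means SHA-1
    group: str = "1"
    authentication: str = "rsa-sig"
    lifetime: str = "86400"


@dataclass
class CryptoConfig:
    policies: dict = field(default_factory=dict)        # priority -> IsakmpPolicy
    transform_sets: dict = field(default_factory=dict)  # name -> transform tokens
    psks: list = field(default_factory=list)            # (peer, key, protected)


# Matches 'pre-shared-key hostname|address <peer> [mask] key [encrypted|0|6|7] <key>'
PSK_RE = re.compile(
    r"pre-shared-key\s+(?:hostname|address)\s+(\S+)(?:\s+[\d.]+)?"
    r"\s+key\s+(?:(encrypted|[067])\s+)?(\S+)$"
)


def parse_crypto_config(text: str) -> CryptoConfig:
    """Pick out ISAKMP policies, transform sets and pre-shared keys from IOS-style text."""
    cfg = CryptoConfig()
    policy = None  # the IsakmpPolicy whose sub-commands are being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy\s+(\d+)$", line)
        if m:
            policy = IsakmpPolicy(priority=m.group(1))
            cfg.policies[m.group(1)] = policy
            continue
        m = re.match(r"crypto ipsec transform-set\s+(\S+)\s+(.+)$", line)
        if m:
            policy = None
            cfg.transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = PSK_RE.match(line)
        if m:
            # 'encrypted' (IOS XR) and type 6/7 (IOS) mean the key is not in clear text
            protected = m.group(2) is not None and m.group(2) != "0"
            cfg.psks.append((m.group(1), m.group(3), protected))
            continue
        if line.startswith("crypto "):
            policy = None  # keyring, isakmp profile, crypto map: not audited here
            continue
        parts = line.split(maxsplit=1)
        if policy is not None and len(parts) == 2:
            kw, value = parts
            if kw in ("encr", "encryption"):
                policy.encryption = value
            elif kw in ("hash", "group", "authentication", "lifetime"):
                setattr(policy, kw, value)
    return cfg


def audit(cfg: CryptoConfig) -> list:
    """Return findings as 'SEVERITY: message' strings, in configuration order."""
    out = []
    for pri, p in cfg.policies.items():
        if p.encryption.split()[0] in WEAK_CIPHERS:
            out.append(f"HIGH: isakmp policy {pri}: {p.encryption} encryption")
        if p.hash == "md5":
            out.append(f"HIGH: isakmp policy {pri}: MD5 hash")
        elif p.hash == "sha":
            out.append(f"INFO: isakmp policy {pri}: SHA-1 hash, prefer SHA-2")
        if p.group in WEAK_DH_GROUPS:
            out.append(f"HIGH: isakmp policy {pri}: DH group {p.group}")
    for name, tokens in cfg.transform_sets.items():
        for t in tokens:
            if t in ("esp-des", "esp-3des", "esp-md5-hmac"):
                out.append(f"HIGH: transform-set {name}: {t}")
            elif t == "esp-sha-hmac":
                out.append(f"INFO: transform-set {name}: {t} is SHA-1, prefer SHA-2")
    for peer, _key, protected in cfg.psks:
        if not protected:
            out.append(f"HIGH: pre-shared-key for {peer}: key stored in clear text")
    return out


# Constructed sample modelled on the fragments in this thread; names and key are made up.
SAMPLE_CONFIG = """\
crypto keyring KRING
 pre-shared-key hostname branch1.example.test key PLAINTEXT-EXAMPLE-KEY
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set VPN-GCM esp-gcm 256
"""

if __name__ == "__main__":
    for finding in audit(parse_crypto_config(SAMPLE_CONFIG)):
        print(finding)
```

Run as a script it prints six findings for the constructed sample: three for policy 1 (3DES, SHA-1, DH group 2), two for transform set VPN, and one for the clear-text key; policy 10 and the GCM transform set pass. Feeding it a real running-config means the key material passes through the tool, so treat its input the way you would treat the config itself.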

Accepted Solution

the thing is, part of the crypto config like keychains are supported as they are used in some auth methods for routing protocols.

true ipsec is not on the 9k, the current ucode has no room for that. next gen might have it and we're also working on a blade or adapter that can assist with this.

I am trying to find an official statement that ipsec on the 9k is not supported, but the more I google it, the more embarrassed I get as many things "suggest" that this should work. I am working on rectifying that to remove the ambiguity.

I am also checking in with the CRS and XR12K guys what their support is for ipsec in hw.

Will report back when I have news.

regards

xander

Hi Claudiols,

you would need to check the tunnel-ipsec configuration guidelines:

crypto ipsec transform-set test1
 transform esp-sha-hmac
!
crypto ipsec profile ipsec_profile1
 match transform-set test1
 set pfs group2
 set type static
!
interface tunnel-ipsec 1
 profile ipsec_profile1
 tunnel source
 tunnel destination
!
crypto isakmp
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 lifetime 86400
!
crypto keyring key1 vrf default
 pre-shared-key address IP1 255.255.255.255 key
crypto isakmp profile isakmp_prof
 keyring key1
 match identity address IP1/32 vrf default
 set interface tunnel-interface1
!

For further info, you may refer to

http://www.cisco.com/en/US/docs/routers/xr12000/software/xr12k_r4.2/security/configuration/guide/b_syssec_cg42xr12k.html

HTH,

Michel.

I wanted to ask: which XR platform are you asking about?

Because, for instance, the ASR9000 doesn't support ipsec encryption yet.

xander

Alexander, thanks, but there is a lot of documentation about ipsec on XR (like http://www.cisco.com/en/US/docs/routers/asr9000/software/security/command/reference/srasr9kipsc.html)

Xander,

Been 3 years and maybe something has improved?

I am using ASR9010, v5.3.3 and can't implement IPsec to work which might be because you state there is no ipsec support.  I get this far:

crypto isakmp keyring VPN-IPsec-GRE
 pre-shared-key address 21.152.56.92 255.255.255.255 key encrypted 04341E1414245252
!  Not to worry - encrypted pw has been modified
!
crypto isakmp policy 10
 group 2
 encryption 3des
 authentication pre-share
!
crypto ipsec transform-set Via-GRE esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile teRemote
 set pfs group2
 set transform-set Via-GRE

Even the "show" commands seem to work:

RP/0/RSP0/CPU0:petach-tikva-gp# show crypto isakmp keyring
Sun Nov  6 08:45:08.139 IST

IKEv1 KeyRing  VPN-IPsec-GRE
  Vrf : default(VRF-ID: 1610612736)
  Local Address :
    21.152.56.92 Vrf: default(VRF-ID: 1610612736)
    Pre Shared Keys are:
     ip-address  21.152.56.92/32
       key :    xxxxxxx
RP/0/RSP0/CPU0:petach-tikva-gp#show crypto isakmp policy
Sun Nov  6 08:45:49.890 IST

 Global IKE policy
 Protection suite of priority  10
         encryption algorithm:     3DES - 192 bit keys
         hash algorithm:           Secure Hash Standard
         authentication method:    Pre-Shared Key
         Diffie-Hellman group:     #2
         lifetime:                 86400 seconds, no volume limit

 Protection suite of priority  65508
         encryption algorithm:     AES(CBC) - 128 bit keys
         hash algorithm:           Secure Hash Standard
         authentication method:    Pre-Shared Key
         Diffie-Hellman group:     #1
         lifetime:                 86400 seconds, no volume limit

 Protection suite of priority  65510
         encryption algorithm:     AES(CBC) - 128 bit keys
         hash algorithm:           Message Digest 5
         authentication method:    Pre-Shared Key
         Diffie-Hellman group:     #1
         lifetime:                 86400 seconds, no volume limit

But when I try to add "match" to the profile:

RP/0/RSP0/CPU0:petach-tikva-gp(config)#crypto ipsec profile teRemote
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#set pfs group2
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#match ?
  WORD  ACL name
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#match 100 ?
  transform-set  Specify list of transform sets in priority order
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#match 100 transform-set Via-GRE
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

and "show config failed" shows no commands failed.

Also I tried defining an "ipsec" tunnel and only got this far:

interface tunnel-ipsec10

There appear to be no sub-interface commands for "tunnel-ipsec10". 

It is as if ipsec has only been partially ported to IOS-XR and gives one an impression as if it should work, but it really doesn't.

Is it still true that ipsec doesn't work on ASR9000s w/ IOS-XR?

Thanks,

Hank

xthuijs
Cisco Employee

hi hank,

correct, there is no ipsec support; the only thing that has "changed" is that the documentation has been updated and the parser/commit throws you an error now.

we do have some ipsec support via the VSM, but that is not officially publicized. the best alternate approach for ipsec is using MACsec, which is accelerated in hardware for the Tomahawk linecard.

cheers!

xander

Michel, thanks, do you have any documentation about differences between IPSEC on IOS and IOSXR? Do you have any documentation about GETVPN on IOSXR, for example?

Claudio, indeed very misleading. I have asked the documentation team to remove that over and over, I just asked again for that.

It gives the incorrect impression that a9k does ipsec, the only crypto it does today is for ssh.

Note that at some point we will get a service card/mpa that will assist in the crypto, but for now this is not applicable.

apologies for the confusion.

regards

xander

Thanks Alexander, the customer is trying to configure ipsec on an ASR9010 running IOSXR (it is for a service provider, with vrf, BGP, etc.); it is already working with IOS on other equipment. What is strange is that the IOSXR has the commands (we did not type the commit).

Is there any Cisco document stating that IOSXR does not support ipsec? Because in the release notes for 4.2.1 there is a reference to support for ipsec; is the ASR9K an exception (does it run on CRS and 12K)?

Alexander, thanks a lot for your help, but in the link http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html we can read that there is support for ipsec on ASR9K-px and not on ASR9K-p; is that correct, or do both ASR9K p and px lack ipsec support?

The P vs PX defines the RSP type (merged in XR43 btw). The RSP doesn't do the forwarding; that is determined by the LC type. So regardless of P/PX, IPSEC won't work on the existing linecards today.

Haven't heard back yet from my gsr and crs guy...

xander