07-24-2013 02:25 AM
we have a working ipsec configuration on ios
!
crypto keyring KRING
pre-shared-key hostname BA2211RA1.ba.caixa key SeCretBA2211RA1
pre-shared-key hostname BA3618RA1.ba.caixa key SeCretBA3618RA1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp profile ISAPROF
keyring KRING
self-identity fqdn
match identity host domain ba.caixa
match identity host domain se.caixa
local-address 10.144.0.15
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set VPN
set isakmp-profile ISAPROF
!
crypto map VPN_AG_EBT local-address Loopback21
crypto map VPN_AG_EBT 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Port-channel1.521
crypto map VPN_AG_EBT
!
Will the IOSXR configuration be like this?
!
crypto keyring KRING
pre-shared-key hostname <Nome unidade Remota> key <Senha>
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp profile ISAPROF
keyring KRING
self-identity fqdn
match identity host domain <domino CAIXA>
!
crypto ipsec transform-set VPN transform esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_AG_EBT
set type dynamic
set pfs group2
set transform-set VPN
!
interface X/Y
crypto ipsec VPN_AG_EBT
!
07-24-2013 04:01 AM
Hi Claudiols,
you would need to check the tunnel-ipsec configuration guidelines
crypto ipsec transform-set test1
transform esp-sha-hmac
!
crypto ipsec profile ipsec_profile1
match
set pfs group2
set type static
!
interface tunnel-ipsec 1
profile ipsec_profile1
tunnel source
tunnel destination
!
crypto isakmp
crypto isakmp policy 1
authentication pre-share
encryption 3des
lifetime 86400
!
crypto keyring key1 vrf default
pre-shared-key address IP1 255.255.255.255 key
crypto isakmp profile isakmp_prof
keyring key1
match identity address IP1/32 vrf default
set interface tunnel-interface1
!
For further info, you may refer to
HTH,
Michel.
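Both the IOS configuration in the question and the tunnel-ipsec snippet in this answer share the same building blocks (an ISAKMP policy, a transform-set, a keyring), so a reviewer's first job is usually to check what those blocks actually negotiate. The script below is an added example, not code from the thread or from Cisco: it parses both the IOS form (transforms on the `crypto ipsec transform-set` line) and the IOS XR form (transforms on a `transform` sub-line), then flags algorithm choices that are deprecated today (3DES/DES, MD5, DH groups 1/2/5). The two sample configurations are constructed, modelled on the thread's snippets with the pre-shared keys replaced by a placeholder; the IOS defaults assumed when a policy omits a line (hash SHA, group 1, encryption DES) are marked in comments.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the IOS configuration in the question
# (pre-shared key replaced by a placeholder).
SAMPLE_IOS = """\
crypto keyring KRING
 pre-shared-key hostname BA2211RA1.ba.caixa key REDACTED
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
"""

# Constructed sample modelled on the IOS XR tunnel-ipsec snippet in the answer,
# with modern algorithm choices so the two samples audit differently.
SAMPLE_XR = """\
crypto ipsec transform-set test1
 transform esp-aes esp-sha-hmac
!
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 group 14
 lifetime 86400
!
crypto keyring key1 vrf default
 pre-shared-key address 192.0.2.1 255.255.255.255 key REDACTED
"""

# Algorithm classes a reviewer would flag today.
WEAK_ENCR = {"3des", "des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}


def parse_crypto(config: str) -> Dict[str, dict]:
    """Collect ISAKMP policies and IPsec transform-sets from IOS / IOS XR style text."""
    policies: Dict[str, Dict[str, str]] = {}   # priority -> {setting: value}
    tsets: Dict[str, List[str]] = {}           # name -> transform list
    current = None                             # ("policy", prio) or ("tset", name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # '!' separates stanzas on both platforms
            current = None
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = ("policy", m.group(1))
            policies[m.group(1)] = {}
            continue
        m = re.match(r"crypto ipsec transform-set (\S+)(.*)$", line)
        if m:
            current = ("tset", m.group(1))
            tsets[m.group(1)] = m.group(2).split()  # IOS: transforms on the same line
            continue
        if line.startswith("crypto "):             # any other stanza: ignore its sub-lines
            current = None
            continue
        if current and current[0] == "policy":
            parts = line.split()
            key = {"encr": "encryption"}.get(parts[0], parts[0])  # IOS abbreviates 'encr'
            policies[current[1]][key] = parts[1] if len(parts) > 1 else ""
        elif current and current[0] == "tset" and line.startswith("transform "):
            tsets[current[1]] = line.split()[1:]   # IOS XR: transforms on a sub-line
    return {"policies": policies, "transform_sets": tsets}


def audit(parsed: Dict[str, dict]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for prio, p in sorted(parsed["policies"].items(), key=lambda kv: int(kv[0])):
        encr = p.get("encryption", "des")   # assumed IOS default when the line is absent
        hsh = p.get("hash", "sha")          # assumed IOS default (SHA-1)
        group = p.get("group", "1")         # assumed IOS default
        if encr in WEAK_ENCR:
            findings.append(f"isakmp policy {prio}: encryption {encr} is deprecated")
        if hsh in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: hash {hsh} is deprecated")
        if group in WEAK_DH:
            findings.append(f"isakmp policy {prio}: DH group {group} is too small")
    for name, transforms in parsed["transform_sets"].items():
        for t in transforms:
            alg = t.replace("esp-", "").replace("-hmac", "")  # esp-3des -> 3des, esp-sha-hmac -> sha
            if alg in WEAK_ENCR:
                findings.append(f"transform-set {name}: {t} is deprecated")
            if alg in WEAK_HASH:
                findings.append(f"transform-set {name}: {t} is deprecated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("IOS sample", SAMPLE_IOS), ("IOS XR sample", SAMPLE_XR)):
        print(label)
        for f in audit(parse_crypto(cfg)) or ["no findings"]:
            print("  " + f)
```

Run against the IOS sample it reports 3DES in both the ISAKMP policy and the transform-set plus DH group 2; the XR sample passes clean. The point of parsing both syntaxes in one place is that a migration like the one discussed in this thread is also the moment to retire the old algorithm choices rather than carry them across.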
07-24-2013 05:57 AM
I wanted to ask for which XR platform are you asking this about?
Because for instance the ASR9000 doesn't support ipsec encryption yet.
xander
07-24-2013 06:38 AM
Alexander, thanks, but there is a lot of documentation about ipsec on XR (like http://www.cisco.com/en/US/docs/routers/asr9000/software/security/command/reference/srasr9kipsc.html)
11-06-2016 01:11 AM
Xander,
Been 3 years and maybe something has improved?
I am using ASR9010, v5.3.3 and can't implement IPsec to work which might be because you state there is no ipsec support. I get this far:
crypto isakmp keyring VPN-IPsec-GRE
pre-shared-key address 21.152.56.92 255.255.255.255 key encrypted 04341E1414245252
! Not to worry - encrypted pw has been modified
!
crypto isakmp policy 10
group 2
encryption 3des
authentication pre-share
!
crypto ipsec transform-set Via-GRE esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile teRemote
set pfs group2
set transform-set Via-GRE
Even the "show" commands seem to work:
RP/0/RSP0/CPU0:petach-tikva-gp# show crypto isakmp keyring
Sun Nov 6 08:45:08.139 IST
IKEv1 KeyRing VPN-IPsec-GRE
Vrf : default(VRF-ID: 1610612736)
Local Address :
21.152.56.92 Vrf: default(VRF-ID: 1610612736)
Pre Shared Keys are:
ip-address 21.152.56.92/32
key : xxxxxxx
RP/0/RSP0/CPU0:petach-tikva-gp#show crypto isakmp policy
Sun Nov 6 08:45:49.890 IST
Global IKE policy
Protection suite of priority 10
encryption algorithm: 3DES - 192 bit keys
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65508
encryption algorithm: AES(CBC) - 128 bit keys
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65510
encryption algorithm: AES(CBC) - 128 bit keys
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1
lifetime: 86400 seconds, no volume limit
But when I try to add "match" to the profile:
RP/0/RSP0/CPU0:petach-tikva-gp(config)#crypto ipsec profile teRemote
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#set pfs group2
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#match ?
WORD ACL name
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#match 100 ?
transform-set Specify list of transform sets in priority order
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#match 100 transform-set Via-GRE
RP/0/RSP0/CPU0:petach-tikva-gp(config-teRemote)#
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
and "show config failed" shows no commands failed.
Also I tried defining an "ipsec" tunnel and only got this far:
interface tunnel-ipsec10
There appear to be no sub-interface commands for "tunnel-ipsec10".
It is as if ipsec has only been partially ported to IOS-XR and gives one an impression as if it should work, but it really doesn't.
Is it still true that ipsec doesn't work on ASR9000s w/ IOS-XR?
Thanks,
Hank
11-06-2016 04:27 AM
hi hank,
correct, there is no ipsec support, the only thing that has "changed" is the documentation has been updated and the parser/commit throws you an error now.
we do have some ipsec support via the VSM, but that is not officially publicized, the best alternate approach for ipsec is using MACSEC that is accelerated in hardware for the tomahawk linecard.
cheers!
xander
07-24-2013 06:46 AM
Michel, thanks, do you have any documentation about differences between IPSEC on IOS and IOSXR? Do you have any documentation about GETVPN on IOSXR, for example?
07-24-2013 06:50 AM
Claudio, indeed very misleading. I have asked the documentation team to remove that over and over, I just asked again for that.
It gives the incorrect impression that a9k does ipsec, the only crypto it does today is for ssh.
Note that at some point we will get a service card/mpa that will assist in the crypto but for now this is not
applicable.
apologies for the confusion.
regards
xander
07-24-2013 07:05 AM
Thanks Alexander, the customer is trying to configure ipsec on ASR9010 running IOSXR (it is for a service provider, with vrf, BGP, etc.); it is already working with IOS on other equipment. What is strange is that IOSXR has the commands (we did not type the commit).
Is there any Cisco document stating that IOSXR does not support ipsec? In the release notes from 4.2.1 there is a reference to support for ipsec; is the ASR9K an exception (does it run on CRS and 12K)?
07-24-2013 07:19 AM
the thing is, part of the crypto config like keychains are supported as they are used in some auth methods for routing protocols.
true ipsec is not on the 9k, the current ucode has no room for that. next gen might have it and we're also working on a blade or adapter that can assist with this.
I am trying to find an official statement that ipsec on the 9k is not supported, but the more I google it, the more embarrassed I get as many things "suggest" that this should work. I am working on rectifying that to remove the ambiguity.
I am also checking in with the CRS and XR12K guys what their support is for ipsec in hw.
Will report back when I have news.
regards
xander
07-24-2013 07:37 AM
Alexander, thanks a lot for your help, but in the link http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html we can read that there is support for ipsec on ASR9K-px and do not have on ASR9K-p; is that correct or both ASR9K p and px do not have ipsec support?
07-24-2013 07:43 AM
the P vs PX defines the RSP type (merged in XR43 btw). the RSP doesn't do the forwarding, it is determined by the LC type. So regardless of P/PX, IPSEC won't work on the existing linecards today.
Haven't heard back yet from my gsr and crs guy...
xander