Introduction
This document describes IPSec IKEv1 site-to-site VPN with pre-shared keys configuration in transport-vpn on vEdge between Cisco IOS® device with Virtual Routing and Forwarding (VRF) configured. It can also be used as a reference in order to configure IPSec between vEdge router and Amazon Virtual Port Channel (vPC) (customer gateway).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions:
- vEdge Router with 18.2 Software or newer
- Cisco IOS®-XE Router
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
vEdge Router
vpn 0
!
interface ge0/1
ip address 192.168.103.7/24
!
no shutdown
!
interface ipsec1
ip address 10.0.0.2/30
tunnel-source-interface ge0/1
tunnel-destination 192.168.103.130
ike
version 1
mode main
rekey 14400
cipher-suite aes128-cbc-sha1
group 2
authentication-type
pre-shared-key
pre-shared-secret $8$qzBthmnUSTMs54lxyHYZXVcnyCwENxJGcxRQT09X6SI=
local-id 192.168.103.7
remote-id 192.168.103.130
!
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite aes256-cbc-sha1
perfect-forward-secrecy group-2
!
no shutdown
!
vpn 1
ip ipsec-route 0.0.0.0/0 vpn 0 interface ipsec1
Cisco IOS®-XE
crypto keyring KR vrf vedge2_vrf
pre-shared-key address 0.0.0.0 0.0.0.0 key test
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp profile IKE_PROFILE
keyring KR
self-identity address
match identity address 0.0.0.0 vedge2_vrf
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set pfs group2
set isakmp-profile IKE_PROFILE
!
interface Tunnel1
ip address 10.0.0.1 255.255.255.252
description "*** IPSec tunnel ***"
tunnel source 192.168.103.130
tunnel mode ipsec ipv4
tunnel destination 192.168.103.7
tunnel vrf vedge2_vrf
tunnel protection ipsec profile IPSEC_PROFILE isakmp-profile IKE_PROFILE
!
interface GigabitEthernet4
description "*** vEdge2 ***"
ip vrf forwarding vedge2_vrf
ip address 192.168.103.130 255.255.255.0 secondary
Verify
Use this section in order to confirm that your configuration works properly.
1. Ensure that the remote address of peer is reachable:
csr1000v2#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
2. Check if IPSec phase1 Internet Key Exchange (IKE) is established on Cisco IOS®-XE router. The state should be "QM_IDLE":
csr1000v2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.103.130 192.168.103.7 QM_IDLE 1004 ACTIVE
IPv6 Crypto ISAKMP SA
3. Check if IPSec phase 2 is established on Cisco IOS®-XE router and ensure that "pkts encaps" and "kts decaps" counters increase on both sites:
csr1000v2#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.103.130
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.103.7 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.103.130, remote crypto endpt.: 192.168.103.7
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
current outbound spi: 0xFFB55(1047381)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x2658A80C(643344396)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2023, flow_id: CSR:23, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1811)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFFB55(1047381)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2024, flow_id: CSR:24, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1811)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
4. Check if IPSec phase 1 and 2 sessions are established on vEdge as well. The State should be "IKE_UP_IPSEC_UP".
vedge4# show ipsec ike sessions
ipsec ike sessions 0 ipsec1
version 1
source-ip 192.168.103.7
source-port 4500
dest-ip 192.168.103.130
dest-port 4500
initiator-spi 8012038bc7cf1e09
responder-spi 29db204a8784ff02
cipher-suite aes128-cbc-sha1
dh-group "2 (MODP-1024)"
state IKE_UP_IPSEC_UP
uptime 0:01:55:30
vedge4# show ipsec ike outbound-connections
SOURCE SOURCE DEST DEST CIPHER EXT
IP PORT IP PORT SPI SUITE KEY HASH TUNNEL MTU SEQ
--------------------------------------------------------------------------------------------------------------------------------------------------------
192.168.103.7 4500 192.168.103.130 4500 643344396 aes256-cbc-sha1 ****ba9b 1418 no
5. Check if tx- and rx- counters increase in both directions along with the matching counters that were seen on Cisco IOS®-XE router.
vedge4# show tunnel statistics dest-ip 192.168.103.130
TCP
TUNNEL SOURCE DEST SYSTEM LOCAL REMOTE TUNNEL MSS
PROTOCOL SOURCE IP DEST IP PORT PORT IP COLOR COLOR MTU tx-pkts tx-octets rx-pkts rx-octets ADJUST
---------------------------------------------------------------------------------------------------------------------------------------
ipsec 192.168.103.7 192.168.103.130 4500 4500 - - - 1418 10 1900 11 2038 1334
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
For IPSec troubleshooting guide on Cisco IOS®/IOS®-XE, refer to this:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
Related Information