CloudEOS and vEOS Router Configuration

Use this procedure to configure GRE-over-IPsec tunnels on a CloudEOS and vEOS Router instance. Once the procedure is complete, configure the other tunnel end-point on the third-party peer router.

Note: The CloudEOS and vEOS Router uses IKE version 2 by default for all IPsec tunnels. If you want to configure a GRE-over-IPsec tunnel that uses IKE version 1, explicitly configure the CloudEOS and vEOS Router to use IKE version 1.

Procedure

Complete the following steps to configure the CloudEOS and vEOS Router instance to share a GRE-over-IPsec tunnel.

To use IKE version 1, complete the section below, then continue with the following steps. To use the default, IKE version 2, begin with Step 1 below.
    switch(config)#ip security
    switch(config-ipsec)#ike policy ike-peerRtr
    switch(config-ipsec-ike)#version 1
  1. Use this command to enter IP security mode.
    switch(config)#ip security
  2. Create an IKE Policy used to communicate with the peer to establish IKE Phase 1. There is an option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    Example:
    switch(config-ipsec)#ike policy ike-vrouter 
    switch(config-ipsec-ike)#encryption aes256 
    switch(config-ipsec-ike)#integrity sha256 
    switch(config-ipsec-ike)#dh-group 24
    switch(config-ipsec-ike)#version 2 
    switch(config-ipsec-ike)#exit
    switch(config-ipsec)#ike policy ike-default 
    switch(config-ipsec-ike)#version 2 
    switch(config-ipsec-ike)#exit
  3. If the router is behind a NAT, configure the local-id with the local public IP address.
    Example:
    switch(config-ipsec-ike)#local-id <public ip address>
  4. Create an IPsec Security Association policy used in the data path for encryption and integrity. There is an option of enabling Perfect Forward Secrecy by configuring a DH group for the SA.
    Example: In this example, AES256 is used for encryption, SHA256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    switch(config-ipsec)#sa policy sa-vrouter 
    switch(config-ipsec-sa)#esp encryption aes256 
    switch(config-ipsec-sa)#esp integrity sha256 
    switch(config-ipsec-sa)#pfs dh-group 14 
    switch(config-ipsec-sa)#sa lifetime 2 
    switch(config-ipsec-sa)#exit
    
    switch(config-ipsec)#sa policy sa-default 
    switch(config-ipsec-sa)#exit
  5. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles.
    Example: In this example, the IPsec profile mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer (peer-Rtr) is set to be the responder.
    switch(config-ipsec)#profile default
    switch(config-ipsec-profile)#ike-policy ike-default
    switch(config-ipsec-profile)#sa-policy sa-default
    switch(config-ipsec-profile)#shared-key arista
    switch(config-ipsec-profile)#exit
    
    switch(config-ipsec)#profile peer-Rtr
    switch(config-ipsec-profile)#ike-policy ike-peerRtr
    switch(config-ipsec-profile)#sa-policy sa-peerRtr
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection add
    switch(config-ipsec-profile)#mode transport
  6. Configure the WAN interface to be the underlying interface for the tunnel. Specify an L3 (IP) address on this interface; it serves as the tunnel source. If no L3 address is configured, the vEOS Router cannot route packets through the tunnel.
    Example:
    switch(config)#interface Et1 
    switch(config-if-Et1)#no switchport
    switch(config-if-Et1)#ip address 1.0.0.1/24 
    switch(config-if-Et1)#mtu 1500
  7. Apply the IPsec profile to a new tunnel interface. Create the new tunnel interface as part of this step.
    Example: In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec, and the tunnel mode is set to GRE. Configure the other end of the tunnel also as a GRE-over-IPsec tunnel.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#tunnel mode gre 
    switch(config-if-Tu0)#mtu 1400
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
  8. Create the GRE-over-IPsec tunnel interface in a VRF using the vrf forwarding command. Create the VRF, if needed, then create and configure the GRE tunnel interface. Specify a tunnel key that is unique across all tunnels.
    Note: If tunnels in different VRFs need to share the IPsec connection, specify the same tunnel source, tunnel destination, and IPsec profile on each of them.
    Example:
    switch(config)#vrf definition red
    switch(config-vrf-red)#rd 1:3 
    switch(config-vrf-red)#interface tunnel0 
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#vrf forwarding red 
    switch(config-if-Tu0)#tunnel mode gre 
    switch(config-if-Tu0)#mtu 1400
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2
    switch(config-if-Tu0)#tunnel key 100 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    
    switch(config)#vrf definition blue 
    switch(config-vrf-blue)#rd 1:4 
    switch(config-vrf-blue)#interface tunnel1 
    switch(config-if-Tu1)#ip address 1.0.4.1/24 
    switch(config-if-Tu1)#vrf forwarding blue 
    switch(config-if-Tu1)#tunnel mode gre 
    switch(config-if-Tu1)#mtu 1400
    switch(config-if-Tu1)#tunnel source 1.0.0.1
    switch(config-if-Tu1)#tunnel destination 1.0.0.2
    switch(config-if-Tu1)#tunnel key 200 
    switch(config-if-Tu1)#tunnel ipsec profile vrouter
    
  9. Configure the GRE-over-IPsec tunnel on the peer router.
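A post-configuration check for this procedure, added here as an example and not part of Arista's documentation: a small Python linter that reads a running-config excerpt in the indented form EOS displays and flags an IPsec profile that names an undefined IKE or SA policy, a tunnel interface that names an undefined IPsec profile, and a tunnel key reused across tunnel interfaces (the uniqueness requirement from step 8). The SAMPLE excerpt and the policy, profile and interface names in it are constructed for the example.

```python
import re

def blocks(text, header, name=r"\S+"):
    """{name: [child lines]} for every '<header> <name>' line in text plus
    the lines indented beneath it, at whatever nesting depth it appears."""
    rx = re.compile(rf"^([ \t]*){header} ({name})[ \t]*\n((?:\1[ \t]+\S.*\n)*)", re.M | re.I)
    return {m[2]: [l.strip() for l in m[3].splitlines()] for m in rx.finditer(text)}

def refs(lines, prefix):
    """Values of every '<prefix> <value>' line in a block."""
    return [l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")]

def check(text):
    """Report dangling policy/profile references and reused tunnel keys."""
    text = text if text.endswith("\n") else text + "\n"
    policies = {k: blocks(text, k + " policy") for k in ("ike", "sa")}
    profiles = blocks(text, "profile")
    issues, keys = [], {}
    for name, lines in profiles.items():
        for kind in ("ike", "sa"):
            for ref in refs(lines, kind + "-policy"):
                if ref not in policies[kind]:
                    issues.append(f"profile {name}: {kind}-policy {ref} not defined")
    for name, lines in blocks(text, "interface", r"tunnel\d+").items():
        for ref in refs(lines, "tunnel ipsec profile"):
            if ref not in profiles:
                issues.append(f"{name}: ipsec profile {ref} not defined")
        for k in refs(lines, "tunnel key"):
            if k in keys:
                issues.append(f"{name}: tunnel key {k} already used by {keys[k]}")
            keys[k] = name
    return issues

# Constructed running-config excerpt (not from the page) with three faults:
# an undefined sa-policy, an undefined ipsec profile, and a reused tunnel key.
SAMPLE = """\
ip security
   ike policy ike-default
   sa policy sa-default
   profile peer-Rtr
      ike-policy ike-default
      sa-policy sa-peerRtr
interface Tunnel0
   tunnel key 100
   tunnel ipsec profile vrouter
interface Tunnel1
   tunnel key 100
   tunnel ipsec profile peer-Rtr
"""
ISSUES = check(SAMPLE)   # the three findings described above
```

Run it against the output of `show running-config` saved to a file to catch a profile or policy name that was mistyped between steps 2, 4, 5 and 7.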