CloudEOS and vEOS Router Configuration

Use this procedure to configure GRE-over-IPsec tunnels on a CloudEOS and vEOS Router instance. Once the procedure is complete, configure the other tunnel end-point on the third party peer router.

Note:The CloudEOS and vEOS Router by default uses IKE version 2 for all IPsec tunnels. If you want to configure a GRE-over-IPsec tunnel that uses IKE version 1, explicitly configure the CloudEOS and vEOS Router to use IKE version 1.

Procedure

Complete the following steps to configure the CloudEOS and vEOS Router instance to share a GRE-over IPsec tunnel.

To use IKE version 1, complete the section below, then continue with the following steps. To use the default version IKE version 2, begin with Step 1 below. 
switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
  1. Use this command to enter IP security mode. 
    switch(config)#ip security
  2. Create an IKE Policy used to communicate with the peer to establish IKE Phase 1. There is an option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    Example: 
    switch(config-ipsec)#ike policy ike-vrouter 
switch(config-ipsec-ike)#encryption aes256 
switch(config-ipsec-ike)#integrity sha256 
switch(config-ipsec-ike)#dh-group 24
switch(config-ipsec-ike)#version 2 
switch(config-ipsec-ike)#exit
switch(config-ipsec)#ike policy ike-default 
switch(config-ipsec-ike)#version 2 
switch(config-ipsec-ike)#exit
  3. If the router is behind a NAT, configure the local-id with the local public IP address.
    Example: 
    switch(config-ipsec-ike)#local-id <public ip address>
  4. Create an IPsec Security Association policy used in the data path for encryption and integrity. The is an option of enabling Perfect Forward Secrecy by configuring a DH group to the SA.
    Example: In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14). 
    switch(config-ipsec)#sa policy sa-vrouter 
switch(config-ipsec-sa)#esp encryption aes256 
switch(config-ipsec-sa)#esp integrity sha256 
switch(config-ipsec-sa)#pfs dh-group 14 
switch(config-ipsec-sa)#sa lifetime 2 
switch(config-ipsec-sa)#exit

switch(config-ipsec)#sa policy sa-default 
switch(config-ipsec-sa)#exit
  5. Bind or associate the IKE and SA policies together using a IPsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles.
    Example: In this example, tunnel mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer (peer-Rtr) is set to be the responder. 
    switch(config-ipsec)#profile default
switch(config-ipsec-profile)#ike-policy ikedefault
switch(config-ipsec-profile)#sa-policy sadefault
switch(config-ipsec-profile)#shared-key arista

switch(config-ipsec)#profile peer-Rtr
switch(config-ipsec-profile)#ike-policy ike-peerRtr
switch(config-ipsec-profile)#sa-policy sa-peerRtr
switch(config-ipsec-profile)#dpd 10 50 clear
switch(config-ipsec-profile)#connection add
switch(config-ipsec-profile)#mode transport
  6. Configure the WAN interface to be the underlying interface for the tunnel. Specify an L3 address for the tunnel. If the L3 address is not specified, the vEOS Router cannot route packets using the tunnel.
    Example: 
    switch(config)#interface Et1 
switch(config-if-Et1)#no switchport
switch(config-if-Et1)#ip address 1.0.0.1/24 
switch(config-if-Et1)#mtu 1500
  7. Apply the IPsec profile to a new tunnel interface. Create the new tunnel interface as part of this step.
    Example: In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec, and the tunnel mode is set to GRE. Configure the other end of the tunnel also as a GRE-over-IPsec tunnel. 
    switch(config)#interface tunnel0
switch(config-if-Tu0)#ip address 1.0.3.1/24 
switch(config-if-Tu0)#tunnel mode gre 
switch(config-if-Tu0)#mtu 1400
switch(config-if-Tu0)#tunnel source 1.0.0.1
switch(config-if-Tu0)#tunnel destination 1.0.0.2 
switch(config-if-Tu0)#tunnel ipsec profile vrouter
  8. Create the GRE-over-IPsec tunnel interface in a VRF using the vrf forwarding command. Create the VRF, if needed, then create and configure the GRE tunnel interface. Make sure to specify the tunnel key that is unique across all tunnels.
    Note: If tunnels in different VRFs need to share the IPsec connection, specify the same source, destination, and ipsec profile.
    Example: 
    switch(config)#vrf definition red
switch(config-vrf-red)#rd 1:3 
switch(config-vrf-red)#interface tunnel0 
switch(config-if-Tu0)#ip address 1.0.3.1/24 
switch(config-if-Tu0)#vrf forwarding red 
switch(config-if-Tu0)#tunnel mode gre 
switch(config-if-Tu0)#mtu 1400
switch(config-if-Tu0)#tunnel source 1.0.0.1
switch(config-if-Tu0)#tunnel destination 1.0.0.2
switch(config-if-Tu0)#tunnel key 100 
switch(config-if-Tu0)#tunnel ipsec profile vrouter

switch(config)#vrf definition blue 
switch(config-vrf-blue)#rd 1:4 
switch(config-vrf-blue)#interface tunnel1 
switch(config-if-Tu1)#ip address 1.0.4.1/24 
switch(config-if-Tu1)#vrf forwarding blue 
switch(config-if-Tu1)#tunnel mode gre 
switch(config-if-Tu1)#mtu 1400
switch(config-if-Tu1)#tunnel source 1.0.0.1
switch(config-if-Tu1)#tunnel destination 1.0.0.2
switch(config-if-Tu1)#tunnel key 200 
switch(config-if-Tu1)#tunnel ipsec profile vrouter
  9. Configure the GRE-over-IPsec tunnel on the peer router.