Configuring IPsec Tunnels on CloudEOS and vEOS Router Instances

Use this procedure to configure GRE-over-IPsec or VTI IPsec tunnels on peer CloudEOS and vEOS Router instances.

The procedure provides all of the steps required to set up either GRE-over-IPsec or VTI IPsec tunnels. Most of the steps are the same for both tunnel types (steps 1 through 7 are identical); the tunnel type is selected in step 8.

Note: CloudEOS and vEOS Router use IKE version 2 by default for all IPsec tunnels. To configure a tunnel that uses IKE version 1, explicitly configure the CloudEOS and vEOS Router to use IKE version 1 (see step 2).

Procedure

Complete the following steps to configure GRE-over-IPsec or VTI IPsec tunnels on CloudEOS and vEOS Router instances. Unless step 2 is applied, the resulting configuration uses the default IKE version 2.

  1. Use this command to enter IP security mode.
    switch(config)#ip security
  2. To use IKE version 1, set the version explicitly in the IKE policy before completing the remaining steps, which otherwise use the default IKE version 2.
    switch(config)#ip security
    switch(config-ipsec)#ike policy ike-peerRtr
    switch(config-ipsec-ike)#version 1
  3. Create an IKE policy used to negotiate IKE with the peer. You can configure multiple IKE policies.
    The default IKE Policy values are:
    • Encryption- AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    Example:
    switch(config-ipsec)#ike policy ike-vrouter 
    switch(config-ipsec-ike)#encryption aes256 
    switch(config-ipsec-ike)#integrity sha256 
    switch(config-ipsec-ike)#dh-group 24
    switch(config-ipsec-ike)#version 2 
  4. If the router is behind a NAT, configure the local-id with the local public IP address. The public IP corresponds to the underlying interface over which the IKE communications are done with the peer.
    Example:
    switch(config-ipsec-ike)#local-id <public ip address>
  5. Create an IPsec Security Association (SA) policy to be used in the data path for encryption and integrity. Optionally enable Perfect Forward Secrecy (PFS) by configuring a DH group on the SA policy.
    Example: In this example, AES256 is used for encryption, SHA256 for integrity, and Perfect Forward Secrecy is enabled with DH group 14.
    switch(config-ipsec)#sa policy sa-vrouter 
    switch(config-ipsec-sa)#esp encryption aes256 
    switch(config-ipsec-sa)#esp integrity sha256 
    switch(config-ipsec-sa)#pfs dh-group 14 
    switch(config-ipsec-sa)#sa lifetime 2 
    switch(config-ipsec-sa)#exit
  6. Bind the IKE and SA policies together in an IPsec profile. Provide a shared key, which must be identical on both peers. The default profile supplies default values for any parameter that is not explicitly configured in another profile.
    Example: In this example, the mode is set to transport. The IKE policy ike-vrouter and SA policy sa-vrouter are applied to profile vrouter. Dead Peer Detection is enabled (dpd 10 50 clear) and configured to clear the connection when the peer is down for more than 50 seconds. The connection add command makes this peer the responder, which waits for the remote side to initiate.
    switch(config-ipsec)#profile default
    switch(config-ipsec-profile)#ike-policy ikedefault
    switch(config-ipsec-profile)#sa-policy sadefault
    switch(config-ipsec-profile)#shared-key arista
    switch(config-ipsec)#profile vrouter
    switch(config-ipsec-profile)#ike-policy ike-vrouter
    switch(config-ipsec-profile)#sa-policy sa-vrouter
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection add
    switch(config-ipsec-profile)#mode transport
  7. Configure the WAN interface as the underlying interface for the tunnel. You must specify an L3 address; if you do not, the vEOS Router cannot route packets using the tunnel.
    Example:
    switch(config)#interface Et1 
    switch(config-if-Et1)#no switchport
    switch(config-if-Et1)#ip address 1.0.0.1/24 
    switch(config-if-Et1)#mtu 1500
  8. Apply the IPsec profile to a new tunnel interface, which you create as part of this step. The tunnel can be configured either as a GRE-over-IPsec tunnel or as a VTI IPsec tunnel.
    Example (GRE-over-IPsec): In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec, and the tunnel mode is set to GRE. The other end of the tunnel also needs to be configured as a GRE-over-IPsec tunnel.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#tunnel mode gre 
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    
    Example (VTI IPsec): To configure a VTI IPsec tunnel, set the tunnel mode to ipsec (tunnel mode ipsec). The other tunnel settings are the same as for GRE-over-IPsec.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#tunnel mode ipsec 
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    Optional Steps
    To move the tunnel interface to a different VRF, complete step 9. To achieve high throughput, complete step 10.
  9. To place the GRE-over-IPsec tunnel interface in a VRF, create the VRF if needed, then create the GRE tunnel interface and assign it with the vrf forwarding command. If tunnels in different VRFs need to share one IPsec connection, configure the same tunnel source, destination, and IPsec profile on each tunnel, and give each tunnel a unique tunnel key.
    Note: The tunnel key is what distinguishes tunnels that share the same source, destination, and IPsec profile, so it must be unique per tunnel.
    Example:
    switch(config)#vrf definition red
    switch(config-vrf-red)#rd 1:3 
    switch(config-vrf-red)#interface tunnel0
    switch(config-if-Tu0)#tunnel key 100
    switch(config-if-Tu0)#vrf forwarding red 
    switch(config-if-Tu0)#ip address 1.0.3.1/24
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    switch(config)#vrf definition blue 
    switch(config-vrf-blue)#rd 1:4 
    switch(config-vrf-blue)#interface tunnel1
    switch(config-if-Tu1)#tunnel key 200
    switch(config-if-Tu1)#vrf forwarding blue 
    switch(config-if-Tu1)#ip address 1.0.4.1/24
    switch(config-if-Tu1)#tunnel mode gre 
    switch(config-if-Tu1)#mtu 1394
    switch(config-if-Tu1)#tunnel source 1.0.0.1
    switch(config-if-Tu1)#tunnel destination 1.0.0.2
    switch(config-if-Tu1)#tunnel ipsec profile vrouter 
  10. Enable the IPsec flow parallelization feature to achieve high throughput over the IPsec tunnel. To enable it, add the flow parallelization encapsulation udp command to the IPsec profile, then apply the profile to the tunnel interface.
    Example: (IPsec profile configuration)
    switch(config-ipsec)#profile vrouter
    switch(config-ipsec-profile)#ike-policy ike-vrouter
    switch(config-ipsec-profile)#sa-policy sa-vrouter
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection start
    switch(config-ipsec-profile)#mode transport
    switch(config-ipsec-profile)#flow parallelization encapsulation udp
    Example: (Applying IPsec profile to tunnel interface)
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    Note: Repeat step 10 on the other end of the tunnel. The IPsec flow parallelization feature must be enabled on both ends of the tunnel.
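The steps above show the configuration of one side of the tunnel only. The following running-config fragments are an added example, not part of the original page or of Arista's own documentation, of both peers of a VTI IPsec tunnel with flow parallelization enabled. The underlay addresses (1.0.0.1 and 1.0.0.2), the overlay address 1.0.3.1/24 and the policy and profile names are taken from the examples above; the peer B overlay address 1.0.3.2/24 and the shared-key placeholder are assumptions. Peer A initiates (connection start) and peer B responds (connection add). The IKE policy, SA policy, shared key, PFS group and flow-parallelization setting must match on both sides, and each side's tunnel source is the other side's tunnel destination; a mismatch in any of these is the usual reason a tunnel never comes up.

```eos
! ---- Peer A (initiator): underlay 1.0.0.1, overlay 1.0.3.1 ----
ip security
   ike policy ike-vrouter
      version 2
      encryption aes256
      integrity sha256
      dh-group 14
      ! local-id <public ip>   (only if this peer sits behind NAT, see step 4)
   !
   sa policy sa-vrouter
      esp encryption aes256
      esp integrity sha256
      pfs dh-group 14
      sa lifetime 2
   !
   profile vrouter
      ike-policy ike-vrouter
      sa-policy sa-vrouter
      shared-key REPLACE_WITH_STRONG_SHARED_KEY
      dpd 10 50 clear
      connection start
      mode transport
      flow parallelization encapsulation udp
!
interface Ethernet1
   no switchport
   ip address 1.0.0.1/24
   mtu 1500
!
interface Tunnel0
   mtu 1394
   ip address 1.0.3.1/24
   tunnel mode ipsec
   tunnel source 1.0.0.1
   tunnel destination 1.0.0.2
   tunnel ipsec profile vrouter
!
! ---- Peer B (responder): underlay 1.0.0.2, overlay 1.0.3.2 (assumed) ----
! Same policies and the same shared key as peer A; only "connection add",
! the interface addresses and the mirrored tunnel source/destination differ.
ip security
   ike policy ike-vrouter
      version 2
      encryption aes256
      integrity sha256
      dh-group 14
   !
   sa policy sa-vrouter
      esp encryption aes256
      esp integrity sha256
      pfs dh-group 14
      sa lifetime 2
   !
   profile vrouter
      ike-policy ike-vrouter
      sa-policy sa-vrouter
      shared-key REPLACE_WITH_STRONG_SHARED_KEY
      dpd 10 50 clear
      connection add
      mode transport
      flow parallelization encapsulation udp
!
interface Ethernet1
   no switchport
   ip address 1.0.0.2/24
   mtu 1500
!
interface Tunnel0
   mtu 1394
   ip address 1.0.3.2/24
   tunnel mode ipsec
   tunnel source 1.0.0.2
   tunnel destination 1.0.0.1
   tunnel ipsec profile vrouter
```

For a GRE-over-IPsec tunnel, replace tunnel mode ipsec with tunnel mode gre on both peers; to use IKE version 1, change version 2 to version 1 in the IKE policy on both peers (step 2). The tunnel MTU of 1394 leaves room for the ESP and UDP encapsulation overhead on top of the 1500-byte underlay.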