IKEv1 Configuration

The CSR configuration for a GRE over IPsec tunnel is similar to the CloudEOS and vEOS Router setup that uses IKE version 1.

To ensure that the vEOS Router can establish a tunnel with the CSR, set the IKE version to 1 on the vEOS Router as follows:

switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
  1. Enter the configuration terminal mode to configure IPsec.
    switch#config terminal
  2. Configure a pre-shared key for the vEOS Router and CSR to authenticate each other. Create a keyring to hold the keys.
    
    switch(config)#crypto keyring vrouter-keyring
    switch(conf-keyring)#pre-shared-key address 1.0.0.2 key arista
  3. Create an ISAKMP policy. The policy's function is to communicate with the peer to establish IKE Phase 1. In the example below, a policy with AES256 is created with the following parameters: SHA1, DH group 15, authentication pre-share, and a lifetime of 28800 seconds.
    
    switch(config)#crypto isakmp policy 1
    switch(config-isakmp)#encr aes 256
    switch(config-isakmp)#hash sha
    switch(config-isakmp)#authentication pre-share
    switch(config-isakmp)#group 15
    switch(config-isakmp)#lifetime 28800
  4. Create an ISAKMP profile associated with the vEOS Router to match its outside IP Address and the keyring that was created earlier to identify the pre-shared secret.
    
    switch(config)#crypto isakmp profile vrouter-ikev1-isakmp-profile
    switch(conf-isa-prof)#keyring vrouter-keyring
    switch(conf-isa-prof)#match identity address 1.0.0.2 255.255.255.255
    switch(conf-isa-prof)#local-address GigabitEthernet2
  5. Create the IPsec transform-set configuration settings. The transform-set defines the encryption and hash algorithm for the child/IPsec SA. This example creates a transform-set with AES cipher for the ESP encryption and SHA1 for the authentication. The mode for the IPsec is set to transport mode.
    
    switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
    switch(cfg-crypto-trans)#mode transport
  6. Create the IPsec profile which includes the transform-set, SA idle time, lifetime, and replay windows used to create the child SA.
    
    switch(config)#crypto ipsec profile vrouter-ikev1-ipsec-profile
    switch(ipsec-profile)#set security-association idle-time 3600
    switch(ipsec-profile)#set security-association dummy seconds 3600
    switch(ipsec-profile)#set transform-set vrouter-tset
    switch(ipsec-profile)#set isakmp-profile vrouter-ikev1-isakmp-profile
  7. Configure the WAN interface as the underlying interface for the tunnel. To be able to route packets, the tunnel is given an L3 IP address.
    
    switch(config)#interface GigabitEthernet2
    switch(config-if)#ip address 1.0.0.2 255.255.255.0
    switch(config-if)#mtu 9001
    switch(config-if)#negotiation auto
  8. Apply the IPsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures the tunnel interface to use IPsec.
    
    switch(config-if)#exit
    switch(config)#interface Tunnel0
    switch(config-if)#ip address 1.0.3.1 255.255.255.0
    switch(config-if)#tunnel source 1.0.0.2
    switch(config-if)#tunnel destination 1.0.0.1
    switch(config-if)#tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
    switch(config-if)#exit
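
Steps 2 through 8 tie the keyring, ISAKMP profile, transform-set and IPsec profile together by name, so a single misspelled name leaves a reference pointing at an object that was never defined. The following check is an added example, not part of the original procedure or of any Arista or Cisco tooling: it reads a pasted CSR session and reports names that are referenced but never defined. The function name `dangling_references`, the regular expressions (which cover only the commands used on this page) and the sample session are assumptions made for illustration.

```python
import re

# Commands that define a named crypto object.
DEFS = [
    ("keyring", r"crypto keyring (\S+)"),
    ("isakmp-profile", r"crypto isakmp profile (\S+)"),
    ("transform-set", r"crypto ipsec transform-set (\S+)"),
    ("ipsec-profile", r"crypto ipsec profile (\S+)"),
]
# Commands that refer to an object defined elsewhere in the configuration.
REFS = [
    ("keyring", r"keyring (\S+)"),
    ("transform-set", r"set transform-set (\S+)"),
    ("isakmp-profile", r"set isakmp-profile (\S+)"),
    ("ipsec-profile", r"tunnel protection ipsec profile (\S+)"),
]
# Matches CLI prompts such as "switch#" or "switch(conf-isa-prof)#".
PROMPT = re.compile(r"^[\w-]+(\([^)]*\))?#\s*")

# Constructed sample: commands from the steps above, with the
# "set isakmp-profile" reference deliberately misspelled.
SAMPLE = """\
switch(config)#crypto keyring vrouter-keyring
switch(config)#crypto isakmp profile vrouter-ikev1-isakmp-profile
switch(conf-isa-prof)#keyring vrouter-keyring
switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
switch(config)#crypto ipsec profile vrouter-ikev1-ipsec-profile
switch(ipsec-profile)#set transform-set vrouter-tset
switch(ipsec-profile)#set isakmp-profile vroute-ikev1-isakmp-profile
switch(config)#interface Tunnel0
switch(config-if)#tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
"""


def dangling_references(config_text):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    defined, referenced = set(), set()
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())  # drop the CLI prompt, keep the command
        for table, bucket in ((DEFS, defined), (REFS, referenced)):
            for kind, pattern in table:
                match = re.match(pattern, line)  # anchored at start of the command
                if match:
                    bucket.add((kind, match.group(1)))
    return sorted(referenced - defined)


if __name__ == "__main__":
    for kind, name in dangling_references(SAMPLE):
        print(f"undefined {kind}: {name}")
```
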