IKEv1 Configuration
The CSR configuration to create a GRE over IPsec tunnel is similar to the CloudEOS and vEOS Router setup using IKE version 1.
To ensure that the vEOS Router can establish a tunnel with the CSR, the vEOS Router must be set to IKE version 1 as follows:
switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
-
Enter the configuration terminal mode to configure IPsec.
switch#config terminal
-
Configure a pre-shared key so that the vEOS Router and the CSR can
authenticate each other. Create a keyring to hold the keys.
switch(config)#crypto keyring vrouter-keyring
switch(conf-keyring)#pre-shared-key address 1.0.0.2 key arista
-
Create an ISAKMP policy. The policy's function is to negotiate
with the peer to establish IKE Phase 1. In the example below, a policy with
AES256 encryption is created with the following parameters: SHA1 hash,
DH group 15, pre-shared key authentication, and a lifetime of 28800 seconds.
switch(config)#crypto isakmp policy 1
switch(config-isakmp)#encr aes 256
switch(config-isakmp)#hash sha
switch(config-isakmp)#authentication pre-share
switch(config-isakmp)#group 15
switch(config-isakmp)#lifetime 28800
-
Create an ISAKMP profile associated with the vEOS Router. The profile matches
the vEOS Router's outside IP address and references the keyring created earlier
to identify the pre-shared secret.
switch(config)#crypto isakmp profile vrouter-ikev1-isakmp-profile
switch(conf-isa-prof)#keyring vrouter-keyring
switch(conf-isa-prof)#match identity address 1.0.0.2 255.255.255.255
switch(conf-isa-prof)#local-address GigabitEthernet2
-
Create the IPsec transform-set. The transform-set defines the encryption
and hash algorithms for the child (IPsec) SA. This example creates a
transform-set with the AES cipher (256-bit) for ESP encryption and SHA1 HMAC
for authentication. The IPsec mode is set to transport mode.
switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
switch(cfg-crypto-trans)#mode transport
-
Create the IPsec profile, which binds together the transform-set, the SA idle
time, the lifetime, and the replay window used to create the child SA. The
profile must reference the ISAKMP profile by the exact name created earlier.
switch(config)#crypto ipsec profile vrouter-ikev1-ipsec-profile
switch(ipsec-profile)#set security-association idle-time 3600
switch(ipsec-profile)#set security-association dummy seconds 3600
switch(ipsec-profile)#set transform-set vrouter-tset
switch(ipsec-profile)#set isakmp-profile vrouter-ikev1-isakmp-profile
-
Configure the WAN interface as the underlying interface for the
tunnel. To be able to route packets, the interface is given an L3 IP address.
switch(config)#interface GigabitEthernet2
switch(config-if)#ip address 1.0.0.2 255.255.255.0
switch(config-if)#mtu 9001
switch(config-if)#negotiation auto
-
Apply the IPsec profile to a tunnel interface. The example creates
a tunnel interface (Tunnel0) and configures the
tunnel interface to use IPsec.
switch(config-if)#exit
switch(config)#interface Tunnel0
switch(config-if)#ip address 1.0.3.1 255.255.255.0
switch(config-if)#tunnel source 1.0.0.2
switch(config-if)#tunnel destination 1.0.0.1
switch(config-if)#tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
switch(config-if)#exit
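The steps above build a chain of named objects (keyring, ISAKMP profile, transform-set, IPsec profile, tunnel interface), and a single mistyped name or a peer address that the identity match does not cover leaves the tunnel silently stuck in Phase 1. The following added example, which is not Arista's or Cisco's code, parses an IOS-style rendering of that configuration and checks that every reference resolves and that the tunnel destination is covered by the ISAKMP profile's identity match and keyring entry. The sample configuration is constructed from the steps above rather than exported from a device; it assumes the tunnel destination 1.0.0.1 as the peer address in the keyring and identity match, and plants one defect on purpose: the IPsec profile references `vroute-ikev1-isakmp-profile` while the ISAKMP profile is named `vrouter-ikev1-isakmp-profile`. The names `parse_sections`, `check_config` and `covers` are the example's own.

```python
"""Consistency checks for the CSR IKEv1/IPsec tunnel configuration built above."""
import ipaddress

# Constructed sample (assembled from the steps above, not a device export).
# Planted defect: the IPsec profile references "vroute-ikev1-isakmp-profile".
SAMPLE_CONFIG = """
crypto keyring vrouter-keyring
 pre-shared-key address 1.0.0.1 key arista
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 15
 lifetime 28800
crypto isakmp profile vrouter-ikev1-isakmp-profile
 keyring vrouter-keyring
 match identity address 1.0.0.1 255.255.255.255
 local-address GigabitEthernet2
crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile vrouter-ikev1-ipsec-profile
 set transform-set vrouter-tset
 set isakmp-profile vroute-ikev1-isakmp-profile
interface GigabitEthernet2
 ip address 1.0.0.2 255.255.255.0
interface Tunnel0
 ip address 1.0.3.1 255.255.255.0
 tunnel source 1.0.0.2
 tunnel destination 1.0.0.1
 tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
"""


def parse_sections(text):
    """Group IOS-style config into {section header: [indented child lines]}."""
    sections, current = {}, None
    for raw in (r for r in text.splitlines() if r.strip()):
        if not raw[0].isspace():          # an unindented line opens a new section
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def defined(sections, prefix):
    """Names of all objects whose section header starts with prefix."""
    return {h[len(prefix):].split()[0] for h in sections if h.startswith(prefix)}


def child(lines, prefix):
    """Text after prefix on the first child line that starts with it, else None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def covers(tokens, addr):
    """True if addr lies in the 'A [mask]' range given by tokens (host mask if absent)."""
    mask = tokens[1] if len(tokens) > 1 and tokens[1] != "key" else "255.255.255.255"
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False)


def check_config(text):
    """Return a list of findings; an empty list means every reference resolves."""
    s, findings = parse_sections(text), []
    keyrings = defined(s, "crypto keyring ")
    isakmp_profiles = defined(s, "crypto isakmp profile ")
    tsets = defined(s, "crypto ipsec transform-set ")
    ipsec_profiles = defined(s, "crypto ipsec profile ")
    # Addresses of non-tunnel interfaces: valid choices for "tunnel source".
    local_addrs = {child(l, "ip address ").split()[0] for h, l in s.items()
                   if h.startswith("interface ") and not h.startswith("interface Tunnel")
                   and child(l, "ip address ")}
    for header, lines in s.items():
        if header.startswith("crypto isakmp profile "):
            kr = child(lines, "keyring ")
            if kr not in keyrings:
                findings.append(f"{header}: keyring '{kr}' is not defined")
        elif header.startswith("crypto ipsec profile "):
            ts, ip = child(lines, "set transform-set "), child(lines, "set isakmp-profile ")
            if ts not in tsets:
                findings.append(f"{header}: transform-set '{ts}' is not defined")
            if ip not in isakmp_profiles:
                findings.append(f"{header}: isakmp-profile '{ip}' is not defined")
    for header, lines in s.items():
        if not header.startswith("interface Tunnel"):
            continue
        src, dst = child(lines, "tunnel source "), child(lines, "tunnel destination ")
        prof = child(lines, "tunnel protection ipsec profile ")
        if src not in local_addrs:
            findings.append(f"{header}: tunnel source {src} is not a local interface address")
        if prof not in ipsec_profiles:
            findings.append(f"{header}: ipsec profile '{prof}' is not defined")
            continue
        isakmp = child(s[f"crypto ipsec profile {prof}"], "set isakmp-profile ")
        if isakmp not in isakmp_profiles or dst is None:
            continue                      # dangling isakmp-profile was reported above
        ident = child(s[f"crypto isakmp profile {isakmp}"], "match identity address ")
        kr = child(s[f"crypto isakmp profile {isakmp}"], "keyring ")
        psk = child(s[f"crypto keyring {kr}"], "pre-shared-key address ") if kr in keyrings else None
        if ident and not covers(ident.split(), dst):
            findings.append(f"{header}: peer {dst} is not matched by isakmp profile {isakmp}")
        if psk is None or not covers(psk.split(), dst):
            findings.append(f"{header}: keyring '{kr}' holds no pre-shared key for peer {dst}")
    return findings
```

Running `check_config(SAMPLE_CONFIG)` reports the one dangling `isakmp-profile` reference; after correcting the name (`SAMPLE_CONFIG.replace("vroute-ikev1", "vrouter-ikev1")`) the list is empty. The peer-coverage checks use the `match identity address` and `pre-shared-key address` masks the same way the CSR does, so a keyring entry or identity match written for the wrong side of the link shows up before the first `show crypto isakmp sa` on a real device.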