ipsec Support

The veos router provides robust support for the use of ipsec to establish and maintain ipsec tunnels for secure or encrypted communications between virtual router peer instances as well as virtual peer instances to non-virtual routers.

The veos router supports the use of ipsec to:
  • Secure the communications between veos router instances.
  • Secure the communications between veos router instances and third party virtual router instances.
Note: For the latest information on the types of virtual routers that can share ipsec tunnels with veos router, see the veos router Release Notes.

Supported Tunnel Types

 

The cloudeos and veos router supports the use of two basic types of ipsec tunnels. The tunnel types are determined based on the encapsulation mode.

The supported tunnel types are:

GRE-over-ipsec

  • In GRE-over-ipsec encapsulation mode, the application payload is first encapsulated within a GRE packet. ipsec then encrypts the GRE packet, which results in the packet being encapsulated and encrypted by the ipsec header.
  • Select this encapsulation type by specifying tunnel mode gre for the tunnel interface to which the ipsec profile is applied. This ensures that the packets forwarded on the interface are encrypted.
  • When using GRE-over-ipsec encapsulation mode, both ipsec mode options are supported (select either transport or tunnel).

VTI ipsec

  • In VTI encapsulation mode, the application payload is directly encapsulated and encrypted by the ipsec header.
  • Select this encapsulation type by specifying tunnel mode ipsec for the tunnel interface to which the ipsec profile is applied. This ensures that the packets forwarded on the interface are encrypted.
  • When using VTI encapsulation mode, set the ipsec mode to tunnel. The transport option under the ipsec mode has no effect.

Requirements when Behind a NAT

 

The cloudeos and veos router supports the use of NAT-Traversal to communicate with the remote peer behind a NAT. Configure the tunnel source with the outgoing interface IP address on the router.

Flow Parallelization
To achieve high throughput over an ipsec connection, enable the ipsec flow parallelization feature. When the feature is enabled, multiple cores are used to parallelize the ipsec encryption and decryption processing. To enable this feature, include the flow parallelization encapsulation udp command in the ipsec profile configuration.
Note: The feature must be enabled on both sides of the tunnel. Other vendors do not support Flow Parallelization.
Note: This feature should be used with GRE over ipsec.

If the ipsec session is established without the feature enabled, complete the following tasks:

  • Under the ipsec profile for the tunnel use the flow parallelization encapsulation udp command to enable the feature.
  • Shutdown the tunnel on the tunnel interface.
  • Bring the tunnel back up on the tunnel interface. After it is up, this enables the feature.

Using ipsec on cloudeos and veos router Instances

The cloudeos and veos router establishes and maintains GRE-over-ipsec and VTI ipsec tunnels for the secure or encrypted communications between peer cloudeos and veos router instances.

Topology

Use the veos router to establish and maintain ipsec tunnels between peer veos router instances in different topologies of varying complexity.

The diagram below represents a basic ipsec tunnel configuration in which veos router instances are using an ipsec tunnel.

Figure 1. veos router Instance Using a Basic ipsec Tunnel

The veos router establishes and maintains ipsec tunnels for secure or encrypted communications between veos router instances and third party devices peer router instances.

The basic process for establishing secure communications using ipsec involves the following tasks:
  • Creating IKE Policy for establishing IKE with the peer.
  • Specifying the encryption, integrity protocols for the Security Association (SA) Policy.
  • Apply IKE and SA policies to a given profile.
  • Apply the profile to a tunnel interface.

Configuring ipsec Tunnels on cloudeos and veos router Instances

Use this procedure to configure GRE-over-ipsec or VTI ipsec tunnels on peer cloudeos and veos router instances.

The procedure provides all of the steps required to set up either GRE-over-ipsec or VTI ipsec tunnels. Most of the steps are the same for both tunnel types (steps 1 through 6 are the same). Step 7 is the step to select the tunnel type.

Note:cloudeos and veos router by default uses IKE version 2 for all ipsec tunnels. To configure a tunnel that uses IKE version 1, explicitly configure the cloudeos and veos router to use IKE version 1.

Procedure

Complete the following steps to configure GRE-over-ipsec or VTI ipsec tunnels on cloudeos and veos router instances. This configuration will be the default IKE version 2 procedure.

  1. Use this command to enter IP security mode.
    switch(config)#ip security
  2. To use IKE version 1, complete the following before completing the default IKE version the steps below.
    switch(config)#ip security
    switch(config-ipsec)#ike policy ike-peerRtr
    switch(config-ipsec-ike)#version 1
  3. Create an IKE Policy to be used to communicate with the peer to establish IKE. You have the option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption- AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    switch(config-ipsec)#ike policy ike-vrouter 
    switch(config-ipsec-ike)#encryption aes256 
    switch(config-ipsec-ike)#integrity sha256 
    switch(config-ipsec-ike)#dh-group 24
    switch(config-ipsec-ike)#version 2 
  4. If the router is behind a NAT, configure the local-id with the local public IP address. The public IP corresponds to the underlying interface over which the IKE communications are done with the peer.
    switch(config-ipsec-ike)#local-id <public ip address>
  5. Create an ipsec Security Association policy to be used in the data path for encryption and integrity. Use the option of enabling Perfect Forward Secrecy by configuring a DH group to the SA.
    In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    switch(config-ipsec)#sa policy sa-vrouter 
    switch(config-ipsec-sa)#esp encryption aes256 
    switch(config-ipsec-sa)#esp integrity sha256 
    switch(config-ipsec-sa)#pfs dh-group 14 
    switch(config-ipsec-sa)#sa lifetime 2 
    switch(config-ipsec-sa)#exit
  6. Bind or associate the IKE and SA policies together using an ipsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles.
    In this example, tunnel mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer peer-Rtr is set to be the responder.
    switch(config-ipsec)#profile default
    switch(config-ipsec-profile)#ike-policy ikedefault
    switch(config-ipsec-profile)#sa-policy sadefault
    switch(config-ipsec-profile)#shared-key arista
    switch(config-ipsec)#profile vrouter
    switch(config-ipsec-profile)#ike-policy ike-vrouter
    switch(config-ipsec-profile)#sa-policy sa-vrouter
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection add
    switch(config-ipsec-profile)#mode transport
  7. Configure the WAN interface to be the underlying interface for the tunnel. You must specify an L3 address for the tunnel. If you do not, the veos router cannot route packets using the tunnel.
    switch(config)#interface Et1 
    switch(config-if-Et1)#no switchport
    switch(config-if-Et1)#ip address 1.0.0.1/24 
    switch(config-if-Et1)#mtu 1500
  8. Apply the ipsec profile to a new tunnel interface. You create the new tunnel interface as part of this step. You can choose to configure the tunnel as a GRE-over-ipsec tunnel, or a VTI ipsec tunnel.
    (GRE-over-ipsec):In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use ipsec, and the tunnel mode is set to GRE. The other end of the tunnel also needs to be configured as a GRE-over-ipsec tunnel.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#tunnel mode gre 
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2 
    switch(config-if-Tu0)#tunnel ipsec profilevrouter
    
    (VTI ipsec): To configure a VTI ipsec tunnel, you need to set the tunnel mode to tunnel mode ipsec. The other tunnel element settings are the same as the settings for GRE-over-ipsec.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#tunnel mode ipsec 
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    Optional Steps
    To move the tunnel interface to a different VRF, complete step 9. To achieve high throughput, complete step 10.
  9. Create the GRE-over-ipsec tunnel interface in a VRF using the vrf forwarding command. If a VRF is needed, create one then create and configure the GRE tunnel interface. If tunnels in different VRFs need to share the ipsec connection, configure the same tunnel source, destination, ipsec profile, and a unique tunnel key for each tunnel.
    Note: If tunnels in different VRFs need to share the ipsec connection, specify the same source, destination, and ipsec profile.
    switch(config)#vrf definition red
    switch(config-vrf-red)#rd 1:3 
    switch(config-vrf-red)#interface tunnel0
    switch(config-if-Tu0)#tunnel key 100
    switch(config-if-Tu0)#vrf forwarding red 
    switch(config-if-Tu0)#ip address 1.0.3.1/24
    switch(config-if-Tu0)#mtu 1394
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2
    switch(config-if-Tu0)#tunnel key 100 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    switch(config)#vrf definition blue 
    switch(config-vrf-blue)#rd 1:4 
    switch(config-vrf-blue)#interface tunnel1
    switch(config-if-Tu1)#tunnel key 200
    switch(config-if-Tu1)#vrf forwarding blue 
    switch(config-if-Tu1)#ip address 1.0.4.1/24
    switch(config-if-Tu1)#tunnel mode gre 
    switch(config-if-Tu1)#mtu 1394
    switch(config-if-Tu1)#tunnel source 1.0.0.1
    switch(config-if-Tu1)#tunnel destination 1.0.0.2
    switch(config-if-Tu1)#tunnel ipsec profile vrouter 
  10. Enable the ipsec flow parallelization feature to achieve high throughput over the ipsec tunnel. To enable the feature, include the flow parallelization encapsulation udp command in the ipsec profile configuration. Then, apply the ipsec profile configuration to the tunnel interface.
    (ipsec profile configuration)
    switch(config-ipsec)#profile vrouter
    switch(config-ipsec-profile)#ike-policy ike-vrouter
    switch(config-ipsec-profile)#sa-policy sa-vrouter
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection start
    switch(config-ipsec-profile)#mode transport
    switch(config-ipsec-profile)#flow parallelization encapsulation udp
    Example: (Applying ipsec profile to tunnel interface)
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    Note: Repeat step 9 on the other end of the tunnel. The ipsec flow parallelization feature must be enabled on both end of the tunnel.

Examples of Running-configurations for GRE-over-ipsec Tunnels

 

The following examples show the running configurations for two cloudeos and veos router instances (cloudeos and veos1 and cloudeos and veos2). The instances are the tunnel endpoints of a GRE-over-ipsec tunnel.

Running Configuration for cloudeos and veos1

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq 
dpd 10 50 clear
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode gre
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!
interface Ethernet1 
no switchport
ip address 1.0.0.1/24
!

Running Configuration for cloudeos and veos2

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
ike policy ikebranch2
dh-group 15
version 1
local-id 200.0.0.1
!
ike policy ikedefault
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1 
connection start
shared-key keyAristaHq
dpd 10 50 clear
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.2/24 
tunnel mode gre 
tunnel source 1.0.0.2
tunnel destination 1.0.0.1
tunnel ipsec profile hq
!
interface Ethernet2 
no switchport
ip address 1.0.0.2/24
!

Examples of Running-configurations for VTI ipsec Tunnels

The following examples show the running configurations for two cloudeos and veos router instances (cloudeos and veos1 and cloudeos and veos2). The instances are the tunnel endpoints of a VTI ipsec tunnel.

Running Configuration for cloudeos and veos1

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq
dpd 10 50 clear
!
interface Ethernet1
no switchport
ip address 1.0.0.1/24
!
interface Management1
ip address dhcp
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode ipsec
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!

Running Configuration for cloudeos and veos2

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
ike policy ikebranch2
dh-group 15
version 1
local-id 200.0.0.1
!
ike policy ikedefault
!
sa policy sabranch1
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection start
shared-key keyAristaHq
dpd 10 50 clear
!
interface Ethernet2 
no switchport
ip address 1.0.0.2/24
!
interface Management1 ip address dhcp
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.2/24 
tunnel mode ipsec 
tunnel source 1.0.0.2
tunnel destination 1.0.0.1
tunnel ipsec profile hq
!

Using ipsec on cloudeos and veos and Third Party Devices

The cloudeos and veos router establishes and maintains ipsec tunnels for secure or encrypted communications between cloudeos and veos router instances and third party devices peer router instances.

The basic process for establishing secure communications using ipsec involves these tasks:
  • Creating IKE Policy for establishing IKE with the peer.
  • Specifying the encryption, integrity protocols for the Security Association (SA) Policy.
  • Apply IKE and SA policies to a given profile.
  • Apply the profile to a tunnel interface.

Topology

Use the veos router to establish and maintain ipsec tunnels between veos router instances and third party router instances in different topologies of varying complexity.

The following diagram represents a basic ipsec tunnel configuration in where a veos router instance and a third party router instance is connected using an ipsec tunnel.

Figure 2. ipsec Interoperability

Interoperability Support

The cloudeos and veos router establishes and maintains ipsec tunnels for the secure or encrypted communications between cloudeos and veos router instances and third party device peer router instances.

Below lists the types of ipsec tunnels to set up between cloudeos and veos router instances and third party virtual router instances.
  • Palo Alto Firewall VM
    • Set up these types of ipsec tunnels between cloudeos and veos router instances and Palo Alto firewall VM router instances.
      • VTI ipsec
  • CSR
    • Set up these types of ipsec tunnels between cloudeos and veos router instances and CSR router instances.
      • GRE-over-ipsec
      • VTI ipsec
  • AWS VPN Specific Cloud
    • Set up these types of ipsec tunnels between cloudeos and veos router instances and AWS VPN Specific Cloud router instances.
      • VTI ipsec
  • vSRX
    • Set up these types of ipsec tunnels between cloudeos and veos router instances and vSRX router instances.
      • VTI ipsec
Note: See Supported Tunnel Types for descriptions of the GRE-over-ipsec and VTI ipsec tunnel types.

cloudeos and veos router and Palo Alto Firewall VM

 

The cloudeos and veos router establishes and maintains ipsec tunnels for secure or encrypted communications between cloudeos and veos router instances and third party device peer router instances.

cloudeos and veos router Configuration

 

Use this procedure to configure GRE-over-ipsec tunnels on a cloudeos and veos router instance. Once the procedure is complete, configure the other tunnel end-point on the third party peer router.

Note:The cloudeos and veos router by default uses IKE version 2 for all ipsec tunnels. If you want to configure a GRE-over-ipsec tunnel that uses IKE version 1, explicitly configure the cloudeos and veos router to use IKE version 1.

Procedure

Complete the following steps to configure the cloudeos and veos router instance to share a GRE-over ipsec tunnel.

To use IKE version 1, complete the section below, then continue with the following steps. To use the default version IKE version 2, begin with Step 1 below.
switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
  1. Use this command to enter IP security mode.
    switch(config)#ip security
  2. Create an IKE Policy used to communicate with the peer to establish IKE Phase 1. There is an option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    switch(config-ipsec)#ike policy ike-vrouter 
    switch(config-ipsec-ike)#encryption aes256 
    switch(config-ipsec-ike)#integrity sha256 
    switch(config-ipsec-ike)#dh-group 24
    switch(config-ipsec-ike)#version 2 
    switch(config-ipsec-ike)#exit
    switch(config-ipsec)#ike policy ike-default 
    switch(config-ipsec-ike)#version 2 
    switch(config-ipsec-ike)#exit
  3. If the router is behind a NAT, configure the local-id with the local public IP address.
    switch(config-ipsec-ike)#local-id <public ip address>
  4. Create an ipsec Security Association policy used in the data path for encryption and integrity. The is an option of enabling Perfect Forward Secrecy by configuring a DH group to the SA.
    In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    switch(config-ipsec)#sa policy sa-vrouter 
    switch(config-ipsec-sa)#esp encryption aes256 
    switch(config-ipsec-sa)#esp integrity sha256 
    switch(config-ipsec-sa)#pfs dh-group 14 
    switch(config-ipsec-sa)#sa lifetime 2 
    switch(config-ipsec-sa)#exit
    switch(config-ipsec)#sa policy sa-default 
    switch(config-ipsec-sa)#exit
  5. Bind or associate the IKE and SA policies together using a ipsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles.
    In this example, tunnel mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer (peer-Rtr) is set to be the responder.
    switch(config-ipsec)#profile default
    switch(config-ipsec-profile)#ike-policy ikedefault
    switch(config-ipsec-profile)#sa-policy sadefault
    switch(config-ipsec-profile)#shared-key arista
    
    switch(config-ipsec)#profile peer-Rtr
    switch(config-ipsec-profile)#ike-policy ike-peerRtr
    switch(config-ipsec-profile)#sa-policy sa-peerRtr
    switch(config-ipsec-profile)#dpd 10 50 clear
    switch(config-ipsec-profile)#connection add
    switch(config-ipsec-profile)#mode transport
  6. Configure the WAN interface to be the underlying interface for the tunnel. Specify an L3 address for the tunnel. If the L3 address is not specified, the veos router cannot route packets using the tunnel.
    switch(config)#interface Et1 
    switch(config-if-Et1)#no switchport
    switch(config-if-Et1)#ip address 1.0.0.1/24 
    switch(config-if-Et1)#mtu 1500
  7. Apply the ipsec profile to a new tunnel interface. Create the new tunnel interface as part of this step.
    In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use ipsec, and the tunnel mode is set to GRE. Configure the other end of the tunnel also as a GRE-over-ipsec tunnel.
    switch(config)#interface tunnel0
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#tunnel mode gre 
    switch(config-if-Tu0)#mtu 1400
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
  8. Create the GRE-over-ipsec tunnel interface in a VRF using the vrf forwarding command. Create the VRF, if needed, then create and configure the GRE tunnel interface. Make sure to specify the tunnel key that is unique across all tunnels.
    Note: If tunnels in different VRFs need to share the ipsec connection, specify the same source, destination, and ipsec profile.
    switch(config)#vrf definition red
    switch(config-vrf-red)#rd 1:3 
    switch(config-vrf-red)#interface tunnel0 
    switch(config-if-Tu0)#ip address 1.0.3.1/24 
    switch(config-if-Tu0)#vrf forwarding red 
    switch(config-if-Tu0)#tunnel mode gre 
    switch(config-if-Tu0)#mtu 1400
    switch(config-if-Tu0)#tunnel source 1.0.0.1
    switch(config-if-Tu0)#tunnel destination 1.0.0.2
    switch(config-if-Tu0)#tunnel key 100 
    switch(config-if-Tu0)#tunnel ipsec profile vrouter
    
    switch(config)#vrf definition blue 
    switch(config-vrf-blue)#rd 1:4 
    switch(config-vrf-blue)#interface tunnel1 
    switch(config-if-Tu1)#ip address 1.0.4.1/24 
    switch(config-if-Tu1)#vrf forwarding blue 
    switch(config-if-Tu1)#tunnel mode gre 
    switch(config-if-Tu1)#mtu 1400
    switch(config-if-Tu1)#tunnel source 1.0.0.1
    switch(config-if-Tu1)#tunnel destination 1.0.0.2
    switch(config-if-Tu1)#tunnel key 200 
    switch(config-if-Tu1)#tunnel ipsec profile vrouter
    
  9. Configure the GRE-over-ipsec tunnel on the peer router.

Configuring VTI ipsec Tunnels

The cloudeos and veos router gives the ability to configure VTI ipsec tunnels between a cloudeos and veos router instance and a third party peer router instance (such as a Palo Alto firewall VM). First, complete the set up of the tunnel on the cloudeos and veos router instance, then set up the other end of the tunnel on the third party peer router instance.

Palo Alto Firewall VM Configuration

Use this configuration when pairing a Palo Alto firewall VM instance and cloudeos and veos router instance as tunnel endpoints of an ipsec VTI ipsec tunnel.

Note: Refer to the Palo Alto firewall VM documentation for configuration details, including the different interfaces to use to complete the configuration and all the parameters and options.

Supported Tunnel Types

Set up ipsec VTI tunnels when using the Palo Alto firewall VM as a peer router instance with a cloudeos and veos router instance. ipsec GRE-over-ipsec tunnels using this combination of router instances as peers is not permitted.

Configuration Guidelines

The following are guidelines to follow when configuring the Palo Alto firewall VM.

  • IP address settings.

    Configure the first interface to be configured (typically named eth0), as the management interface. Use the public IP address on this interface to open the GUI of the Palo Alto firewall VM.

  • Management interface.

    Use this interface only for control plane traffic.

  • Management profile.

    When configuring the profile, select all of the protocols allowed on the management interface.

Procedure

  1. Create a new management profile. Select all of the protocols allowed on the management interface.
  2. Create a new tunnel interface and specify the following parameters.
    • Name: (for example, tunnel 1.)
    • virtual router: (Select the existing virtual router.)
    • Security Zone: (Select the layer 3 internal zone, which is the zone from which the traffic originates.)
    • IP address: (Tunnel IP address.)
  3. Add a new IKE Crypto profile and specify the IKE options.
    Note: Make sure the settings match the IKE settings on the other end of the tunnel (the cloudeos and veos router instance). This setting ensures that the IKE negotiation is successful.
    • Name: (can be any name.)
    • virtual router: (Select the existing virtual router.)
    • Security Zone: (Select the layer 3 internal zone, which is the zone from which the traffic originates.)
    • IP address: (Tunnel IP address.)
  4. Configure the IKE gateway.
    Note: Make sure the pre-shared key matches the key defined on the other end of the tunnel (the cloudeos and veos router instance).
  5. Add a new IKE Crypto profile for the IKE options.
    Note: Make sure the settings match the IKE settings on the other end of the tunnel (the cloudeos and veos router instance). This setting ensures that the IKE negotiation of ipsec SAs is successful.
  6. Create a new ipsec tunnel, and select the tunnel interface, IKE gateway, IKE crypto profile, and IKE crypto profile defined earlier in the procedure. Selecting these elements binds them to the new tunnel interface.
    Note: Enter the destination IP address of the tunnel interface of the cloudeos and veos router in the Destination IP option (one of the Tunnel Monitor settings on the Palo Alto firewall VM).
  7. Create a new static route for the network that is behind the remote tunnel endpoint. This new static route ensures that the traffic flows through the tunnel to the other tunnel endpoint.
  8. Commit (save) the configuration.
cloudeos and veos and Palo Alto Firewall VM Pairing (VTI ipsec Tunnel)

 

The following example shows a VTI ipsec tunnel between a cloudeos and veos router instance and a third party Palo Alto firewall VM router instance.

Running Configuration for cloudeos and veos1
ip security
ike policy ikebranch1
integrity sha256 
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
ike-policy ikebranch1 
sa-policy sabranch1 
connection add
shared-key keyAristaHq 
dpd 10 50 clear
!
interface Ethernet1 
no switchport
ip address 1.0.0.1/24
!
interface Management1 
ip address dhcp
!

interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode ipsec 
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!
Running Configuration on Palo Alto Firewall VM
"ike": {
 "crypto-profiles": {
"ike-crypto-profiles": [
 {
"@name": "veos12-IKE-Phase1",
"hash": {
 "member": "sha512"
},
"dh-group": {
 "member": "group20"
},
"encryption": {
 "member": "aes-256-cbc"
},
"lifetime": {
 "hours": "8"
}
 }
]

 "ipsec-crypto-profiles": [
 {
"@name": "veos12-ipsec-Phase2",
"esp": {
 "authentication": {
"member": "sha256"
 },
 "encryption": {
"member": "aes-256-cbc"
 }
},
"lifetime": {
 "hours": "2"
},
"dh-group": "group20"
 }

"gateway": {
"entry": {
 "@name": "veos12-IKE-gateway",
 "authentication": {
"pre-shared-key": {
 "key": "-AQ==ocHnGzxJ4JVLomPyHuZNlg84S7I=BCiu0HIvFeFOSQOx/gmhNQ=="
}
 },
 "protocol": {
"ikev1": {
 "dpd": {
"enable": "yes",
"interval": "100",
"retry": "100"
 },
 "ike-crypto-profile": "veos12-IKE-Phase1"
},
"ikev2": {
 "dpd": {
"enable": "yes"
 },
 "ike-crypto-profile": "veos12-IKE-Phase1"
},
"version": "ikev2-preferred"
 }

 "tunnel": {
 "ipsec": {
"entry": {
 "@name": "veos12-ipsec-Tunnel",
 "auto-key": {
"ike-gateway": {
 "entry": {
"@name": "veos12-IKE-gateway"
 }
},
"ipsec-crypto-profile": "veos12-ipsec-Phase2"
 },
 "tunnel-monitor": {
"enable": "yes",
"destination-ip": "1.0.3.1",
"tunnel-monitor-profile": "Test"
 },
 "tunnel-interface": "tunnel.1",
 "disabled": "no"
}
 }
}
 }
cloudeos and veos router Configuration

Use this procedure to configure VTI ipsec tunnels on an Arista router instance. Complete the procedure, then configure the other tunnel endpoint on the third party peer router.

Note: The cloudeos and veos router by default uses IKE version 2 for all ipsec tunnels. To configure a VTI ipsec tunnel that uses IKE version 1, explicitly configure the cloudeos and veos router instance to use IKE version 1.

Procedure

Complete the following steps to configure a cloudeos and veos router instance to share a VTI ipsec tunnel.

To use IKE version 1, complete the section below, then continue with the steps below. To use IKE version 2, which is the default version, start with Step 1 below.

switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
  1. Use this command to enter IP security mode.
    switch(config)#ip security
  2. Create an IKE Policy to communicate with the peer to establish IKE Phase 1 options. There is the option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    switch(config)#ip security
    switch(config-ipsec)#ike policy ike-vrouter-PA
    switch(config-ipsec)#integrity sha512 
    switch(config-ipsec)#encryption aes256
    switch(config-ipsec)#dh-group 20
  3. If the router is behind a NAT, configure the local-id with the local public IP address.
    switch(config-ipsec-ike)#local-id <public ipaddress>
  4. Create an ipsec Security Association policy in the data path for encryption and integrity. There is the option of enabling Perfect Forward Secrecy by configuring a DH group to the SA.
    In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 20).
    switch(config-ipsec)#sa policy sa-vrouter-PA
    switch(config-ipsec)#esp encryption aes256
    switch(config-ipsec)#esp integrity sha256
    switch(config-ipsec)#sa lifetime 2
    switch(config-ipsec)#pfs dh-group 20
  5. Bind or associate the IKE and SA policies together using an ipsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles.
    In this example, the IKE Policy ike-vrouter-PA and SA Policy sa-vrouter-PA are applied to profile vrouter-PA. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 30 seconds.
    switch(config-ipsec)#profile vrouter-PA
    switch(config-ipsec-profile)#ike-policy ike-vrouter-PA
    switch(config-ipsec-profile)#sa-policy sa-vrouter-PA
    switch(config-ipsec-profile)#connection start
    switch(config-ipsec-profile)#shared-key Arista1234
    switch(config-ipsec-profile)#dpd 10 30 clear
  6. Create a tunnel interface for the VTI tunnel. When tunnel mode is set to ipsec, configure a tunnel key on the veos router instance to ensure that traffic can be forwarded through the tunnel.
    switch(config)#interface Tunnel1
    switch(config-if-Tu1)#mtu 1400
    switch(config-if-Tu1)#ip address 1.0.3.1/24
    switch(config-if-Tu1)#tunnel mode ipsec
    switch(config-if-Tu1)#tunnel source 10.2.201.149
    switch(config-if-Tu1)#tunnel destination 10.3.31.30
    switch(config-if-Tu1)#tunnel ipsec profile vrouter-PA

Configure the VTI ipsec tunnel on the peer router (see Palo Alto Firewall VM Configuration).

CSR router Show Commands

Describes the available CSR router show commands and their example outputs.

Use the different show commands for CSR router instances to do the following:
  • View all Existing ISAKMP SAs
  • View all Existing ipsec SAs
  • View Crypto (Encryption) Session Details
  • View IKEv2 SAs
  • View IKEv2 SA Details

View all Existing ISAKMP SAs

Use the show crypto isakmp sa command to view the ISAKMP SAs for all existing or current ipsec connections.

Example


switch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dstsrc state conn-id status
1.0.0.11.0.0.2 QM_IDLE 1331 ACTIVE
vrouter-ikev1-isakmp-profile

IPv6 Crypto ISAKMP SA

View all Existing ipsec SAs

Use the show crypto ipsec sa command to view the ipsec SAs for all existing or current ipsec connections.

Example


switch#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr1.0.0.2

 protected vrf: (none)


 local ident (addr/mask/prot/port): 
(1.0.0.2/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): 
(1.0.0.1/255.255.255.255/47/0)
 current_peer 1.0.0.1 port 500 
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest:1f
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify:1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed:0
#pkts not decompressed: 0, #pkts decompress failed:0
#send errors 0, #recv errors 0

local crypto endpt.: 1.0.0.2, remote crypto endpt.: 
1.0.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb
GigabitEthernet2
current outbound spi: 0xCB8FB740(3415193408) 
PFS (Y/N): N, DH group: none
Dummy packet: Initializing

inbound esp sas:
spi: 0x36383677(909653623)
transform: esp-aes esp-sha-hmac , 
in use settings ={Tunnel, }
conn id: 5287, flow_id: CSR:3287, sibling_flags 
FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support: Y 
Status: ACTIVE(ACTIVE)

inbound ah sas: 

inbound pcp sas: 

outbound esp sas:
spi: 0xCB8FB740(3415193408)
transform: esp-aes esp-sha-hmac , 
in use settings ={Tunnel, }
conn id: 5288, flow_id: CSR:3288, sibling_flags 
FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support : Y 
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

View Crypto (Encryption) Session Details

Use the show crypto session detail command to view details about the crypto session for all current ipsec connections.

Example


switch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel0
Profile: vrouter-ikev1-isakmp-profile
Uptime: 00:20:23
Session status: UP-ACTIVE
Peer: 1.0.0.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.0.0.1
Desc: (none)
 Session ID: 0
 IKEv1 SA: local 1.0.0.2/500 remote 1.0.0.1/500 Active
Capabilities:(none) connid:1332 lifetime:07:39:35
 ipsec FLOW: permit 47 host 1.0.0.2 host 1.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 42 drop 0 life (KB/Sec)
4607997/2375
Outbound: #pkts enc'ed 44 drop 0 life (KB/Sec)
4607995/2375

View IKEv2 SAs

Use the show crypto ikev2 sa command to view summary information about all IKE version 2 SAs in use by existing ipsec connections.

Example


switch#show crypto ikev2 sa
IPv4 Crypto IKEv2SA

Tunnel-id Local Remotefvrf/ivrfStatus
1 3.3.3.3/500 3.3.3.1/500 none/noneREADY

Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, 
DH Grp:14, Auth sign: PSK, Auth verify: PSK
 Life/Active Time: 86400/5349 sec

IPv6 Crypto IKEv2SA

View IKEv2 SA Details

Use the show crypto ikev2 sa detailed command to view details about all IKE version 2 SAs in use by existing ipsec connections.

Example


switch#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remotefvrf/ivrfStatus
1 3.3.3.3/500 3.3.3.1/500 none/noneREADY

Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, 
DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5358 sec
CE id: 1351, Session-id: 6
Status Description: Negotiation done
Local spi: 9FA0B7B1F7746E69 Remote spi:
4B1652D32691E8AF
Local id: 3.3.3.3
Remote id: 3.3.3.1
Local req msg id: 4Remote req msg id: 8
Local next msg id:4Remote next msg id:8
Local req queued: 4Remote req queued: 8
Local window: 5Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

ipsec Show Commands

The cloudeos and veos router provides commands to view all current or established ipsec tunnels and to view all profiles currently in use by established tunnels.

The show commands are:
  • show ip security connection
  • show ip security connection detail

Examples

The example below shows the use of the show ip security connection command to view a summary of all current (established) ipsec tunnels.
switch#show ip security connection
Tunnel SourceDest Status Uptime 
Tunnel01.0.0.1 1.0.0.2Established14 minutes 

Input OutputReauth Time
589 bytes 608 bytes		 8 hours 
7 pkts36 pkts
The example below shows the use of the show ip security connection detail command to view the details for a specified ipsec tunnel.
switch#show ip security connection detail
source address 1.0.0.1, dest address 1.0.0.2
 Inbound SPI 0x672F6CC3:
request id 1, mode transport replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime config:
 softlimit 18446744073709551615 bytes, hardlimit 18446744073709551615 bytes
 softlimit 18446744073709551615 pkts, hardlimit 18446744073709551615 pkts
 expire add 0 secs, hard 0 secs
lifetime current:
 589 bytes, 7 pkts
 add time Wed Aug 17 17:50:28 2016, use time Wed Aug 17 17:50:31 2016
 Outbound SPI 0xc5f3c373:
request id 1, mode transport replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime config:
 softlimit 18446744073709551615 bytes, hardlimit 18446744073709551615 bytes
 softlimit 18446744073709551615 pkts, hardlimit 18446744073709551615 pkts
 expire add 0 secs, hard 0 secs
lifetime current:
 608 bytes, 7 pkts
 add time Wed Aug 17 17:50:28 2016, use time Wed Aug 17 17:50:31 2016
The example below shows the use of the show ip sec applied-profile command to view all profiles currently in use by established tunnels.
switch#show ip sec applied-profile 
Profile Name Interface
Arista Tunnel0

cloudeos and veos routers and CSR

 

Use this configuration process to set up GRE-over-ipsec tunnels on CSR peer routers. Procedures are provided for configuration using IKE version 1, or IKE version 2. Make sure to use the correct procedure based on the selected version of IKE.

CSR Configuration

The configuration of VTI ipsec tunnels on CSR peer router instances is almost identical to the configuration of GRE-over-ipsec tunnels on CSR peer router instances. The only difference in the configurations is tunnel mode.

For VTI ipsec tunnels, tunnel mode must be set to ipsec instead of gre (for GRE-over-ipsec tunnels, tunnel mode must be set to gre.)

This example shows a basic VTI ipsec tunnel configuration for a CSR peer router instance.

Example

switch(config)#interface Tunnel0
switch(config-if)#ip address 1.0.3.1 255.255.255.0 
switch(config-if)#tunnel source 10.3.31.30 
switch(config-if)#tunnel destination 10.2.201.149 
switch(config-if)#tunnel mode ipsec ipv4 
switch(config-if)#tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
Note: Make sure you use the correct procedure based on the version of IKE you need to use.

Sharing ipsec Connections

On CSR, the user can configure multiple GRE tunnels to use the same ipsec connection.

The user needs to add an extra shared keyword after the profile name on every tunnel interface that is to be shared.
switch(config)#interface Tunnel0
switch(config-if)#tunnel protection ipsec profile vrouter-ikev2-ipsec-profile shared
switch(config-if)#exit

IKEv1 Configuration

The CSR configuration to create a GRE over ipsec tunnel is similar the cloudeos and veos router setup using ikev1 version.

To ensure that the v EOS router can establish a tunnel with CSR, it needs to set the ikev1 version as follows:

switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
  1. Enter the configuration terminal mode to configure ipsec.
    switch#config terminal
  2. Configure a pre-shared key for the veos router and CSR to authenticate each other. Create a keyring to hold the keys.
    switch(config)#crypto keyring vrouter-keyring
    switch(conf-keyring)#pre-shared-key address 1.0.0.2 key arista
  3. Create an ISAKMP policy. The policy's function is to communicate with the peer to establish IKE Phase 1. In the example below, a policy with AES256 is created with the following parameters: SHA1, DH group 15, authentication pre-share, and a lifetime of 28800 seconds.
    switch(config)#crypto isakmp policy 1
    switch(config-isakmp)#encr aes 256
    switch(config-isakmp)#hash sha
    switch(config-isakmp)#authentication pre-share
    switch(config-isakmp)#group 15
    switch(config-isakmp)#lifetime 28800
  4. Create an ISAKMP profile associated with the veos router to match its outside IP Address and the keyring that was created earlier to identify the pre-shared secret.
    switch(config)#crypto isakmp profile vrouter-ikev1-isakmp-profile
    switch(conf-isa-prof)#keyring vrouter-keyring
    switch(conf-isa-prof)#match identity address 1.0.0.2 255.2-55.255.255
    switch(conf-isa-prof)#local-address GigabitEthernet2
  5. Create the ipsec transform-set configuration settings. The transform-set defines the encryption and hash algorithm for the child/ipsec SA. This example creates a transform-set with AES cipher for the ESP encryption and SHA1 for the authentication. The mode for the ipsec is set to transport mode.
    switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
    switch(cfg-crypto-trans)#mode transport
  6. Create the ipsec profile which includes the transform-set, SA idle time, lifetime, and replay windows used to create the child SA.
    switch(config)#crypto ipsec profile vrouter-ikev1-ipsec-profile
    switch(ipsec-profile)#set security-association idle-time 3600
    switch(ipsec-profile)#set security-association dummy seconds 3600
    switch(ipsec-profile)#set transform-set vrouter-tset
    switch(ipsec-profile)#set isakmp-profile vroute-ikev1-isakmp-profile
  7. Configure the WAN interface as the underlying interface for the tunnel. To be able to route packets, the tunnel is given an L3 IP address.
    switch(config)#interface GigabitEthernet2
    switch(config-if)#ip address 1.0.0.2 255.255.255.0
    switch(config-if)#mtu 9001
    switch(config-if)#negotiation auto
  8. Apply the ipsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures the tunnel interface to use ipsec.
    switch(config-if)#exit
    switch(config)#interface Tunnel0
    switch(config-if)#ip address 1.0.3.1 255.255.255.0
    switch(config-if)#tunnel source 1.0.0.2
    switch(config-if)#tunnel destination 1.0.0.1
    switch(config-if)#tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
    switch(config-if)#exit

IKEv2 Configuration

The CSR configuration to create a GRE over ipsec tunnel is similar to the cloudeos and veos router setup using ikev2 version.

By default, the cloudeos and veos router is configured to run in IKEv2 version. Make sure the version is not set to 1 under the ike policy. The configuration steps for CSR IKEv2 are a bit different to that of IKEv1.

Complete the following steps to configure the CSR.

  1. Enter the configuration terminal mode to configure ipsec.
    switch#configure terminal
  2. Create a pre-shared key for CSR and the cloudeos and veos router to authenticate each other. Create a keyring to hold the keys. Specify the peer cloudeos and veos router under which the keys and matching IP address of peer are configured.
    switch(config)#crypto keyring vrouter-ikev2-keyring
    switch(conf-keyring)#pre-shared-key address 1.0.0.2 key arista
  3. Create an IKEv2 proposal to specify the encryption, integrity, and group. In the example, it specifies AES256, SHA1, and DH group 14.
    switch(config)#crypto ikev2 proposal vrouter-ikev2-proposal
    switch(config-ikev2-proposal)#encryption aes-cbc-256
    switch(config-ikev2-proposal)#integrity sha1
    switch(config-ikev2-proposal)#group 14
    switch(config-ikev2-proposal)#exit
  4. Create an IKEv2 policy and attach the proposal created in the previous step.
    switch(config)#crypto ikev2 policy vrouter-ikev2-policy 
    switch(config-ikev2-policy)#match fvrf any
    switch(config-ikev2-policy)#proposal vrouter-ikev2-proposal
    switch(config-ikev2-policy)#exit
  5. Create an IKEv2 profile and specify the match identity for the remote peer's address, authentication pre-share, and the keyring that was previously created.
    switch(config)#crypto ikev2 profile vrouter-ikev2-profile
    switch(config-ikev2-profile)#match fvrf any
    switch(config-ikev2-profile)#match identity remote address 1.0.0.1 255.255.255.255
    switch(config-ikev2-profile)#authentication remote pre-share key arista
    switch(config-ikev2-profile)#authentication local pre-share key arista
    switch(config-ikev2-policy)#exit 
  6. Create the ipsec transform-set configuration settings. This step is similar to the step in IKEv1 configuration. The transform-set defines the encryption and hash algorithm for the child/ipsec SA. The example creates a transform-set with AES cipher for the ESP encryption and SHA1 for the authentication. The mode for the ipsec is set to the transport mode.
    switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
    switch(cfg-crypto-trans)#mode transport
  7. Create the ipsec profile similar to IKEv1. This profile includes the transform-set, SA idle time, lifetime, and replay windows that are used to create the child SA and specifies the IKEv2 profile to use.
    switch(config)#crypto ipsec profile vrouter-ikev2-ipsec-profile
    switch(ipsec-profile)#set security-association idle-time 3600
    switch(ipsec-profile)#set security-association dummy seconds 3600
    switch(ipsec-profile)#set transform-set vrouter-tset
    switch(ipsec-profile)#set ikev2-profile vrouter-ikev2-profile
    switch(ipsec-profile)#exit
  8. Configure the interface to use as the underlying interface for the tunnel. To be able to route packets, the tunnel is given an L3 IP address.
    switch(config)#interface GigabitEthernet2
    switch(config-if)#ip address 1.0.0.1 255.255.255.0
    switch(config-if)#negotiation auto
  9. Apply the ipsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures the tunnel interface to use ipsec.
    switch(config-if)#exit
    switch(config)#interface Tunnel0
    switch(config-if)#ip address 1.0.3.1 255.255.255.0
    switch(config-if)#tunnel path-mtu-discovery
    switch(config-if)#tunnel source 1.0.0.1
    switch(config-if)#tunnel destination 1.0.0.2
    switch(config-if)#tunnel protection ipsec profile vrouter-ikev2-ipsec-profile
    switch(config-if)#exit

cloudeos and veos router (GRE-over-ipsec Tunnel)

The ipsec tunnels represented in these examples include GRE-over-ipsec tunnels on cloudeos and veos router instances.

Running Configuration for cloudeos and veos
ip security
ike policy ikebranch1 encryption aes256 dh-group 15
!
sa policy sabranch1 sa lifetime 2
pfs dh-group 14
!
profile hq
ike-policy ikebranch1 sa-policy sabranch1 connection add
shared-key keyAristaHq dpd 10 50 clear
!
interface Tunnel1
ip address 1.0.3.1/24 tunnel mode gre tunnel source 1.0.0.1
tunnel destination 1.0.0.2 tunnel ipsec profile hq
interface Ethernet1 no switchport
ip address 1.0.0.1/24

cloudeos and veos router (VTI ipsec Tunnel)

The ipsec tunnels represented in these examples include VTI ipsec tunnels between cloudeos and veos router instances and third party CSR router instances.

Running Configuration for cloudeos and veos
ip security 
ike policy ikebranch1 
encryption aes256 
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
ike-policy ikebranch1
sa-policy sabranch1 
connection add
shared-key keyAristaHq 
dpd 10 50 clear
!
interface Tunnel1
ip address 1.0.3.1/24 
tunnel mode ipsec 
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel key 100
tunnel ipsec profile hq
interface Ethernet1 
no switchport
ip address 1.0.0.1/24

CSR Commands

The CSR router has show commands for several ipsec tunnel elements on CSR router instances.

CSR router Show Commands

Describes the available CSR router show commands and their example outputs.

Use the different show commands for CSR router instances to do the following:
  • View all Existing ISAKMP SAs
  • View all Existing ipsec SAs
  • View Crypto (Encryption) Session Details
  • View IKEv2 SAs
  • View IKEv2 SA Details
View all Existing ISAKMP SAs

Use the show crypto isakmp sa command to view the ISAKMP SAs for all existing or current ipsec connections.

Example


switch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dstsrc state conn-id status
1.0.0.11.0.0.2 QM_IDLE 1331 ACTIVE
vrouter-ikev1-isakmp-profile

IPv6 Crypto ISAKMP SA
View all Existing ipsec SAs

Use the show crypto ipsec sa command to view the ipsec SAs for all existing or current ipsec connections.

Example


switch#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr1.0.0.2

 protected vrf: (none)


 local ident (addr/mask/prot/port): 
(1.0.0.2/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): 
(1.0.0.1/255.255.255.255/47/0)
 current_peer 1.0.0.1 port 500 
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest:1f
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify:1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed:0
#pkts not decompressed: 0, #pkts decompress failed:0
#send errors 0, #recv errors 0

local crypto endpt.: 1.0.0.2, remote crypto endpt.: 
1.0.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb
GigabitEthernet2
current outbound spi: 0xCB8FB740(3415193408) 
PFS (Y/N): N, DH group: none
Dummy packet: Initializing

inbound esp sas:
spi: 0x36383677(909653623)
transform: esp-aes esp-sha-hmac , 
in use settings ={Tunnel, }
conn id: 5287, flow_id: CSR:3287, sibling_flags 
FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support: Y 
Status: ACTIVE(ACTIVE)

inbound ah sas: 

inbound pcp sas: 

outbound esp sas:
spi: 0xCB8FB740(3415193408)
transform: esp-aes esp-sha-hmac , 
in use settings ={Tunnel, }
conn id: 5288, flow_id: CSR:3288, sibling_flags 
FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support : Y 
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
View Crypto (Encryption) Session Details

Use the show crypto session detail command to view details about the crypto session for all current ipsec connections.

Example


switch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel0
Profile: vrouter-ikev1-isakmp-profile
Uptime: 00:20:23
Session status: UP-ACTIVE
Peer: 1.0.0.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.0.0.1
Desc: (none)
 Session ID: 0
 IKEv1 SA: local 1.0.0.2/500 remote 1.0.0.1/500 Active
Capabilities:(none) connid:1332 lifetime:07:39:35
 ipsec FLOW: permit 47 host 1.0.0.2 host 1.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 42 drop 0 life (KB/Sec)
4607997/2375
Outbound: #pkts enc'ed 44 drop 0 life (KB/Sec)
4607995/2375
View IKEv2 SAs

Use the show crypto ikev2 sa command to view summary information about all IKE version 2 SAs in use by existing ipsec connections.

Example


switch#show crypto ikev2 sa
IPv4 Crypto IKEv2SA

Tunnel-id Local Remotefvrf/ivrfStatus
1 3.3.3.3/500 3.3.3.1/500 none/noneREADY

Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, 
DH Grp:14, Auth sign: PSK, Auth verify: PSK
 Life/Active Time: 86400/5349 sec

IPv6 Crypto IKEv2SA
View IKEv2 SA Details

Use the show crypto ikev2 sa detailed command to view details about all IKE version 2 SAs in use by existing ipsec connections.

Example


switch#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remotefvrf/ivrfStatus
1 3.3.3.3/500 3.3.3.1/500 none/noneREADY

Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, 
DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5358 sec
CE id: 1351, Session-id: 6
Status Description: Negotiation done
Local spi: 9FA0B7B1F7746E69 Remote spi:
4B1652D32691E8AF
Local id: 3.3.3.3
Remote id: 3.3.3.1
Local req msg id: 4Remote req msg id: 8
Local next msg id:4Remote next msg id:8
Local req queued: 4Remote req queued: 8
Local window: 5Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

cloudeos and veos routers and AWS Specific Cloud Configuration

Describes the configuration steps for an AWS specific cloud on a cloudeos and veos router instance.

ipsec Between the cloudeos and veos router and AWS Specific Cloud Configuration

Describes the steps and the running configuration for setting up an ipsec connection between the cloudeos and veos router and the AWS Specific Cloud. The AWS Specific Cloud only supports IKE1 and not IKE2.

The following configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. These can be modified to take advantage of AES256, SHA256, or other DH groups such as 5, 14-17, and 24.

Running-configuration of the cloudeos and veos router and AWS Specific Cloud

 

The sample configuration below sets up the running configuration of the cloudeos and veos router and AWS Specific Cloud. In the configuration, the local-id is the external IP of the router when it is behind a NAT device, and the tunnel destination is the external IP of the AWS Specific Cloud.

ip security
 ike policy AWS-IKE1
integrity sha1
version 1
local-id 52.165.228.195
 !
 ike policy ikedefault
encryption aes256
 !
 sa policy AWS-SA1
esp encryption aes128
esp integrity sha1
pfs dh-group 14
 !
 profile AWS-profile
ike-policy AWS-IKE1
sa-policy AWS-SA1
connection start
sharded-key LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU
 !
 profile default
ike-policy
sa-policy AWS-SA1
shared-key arista
 !
interface Tunnel1
 ip address 169.254.11.162/30
 tunnel mode ipsec
 tunnel source 10.2.0.4
 tunnel destination 52.53.75.160
 tunnel ipsec profile AWS-profile

AWS Specific Cloud Configuration

 

  1. Internet Key Exchange Configuration
The address of the external interface for a customer gateway must be a static address. the customer gateway can reside behind a device performing network Address Translation (NAT) To ensure that NAT Transversal (NAT-T) can function, add, and update the firewall rules, allow UDP port 4500. Disable NAT-T if the customer gateway is not behind a NAT gateway.
  • Authentication Method: Pre-Shared Key
  • Pre-Shared Key: LwYbARmDJmpFGOrAbPGk2uQiWwvbmfU
  • Authentication Algorithm: sha1
  • Encryption Algorithm: aes-128-cbc
  • Lifetime: 28800 seconds
  • Phase 1 Negotiation Method: main
  • Perfect Forward Secrecy: Diffie-Hellman Group 2

AWS Specific Cloud Configuration Modifications

 

  1. Internet Key Exchange SA Configuration

    The address of the external interface for the customer gateway must be a static address. The customer gateway can reside behind a device performing network Address Translation (NAT). To make sure that NAT traversal (NAT-T) functions correctly, add or update the firewall rule to allow UDP port 4500. Disable NAT-T if the customer gateway is not behind a NAT gateway.

    Use the following sample configuration files to set up an Internet key exchange SA configuration.
    • Authentication Method: Pre-shared Key
    • Pre-shard Key: LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU
    • Authentication Algorithm: sha1
    • Encryption Algorithm: aes-128-cbc
    • Lifetime: 28800 seconds
    • Phase 1 Negotiation Mode: main
    • Perfect Forward Secrecy: Diffie-Hellman Group 2
  2. ipsec Configuration
    Use the following sample configuration files to configure the ipsec. Modification of the sample configuration files may be need to take advantage of additionally supported ipsec parameters for encryption, such as AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    • Protocol: esp
    • Authentication Algorithm: hmac-sha-96
    • Encryption Algorithm: aes-128-cbc
    • Lifetime: 3600 seconds
    • Mode: tunnel
    • Perfect Forward Secrecy: Diffie-Hellman Group2
    The ipsec Dead Peer Detection (DPD) is enabled on the AWS Specific Cloud endpoint. Configure the DPD on your endpoint as follows:
    • DPD interval: 10
    • DPD Retries: 3

    The ipsec Encapsulating Security Payload (ESP) inserts additional headers to transmit the packets. These headers require additional space, which reduces the amount of space available to transmit application data. The following configuration is recommended on the customer gateway to limit the impact of this behavior:

    • TCP MSS Adjustment: 1379 bytes
    • Clear Don't fragment Bit: enabled
    • Fragmentation: Before encryption
  3. Tunnel Interface Configuration

    Configure the customer gateway with a tunnel interface that associates with the ipsec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the virtual private gateway.

    The customer gate and the virtual private gateway each have two addresses that relate to this ipsec tunnel. Each one contains an outside address, where the encrypted traffic is exchanged. Both gateways also contain an inside address associated with the tunnel interface. The customer gateway outside IP address is provided upon creation of the customer gateway. To change the IP address of the customer gateway, create a new customer gateway. The customer gateway inside IP address must be configured on the interface tunnel.

    Outside IP Addresses:
    • Customer gateway: 52.165.228.195
    • virtual Private gateway: 52.53.75.160

      The customer gateway IP address is the IP address of the firewall that the cloudeos and veos instance in the DC with NAT behind.

      The virtual private gateway IP address is the external IP address of the AWS Specific Cloud.

    Inside IP Addresses
    • Customer gateway: 169.254.11.162/30
    • virtual Private gateway: 169.254.11.161/30

    The virtual private gateway IP address is the tunnel IP address of the AWS Specific Cloud.

  4. Static Routing Configuration

    The router traffic between the internal network and the VPC an AWS Specific Cloud, add a static router to the cloudeos and veos router.

    Next Hop: 169.254.11.162

    Any subnet that requires a route to DC must have a route pointing to the AWS Specific Cloud tunnel IP address.

    For traffic destined to the Internet network, add static routes on the VGW.

cloudeos ipsec connectivity to azure virtual network gateway

This document describes how to establish ipsec connection between cloudeos router and azure virtual network gateway. This document also documents how to establish a BGP connection over the ipsec tunnel.

Creating an ipsec azure virtual network gateway

The following topology is for ipsec azure virtual network gateway.

The following steps are to create an ipsec azure virtual network gateway.

  1. Create a Resource Group.
  2. Create the virtual network.
  3. Create virtual network gateway.
  4. Configure Local network gateway.
  5. Create Site-to-site Connections.

For more information on creating an ipsec azure virtual network gateway, refer to:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Creating a Resource Group

Create a new resource group if not already created, under this group all other resources such as virtual network gateway, virtual networks and other resources are created. For example, here a resource group AnetVPN is created.

Creating a virtual network

  1. A virtual network is created in the azure Cloud, which is reached through the azure virtual network gateway. For example, a virtual network AnetNet1, with an IP address space 172.27.0.0/16 is created. A subnet AnetSubnet1(172.27.1.0/24) is also created, which is used as the subnet for virtual network gateway.

  2. Click on the Create button.

  3. Fill-in the mandatory fields in the Project Details section.

  4. Fill-in the IP address section with the IP address and Subnets.

  5. Click on the Review+create tab to validate the deployment.

  6. Finally if the deployment passes the validation, you see this screen.

Creating an virtual network gateway

  1. After creating the virtual network, a virtual network gateway(AnetVGW) is created. The virtual network gateway must have a public IP address. By default BGP is disabled on the virtual network gateway. In this example below the BGP enabled to demonstrate the BGP session over the ipsec connection.

  2. Provide the public IP address name.

  3. Click on the Review+create tab to proceed with the deployment.

  4. Finally you see this page on successful deployment.

  5. This page provides you information about the resources and other information related to the deployment.

Configuring the Local network gateway

  1. At a customer site an on-prem router (referred as Local network gateway) is connected to the azure virtual network gateway. The public IP address of the On-prem router along with the BGP peering address and ASN is configured in the Local network gateway.


Creating Site-to-site Connections

A site-to-site connection is configured to connect a virtual network gateway to the Local network gateway. In addition to this IKE version and shared-key used for IKE authentication is configured. The rest of the cryptographic parameters cannot be configured from the azure portal, but can be configured using Power shell. The complete list of azure crypto suites is found here:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#params



Configuring cloudeos ipsec

This section describes the cloudeos configuration instance. The following are the default cryptographic parameters used in azure virtual network gateway configuration.
IKE - Ikev2/AES256/SHA256/DH-Group2
ipsec - ESP/AES256/SHA256

Configure the IKE Policy

cloudeos(config-ipsec-ike)#ip security 
cloudeos(config-ipsec)#ike policy ikeazure
cloudeos(config-ipsec-ike)#encryption aes256 
cloudeos(config-ipsec-ike)#integrity sha256 
cloudeos(config-ipsec-ike)#version 2
cloudeos(config-ipsec-ike)#dh-group 2
cloudeos(config-ipsec-ike)#ex
cloudeos(config-ipsec)#

Configure the SA Policy

cloudeos(config-ipsec)#sa policy saazure
cloudeos(config-ipsec-sa)#esp encryption aes256
cloudeos(config-ipsec-sa)#esp integrity sha256 
cloudeos(config-ipsec-sa)#ex
cloudeos(config-ipsec)#

Configure the Profile

cloudeos(config-ipsec)#profile profazure
cloudeos(config-ipsec-profile)#ike-policy ikeazure
cloudeos(config-ipsec-profile)#sa-policy saazure
cloudeos(config-ipsec-profile)#connection start
cloudeos(config-ipsec-profile)#shared-key arista
cloudeos(config-ipsec-profile)#ex
cloudeos(config-ipsec)#

Configuring the ipsec Tunnel (VTI) Interface

cloudeos(config)#interface Tunnel 1
cloudeos(config-if-Tu1)#ip address 10.100.1.1/24
cloudeos(config-if-Tu1)#tunnel mode ipsec
cloudeos(config-if-Tu1)#tunnel source 3.212.212.81
cloudeos(config-if-Tu1)#tunnel destination 13.77.139.173
cloudeos(config-if-Tu1)#tunnel ipsec profile profazure
! ipsec adds an overhead of up to 82 bytes. Example: A GRE tunnel with an MTU=1476 should be changed to 1394 when using ipsec.
cloudeos(config-if-Tu1)#ex
cloudeos(config)#show

Verifying the ipsec Connection


cloudeos(config)#show ip securityconnection
TunnelSourceDest Status UptimeInputOutput Rekey Time
Tunnel13.212.212.8113.77.139.173 Established1 second0 bytes0 bytes44 minutes
0 pkts 0 pkts 

On Prem cloudeos behind a NAT Device

If the on-prem cloudeos instance is behind a NAT device, configure the public IP address in local-ID under the IKE policy configuration as shown in the example below.
cloudeos#ip security
 ike policy ikeazure
encryption aes256
dh-group 2
local-id 3.212.212.81

BGP over ipsec

In the BGP configuration in section Creating virtual network gateway, the BGP configuration is added for AnetOnPremSite1 with ASN as 65530 and BGP peer IP address as 10.100.1.1. In this scenario, BGP address and the IP address on the tunnel interface are same, but, this is not a configuration limitations both the IP addresses can be different.
cloudeos(config)#router bgp 65530
cloudeos(config-router-bgp)#neighbor 172.27.0.254 remote-as 65515
cloudeos(config-router-bgp)#neighbor 172.27.0.254 update-source Tunnel1
cloudeos(config-router-bgp)#neighbor 172.27.0.254 ebgp-multihop 4
cloudeos(config-router-bgp)#address-family ipv4
cloudeos(config-router-bgp-af)#neighbor 172.27.0.254 activate
cloudeos(config-router-bgp-af)#network 10.100.100.0/24
cloudeos(config-router-bgp-af)#ex
cloudeos(config-router-bgp)#ex
cloudeos(config)#

BGP Routes Advertised to Neighbor

cloudeos(config)#show ip bgpneighbors 172.27.0.254 advertised-routes 
BGP routing table information for VRF default
router identifier 198.18.0.65, local AS number 65530
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued for advertisement
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

networkNext HopMetricLocPref WeightPath
 * >10.100.100.0/2410.100.1.1- - - 65530 i

BGP Routes Received from the Neighbor

cloudeos(config)#show ip bgpneighbors 172.27.0.254received-routes 
BGP routing table information for VRF default
router identifier 198.18.0.65, local AS number 65530
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

networkNext HopMetricLocPref WeightPath
 * >172.27.0.0/16172.27.0.254- - - 65515 i
cloudeos(config)#

Verifying the BGP Connection

cloudeos(config)#show ip bgp summ
BGP summary information for VRF default
router identifier 198.18.0.65, local AS number 65530
Neighbor Status Codes: m - Under maintenance
Neighbor VAS MsgRcvd MsgSentInQ OutQUp/Down State PfxRcd PfxAcc
172.27.0.254 4655151942140 000:00:06Estab 11
cloudeos(config)#