CloudEOS and vEOS Router Configuration

Use this procedure to configure VTI IPsec tunnels on an Arista router instance. Complete the procedure, then configure the other tunnel endpoint on the third party peer router.

Note: The CloudEOS and vEOS Router by default uses IKE version 2 for all IPsec tunnels. To configure a VTI IPsec tunnel that uses IKE version 1, explicitly configure the CloudEOS and vEOS Router instance to use IKE version 1.


Complete the following steps to configure a CloudEOS and vEOS Router instance to share a VTI IPsec tunnel.

To use IKE version 1, complete the section below, then continue with the steps below. To use IKE version 2, which is the default version, start with Step 1 below.

switch(config)#ip security
switch(config-ipsec)#ike policy ike-peerRtr
switch(config-ipsec-ike)#version 1
  1. Use this command to enter IP security mode.
    switch(config)#ip security
  2. Create an IKE Policy to communicate with the peer to establish IKE Phase 1 options. There is the option of configuring multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    switch(config)#ip security
    switch(config-ipsec)#ike policy ike-vrouter-PA
    switch(config-ipsec)#integrity sha512 
    switch(config-ipsec)#encryption aes256
    switch(config-ipsec)#dh-group 20
  3. If the router is behind a NAT, configure the local-id with the local public IP address.
    switch(config-ipsec-ike)#local-id <public ipaddress>
  4. Create an IPsec Security Association policy in the data path for encryption and integrity. There is the option of enabling Perfect Forward Secrecy by configuring a DH group to the SA.
    Example: In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 20).
    switch(config-ipsec)#sa policy sa-vrouter-PA
    switch(config-ipsec)#esp encryption aes256
    switch(config-ipsec)#esp integrity sha256
    switch(config-ipsec)#sa lifetime 2
    switch(config-ipsec)#pfs dh-group 20
  5. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles.
    Example: In this example, the IKE Policy ike-vrouter-PA and SA Policy sa-vrouter-PA are applied to profile vrouter-PA. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 30 seconds.
    switch(config-ipsec)#profile vrouter-PA
    switch(config-ipsec-profile)#ike-policy ike-vrouter-PA
    switch(config-ipsec-profile)#sa-policy sa-vrouter-PA
    switch(config-ipsec-profile)#connection start
    switch(config-ipsec-profile)#shared-key Arista1234
    switch(config-ipsec-profile)#dpd 10 30 clear
  6. Create a tunnel interface for the VTI tunnel. When tunnel mode is set to IPsec, configure a tunnel key on the vEOS Router instance to ensure that traffic can be forwarded through the tunnel.
    switch(config)#interface Tunnel1
    switch(config-if-Tu1)#mtu 1400
    switch(config-if-Tu1)#ip address
    switch(config-if-Tu1)#tunnel mode ipsec
    switch(config-if-Tu1)#tunnel source
    switch(config-if-Tu1)#tunnel destination
    switch(config-if-Tu1)#tunnel ipsec profile vrouter-PA

Configure the VTI IPsec tunnel on the peer router (see Palo Alto Firewall VM Configuration).