IPsec Support

The AWE-7200R and CloudEOS router provides robust support for using IPsec to establish and maintain IPsec tunnels for secure or encrypted communications between virtual router peer instances and virtual peer instances to non-virtual routers.

The AWE-7200R and CloudEOS router supports the use of IPsec to:
  • Secure the communications between AWE-7200R and CloudEOS router instances.

     

  • Secure the communications between AWE-7200R and CloudEOS router instances and third-party virtual router instances.

     

    Note: See the AWE-7200R and CloudEOS router Release Notes for the latest information on the types of virtual routers that can share IPsec tunnels with AWE-7200R and CloudEOS router.

     

  • Supported Tunnel Types

    The AWE-7200R and CloudEOS router supports the use of two basic types of IPsec tunnels. The tunnel types are determined based on the encapsulation mode.

     

  • Requirements when Behind a NAT

    The AWE-7200R and CloudEOS router supports using NAT-Traversal to communicate with the remote peer virtual router. To ensure that the tunnel configuration between the AWE-7200R and CloudEOS router and peer router is successful, make sure that the AWE-7200R and CloudEOS router tunnel configuration meets the requirements for using NAT.

     

    Note: NAT-Traversal for IPsec is not supported for DCS-7020SRG.

     

  • Using IPsec on CloudEOS and AWE-7200R and CloudEOS router Instances

    The AWE-7200R and CloudEOS router enables you to establish and maintain GRE-over-IPsec and VTI IPsec tunnels for secure or encrypted communications between peer AWE-7200R and CloudEOS router instances.

     

  • CloudEOS IPsec Connectivity to Azure Virtual Network Gateway

 

Supported Tunnel Types

 

The AWE-7200R and CloudEOS router supports the use of two basic types of IPsec tunnels. The tunnel types are determined based on the encapsulation mode.

The supported tunnel types are:
GRE-over-IPsec
  • In GRE-over-IPsec encapsulation mode, the application payload is first encapsulated within a GRE packet. IPsec then encrypts the GRE packet, which results in the packet being encapsulated and encrypted by the IPsec header.

     

  • Select this encapsulation type by specifying tunnel mode gre for the tunnel interface to which the IPsec profile is applied. This ensures that the packets forwarded on the interface are encrypted.

     

  • When using GRE-over-IPsec encapsulation mode, both IPsec mode options are supported (select either transport or tunnel).

     

VTI IPsec
  • In VTI encapsulation mode, the application payload is directly encapsulated and encrypted by the IPsec header.

     

  • Select this encapsulation type by specifying tunnel mode ipsec for the tunnel interface to which the IPsec profile is applied. This ensures that the packets forwarded on the interface are encrypted.

     

  • When using VTI encapsulation mode, set the IPsec mode to tunnel. The transport option under the IPsec mode has no effect.

Requirements when Behind a NAT

 

The AWE-7200R and CloudEOS router supports using NAT-Traversal to communicate with the remote peer behind a NAT. Configure the tunnel source with the outgoing interface IP address on the router.

Flow Parallelization

Enable the IPsec flow parallelization feature to achieve high throughput over an IPsec connection. Multiple cores parallelize the IPsec encryption and decryption processing when the feature is enabled. To enable this feature, include the flow parallelization encapsulation udp command in the IPsec profile configuration.

Note: The feature must be enabled on both sides of the tunnel. Other vendors do not support Flow Parallelization.

 

Note: This feature should be used with GRE over IPsec.

 

If the IPsec session is established without the feature enabled, complete the following tasks:
  • Under the tunnel's IPsec profile, use the flow parallelization encapsulation udp command to enable the feature.
  • Shut down the tunnel on the tunnel interface.
  • Bring the tunnel back up on the tunnel interface. After it is up, this enables the feature.

Using IPsec on AWE-7200R and CloudEOS Router Instances

The AWE-7200R and CloudEOS router establishes and maintains GRE-over-IPsec and VTI IPsec tunnels for secure or encrypted communications between peer AWE-7200R and CloudEOS router instances.

Topology

Use the AWE-7200R and CloudEOS router Router to establish and maintain IPsec tunnels between peer AWE-7200R and CloudEOS router Router instances in different topologies of varying complexity.

The diagram below represents a basic IPsec tunnel configuration in which AWE-7200R and CloudEOS router Router instances use an IPsec tunnel.

Router instances and third-party devices peer router instances.

The basic process for establishing secure communications using IPsec involves the following tasks:
  • Creating an IKE Policy to establish IKE with the peer.
  • Specifying the encryption integrity protocols for the Security Association (SA) Policy.
  • Apply IKE and SA policies to a given profile.
  • Apply the profile to a tunnel interface.

Configuring IPsec Tunnels on AWE-7200R and CloudEOS Router Instances

Use this procedure to configure GRE-over-IPsec or VTI IPsec tunnels on peer AWE-7200R and CloudEOS router instances.

The procedure provides all the steps required to set up either GRE-over-IPsec or VTI IPsec tunnels. Most steps are identical for both tunnel types (Steps 1 through 6 are the same). Step 7 is the step to select the tunnel type.

 

Note:AWE-7200R and CloudEOS router, by default, uses IKE version 2 for all IPsec tunnels. To configure a tunnel that uses IKE version 1, explicitly configure the AWE-7200R and CloudEOS router to use IKE version 1.

 

Procedure

Complete the following steps to configure GRE-over-IPsec or VTI IPsec tunnels on AWE-7200R and CloudEOS router instances. This configuration will be the default IKE version 2 procedure.

  1. Use this command to enter IP security mode. 
    router(config)# ip security

     

  2. To use IKE version 1, complete the following before completing the default IKE version the steps below. 
    router(config)# ip security
router(config-ipsec)# ike policy ike-peerRtr
router(config-ipsec-ike)# version 1

     

  3. Create an IKE Policy to communicate with the peer to establish IKE. You have the option to configure multiple IKE policies.
    The default IKE Policy values are:
    • Encryption- AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours 
      router(config-ipsec)# ike policy ike-vrouter 
router(config-ipsec-ike)# encryption aes256 
router(config-ipsec-ike)# integrity sha256 
router(config-ipsec-ike)# dh-group 24
router(config-ipsec-ike)# version 2

       

  4. Configure the local-id with the local public IP address if the router is behind a NAT. The public IP corresponds to the underlying interface over which the IKE communications are done with the peer. 
    router(config-ipsec-ike)# local-id <public ip address>

     

  5. Create an IPsec Security Association policy to be used in the data path for encryption and integrity. Use the option to enable Perfect Forward Secrecy by configuring a DH group to the SA.
    In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14). 
    router(config-ipsec)# sa policy sa-vrouter 
router(config-ipsec-sa)# esp encryption aes256 
router(config-ipsec-sa)# esp integrity sha256 
router(config-ipsec-sa)# pfs dh-group 14 
router(config-ipsec-sa)# sa lifetime 2 
router(config-ipsec-sa)# exit

     

  6. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared key, which must be common to both peers. The default profile assigns default values for all parameters not explicitly configured in the other profiles.
    In this example, tunnel mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for over 50 seconds. The peer peer-Rtr is set to be the responder. 
    router(config-ipsec)# profile default
router(config-ipsec-profile)# ike-policy ikedefault
router(config-ipsec-profile)# sa-policy sadefault
router(config-ipsec-profile)# shared-key arista
router(config-ipsec)# profile vrouter
router(config-ipsec-profile)# ike-policy ike-vrouter
router(config-ipsec-profile)# sa-policy sa-vrouter
router(config-ipsec-profile)# dpd 10 50 clear
router(config-ipsec-profile)# connection add
router(config-ipsec-profile)# mode transport

     

  7. Configure the AWE-7200R and CloudEOS router interface to be the underlying interface for the tunnel. You must specify an L3 address for the tunnel. If you do not use the tunnel, the router cannot route packets using the tunnel. 
    router(config)# interface Et1 
router(config-if-Et1)# no routerport
router(config-if-Et1)# ip address 1.0.0.1/24
router(config-if-Et1)# mtu 1500

     

  8. Apply the IPsec profile to a new tunnel interface. You create the new tunnel interface as part of this step. You can configure the tunnel as a GRE-over-IPsec tunnel or a VTI IPsec tunnel.
    (GRE-over-IPsec): In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec, and the tunnel mode is set to GRE. The other end of the tunnel also needs to be configured as a GRE-over-IPsec tunnel. 
    router(config)# interface tunnel0
router(config-if-Tu0)# ip address 1.0.3.1/24 
router(config-if-Tu0)# tunnel mode gre 
router(config-if-Tu0)# mtu 1394
router(config-if-Tu0)# tunnel source 1.0.0.1
router(config-if-Tu0)# tunnel destination 1.0.0.2 
router(config-if-Tu0)# tunnel ipsec profilevrouter
  9. (VTI IPsec): To configure a VTI IPsec tunnel, you must set the tunnel mode to tunnel mode ipsec. The other tunnel element settings are the same as the settings for GRE-over-IPsec. 
    router(config)# interface tunnel0
router(config-if-Tu0)# ip address 1.0.3.1/24 
router(config-if-Tu0)# tunnel mode ipsec 
router(config-if-Tu0)# mtu 1394
router(config-if-Tu0)# tunnel source 1.0.0.1
router(config-if-Tu0)# tunnel destination 1.0.0.2 
router(config-if-Tu0)# tunnel ipsec profile vrouter
    To move the tunnel interface to a different VRF, complete Step 9. To achieve high throughput, complete Step 10.
  10. Create the GRE-over-IPsec tunnel interface in a VRF using the vrf forwarding command. If a VRF is needed,create and configure the GRE tunnel interface. If tunnels in different VRFs need to share the IPsec connection, configure the same tunnel source, destination, IPsec profile, and a unique tunnel key for each tunnel.
    Note: If tunnels in different VRFs need to share the IPsec connection, specify the same source, destination, and IPsec profile.
    router(config)# vrf definition red
router(config-vrf-red)# rd 1:3 
router(config-vrf-red)# interface tunnel0
router(config-if-Tu0)# tunnel key 100
router(config-if-Tu0)# vrf forwarding red
router(config-if-Tu0)# ip address 1.0.3.1/24
router(config-if-Tu0)# mtu 1394
router(config-if-Tu0)# tunnel source 1.0.0.1
router(config-if-Tu0)# tunnel destination 1.0.0.2
router(config-if-Tu0)# tunnel key 100 
router(config-if-Tu0)# tunnel ipsec profile vrouter
router(config)# vrf definition blue 
router(config-vrf-blue)# rd 1:4 
router(config-vrf-blue)# interface tunnel1
router(config-if-Tu1)# tunnel key 200
router(config-if-Tu1)# vrf forwarding blue 
router(config-if-Tu1)# ip address 1.0.4.1/24 
router(config-if-Tu1)# tunnel mode gre 
router(config-if-Tu1)# mtu 1394
router(config-if-Tu1)# tunnel source 1.0.0.1
router(config-if-Tu1)# tunnel destination 1.0.0.2
router(config-if-Tu1)# tunnel ipsec profile vrouter
  11. Enable the IPsec flow parallelization feature to achieve high throughput over the IPsec tunnel. To enable the feature, include the flow parallelization encapsulation udp command in the IPsec profile configuration. Then, the IPsec profile configuration is applied to the tunnel interface.
    (IPsec profile configuration) 
    router(config-ipsec)# profile vrouter
router(config-ipsec-profile)# ike-policy ike-vrouter
router(config-ipsec-profile)# sa-policy sa-vrouter
router(config-ipsec-profile)# dpd 10 50 clear
router(config-ipsec-profile)# connection start
router(config-ipsec-profile)# mode transport
router(config-ipsec-profile)# flow parallelization encapsulation udp

     

    Example: (Applying IPsec profile to tunnel interface) 
    router(config)# interface tunnel0
router(config-if-Tu0)# tunnel ipsec profile vrouter
    Note: Repeat Step 9 on the other end of the tunnel. The IPsec flow parallelization feature must be enabled on both ends of the tunnel.

Examples of Running-configurations for GRE-over-IPsec Tunnels

 

The following examples show the running configurations for two AWE-7200R and CloudEOS router instances (AWE-7200R and CloudEOS router1 and AWE-7200R and CloudEOS router2). The instances are the tunnel endpoints of a GRE-over-IPsec tunnel.

Running Configuration for AWE-7200R and CloudEOS router1

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq 
dpd 10 50 clear
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode gre
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!
interface Ethernet1 
no routerport
ip address 1.0.0.1/24
!

Running Configuration for AWE-7200R and CloudEOS router2

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
ike policy ikebranch2
dh-group 15
version 1
local-id 200.0.0.1
!
ike policy ikedefault
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1 
connection start
shared-key keyAristaHq
dpd 10 50 clear
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.2/24 
tunnel mode gre 
tunnel source 1.0.0.2
tunnel destination 1.0.0.1
tunnel ipsec profile hq
!
interface Ethernet2 
no routerport
ip address 1.0.0.2/24
!

Examples of Running-configurations for VTI IPsec Tunnels

The following examples show the running configurations for two AWE-7200R and CloudEOS router instances (AWE-7200R and CloudEOS router1 and AWE-7200R and CloudEOS router 2). The instances are the tunnel endpoints of a VTI IPsec tunnel.

Running Configuration for AWE-7200R and CloudEOS router 1

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq
dpd 10 50 clear
!
interface Ethernet1
no routerport
ip address 1.0.0.1/24
!
interface Management1
ip address dhcp
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode ipsec
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!

Running Configuration for AWE-7200R and CloudEOS router 2

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
ike policy ikebranch2
dh-group 15
version 1
local-id 200.0.0.1
!
ike policy ikedefault
!
sa policy sabranch1
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection start
shared-key keyAristaHq
dpd 10 50 clear
!
interface Ethernet2 
no routerport
ip address 1.0.0.2/24
!
interface Management1 ip address dhcp
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.2/24 
tunnel mode ipsec 
tunnel source 1.0.0.2
tunnel destination 1.0.0.1
tunnel ipsec profile hq
!

AWE-7200R and CloudEOS IPsec Connectivity to Azure Virtual Network Gateway

This section discusses establishing an IPsec connection between the AWE-7200R and CloudEOS router and Azure Virtual Network Gateway. This document also documents establishing a BGP connection over the IPsec tunnel.

Creating an IPsec Azure Virtual Network Gateway

The following topology is for IPsec Azure Virtual Network Gateway.

The following steps are to create an IPsec Azure Virtual Network Gateway.

  1. Create a Resource Group.
  2. Create the Virtual Network.
  3. Create a Virtual Network Gateway.
  4. Configure Local Network Gateway.
  5. Create Site-to-site Connections.

     

For more information on creating an IPsec Azure Virtual Network Gateway, refer to:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Creating a Resource Group

  • Create a new resource group if not already created; all other resources, such as Virtual Network Gateway, Virtual Networks, and other resources, are created under this group. For example, AnetVPN is created as a resource group.

Creating a Virtual Network

  1. A virtual network is created in the Azure Cloud and is reached through the Azure Virtual Network Gateway. For example, a virtual network, AnetNet1, with an IP address space of 172.27.0.0/16, is created. A subnet AnetSubnet1(172.27.1.0/24) is also created and used as the subnet for Virtual Network Gateway.

     

  2. Click the Create button.

     

  3. Fill in the mandatory fields in the Project Details section.

     

  4. Fill in the IP address section with the IP address and Subnets.

     

  5. Click the Review+create tab to validate the deployment.

     

  6. Finally, you will see this screen if the deployment passes the validation.

     

Creating an Virtual Network Gateway

  1. After creating the virtual network, a virtual network gateway (AnetVGW) is created. The Virtual Network Gateway must have a public IP address. By default, BGP is disabled on the Virtual Network Gateway, and in this example below, the BGP is enabled to demonstrate the BGP session over the IPsec connection.

     

  2. Provide the public IP address name.

     

  3. Click the Review+create tab to proceed with the deployment.

     

  4. Finally, you see this page on successful deployment.

     

  5. This page provides information about the resources and other information related to the deployment.

     

Configuring the Local Network Gateway

An on-prem router (Local Network Gateway) is connected to the Azure Virtual Network Gateway at a customer site. The on-prem router's public IP address, BGP peering address, and ASN are configured in the Local Network Gateway.

 

Creating Site-to-Site Connections

A site-to-site connection is configured to connect a Virtual Network Gateway to the Local Network Gateway. In addition to this, the IKE version and shared key used for IKE authentication is configured. The rest of the cryptographic parameters cannot be configured from the Azure portal but can be configured using PowerShell. The complete list of Azure crypto suites is here:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#params

 

Configuring AWE-7200R and CloudEOS Router IPsec

This section discusses the AWE-7200R and CloudEOS router configuration instance. The following are the default cryptographic parameters used in Azure Virtual Network Gateway configuration. 
IKE - Ikev2/AES256/SHA256/DH-Group2
IPsec - ESP/AES256/SHA256

Configure the IKE Policy

router(config-ipsec-ike)# ip security 
router(config-ipsec)# ike policy ikeAzure
router(config-ipsec-ike)# encryption aes256 
router(config-ipsec-ike)# integrity sha256 
router(config-ipsec-ike)# version 2
router(config-ipsec-ike)# dh-group 2
router(config-ipsec-ike)# ex
router(config-ipsec)#

 

Configure the SA Policy

router(config-ipsec)# sa policy saAzure
router(config-ipsec-sa)# esp encryption aes256
router(config-ipsec-sa)# esp integrity sha256 
router(config-ipsec-sa)# ex
router(config-ipsec)#

 

Configure the Profile

router(config-ipsec)# profile profAzure
router(config-ipsec-profile)# ike-policy ikeAzure
router(config-ipsec-profile)# sa-policy saAzure
router(config-ipsec-profile)# connection start
router(config-ipsec-profile)# shared-key arista
router(config-ipsec-profile)# ex
router(config-ipsec)#

 

Configuring the IPsec Tunnel (VTI) Interface

router(config)# interface Tunnel 1
router(config-if-Tu1)# ip address 10.100.1.1/24
router(config-if-Tu1)# tunnel mode ipsec
router(config-if-Tu1)# tunnel source 3.212.212.81
router(config-if-Tu1)# tunnel destination 13.77.139.173
router(config-if-Tu1)# tunnel ipsec profile profAzure
! IPSec adds an overhead of up to 82 bytes. Example: A GRE tunnel with an MTU=1476 should be changed to 1394 when using IPSec.
router(config-if-Tu1)# ex
router(config)#show

 

Verifying the IPsec Connection


router(config)# show ip securityconnection
TunnelSource Dest Status UptimeInput Output Rekey Time
Tunnel1 3.212.212.81 13.77.139.173Established1 second0 bytes 0 bytes44 minutes
 0 pkts 0 pkts

 

 

On-Prem AWE-7200R and CloudEOS behind a NAT Device

If the on-prem router instance is behind a NAT device, configure the public IP address in the local-ID under the IKE policy configuration, as shown in the example below. 
router# ip security
 ike policy ikeAzure
encryption aes256
dh-group 2
local-id 3.212.212.81

 

BGP over IPsec

In the BGP configuration in the Creating Virtual Network Gateway section, the BGP configuration is added for AnetOnPremSite1 with ASN as 65530 and BGP peer IP address as 10.100.1.1. In this scenario, the BGP address and the IP address on the tunnel interface are the same, but this is not a configuration limitation; both IP addresses can be different. 
CloudEOS(config)# router bgp 65530
CloudEOS(config-router-bgp)# neighbor 172.27.0.254 remote-as 65515
CloudEOS(config-router-bgp)# neighbor 172.27.0.254 update-source Tunnel1
CloudEOS(config-router-bgp)# neighbor 172.27.0.254 ebgp-multihop 4
CloudEOS(config-router-bgp)# address-family ipv4
CloudEOS(config-router-bgp-af)# neighbor 172.27.0.254 activate
CloudEOS(config-router-bgp-af)# network 10.100.100.0/24
CloudEOS(config-router-bgp-af)# ex
CloudEOS(config-router-bgp)# ex
CloudEOS(config)#

 

BGP Routes Advertised to Neighbor

router(config)# show ip bgpneighbors 172.27.0.254 advertised-routes 
BGP routing table information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued for advertisement
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

Network Next Hop MetricLocPref WeightPath
 * >10.100.100.0/24 10.100.1.1 - - - 65530 i

 

BGP Routes Received from the Neighbor

router(config)# show ip bgpneighbors 172.27.0.254received-routes 
BGP routing table information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

NetworkNext Hop MetricLocPref WeightPath
 * >172.27.0.0/16172.27.0.254 - - - 65515 i
router(config)#

 

Verifying the BGP Connection

router(config)# show ip bgp summmary
BGP summary information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Neighbor Status Codes: m - Under maintenance
NeighborVASMsgRcvd MsgSent InQ OutQUp/DownState PfxRcd PfxAcc
172.27.0.254465515 194 214 0 000:00:06Estab 11
router(config)#