IPsec Support

The AWE-7200R and CloudEOS router supports IPsec for establishing and maintaining tunnels that secure (encrypt) communications between peer virtual router instances, and between virtual router instances and non-virtual routers.

The AWE-7200R and CloudEOS router supports the use of IPsec to:
  • Secure the communications between AWE-7200R and CloudEOS router instances.
  • Secure the communications between AWE-7200R and CloudEOS router instances and third-party virtual router instances.

    Note: See the AWE-7200R and CloudEOS router Release Notes for the latest information on the types of virtual routers that can share IPsec tunnels with AWE-7200R and CloudEOS router.

  • Supported Tunnel Types

    The AWE-7200R and CloudEOS router supports two basic types of IPsec tunnels. The tunnel type is determined by the encapsulation mode.

  • Requirements when Behind a NAT

    The AWE-7200R and CloudEOS router supports NAT-Traversal to communicate with the remote peer virtual router. To ensure that the tunnel between the AWE-7200R and CloudEOS router and the peer router comes up, make sure that the AWE-7200R and CloudEOS router tunnel configuration meets the requirements for using NAT.

    Note: NAT-Traversal for IPsec is not supported for DCS-7020SRG.

  • Using IPsec on AWE-7200R and CloudEOS Router Instances

    The AWE-7200R and CloudEOS router enables you to establish and maintain GRE-over-IPsec and VTI IPsec tunnels for secure or encrypted communications between peer AWE-7200R and CloudEOS router instances.

  • Using IPsec on AWE-7200R and CloudEOS Router and Third-Party Devices

    The AWE-7200R and CloudEOS router enables you to establish and maintain IPsec tunnels for secure or encrypted communications between AWE-7200R and CloudEOS router instances and third-party peer router instances.

  • CloudEOS IPsec Connectivity to Azure Virtual Network Gateway

Supported Tunnel Types

The AWE-7200R and CloudEOS router supports two basic types of IPsec tunnels. The tunnel type is determined by the encapsulation mode.

The supported tunnel types are:

GRE-over-IPsec
  • In GRE-over-IPsec encapsulation mode, the application payload is first encapsulated within a GRE packet. IPsec then encrypts the GRE packet, so the result is a packet encapsulated and encrypted by the IPsec header.
  • Select this encapsulation type by specifying tunnel mode gre for the tunnel interface to which the IPsec profile is applied. This ensures that the packets forwarded on the interface are encrypted.
  • When using GRE-over-IPsec encapsulation mode, both IPsec mode options are supported (select either transport or tunnel).

VTI IPsec
  • In VTI encapsulation mode, the application payload is directly encapsulated and encrypted by the IPsec header.
  • Select this encapsulation type by specifying tunnel mode ipsec for the tunnel interface to which the IPsec profile is applied. This ensures that the packets forwarded on the interface are encrypted.
  • When using VTI encapsulation mode, set the IPsec mode to tunnel. The transport option under the IPsec mode has no effect.

Requirements when Behind a NAT

The AWE-7200R and CloudEOS router supports NAT-Traversal to communicate with a remote peer that is behind a NAT. Configure the tunnel source with the IP address of the outgoing interface on the router.

Flow Parallelization

Enable the IPsec flow parallelization feature to achieve high throughput over an IPsec connection. When the feature is enabled, multiple cores process IPsec encryption and decryption in parallel. To enable the feature, include the flow parallelization encapsulation udp command in the IPsec profile configuration.

Note: The feature must be enabled on both sides of the tunnel. Other vendors do not support Flow Parallelization.

Note: This feature should be used with GRE over IPsec.

If the IPsec session was established before the feature was enabled, complete the following tasks:
  • Under the tunnel's IPsec profile, use the flow parallelization encapsulation udp command to enable the feature.
  • Shut down the tunnel interface.
  • Bring the tunnel interface back up. The feature takes effect once the tunnel is up again.

Using IPsec on AWE-7200R and CloudEOS Router Instances

The AWE-7200R and CloudEOS router establishes and maintains GRE-over-IPsec and VTI IPsec tunnels for secure or encrypted communications between peer AWE-7200R and CloudEOS router instances.

Topology

Use the AWE-7200R and CloudEOS router to establish and maintain IPsec tunnels between peer AWE-7200R and CloudEOS router instances in topologies of varying complexity.

The diagram below represents a basic IPsec tunnel configuration in which two AWE-7200R and CloudEOS router instances are connected by an IPsec tunnel.

The basic process for establishing secure communications using IPsec involves the following tasks:
  • Creating an IKE Policy to establish IKE with the peer.
  • Specifying the encryption and integrity protocols for the Security Association (SA) Policy.
  • Apply IKE and SA policies to a given profile.
  • Apply the profile to a tunnel interface.

Configuring IPsec Tunnels on AWE-7200R and CloudEOS Router Instances

Use this procedure to configure GRE-over-IPsec or VTI IPsec tunnels on peer AWE-7200R and CloudEOS router instances.

The procedure provides all the steps required to set up either GRE-over-IPsec or VTI IPsec tunnels. Most steps are identical for both tunnel types (Steps 1 through 6 are the same); the tunnel type is selected in Step 7.

Note: AWE-7200R and CloudEOS router, by default, uses IKE version 2 for all IPsec tunnels. To configure a tunnel that uses IKE version 1, explicitly configure the AWE-7200R and CloudEOS router to use IKE version 1.

Procedure

Complete the following steps to configure GRE-over-IPsec or VTI IPsec tunnels on AWE-7200R and CloudEOS router instances. This procedure uses the default IKE version, version 2.

  1. Use this command to enter IP security mode.
    router(config)# ip security

  2. To use IKE version 1, configure the IKE policy version as shown here before continuing with the default (IKE version 2) steps below.
    router(config)# ip security
    router(config-ipsec)# ike policy ike-peerRtr
    router(config-ipsec-ike)# version 1

  3. Create an IKE Policy to communicate with the peer to establish IKE. You have the option to configure multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
      router(config-ipsec)# ike policy ike-vrouter
      router(config-ipsec-ike)# encryption aes256
      router(config-ipsec-ike)# integrity sha256
      router(config-ipsec-ike)# dh-group 24
      router(config-ipsec-ike)# version 2

  4. Configure the local-id with the local public IP address if the router is behind a NAT. The public IP corresponds to the underlying interface over which the IKE communications with the peer take place.
    router(config-ipsec-ike)# local-id <public ip address>

  5. Create an IPsec Security Association policy to be used in the data path for encryption and integrity. Optionally enable Perfect Forward Secrecy by configuring a DH group on the SA.
    In this example, AES256 is used for encryption, SHA256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    router(config-ipsec)# sa policy sa-vrouter
    router(config-ipsec-sa)# esp encryption aes256
    router(config-ipsec-sa)# esp integrity sha256
    router(config-ipsec-sa)# pfs dh-group 14
    router(config-ipsec-sa)# sa lifetime 2
    router(config-ipsec-sa)# exit

  6. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared key, which must be common to both peers. The default profile assigns default values for all parameters not explicitly configured in the other profiles.
    In this example, the IPsec mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for over 50 seconds. The peer peer-Rtr is set to be the responder.
    router(config-ipsec)# profile default
    router(config-ipsec-profile)# ike-policy ikedefault
    router(config-ipsec-profile)# sa-policy sadefault
    router(config-ipsec-profile)# shared-key arista
    router(config-ipsec)# profile vrouter
    router(config-ipsec-profile)# ike-policy ike-vrouter
    router(config-ipsec-profile)# sa-policy sa-vrouter
    router(config-ipsec-profile)# dpd 10 50 clear
    router(config-ipsec-profile)# connection add
    router(config-ipsec-profile)# mode transport

  7. Configure the AWE-7200R and CloudEOS router interface to be the underlying interface for the tunnel. You must specify an L3 address for the tunnel; if the L3 address is not specified, the router cannot route packets using the tunnel.
    router(config)# interface Et1 
    router(config-if-Et1)# no routerport
    router(config-if-Et1)# ip address 1.0.0.1/24
    router(config-if-Et1)# mtu 1500

  8. Apply the IPsec profile to a new tunnel interface. You create the new tunnel interface as part of this step. You can configure the tunnel as a GRE-over-IPsec tunnel or a VTI IPsec tunnel.
    (GRE-over-IPsec): In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec, and the tunnel mode is set to GRE. The other end of the tunnel also needs to be configured as a GRE-over-IPsec tunnel.
    router(config)# interface tunnel0
    router(config-if-Tu0)# ip address 1.0.3.1/24
    router(config-if-Tu0)# tunnel mode gre
    router(config-if-Tu0)# mtu 1394
    router(config-if-Tu0)# tunnel source 1.0.0.1
    router(config-if-Tu0)# tunnel destination 1.0.0.2
    router(config-if-Tu0)# tunnel ipsec profile vrouter
  9. (VTI IPsec): To configure a VTI IPsec tunnel, set the tunnel mode with tunnel mode ipsec. The other tunnel settings are the same as for GRE-over-IPsec.
    router(config)# interface tunnel0
    router(config-if-Tu0)# ip address 1.0.3.1/24
    router(config-if-Tu0)# tunnel mode ipsec
    router(config-if-Tu0)# mtu 1394
    router(config-if-Tu0)# tunnel source 1.0.0.1
    router(config-if-Tu0)# tunnel destination 1.0.0.2
    router(config-if-Tu0)# tunnel ipsec profile vrouter
    To move the tunnel interface to a different VRF, complete Step 9. To achieve high throughput, complete Step 10.
  10. Create the GRE-over-IPsec tunnel interface in a VRF using the vrf forwarding command. If a VRF is needed, create it, then create and configure the GRE tunnel interface in it. If tunnels in different VRFs need to share the IPsec connection, configure the same tunnel source, destination, and IPsec profile on each tunnel, and give each tunnel a unique tunnel key.
    router(config)# vrf definition red
    router(config-vrf-red)# rd 1:3
    router(config-vrf-red)# interface tunnel0
    router(config-if-Tu0)# vrf forwarding red
    router(config-if-Tu0)# ip address 1.0.3.1/24
    router(config-if-Tu0)# tunnel mode gre
    router(config-if-Tu0)# mtu 1394
    router(config-if-Tu0)# tunnel source 1.0.0.1
    router(config-if-Tu0)# tunnel destination 1.0.0.2
    router(config-if-Tu0)# tunnel key 100
    router(config-if-Tu0)# tunnel ipsec profile vrouter
    router(config)# vrf definition blue
    router(config-vrf-blue)# rd 1:4
    router(config-vrf-blue)# interface tunnel1
    router(config-if-Tu1)# vrf forwarding blue
    router(config-if-Tu1)# ip address 1.0.4.1/24
    router(config-if-Tu1)# tunnel mode gre
    router(config-if-Tu1)# mtu 1394
    router(config-if-Tu1)# tunnel source 1.0.0.1
    router(config-if-Tu1)# tunnel destination 1.0.0.2
    router(config-if-Tu1)# tunnel key 200
    router(config-if-Tu1)# tunnel ipsec profile vrouter
  11. Enable the IPsec flow parallelization feature to achieve high throughput over the IPsec tunnel. To enable the feature, include the flow parallelization encapsulation udp command in the IPsec profile configuration, then apply the IPsec profile to the tunnel interface.
    (IPsec profile configuration)
    router(config-ipsec)# profile vrouter
    router(config-ipsec-profile)# ike-policy ike-vrouter
    router(config-ipsec-profile)# sa-policy sa-vrouter
    router(config-ipsec-profile)# dpd 10 50 clear
    router(config-ipsec-profile)# connection start
    router(config-ipsec-profile)# mode transport
    router(config-ipsec-profile)# flow parallelization encapsulation udp

    Example: (Applying IPsec profile to tunnel interface)
    router(config)# interface tunnel0
    router(config-if-Tu0)# tunnel ipsec profile vrouter
    Note: Repeat Step 9 on the other end of the tunnel. The IPsec flow parallelization feature must be enabled on both ends of the tunnel.

Examples of Running-configurations for GRE-over-IPsec Tunnels

The following examples show the running configurations for two AWE-7200R and CloudEOS router instances (router1 and router2). The instances are the endpoints of a GRE-over-IPsec tunnel.

Running Configuration for AWE-7200R and CloudEOS router1

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq 
dpd 10 50 clear
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode gre
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!
interface Ethernet1 
no routerport
ip address 1.0.0.1/24
!

Running Configuration for AWE-7200R and CloudEOS router2

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
ike policy ikebranch2
dh-group 15
version 1
local-id 200.0.0.1
!
ike policy ikedefault
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1 
connection start
shared-key keyAristaHq
dpd 10 50 clear
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.2/24 
tunnel mode gre 
tunnel source 1.0.0.2
tunnel destination 1.0.0.1
tunnel ipsec profile hq
!
interface Ethernet2 
no routerport
ip address 1.0.0.2/24
!
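
The Flow Parallelization note above says the feature must be enabled on both sides of the tunnel, the profile step says the shared key must be common to both peers, and the GRE step says the far end must also be a GRE-over-IPsec tunnel. The following Python script is an added example, not Arista code or a tool from this page: it parses two EOS-style running-configs (the sample is a trimmed copy of the GRE-over-IPsec configs above, with the peer constructed as its mirror image and flow parallelization enabled on router1 only) and reports the mismatches that otherwise show up only as a tunnel that never comes up. The IKE defaults it fills in (AES256, SHA256, DH group 14, IKEv2) are the ones stated on this page; the parser's handling of indentation and its two-word keyword set are assumptions about the config grammar.

```python
"""Cross-check two AWE-7200R / CloudEOS peers for the IPsec consistency rules this page
states: mirrored endpoints, one tunnel mode, a common shared key, not two responders,
matching IKE/SA parameters, and flow parallelization on both ends or on neither."""

# IKE policy defaults as stated on this page, used when a peer leaves a knob unset;
# TWO_WORD_KEYS lists keywords whose first two words form the key ("tunnel source", ...).
IKE_DEFAULTS = {"encryption": "aes256", "integrity": "sha256", "dh-group": "14", "version": "2"}
TWO_WORD_KEYS = {"tunnel", "sa", "esp", "pfs", "ip", "flow"}

# Constructed sample: router1 is this page's GRE-over-IPsec running-config, trimmed, with
# 'flow parallelization encapsulation udp' added on this side only.
ROUTER1 = """\
ip security
   ike policy ikebranch1
      integrity sha256
      dh-group 15
   !
   sa policy sabranch1
      pfs dh-group 14
   !
   profile hq
      ike-policy ikebranch1
      sa-policy sabranch1
      connection add
      shared-key keyAristaHq
      flow parallelization encapsulation udp
!
interface Tunnel1
   tunnel mode gre
   tunnel source 1.0.0.1
   tunnel destination 1.0.0.2
   tunnel ipsec profile hq
!
"""
# router2 is constructed as the mirror image: endpoints swapped, initiator, no flow parallelization.
ROUTER2 = (ROUTER1.replace("1.0.0.1", "X").replace("1.0.0.2", "1.0.0.1").replace("X", "1.0.0.2")
           .replace("connection add", "connection start")
           .replace("      flow parallelization encapsulation udp\n", ""))


def parse_eos_ipsec(text):
    """Parse 'ip security' sub-blocks and Tunnel interfaces into nested dicts; indentation
    is ignored (an assumption about the grammar) and '!' closes the open block."""
    cfg = {"ike": {}, "sa": {}, "profile": {}, "tunnel": {}}
    section = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words == ["!"] or words[:2] == ["ip", "security"]:
            section = None
        elif words[:2] in (["ike", "policy"], ["sa", "policy"]):
            section = (words[0], words[2])
        elif words[0] == "profile":
            section = ("profile", words[1])
        elif words[0] == "interface":
            section = ("tunnel", words[1]) if words[1].lower().startswith("tunnel") else None
        elif section is not None:  # a leaf setting inside the open block
            n = 2 if words[0] in TWO_WORD_KEYS else 1
            cfg[section[0]][section[1]][" ".join(words[:n])] = " ".join(words[n:])
            continue
        else:
            continue
        if section is not None:
            cfg[section[0]].setdefault(section[1], {})
    return cfg


def profile_of(cfg, tunnel):
    """Profile dict bound by 'tunnel ipsec profile NAME' ({} when none is bound)."""
    words = tunnel.get("tunnel ipsec", "").split()
    return cfg["profile"].get(words[-1], {}) if words else {}


def diff_params(label, a, b, skip=()):
    """Findings for keys whose values differ; 'skip' holds per-side keys such as local-id."""
    return [f"{label} {k} differs ({a.get(k)} vs {b.get(k)})"
            for k in sorted(set(a) | set(b)) if k not in skip and a.get(k) != b.get(k)]


def check_peers(cfg_a, cfg_b):
    """Findings for each tunnel of cfg_a against its mirror on cfg_b; [] means consistent."""
    findings = []
    for name, a in cfg_a["tunnel"].items():
        mirrors = [n for n, b in cfg_b["tunnel"].items()
                   if b.get("tunnel source") == a.get("tunnel destination")
                   and b.get("tunnel destination") == a.get("tunnel source")]
        if not mirrors:
            findings.append(f"{name}: peer has no tunnel with mirrored source/destination")
            continue
        b = cfg_b["tunnel"][mirrors[0]]
        pa, pb = profile_of(cfg_a, a), profile_of(cfg_b, b)
        if a.get("tunnel mode") != b.get("tunnel mode"):
            findings.append(f"{name}: tunnel mode differs ({a.get('tunnel mode')} vs {b.get('tunnel mode')})")
        if pa.get("shared-key") != pb.get("shared-key"):
            findings.append(f"{name}: shared-key differs between peers")
        if pa.get("connection") == pb.get("connection") == "add":
            findings.append(f"{name}: both peers are responders (connection add); nobody initiates")
        if ("flow parallelization" in pa) != ("flow parallelization" in pb):
            findings.append(f"{name}: flow parallelization enabled on one peer only")
        ike_a = {**IKE_DEFAULTS, **cfg_a["ike"].get(pa.get("ike-policy"), {})}
        ike_b = {**IKE_DEFAULTS, **cfg_b["ike"].get(pb.get("ike-policy"), {})}
        findings += diff_params(f"{name}: IKE", ike_a, ike_b, skip=("local-id",))
        findings += diff_params(f"{name}: SA", cfg_a["sa"].get(pa.get("sa-policy"), {}),
                                cfg_b["sa"].get(pb.get("sa-policy"), {}))
    return findings
```

Run check_peers on both peers' show running-config output in place of the sample strings; an empty findings list means the two ends agree on everything this page says must match. A local-id difference is deliberately ignored because that value is per-side (each router's own public address behind its NAT).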

Examples of Running-configurations for VTI IPsec Tunnels

The following examples show the running configurations for two AWE-7200R and CloudEOS router instances (router 1 and router 2). The instances are the endpoints of a VTI IPsec tunnel.

Running Configuration for AWE-7200R and CloudEOS router 1

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq
dpd 10 50 clear
!
interface Ethernet1
no routerport
ip address 1.0.0.1/24
!
interface Management1
ip address dhcp
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode ipsec
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!

Running Configuration for AWE-7200R and CloudEOS router 2

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
ike policy ikebranch2
dh-group 15
version 1
local-id 200.0.0.1
!
ike policy ikedefault
!
sa policy sabranch1
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection start
shared-key keyAristaHq
dpd 10 50 clear
!
interface Ethernet2 
no routerport
ip address 1.0.0.2/24
!
interface Management1
ip address dhcp
!
interface Tunnel1 
mtu 1404
ip address 1.0.3.2/24 
tunnel mode ipsec 
tunnel source 1.0.0.2
tunnel destination 1.0.0.1
tunnel ipsec profile hq
!

Using IPsec on AWE-7200R and CloudEOS and Third-Party Devices

The AWE-7200R and CloudEOS Router establishes and maintains IPsec tunnels for secure or encrypted communications between AWE-7200R and CloudEOS Router instances and third-party peer router instances.

The basic process for establishing secure communications using IPsec involves these tasks:
  • Creating an IKE Policy to establish IKE with the peer.
  • Specifying the encryption and integrity protocols for the Security Association (SA) Policy.
  • Apply IKE and SA policies to a given profile.
  • Apply the profile to a tunnel interface.

Topology

Use the AWE-7200R and CloudEOS Router to establish and maintain IPsec tunnels between its router instances and third-party router instances in topologies of varying complexity.

The following diagram represents a basic IPsec tunnel configuration where a router instance and a third-party router instance are connected using an IPsec tunnel.

Figure 1. IPsec Interoperability

Interoperability Support

The AWE-7200R and CloudEOS Router establishes and maintains IPsec tunnels for secure or encrypted communications between AWE-7200R and CloudEOS Router instances and third-party device peer router instances.

The following are the types of IPsec tunnels that can be set up between AWE-7200R and CloudEOS Router instances and third-party virtual router instances.
  • Palo Alto Firewall VM
    • Set up these IPsec tunnels between AWE-7200R and CloudEOS Router instances and Palo Alto firewall VM router instances.
      • VTI IPsec
  • CSR
    • Set up these IPsec tunnels between AWE-7200R and CloudEOS Router instances and CSR router instances.
      • GRE-over-IPsec
      • VTI IPsec
  • AWS VPN Specific Cloud
    • Set up these IPsec tunnels between AWE-7200R and CloudEOS Router instances and AWS VPN Specific Cloud router instances.
      • VTI IPsec
  • vSRX
    • Set up these IPsec tunnels between AWE-7200R and CloudEOS Router instances and vSRX router instances.
      • VTI IPsec

AWE-7200R and CloudEOS Router and Palo Alto Firewall VM

The AWE-7200R and CloudEOS Router establishes and maintains IPsec tunnels for secure or encrypted communications between AWE-7200R and CloudEOS Router instances and third-party device peer router instances.

AWE-7200R and CloudEOS Router Configuration

Use this procedure to configure GRE-over-IPsec tunnels on an AWE-7200R and CloudEOS Router instance. Once the procedure is complete, configure the other tunnel endpoint on the third-party peer router.

Note: By default, the AWE-7200R and CloudEOS Router uses IKE version 2 for all IPsec tunnels. To configure a GRE-over-IPsec tunnel that uses IKE version 1, explicitly configure the AWE-7200R and CloudEOS Router to use IKE version 1.

Procedure

Complete the following steps to configure the AWE-7200R and CloudEOS Router instance to share a GRE-over-IPsec tunnel.

To use IKE version 1, complete the section below, then continue with the following steps. To use the default IKE version, version 2, begin with Step 1 below.
router(config)# ip security
router(config-ipsec)# ike policy ike-peerRtr
router(config-ipsec-ike)# version 1

  1. Use this command to enter IP security mode.
    router(config)# ip security

  2. Create an IKE Policy to communicate with the peer to establish IKE Phase 1. There is an option to configure multiple IKE policies.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    router(config-ipsec)# ike policy ike-vrouter 
    router(config-ipsec-ike)# encryption aes256 
    router(config-ipsec-ike)# integrity sha256 
    router(config-ipsec-ike)# dh-group 24
    router(config-ipsec-ike)# version 2 
    router(config-ipsec-ike)# exit
    router(config-ipsec)# ike policy ike-default 
    router(config-ipsec-ike)# version 2 
    router(config-ipsec-ike)# exit

  3. Configure the local-id with the local public IP address if the router is behind a NAT.
    router(config-ipsec-ike)# local-id <public ip address>

  4. Create an IPsec Security Association policy for encryption and integrity in the data path. Optionally enable Perfect Forward Secrecy by configuring a DH group on the SA.
    In this example, AES256 is used for encryption, SHA256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
    router(config-ipsec)# sa policy sa-vrouter
    router(config-ipsec-sa)# esp encryption aes256
    router(config-ipsec-sa)# esp integrity sha256
    router(config-ipsec-sa)# pfs dh-group 14
    router(config-ipsec-sa)# sa lifetime 2
    router(config-ipsec-sa)# exit
    router(config-ipsec)# sa policy sa-default
    router(config-ipsec-sa)# exit

  5. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared key, which must be common to both peers. The default profile assigns default values for all parameters not explicitly configured in the other profiles.
    In this example, the IPsec mode is set to transport. The IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for over 50 seconds. The peer (peer-Rtr) is set to be the responder.
    router(config-ipsec)# profile default
    router(config-ipsec-profile)# ike-policy ikedefault
    router(config-ipsec-profile)# sa-policy sadefault
    router(config-ipsec-profile)# shared-key arista
    
    router(config-ipsec)# profile peer-Rtr
    router(config-ipsec-profile)# ike-policy ike-peerRtr
    router(config-ipsec-profile)# sa-policy sa-peerRtr
    router(config-ipsec-profile)# dpd 10 50 clear
    router(config-ipsec-profile)# connection add
    router(config-ipsec-profile)# mode transport

  6. Configure the AWE-7200R and CloudEOS router interface to be the underlying interface for the tunnel. Specify an L3 address for the tunnel. If the L3 address is not specified, the router cannot route packets using the tunnel.
    router(config)# interface Et1
    router(config-if-Et1)# no routerport
    router(config-if-Et1)# ip address 1.0.0.1/24 
    router(config-if-Et1)# mtu 1500

  7. Apply the IPsec profile to a new tunnel interface. Create the new tunnel interface as part of this step.
    In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec, and the tunnel mode is set to GRE. Configure the other end of the tunnel also as a GRE-over-IPsec tunnel.
    router(config)# interface tunnel0
    router(config-if-Tu0)# ip address 1.0.3.1/24 
    router(config-if-Tu0)# tunnel mode gre 
    router(config-if-Tu0)# mtu 1400
    router(config-if-Tu0)# tunnel source 1.0.0.1
    router(config-if-Tu0)# tunnel destination 1.0.0.2 
    router(config-if-Tu0)# tunnel ipsec profile vrouter

  8. Create the GRE-over-IPsec tunnel interface in a VRF using the vrf forwarding command. Create the VRF, then create and configure the GRE tunnel interface. Make sure to specify a tunnel key that is unique across all tunnels.
    Note: If tunnels in different VRFs need to share the IPsec connection, specify the same source, destination, and IPsec profile.
    router(config)# vrf definition red
    router(config-vrf-red)# rd 1:3 
    router(config-vrf-red)# interface tunnel0 
    router(config-if-Tu0)# ip address 1.0.3.1/24 
    router(config-if-Tu0)# vrf forwarding red 
    router(config-if-Tu0)# tunnel mode gre 
    router(config-if-Tu0)# mtu 1400
    router(config-if-Tu0)# tunnel source 1.0.0.1
    router(config-if-Tu0)# tunnel destination 1.0.0.2
    router(config-if-Tu0)# tunnel key 100 
    router(config-if-Tu0)# tunnel ipsec profile vrouter
    
    router(config)# vrf definition blue 
    router(config-vrf-blue)# rd 1:4 
    router(config-vrf-blue)# interface tunnel1 
    router(config-if-Tu1)# ip address 1.0.4.1/24 
    router(config-if-Tu1)# vrf forwarding blue 
    router(config-if-Tu1)# tunnel mode gre 
    router(config-if-Tu1)# mtu 1400
    router(config-if-Tu1)# tunnel source 1.0.0.1
    router(config-if-Tu1)# tunnel destination 1.0.0.2
    router(config-if-Tu1)# tunnel key 200 
    router(config-if-Tu1)# tunnel ipsec profile vrouter

  9. Configure the GRE-over-IPsec tunnel on the peer router.

Configuring VTI IPsec Tunnels

The AWE-7200R and CloudEOS Router can establish VTI IPsec tunnels between an AWE-7200R and CloudEOS Router instance and a third-party peer router instance (such as a Palo Alto firewall VM). First complete the setup of the tunnel on the AWE-7200R and CloudEOS Router instance, then set up the other end of the tunnel on the third-party peer router instance.

Palo Alto Firewall VM Configuration

Use this configuration when pairing a Palo Alto firewall VM instance and an AWE-7200R and CloudEOS Router instance as the endpoints of a VTI IPsec tunnel.

Note: Refer to the Palo Alto firewall VM documentation for configuration details, including the different interfaces used to complete the configuration and all the parameters and options.

Supported Tunnel Types

Set up VTI IPsec tunnels using the Palo Alto firewall VM as a peer router instance with an AWE-7200R and CloudEOS Router instance. GRE-over-IPsec tunnels between this combination of peer router instances are not supported.

Configuration Guidelines

The following are guidelines to follow when configuring the Palo Alto firewall VM.
  • IP address settings. Configure the first interface (typically named eth0) as the management interface. Use the public IP address on this interface to open the GUI of the Palo Alto firewall VM.
  • Management interface. Use this interface only for control plane traffic.
  • Management profile. When configuring the profile, select all protocols allowed on the management interface.

Procedure

  1. Create a new management profile. Select all of the protocols allowed on the management interface.
  2. Create a new tunnel interface and specify the following parameters.
    • Name: (for example, tunnel 1.)
    • Virtual router: (Select the existing virtual router.)
    • Security Zone: (Select the layer 3 internal zone, which is the zone from which the traffic originates.)
    • IP address: (Tunnel IP address.)

  3. Add a new IKE Crypto profile and specify the IKE options.
    Note: Make sure the settings match the IKE settings on the other end of the tunnel (the AWE-7200R and CloudEOS Router instance). This ensures that the IKE negotiation succeeds.

    • Name: (can be any name.)
    • Virtual router: (Select the existing virtual router.)
    • Security Zone: (Select the layer 3 internal zone, the zone from which the traffic originates.)
    • IP address: (Tunnel IP address.)

  4. Configure the IKE gateway.
    Note: Make sure the pre-shared key matches the key defined on the other end of the tunnel (the AWE-7200R and CloudEOS Router instance).

  5. Add a new IPsec Crypto profile for the IPsec SA options.
    Note: Make sure the settings match the SA policy settings on the other end of the tunnel (the AWE-7200R and CloudEOS Router instance). This ensures that the IKE negotiation of the IPsec SAs succeeds.

  6. Create a new IPsec tunnel, and select the tunnel interface, IKE gateway, IKE crypto profile, and IPsec crypto profile defined earlier in the procedure. Selecting these elements binds them to the new tunnel interface.
    Note: Enter the destination IP address of the tunnel interface of the AWE-7200R and CloudEOS Router in the Destination IP option (one of the Tunnel Monitor settings on the Palo Alto firewall VM).

  7. Create a new static route for the network behind the remote tunnel endpoint. This static route ensures traffic flows through the tunnel to the other tunnel endpoint.

  8. Commit (save) the configuration.

AWE-7200R and CloudEOS, Palo Alto Firewall VM Pairing (VTI IPsec Tunnel)

The following example shows a VTI IPsec tunnel between an AWE-7200R and CloudEOS Router instance and a third-party Palo Alto firewall VM router instance.

Running Configuration for AWE-7200R and CloudEOS
ip security
ike policy ikebranch1
integrity sha256 
dh-group 15
!
sa policy sabranch1 
sa lifetime 2
pfs dh-group 14
!
profile hq
ike-policy ikebranch1 
sa-policy sabranch1 
connection add
shared-key keyAristaHq 
dpd 10 50 clear
!
interface Ethernet1 
no routerport
ip address 1.0.0.1/24
!
interface Management1 
ip address dhcp
!

interface Tunnel1 
mtu 1404
ip address 1.0.3.1/24
tunnel mode ipsec 
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!

Running Configuration on Palo Alto Firewall VM
"ike": {
  "crypto-profiles": {
    "ike-crypto-profiles": [
      {
        "@name": "veos12-IKE-Phase1",
        "hash": {
          "member": "sha512"
        },
        "dh-group": {
          "member": "group20"
        },
        "encryption": {
          "member": "aes-256-cbc"
        },
        "lifetime": {
          "hours": "8"
        }
      }
    ]

    "ipsec-crypto-profiles": [
      {
        "@name": "veos12-IPSEC-Phase2",
        "esp": {
          "authentication": {
            "member": "sha256"
          },
          "encryption": {
            "member": "aes-256-cbc"
          }
        },
        "lifetime": {
          "hours": "2"
        },
        "dh-group": "group20"
      }

  "gateway": {
    "entry": {
      "@name": "veos12-IKE-Gateway",
      "authentication": {
        "pre-shared-key": {
          "key": "-AQ==ocHnGzxJ4JVLomPyHuZNlg84S7I=BCiu0HIvFeFOSQOx/gmhNQ=="
        }
      },
      "protocol": {
        "ikev1": {
          "dpd": {
            "enable": "yes",
            "interval": "100",
            "retry": "100"
          },
          "ike-crypto-profile": "veos12-IKE-Phase1"
        },
        "ikev2": {
          "dpd": {
            "enable": "yes"
          },
          "ike-crypto-profile": "veos12-IKE-Phase1"
        },
        "version": "ikev2-preferred"
      }

"tunnel": {
  "ipsec": {
    "entry": {
      "@name": "veos12-IPSEC-Tunnel",
      "auto-key": {
        "ike-gateway": {
          "entry": {
            "@name": "veos12-IKE-Gateway"
          }
        },
        "ipsec-crypto-profile": "veos12-IPSEC-Phase2"
      },
      "tunnel-monitor": {
        "enable": "yes",
        "destination-ip": "1.0.3.1",
        "tunnel-monitor-profile": "Test"
      },
      "tunnel-interface": "tunnel.1",
      "disabled": "no"
    }
  }
}
}

 

AWE-7200R and CloudEOS Router Configuration

Use this procedure to configure VTI IPsec tunnels on an Arista router instance. Complete the procedure, then configure the other tunnel endpoint on the third-party peer router.

Note: By default, the AWE-7200R and CloudEOS Router use IKE version 2 for all IPsec tunnels. To configure a VTI IPsec tunnel that uses IKE version 1, explicitly configure the AWE-7200R and CloudEOS Router instance to use IKE version 1.

Procedure

Complete the following steps to configure an AWE-7200R and CloudEOS Router instance to share a VTI IPsec tunnel.

To use IKE version 1, first enter the commands shown below and then continue with Step 1. To use IKE version 2, the default version, start with Step 1.

router(config)#ip security
router(config-ipsec)#ike policy ike-peerRtr
router(config-ipsec-ike)#version 1

 

  1. Use this command to enter IP security mode.
    router(config)# ip security

  2. Create an IKE Policy to communicate with the peer to establish IKE Phase 1 options. Multiple IKE policies can be configured.
    The default IKE Policy values are:
    • Encryption - AES256
    • Integrity - SHA256
    • DH group - Group 14
    • IKE lifetime - 8 hours
    In this example, the policy overrides the defaults with SHA512 integrity and DH group 20.
    router(config)# ip security
    router(config-ipsec)# ike policy ike-vrouter-PA
    router(config-ipsec-ike)# integrity sha512
    router(config-ipsec-ike)# encryption aes256
    router(config-ipsec-ike)# dh-group 20

  3. Configure the local-id with the local public IP address if the router is behind a NAT.
    router(config-ipsec-ike)# local-id <public ipaddress>

  4. Create an IPsec Security Association policy in the data path for encryption and integrity. Perfect Forward Secrecy can be enabled by configuring a DH group for the SA.
    In this example, AES256 is used for encryption, SHA256 is used for integrity, and Perfect Forward Secrecy is enabled with DH group 20.
    router(config-ipsec)# sa policy sa-vrouter-PA
    router(config-ipsec-sa)# esp encryption aes256
    router(config-ipsec-sa)# esp integrity sha256
    router(config-ipsec-sa)# sa lifetime 2
    router(config-ipsec-sa)# pfs dh-group 20

  5. Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared key, which must be common to both peers. The default profile assigns default values for all parameters not explicitly configured in the other profiles.
    In this example, the IKE Policy ike-vrouter-PA and SA Policy sa-vrouter-PA are applied to profile vrouter-PA. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for over 30 seconds.
    router(config-ipsec)# profile vrouter-PA
    router(config-ipsec-profile)# ike-policy ike-vrouter-PA
    router(config-ipsec-profile)# sa-policy sa-vrouter-PA
    router(config-ipsec-profile)# connection start
    router(config-ipsec-profile)# shared-key Arista1234
    router(config-ipsec-profile)# dpd 10 30 clear

  6. Create a tunnel interface for the VTI tunnel. When tunnel mode is set to IPsec, configure a tunnel key on the router instance to ensure traffic can be forwarded through the tunnel.
    router(config)# interface Tunnel1
    router(config-if-Tu1)# mtu 1400
    router(config-if-Tu1)# ip address 1.0.3.1/24
    router(config-if-Tu1)# tunnel mode ipsec
    router(config-if-Tu1)# tunnel source 10.2.201.149
    router(config-if-Tu1)# tunnel destination 10.3.31.30
    router(config-if-Tu1)# tunnel ipsec profile vrouter-PA

Configure the VTI IPsec tunnel on the peer router (see Palo Alto Firewall VM Configuration).

CSR Router Show Commands

This section discusses the available CSR Router show commands and their example outputs.

View all Existing ISAKMP SAs

Use the show crypto isakmp sa command to view the ISAKMP SAs for all existing or current IPsec connections.

Example
router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.0.0.1         1.0.0.2         QM_IDLE           1331 ACTIVE
                                                 vrouter-ikev1-isakmp-profile

IPv6 Crypto ISAKMP SA

 

View all Existing IPsec SAs

Use the show crypto ipsec sa command to view the IPsec SAs for all existing or current IPsec connections.

Example
router# show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.0.0.1/255.255.255.255/47/0)
   current_peer 1.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.0.0.2, remote crypto endpt.: 1.0.0.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0xCB8FB740(3415193408)
     PFS (Y/N): N, DH group: none
     Dummy packet: Initializing

inbound esp sas:
 spi: 0x36383677(909653623)
   transform: esp-aes esp-sha-hmac ,
   in use settings ={Tunnel, }
   conn id: 5287, flow_id: CSR:3287, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
   sa timing: remaining key lifetime (k/sec): (4607999/3598)
   IV size: 16 bytes
   replay detection support: Y
   Status: ACTIVE(ACTIVE)

inbound ah sas: 

inbound pcp sas: 

outbound esp sas:
 spi: 0xCB8FB740(3415193408)
   transform: esp-aes esp-sha-hmac ,
   in use settings ={Tunnel, }
   conn id: 5288, flow_id: CSR:3288, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
   sa timing: remaining key lifetime (k/sec): (4607999/3598)
   IV size: 16 bytes
   replay detection support: Y
   Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

 

View Crypto (Encryption) Session Details

Use the show crypto session detail command to view details about the crypto session for all current IPsec connections.

Example
router# show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel0
Profile: vrouter-ikev1-isakmp-profile
Uptime: 00:20:23
Session status: UP-ACTIVE
Peer: 1.0.0.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.0.0.1
Desc: (none)
  Session ID: 0
  IKEv1 SA: local 1.0.0.2/500 remote 1.0.0.1/500 Active
          Capabilities:(none) connid:1332 lifetime:07:39:35
  IPSEC FLOW: permit 47 host 1.0.0.2 host 1.0.0.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 42 drop 0 life (KB/Sec) 4607997/2375
        Outbound: #pkts enc'ed 44 drop 0 life (KB/Sec) 4607995/2375

 

View IKEv2 SAs

Use the show crypto ikev2 sa command to view summary information about all IKE version 2 SAs used by existing IPsec connections.

Example
router# show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf      Status
1         3.3.3.3/500           3.3.3.1/500           none/none      READY
      Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5349 sec

IPv6 Crypto IKEv2SA

 

View IKEv2 SA Details

Use the show crypto ikev2 sa detailed command to view details about all IKE version 2 SAs used by existing IPsec connections.

Example
router# show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf      Status
1         3.3.3.3/500           3.3.3.1/500           none/none      READY
      Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5358 sec
      CE id: 1351, Session-id: 6
      Status Description: Negotiation done
      Local spi: 9FA0B7B1F7746E69       Remote spi: 4B1652D32691E8AF
      Local id: 3.3.3.3
      Remote id: 3.3.3.1
      Local req msg id:  4              Remote req msg id:  8
      Local next msg id: 4              Remote next msg id: 8
      Local req queued:  4              Remote req queued:  8
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

 

IPsec Show Commands

The AWE-7200R and CloudEOS Router provide commands to view all current or established IPsec tunnels and all profiles currently used by established tunnels.

The show commands are:
  • show ip security connection
  • show ip security connection detail

Examples

The example below shows the use of the show ip security connection command to view a summary of all current (established) IPsec tunnels.
router# show ip security connection
Tunnel   Source    Dest      Status       Uptime       Input       Output      Reauth Time
Tunnel0  1.0.0.1   1.0.0.2   Established  14 minutes   589 bytes   608 bytes   8 hours
                                                       7 pkts      36 pkts

 

The example below shows the use of the show ip security connection detail command to view the details for a specified IPsec tunnel.
router# show ip security connection detail
source address 1.0.0.1, dest address 1.0.0.2
 Inbound SPI 0x672F6CC3:
request id 1, mode transport replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime config:
 softlimit 18446744073709551615 bytes, hardlimit 18446744073709551615 bytes
 softlimit 18446744073709551615 pkts, hardlimit 18446744073709551615 pkts
 expire add 0 secs, hard 0 secs
lifetime current:
 589 bytes, 7 pkts
 add time Wed Aug 17 17:50:28 2016, use time Wed Aug 17 17:50:31 2016
 Outbound SPI 0xc5f3c373:
request id 1, mode transport replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime config:
 softlimit 18446744073709551615 bytes, hardlimit 18446744073709551615 bytes
 softlimit 18446744073709551615 pkts, hardlimit 18446744073709551615 pkts
 expire add 0 secs, hard 0 secs
lifetime current:
 608 bytes, 7 pkts
 add time Wed Aug 17 17:50:28 2016, use time Wed Aug 17 17:50:31 2016

 

The example below shows the use of the show ip sec applied-profile command to view all profiles currently used by established tunnels.
router# show ip sec applied-profile 
Profile Name Interface
Arista Tunnel0
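The detail output above is easier to act on when it is parsed rather than read by eye. The following Python is an added example, not Arista code: it parses `show ip security connection detail` output in the layout shown on this page into per-connection inbound and outbound SAs, then reports any non-zero replay or integrity error counter and any connection that is missing one direction. The sample output is constructed for the example, modelled on the output above, with a second, deliberately unhealthy connection added; the field and function names are this example's own.

```python
"""Parse 'show ip security connection detail' output and flag SAs that need attention.

Added example; not Arista code. The parser follows the output layout shown on
this page ('source address ..., dest address ...' per connection, 'Inbound SPI' /
'Outbound SPI' blocks, 'stats errors' counters, 'lifetime current' counts).
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the output shown on this page. The second
# connection is deliberately unhealthy: its inbound SA reports replay and
# integrity failures, which is what an operator would want surfaced.
SAMPLE_DETAIL = """\
source address 1.0.0.1, dest address 1.0.0.2
 Inbound SPI 0x672F6CC3:
request id 1, mode transport replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime config:
 softlimit 18446744073709551615 bytes, hardlimit 18446744073709551615 bytes
 expire add 0 secs, hard 0 secs
lifetime current:
 589 bytes, 7 pkts
 add time Wed Aug 17 17:50:28 2016, use time Wed Aug 17 17:50:31 2016
 Outbound SPI 0xc5f3c373:
request id 1, mode transport replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime current:
 608 bytes, 7 pkts
source address 1.0.0.1, dest address 1.0.0.3
 Inbound SPI 0x0a0b0c0d:
request id 2, mode tunnel replay-window 32, seq 0x0
stats errors:
 replay-window 4, replay 9, integrity_failed 3
lifetime current:
 120 bytes, 2 pkts
 Outbound SPI 0x0e0f1011:
request id 2, mode tunnel replay-window 32, seq 0x0
stats errors:
 replay-window 0, replay 0, integrity_failed 0
lifetime current:
 0 bytes, 0 pkts
"""

@dataclass
class SA:
    direction: str            # "inbound" or "outbound"
    spi: str
    mode: str = ""
    errors: dict = field(default_factory=dict)
    bytes: int = 0
    pkts: int = 0

@dataclass
class Connection:
    source: str
    dest: str
    sas: list = field(default_factory=list)

CONN_RE = re.compile(r"^source address (\S+), dest address (\S+)")
SPI_RE = re.compile(r"^\s*(Inbound|Outbound) SPI (0x[0-9A-Fa-f]+):")
MODE_RE = re.compile(r"\bmode (\w+)")
COUNTER_RE = re.compile(r"([\w-]+) (\d+)")
CURRENT_RE = re.compile(r"^\s*(\d+) bytes, (\d+) pkts")

def parse_connections(text):
    """Return a list of Connection objects, each holding its inbound/outbound SAs."""
    conns, conn, sa, in_errors = [], None, None, False
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            conn = Connection(m.group(1), m.group(2))
            conns.append(conn)
            sa = None
        elif m := SPI_RE.match(line):
            sa = SA(m.group(1).lower(), m.group(2))
            conn.sas.append(sa)
            in_errors = False
        elif sa is None:
            continue
        elif line.startswith("request id"):
            sa.mode = MODE_RE.search(line).group(1)
        elif line.strip() == "stats errors:":
            in_errors = True               # the counters are on the next line
        elif in_errors:
            sa.errors = {k: int(v) for k, v in COUNTER_RE.findall(line)}
            in_errors = False
        elif m := CURRENT_RE.match(line):   # only 'lifetime current' has this shape
            sa.bytes, sa.pkts = int(m.group(1)), int(m.group(2))
    return conns

def findings(conns):
    """Return (source, dest, direction, message) for anything an operator should look at."""
    out = []
    for c in conns:
        present = {s.direction for s in c.sas}
        for missing in sorted({"inbound", "outbound"} - present):
            out.append((c.source, c.dest, missing, "SA missing"))
        for s in c.sas:
            for name, count in s.errors.items():
                if count:                  # any replay or integrity error is worth a look
                    out.append((c.source, c.dest, s.direction, f"{name}={count}"))
    return out
```

Run `findings(parse_connections(text))` over the captured output of the command; an empty list means every connection has both SAs and clean error counters. A rising `integrity_failed` count on an established tunnel is the signal to compare the ESP integrity settings on both peers and to check for a misbehaving or spoofed sender, and a rising `replay` count points at packet reordering or duplication on the path.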

 

AWE-7200R and CloudEOS Routers and CSR

 

Use this configuration process to set up GRE-over-IPsec tunnels on CSR peer routers. Procedures are provided for configuration using IKE version 1 or IKE version 2. Make sure to use the correct procedure based on the selected version of IKE.

CSR Configuration

The configuration of VTI IPsec tunnels on CSR peer router instances is almost identical to that of GRE-over-IPsec tunnels. The only difference is the tunnel mode.

For VTI IPsec tunnels, tunnel mode must be set to ipsec; for GRE-over-IPsec tunnels, tunnel mode must be set to gre.

This example shows a basic VTI IPsec tunnel configuration for a CSR peer router instance.

Example

router(config)# interface Tunnel0
router(config-if)# ip address 1.0.3.1 255.255.255.0 
router(config-if)# tunnel source 10.3.31.30 
router(config-if)# tunnel destination 10.2.201.149 
router(config-if)# tunnel mode ipsec ipv4 
router(config-if)# tunnel protection ipsec profile vrouter-ikev1-ipsec-profile

 

Note: Make sure you use the correct procedure based on the version of IKE you need to use.

Sharing IPsec Connections

You can configure multiple GRE tunnels using the same IPsec connection on CSR.

You need to add an extra shared keyword after the profile name on every tunnel interface that is to be shared.
router(config)# interface Tunnel0
router(config-if)# tunnel protection ipsec profile vrouter-ikev2-ipsec-profile shared
router(config-if)# exit

IKEv1 Configuration

The CSR configuration to create a GRE-over-IPsec tunnel is similar to the AWE-7200R and CloudEOS Router setup using IKE version 1.

To ensure that the AWE-7200R and CloudEOS Router can establish a tunnel with CSR, set IKE version 1 on the Arista side as follows:
router(config)# ip security
router(config-ipsec)# ike policy ike-peerRtr
router(config-ipsec-ike)# version 1

  1. Enter the configuration terminal mode to configure IPsec.
    router# config terminal

     

  2. Configure a pre-shared key for the router and CSR to authenticate each other. Create a keyring to hold the keys.
    router(config)# crypto keyring vrouter-keyring  
    router(conf-keyring)# pre-shared-key address 1.0.0.2 key arista

    Create an ISAKMP policy. The policy is used to negotiate IKE Phase 1 with the peer. In the example below, a policy is created with AES256 encryption, SHA1 hashing, DH group 15, pre-shared-key authentication, and a lifetime of 28800 seconds.

    router(config)# crypto isakmp policy 1
    router(config-isakmp)# encr aes 256
    router(config-isakmp)# hash sha
    router(config-isakmp)# authentication pre-share
    router(config-isakmp)# group 15
    router(config-isakmp)# lifetime 28800

     

  3. Create an ISAKMP profile associated with the router to match its outside IP Address and the keyring created earlier to identify the pre-shared secret.
    router(config)# crypto isakmp profile vrouter-ikev1-isakmp-profile
    router(conf-isa-prof)# keyring vrouter-keyring
    router(conf-isa-prof)# match identity address 1.0.0.2 255.255.255.255
    router(conf-isa-prof)# local-address GigabitEthernet2

     

  4. Create the IPsec transform-set configuration settings. The transform-set defines the encryption and hash algorithm for the child/IPsec SA. This example creates a transform-set with AES cipher for the ESP encryption and SHA1 for the authentication. The mode for the IPsec is set to transport mode.
    router(config)# crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
    router(cfg-crypto-trans)# mode transport

     

  5. Create the IPsec profile, which includes the transform-set, SA idle time, lifetime, and replay windows used to create the child SA.
    router(config)# crypto ipsec profile vrouter-ikev1-ipsec-profile
    router(ipsec-profile)# set security-association idle-time 3600
    router(ipsec-profile)# set security-association dummy seconds 3600
    router(ipsec-profile)# set transform-set vrouter-tset
    router(ipsec-profile)# set isakmp-profile vrouter-ikev1-isakmp-profile

     

  6. Configure the interface that serves as the underlying interface for the tunnel. To route packets, the tunnel is given an L3 IP address.
    router(config)# interface GigabitEthernet2
    router(config-if)# ip address 1.0.0.2 255.255.255.0
    router(config-if)# mtu 9001
    router(config-if)# negotiation auto

  7. Apply the IPsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures the tunnel interface to use IPsec.
    router(config-if)# exit
    router(config)# interface Tunnel0
    router(config-if)# ip address 1.0.3.1 255.255.255.0
    router(config-if)# tunnel source 1.0.0.2
    router(config-if)# tunnel destination 1.0.0.1
    router(config-if)# tunnel protection ipsec profile vrouter-ikev1-ipsec-profile
    router(config-if)# exit

     

IKEv2 Configuration

The CSR configuration to create a GRE-over-IPsec tunnel is similar to the AWE-7200R and CloudEOS Router setup using IKE version 2.

The AWE-7200R and CloudEOS Router uses IKE version 2 by default; make sure the version is not set to 1 under the ike policy. The configuration steps for CSR IKEv2 are slightly different from those of IKEv1.

Complete the following steps to configure the CSR.

  1. Enter the configuration terminal mode to configure IPsec.
    router# configure terminal

     

  2. Create a pre-shared key for CSR and the AWE-7200R and CloudEOS Router to authenticate each other. Create a keyring to hold the keys, and enter the key together with the IP address of the peer AWE-7200R and CloudEOS Router.
    router(config)# crypto keyring vrouter-ikev2-keyring
    router(conf-keyring)# pre-shared-key address 1.0.0.2 key arista

     

  3. Create an IKEv2 proposal to specify the encryption, integrity, and group. In the example, it specifies AES256, SHA1, and DH group 14.
    router(config)# crypto ikev2 proposal vrouter-ikev2-proposal
    router(config-ikev2-proposal)# encryption aes-cbc-256
    router(config-ikev2-proposal)# integrity sha1
    router(config-ikev2-proposal)# group 14
    router(config-ikev2-proposal)# exit

     

  4. Create an IKEv2 policy and attach the proposal created in the previous step.
    router(config)# crypto ikev2 policy vrouter-ikev2-policy 
    router(config-ikev2-policy)# match fvrf any
    router(config-ikev2-policy)# proposal vrouter-ikev2-proposal
    router(config-ikev2-policy)# exit

     

  5. Create an IKEv2 profile and specify the match identity for the remote peer's address, authentication pre-share, and the keyring that was previously created.
    router(config)# crypto ikev2 profile vrouter-ikev2-profile
    router(config-ikev2-profile)# match fvrf any
    router(config-ikev2-profile)# match identity remote address 1.0.0.1 255.255.255.255
    router(config-ikev2-profile)# authentication remote pre-share key arista
    router(config-ikev2-profile)# authentication local pre-share key arista
    router(config-ikev2-profile)# exit

     

  6. Create the IPsec transform-set. This step is similar to the corresponding step in the IKEv1 configuration. The transform-set defines the encryption and hash algorithm for the child/IPsec SA. The example creates a transform-set with the AES cipher for ESP encryption and SHA1 for authentication. The IPsec mode is set to transport mode.
    router(config)# crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
    router(cfg-crypto-trans)# mode transport

     

  7. Create the IPsec profile similar to IKEv1. This profile includes the transform-set, SA idle time, lifetime, and replay windows used to create the child SA and specifies the IKEv2 profile to use.
    router(config)# crypto ipsec profile vrouter-ikev2-ipsec-profile
    router(ipsec-profile)# set security-association idle-time 3600
    router(ipsec-profile)# set security-association dummy seconds 3600
    router(ipsec-profile)# set transform-set vrouter-tset
    router(ipsec-profile)# set ikev2-profile vrouter-ikev2-profile
    router(ipsec-profile)# exit

     

  8. Configure the interface to use as the underlying interface for the tunnel. To route packets, the tunnel is given an L3 IP address.
    router(config)# interface GigabitEthernet2
    router(config-if)# ip address 1.0.0.1 255.255.255.0
    router(config-if)# negotiation auto

     

  9. Apply the IPsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures the tunnel interface to use IPsec.
    router(config-if)# exit
    router(config)# interface Tunnel0
    router(config-if)# ip address 1.0.3.1 255.255.255.0
    router(config-if)# tunnel path-mtu-discovery
    router(config-if)# tunnel source 1.0.0.1
    router(config-if)# tunnel destination 1.0.0.2
    router(config-if)# tunnel protection ipsec profile vrouter-ikev2-ipsec-profile
    router(config-if)# exit

AWE-7200R and CloudEOS Router (GRE-over-IPsec Tunnel)

The IPsec tunnels represented in these examples include GRE-over-IPsec tunnels on AWE-7200R and CloudEOS Router instances.

Running Configuration for AWE-7200R and CloudEOS
ip security
   ike policy ikebranch1
      encryption aes256
      dh-group 15
   !
   sa policy sabranch1
      sa lifetime 2
      pfs dh-group 14
   !
   profile hq
      ike-policy ikebranch1
      sa-policy sabranch1
      connection add
      shared-key keyAristaHq
      dpd 10 50 clear
!
interface Tunnel1
   ip address 1.0.3.1/24
   tunnel mode gre
   tunnel source 1.0.0.1
   tunnel destination 1.0.0.2
   tunnel ipsec profile hq
!
interface Ethernet1
   no switchport
   ip address 1.0.0.1/24

AWE-7200R and CloudEOS Router (VTI IPsec Tunnel)

The IPsec tunnels in these examples include VTI IPsec tunnels between AWE-7200R and CloudEOS Router instances and third-party CSR router instances.

Running Configuration for AWE-7200R and CloudEOS
ip security
   ike policy ikebranch1
      encryption aes256
      dh-group 15
   !
   sa policy sabranch1
      sa lifetime 2
      pfs dh-group 14
   !
   profile hq
      ike-policy ikebranch1
      sa-policy sabranch1
      connection add
      shared-key keyAristaHq
      dpd 10 50 clear
!
interface Tunnel1
   ip address 1.0.3.1/24
   tunnel mode ipsec
   tunnel source 1.0.0.1
   tunnel destination 1.0.0.2
   tunnel key 100
   tunnel ipsec profile hq
!
interface Ethernet1
   no switchport
   ip address 1.0.0.1/24

CSR Commands

The CSR router has show commands for several IPsec tunnel elements on CSR router instances; see CSR Router Show Commands above for the commands and their example outputs.


AWE-7200R and CloudEOS Routers and AWS Specific Cloud Configuration

This section discusses the configuration steps for an AWS-specific cloud on a AWE-7200R and CloudEOS Router instance.

IPsec Between the AWE-7200R and CloudEOS Router and AWS Specific Cloud Configuration

This section discusses the steps and running configuration for setting up an IPsec connection between the CloudEOS Router and the AWS Specific Cloud. The AWS Specific Cloud only supports IKEv1, not IKEv2.

The following configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. These can be modified to take advantage of AES256, SHA256, or other DH groups such as 5, 14-17, and 24.

Running-configuration of the AWE-7200R and CloudEOS Router and AWS Specific Cloud

 

The sample configuration below shows the running configuration of the AWE-7200R and CloudEOS router for the connection to the AWS Specific Cloud. In the configuration, the local-id is the router's external IP address when it is behind a NAT device, and the tunnel destination is the external IP address of the AWS Specific Cloud.
ip security
   ike policy AWS-IKE1
      integrity sha1
      version 1
      local-id 52.165.228.195
   !
   ike policy ikedefault
      encryption aes256
   !
   sa policy AWS-SA1
      esp encryption aes128
      esp integrity sha1
      pfs dh-group 14
   !
   profile AWS-profile
      ike-policy AWS-IKE1
      sa-policy AWS-SA1
      connection start
      shared-key LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU
   !
   profile default
      ike-policy ikedefault
      sa-policy AWS-SA1
      shared-key arista
!
interface Tunnel1
   ip address 169.254.11.162/30
   tunnel mode ipsec
   tunnel source 10.2.0.4
   tunnel destination 52.53.75.160
   tunnel ipsec profile AWS-profile
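Both this AWS configuration and the running configurations in the CSR section above are natural input for an automated baseline check before a tunnel goes into service. The following Python is an added example, not Arista or AWS code: it parses EOS `ip security` running-config text of the form shown on this page, fills unset IKE parameters with the defaults the page states (AES256, SHA256, DH group 14, IKEv2), and reports IKEv1, SHA1 integrity, a missing or weak PFS group, AES128, missing dead peer detection, and profiles that reference undefined policies. The two embedded configurations are constructed copies of the page's VTI and AWS configurations (the pre-shared key is a placeholder); the severity rules and function names are this example's own assumptions.

```python
"""Lint an EOS 'ip security' configuration against a crypto baseline.

Added example; not Arista code. It reads running-config text in the form shown
on this page, fills unset IKE parameters with the defaults the page states
(AES256, SHA256, DH group 14, IKEv2), and reports anything below the baseline
in lint(), which is this example's own assumption, not Arista guidance.
"""

# Constructed samples, modelled on the running configurations on this page.
VTI_CONFIG = """\
ip security
   ike policy ikebranch1
      encryption aes256
      dh-group 15
   !
   sa policy sabranch1
      pfs dh-group 14
   !
   profile hq
      ike-policy ikebranch1
      sa-policy sabranch1
      dpd 10 50 clear
!
interface Tunnel1
   tunnel mode ipsec
   tunnel ipsec profile hq
"""

AWS_CONFIG = """\
ip security
   ike policy AWS-IKE1
      integrity sha1
      version 1
   !
   sa policy AWS-SA1
      esp encryption aes128
      esp integrity sha1
      pfs dh-group 14
   !
   profile AWS-profile
      ike-policy AWS-IKE1
      sa-policy AWS-SA1
      shared-key PSK-PLACEHOLDER
!
interface Tunnel1
   tunnel mode ipsec
   tunnel ipsec profile AWS-profile
"""

IKE_DEFAULTS = {"encryption": "aes256", "integrity": "sha256", "dh-group": "14", "version": "2"}
WEAK_HASH = {"sha1", "md5"}


def parse_ipsec_config(text):
    """Sections ('ike policy', 'sa policy', 'profile', 'interface') -> {key: last word}."""
    cfg = {"ike": {}, "sa": {}, "profile": {}, "interface": {}}
    cur = None
    for raw in text.splitlines():
        words = raw.split()             # indentation is irrelevant
        if not words or words[0] == "!":
            continue
        if words[:2] in (["ike", "policy"], ["sa", "policy"]):
            cur = cfg[words[0]].setdefault(words[2], {})
        elif words[0] in ("profile", "interface"):
            cur = cfg[words[0]].setdefault(words[1], {})
        elif words == ["ip", "security"]:
            cur = None
        elif cur is not None and words[0] == "dpd":
            cur["dpd"] = words[1:]      # keep "10 50 clear" as a list
        elif cur is not None:           # "esp encryption aes128" -> {"esp encryption": "aes128"}
            cur[" ".join(words[:-1])] = words[-1]
    return cfg


def lint(cfg):
    """Return (severity, object, message) findings; [] means the baseline is met."""
    out = []
    for name, p in cfg["ike"].items():
        eff, obj = {**IKE_DEFAULTS, **p}, f"ike policy {name}"
        if eff["version"] == "1":
            out.append(("warn", obj, "IKEv1 configured; IKEv2 is the default"))
        if eff["integrity"] in WEAK_HASH:
            out.append(("warn", obj, f"integrity {eff['integrity']}"))
        if int(eff["dh-group"]) < 14:
            out.append(("warn", obj, f"dh-group {eff['dh-group']} is below group 14"))
    for name, p in cfg["sa"].items():
        obj = f"sa policy {name}"
        if int(p.get("pfs dh-group", 0)) < 14:
            out.append(("warn", obj, "pfs dh-group missing or below group 14"))
        if p.get("esp integrity") in WEAK_HASH:
            out.append(("warn", obj, f"esp integrity {p['esp integrity']}"))
        if p.get("esp encryption") == "aes128":
            out.append(("info", obj, "esp encryption aes128; aes256 is available"))
    for name, p in cfg["profile"].items():
        obj = f"profile {name}"
        for ref, kind in (("ike-policy", "ike"), ("sa-policy", "sa")):
            if ref in p and p[ref] not in cfg[kind]:
                out.append(("error", obj, f"{ref} {p[ref]} is not defined"))
        if "dpd" not in p:
            out.append(("info", obj, "dead peer detection not configured"))
    return out
```

Findings against the AWS configuration are expected: the page states that the AWS Specific Cloud requires IKEv1 and accepts SHA1 and AES128 as its minimum. The value of running the check is in separating the choices the peer forces from the ones that can be raised, which the page itself suggests (AES256, SHA256, stronger DH groups); the VTI configuration passes cleanly because its unset IKE parameters resolve to the documented defaults.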

 

AWS Specific Cloud Configuration

 

Internet Key Exchange Configuration

The address of the external interface for a customer gateway must be static. The customer gateway can reside behind a Network Address Translation (NAT) device. To ensure that NAT Traversal (NAT-T) can function, add or update the firewall rules so that UDP port 4500 is allowed. Disable NAT-T if the customer gateway is not behind a NAT gateway.
  • Authentication Method: Pre-Shared Key
  • Pre-Shared Key: LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU
  • Authentication Algorithm: sha1
  • Encryption Algorithm: aes-128-cbc
  • Lifetime: 28800 seconds
  • Phase 1 Negotiation Method: main
  • Perfect Forward Secrecy: Diffie-Hellman Group 2

AWS Specific Cloud Configuration Modifications

 

  • Internet Key Exchange SA Configuration

    The address of the external interface for the customer gateway must be static. The customer gateway can reside behind a Network Address Translation device (NAT). To ensure that NAT traversal (NAT-T) functions correctly, add or update the firewall rule to allow UDP port 4500. Disable NAT-T if the customer gateway is not behind a NAT gateway.

    Use the following sample configuration files to set up an Internet key exchange SA configuration.
    • Authentication Method: Pre-shared Key
    • Pre-shared Key: LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU
    • Authentication Algorithm: sha1
    • Encryption Algorithm: aes-128-cbc
    • Lifetime: 28800 seconds
    • Phase 1 Negotiation Mode: main
    • Perfect Forward Secrecy: Diffie-Hellman Group 2

     

  • IPsec Configuration

    Use the following sample configuration files to configure the IPsec. Modification of the sample configuration files may be needed to take advantage of additionally supported IPsec parameters for encryption, such as AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.

    • Protocol: esp
    • Authentication Algorithm: hmac-sha-96
    • Encryption Algorithm: aes-128-cbc
    • Lifetime: 3600 seconds
    • Mode: tunnel
    • Perfect Forward Secrecy: Diffie-Hellman Group2

     

  • The IPsec Dead Peer Detection (DPD) is enabled on the AWS Specific Cloud endpoint. Configure the DPD on your endpoint as follows:
    • DPD interval: 10
    • DPD Retries: 3
  • The IPsec Encapsulating Security Payload (ESP) inserts additional headers to transmit the packets. These headers require additional space, reducing the space available to transmit application data. The following configuration is recommended on the customer gateway to limit the impact of this behavior:
    • TCP MSS Adjustment: 1379 bytes
    • Clear Don't fragment Bit: enabled
    • Fragmentation: Before encryption
  • Tunnel Interface Configuration

    Configure the customer gateway with a tunnel interface associated with the IPsec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the virtual private gateway.

    The customer gateway and the virtual private gateway each have two addresses that relate to this IPsec tunnel. Each has an outside address, where the encrypted traffic is exchanged, and an inside address associated with the tunnel interface. The customer gateway's outside IP address is provided when the customer gateway is created; to change it, create a new customer gateway. The customer gateway's inside IP address must be configured on the tunnel interface.
    • Outside IP Addresses:
      • Customer Gateway: 52.165.228.195
      • Virtual Private Gateway: 52.53.75.160

        The customer gateway IP address is the public IP address of the NAT firewall behind which the AWE-7200R and CloudEOS instance in the DC sits.

        The virtual private gateway IP address is the external IP address of the AWS Specific Cloud.

       

    • Inside IP Addresses
      • Customer Gateway: 169.254.11.162/30
      • Virtual Private Gateway: 169.254.11.161/30

        The virtual private gateway IP address is the tunnel IP address of the AWS Specific Cloud.

       

  • Static Routing Configuration

    To route traffic between the internal network and the VPC (AWS Specific Cloud), add a static route on the AWE-7200R and CloudEOS router.

    Next Hop: 169.254.11.162

    Any subnet that requires a route to the DC must have a route pointing to the AWS Specific Cloud tunnel IP address.

    For traffic destined for the Internet Network, add static routes on the VGW.
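The ESP overhead bullet above gives a recommended MSS of 1379 bytes without showing where it comes from. The following Python is an added example, not AWS or Arista material, that derives the figure from standard header sizes. The assumption that 1379 corresponds to NAT-T encapsulation (ESP inside UDP port 4500, which the Internet Key Exchange Configuration above says must be allowed) with worst-case AES-CBC padding is this example's own, chosen because those inputs reproduce the number. It also shows why a full-size inner packet cannot be carried without fragmentation, which is what the "Clear Don't fragment Bit" and "Fragmentation: Before encryption" settings address.

```python
"""Worked ESP overhead calculation behind the 'TCP MSS Adjustment: 1379 bytes' guidance.

Added example, not AWS or Arista material. Header sizes are the standard ones
(IPv4 20, UDP 8, ESP header 8, AES-CBC IV 16, ESP trailer 2, HMAC-SHA1-96 ICV 12,
TCP 20). That the 1379 figure corresponds to NAT-T encapsulation with worst-case
CBC padding is this example's assumption, chosen because those inputs reproduce it.
"""

IPV4_HDR = 20
UDP_HDR = 8        # NAT-T: ESP carried in UDP port 4500
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
TCP_HDR = 20


def esp_tunnel_overhead(iv_len=16, icv_len=12, block=16, nat_t=True, worst_case_pad=True):
    """Bytes ESP tunnel mode adds around an inner IPv4 packet.

    iv_len/block match AES-CBC (aes-128-cbc on this page); icv_len 12 is
    hmac-sha-96. CBC padding is 0..block-1 bytes, so the worst case is block-1.
    """
    pad = block - 1 if worst_case_pad else 0
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def max_tcp_mss(path_mtu=1500, **esp):
    """Largest TCP segment whose encrypted, encapsulated packet still fits path_mtu."""
    return path_mtu - esp_tunnel_overhead(**esp) - IPV4_HDR - TCP_HDR


def needs_fragmentation(inner_len, path_mtu=1500, **esp):
    """True when an inner packet of inner_len bytes cannot be encapsulated without fragmenting.

    This is the case the page's 'Clear Don't fragment Bit' / 'Fragmentation:
    Before encryption' settings address: a full-size 1500-byte inner packet
    always exceeds a 1500-byte path MTU once ESP overhead is added.
    """
    return inner_len + esp_tunnel_overhead(**esp) > path_mtu


if __name__ == "__main__":
    print("overhead (NAT-T, worst-case pad):", esp_tunnel_overhead())     # 81
    print("max MSS:", max_tcp_mss())                                        # 1379
    print("max MSS without NAT-T:", max_tcp_mss(nat_t=False))              # 1387
    print("1500-byte inner packet fragments:", needs_fragmentation(1500))  # True
```

With the worst-case padding removed the same inputs give 1394, and without NAT-T they give 1387, so clamping the MSS at 1379 leaves room for every combination on the 1500-byte path assumed here; a different cipher or ICV length (for example AES-GCM's 8-byte IV and 16-byte ICV) changes the arithmetic and should be recomputed rather than copied.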

 

AWE-7200R and CloudEOS IPsec Connectivity to Azure Virtual Network Gateway

This section discusses establishing an IPsec connection between the AWE-7200R and CloudEOS router and an Azure Virtual Network Gateway. It also describes establishing a BGP session over the IPsec tunnel.

Creating an IPsec Azure Virtual Network Gateway

The following topology is for IPsec Azure Virtual Network Gateway.

The following steps are to create an IPsec Azure Virtual Network Gateway.

  1. Create a Resource Group.
  2. Create the Virtual Network.
  3. Create a Virtual Network Gateway.
  4. Configure Local Network Gateway.
  5. Create Site-to-site Connections.

     

For more information on creating an IPsec Azure Virtual Network Gateway, refer to: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Creating a Resource Group

  • Create a new resource group if not already created; all other resources, such as Virtual Network Gateway, Virtual Networks, and other resources, are created under this group. For example, AnetVPN is created as a resource group.

Creating a Virtual Network

  1. A virtual network is created in the Azure Cloud and is reached through the Azure Virtual Network Gateway. For example, a virtual network, AnetNet1, with an IP address space of 172.27.0.0/16, is created. A subnet AnetSubnet1 (172.27.1.0/24) is also created and used as the subnet for the Virtual Network Gateway.

  2. Click the Create button.

  3. Fill in the mandatory fields in the Project Details section.

  4. Fill in the IP address section with the IP address and Subnets.

  5. Click the Review+create tab to validate the deployment.

  6. Finally, you will see this screen if the deployment passes the validation.

Creating a Virtual Network Gateway

  1. After creating the virtual network, a virtual network gateway (AnetVGW) is created. The Virtual Network Gateway must have a public IP address. By default, BGP is disabled on the Virtual Network Gateway; in the example below, BGP is enabled to demonstrate the BGP session over the IPsec connection.

  2. Provide the public IP address name.

  3. Click the Review+create tab to proceed with the deployment.

  4. Finally, you see this page on successful deployment.

  5. This page provides information about the resources and other information related to the deployment.

Configuring the Local Network Gateway

An on-prem router (Local Network Gateway) at a customer site is connected to the Azure Virtual Network Gateway. The on-prem router's public IP address, BGP peering address, and ASN are configured in the Local Network Gateway.

Creating Site-to-Site Connections

A site-to-site connection is configured to connect a Virtual Network Gateway to the Local Network Gateway. In addition, the IKE version and the shared key used for IKE authentication are configured. The remaining cryptographic parameters cannot be configured from the Azure portal but can be configured using PowerShell. The complete list of Azure crypto suites is here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#params

Configuring AWE-7200R and CloudEOS Router IPsec

This section describes the IPsec configuration on the AWE-7200R and CloudEOS router instance. The following are the default cryptographic parameters used in the Azure Virtual Network Gateway configuration; the router policies below are configured to match them.
  IKE - IKEv2/AES256/SHA256/DH-Group2
  IPsec - ESP/AES256/SHA256

Configure the IKE Policy

router(config)# ip security
router(config-ipsec)# ike policy ikeAzure
router(config-ipsec-ike)# encryption aes256
router(config-ipsec-ike)# integrity sha256
router(config-ipsec-ike)# version 2
router(config-ipsec-ike)# dh-group 2
router(config-ipsec-ike)# ex
router(config-ipsec)#

Configure the SA Policy

router(config-ipsec)# sa policy saAzure
router(config-ipsec-sa)# esp encryption aes256
router(config-ipsec-sa)# esp integrity sha256 
router(config-ipsec-sa)# ex
router(config-ipsec)#


Configure the Profile

router(config-ipsec)# profile profAzure
router(config-ipsec-profile)# ike-policy ikeAzure
router(config-ipsec-profile)# sa-policy saAzure
router(config-ipsec-profile)# connection start
router(config-ipsec-profile)# shared-key arista
router(config-ipsec-profile)# ex
router(config-ipsec)#


Configuring the IPsec Tunnel (VTI) Interface

router(config)# interface Tunnel 1
router(config-if-Tu1)# ip address 10.100.1.1/24
router(config-if-Tu1)# tunnel mode ipsec
router(config-if-Tu1)# tunnel source 3.212.212.81
router(config-if-Tu1)# tunnel destination 13.77.139.173
router(config-if-Tu1)# tunnel ipsec profile profAzure
! IPsec adds an overhead of up to 82 bytes. Example: a GRE tunnel with an MTU of 1476 should be changed to 1394 when using IPsec.
router(config-if-Tu1)# ex
router(config)#

Verifying the IPsec Connection

router(config)# show ip security connection
Tunnel   Source        Dest           Status       Uptime    Input    Output   Rekey Time
Tunnel1  3.212.212.81  13.77.139.173  Established  1 second  0 bytes  0 bytes  44 minutes
                                                             0 pkts   0 pkts

On-Prem AWE-7200R and CloudEOS behind a NAT Device

If the on-prem router instance is behind a NAT device, configure the public IP address as the local-id under the IKE policy, as shown in the example below.

router(config)# ip security
router(config-ipsec)# ike policy ikeAzure
router(config-ipsec-ike)# encryption aes256
router(config-ipsec-ike)# dh-group 2
router(config-ipsec-ike)# local-id 3.212.212.81

BGP over IPsec

In the Creating a Virtual Network Gateway section, the BGP configuration was added for AnetOnPremSite1 with ASN 65530 and BGP peer IP address 10.100.1.1. In this scenario the BGP peering address and the IP address on the tunnel interface are the same, but this is not a configuration limitation; the two addresses can differ.

CloudEOS(config)# router bgp 65530
CloudEOS(config-router-bgp)# neighbor 172.27.0.254 remote-as 65515
CloudEOS(config-router-bgp)# neighbor 172.27.0.254 update-source Tunnel1
CloudEOS(config-router-bgp)# neighbor 172.27.0.254 ebgp-multihop 4
CloudEOS(config-router-bgp)# address-family ipv4
CloudEOS(config-router-bgp-af)# neighbor 172.27.0.254 activate
CloudEOS(config-router-bgp-af)# network 10.100.100.0/24
CloudEOS(config-router-bgp-af)# ex
CloudEOS(config-router-bgp)# ex
CloudEOS(config)#

BGP Routes Advertised to Neighbor

router(config)# show ip bgp neighbors 172.27.0.254 advertised-routes
BGP routing table information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued for advertisement
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

         Network            Next Hop      Metric  LocPref  Weight  Path
 * >     10.100.100.0/24    10.100.1.1    -       -        -       65530 i

BGP Routes Received from the Neighbor

router(config)# show ip bgp neighbors 172.27.0.254 received-routes
BGP routing table information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

         Network            Next Hop      Metric  LocPref  Weight  Path
 * >     172.27.0.0/16      172.27.0.254  -       -        -       65515 i
router(config)#

Verifying the BGP Connection

router(config)# show ip bgp summary
BGP summary information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Neighbor Status Codes: m - Under maintenance
Neighbor      V  AS     MsgRcvd  MsgSent  InQ  OutQ  Up/Down   State  PfxRcd  PfxAcc
172.27.0.254  4  65515  194      214      0    0     00:00:06  Estab  1       1
router(config)#
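The two verification steps above (show ip security connection and show ip bgp summary) are what an operator checks by hand after bringing the tunnel up; the following script turns them into a repeatable health check that can be run against captured CLI output. This is an added example, not code from the Arista documentation: the sample outputs are constructed from the values on this page, the two-or-more-spaces column separation in the tunnel output is an assumption about its layout, and the expected peer, remote AS and tunnel destination are taken from the configuration shown earlier.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Expected peering parameters, taken from the configuration on this page.
EXPECTED_TUNNEL_DEST = "13.77.139.173"
EXPECTED_PEER = "172.27.0.254"
EXPECTED_REMOTE_AS = 65515

# Constructed sample outputs (values from the page; column layout assumed).
SAMPLE_IPSEC = """\
Tunnel   Source        Dest           Status       Uptime    Input    Output   Rekey Time
Tunnel1  3.212.212.81  13.77.139.173  Established  1 second  0 bytes  0 bytes  44 minutes
                                                             0 pkts   0 pkts
"""
SAMPLE_BGP = """\
BGP summary information for VRF default
Router identifier 198.18.0.65, local AS number 65530
Neighbor Status Codes: m - Under maintenance
Neighbor      V  AS     MsgRcvd  MsgSent  InQ  OutQ  Up/Down   State  PfxRcd  PfxAcc
172.27.0.254  4  65515  194      214      0    0     00:00:06  Estab  1       1
"""


@dataclass
class Finding:
    severity: str  # "critical" or "warning"
    message: str


_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def duration_to_seconds(text: str) -> int:
    """Convert '1 second' or '44 minutes' style durations to seconds."""
    m = re.fullmatch(r"(\d+)\s+(second|minute|hour|day)s?", text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_ipsec_connections(output: str) -> List[Dict[str, str]]:
    """Tunnel rows of 'show ip security connection'.

    Assumes columns are separated by two or more spaces, so single-space
    values ('1 second', '0 bytes') survive; the packet-counter continuation
    line has no tunnel name and is skipped.
    """
    keys = ["tunnel", "source", "dest", "status", "uptime", "input", "output", "rekey"]
    rows = []
    for line in output.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == len(keys) and re.fullmatch(r"Tunnel\d+", fields[0]):
            rows.append(dict(zip(keys, fields)))
    return rows


def parse_bgp_summary(output: str) -> List[Dict[str, str]]:
    """Neighbor rows of 'show ip bgp summary' (whitespace-delimited).

    A session that is not established may print no prefix counters, so the
    PfxRcd/PfxAcc columns default to "0" when absent.
    """
    keys = ["neighbor", "version", "as", "msg_rcvd", "msg_sent", "in_q",
            "out_q", "up_down", "state", "pfx_rcvd", "pfx_acc"]
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 9 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fields[0]):
            rows.append(dict(zip(keys, fields + ["0"] * (len(keys) - len(fields)))))
    return rows


def check_tunnel_health(ipsec_output: str, bgp_output: str) -> List[Finding]:
    """Return the conditions an operator would act on; an empty list means healthy."""
    findings: List[Finding] = []
    tunnels = parse_ipsec_connections(ipsec_output)
    if not tunnels:
        findings.append(Finding("critical", "no IPsec tunnel rows found"))
    for t in tunnels:
        if t["status"] != "Established":
            findings.append(Finding("critical", f"{t['tunnel']} to {t['dest']} is {t['status']}"))
            continue
        if t["dest"] != EXPECTED_TUNNEL_DEST:
            findings.append(Finding("warning", f"{t['tunnel']} peers with {t['dest']}, not the expected gateway"))
        idle = t["input"].startswith("0 ") and t["output"].startswith("0 ")
        if idle and duration_to_seconds(t["uptime"]) >= 300:
            findings.append(Finding("warning", f"{t['tunnel']} up for {t['uptime']} but has carried no traffic"))
    peers = {p["neighbor"]: p for p in parse_bgp_summary(bgp_output)}
    peer = peers.get(EXPECTED_PEER)
    if peer is None:
        findings.append(Finding("critical", f"BGP neighbor {EXPECTED_PEER} not present"))
    elif int(peer["as"]) != EXPECTED_REMOTE_AS:
        findings.append(Finding("critical", f"BGP neighbor {EXPECTED_PEER} is AS {peer['as']}, expected {EXPECTED_REMOTE_AS}"))
    elif peer["state"] != "Estab":
        findings.append(Finding("critical", f"BGP session with {EXPECTED_PEER} is {peer['state']}"))
    elif int(peer["pfx_rcvd"]) == 0:
        findings.append(Finding("warning", f"BGP session with {EXPECTED_PEER} is up but received no prefixes"))
    return findings


if __name__ == "__main__":
    for f in check_tunnel_health(SAMPLE_IPSEC, SAMPLE_BGP) or [Finding("ok", "IPsec tunnel and BGP session healthy")]:
        print(f"[{f.severity}] {f.message}")
```

The check deliberately looks past "Established": a tunnel that is up but carries no bytes after several minutes, or a BGP session that is up with zero prefixes received, usually means the Azure side's BGP or route configuration is wrong rather than IPsec, and those are the cases a tunnel-status-only alert misses. The idle threshold of 300 seconds is an arbitrary choice for the example.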