IPsec VPN between Versa SD-WAN CPE and Cisco Routers

This article shows how to create a site-to-site IPsec tunnel between a VOS SD-WAN CPE and a Cisco router. The procedure described in this document was tested on the VOS™ 20.2 release.

Topology

Configurations presented in this document are based on the following topology.

Network Topology

Configuration objectives

  • Build an IKEv1 site-to-site tunnel between SD-WAN Branch1 and the Cisco router
  • Use a pre-shared key and IP addresses for peer authentication
  • Cisco IPsec configuration
  • Verification

WAN and LAN configuration in Versa CPE
The screenshot below shows the interface configuration present on the Versa SD-WAN CPE.

Interface configurations

VPN profile configuration using Versa Director

To configure a VPN profile, navigate to the correct template or appliance, go to
Services > IPsec > VPN Profiles, and click the add sign at the top right to create a new profile.

Adding new VPN profile named CISCO

The IKE-related parameters are added in the IKE tab, as shown below.

IKE properties addition

The IPsec parameters are added in the IPsec tab.

IPsec properties addition

Configuration as seen in the CLI

set orgs org-services ISP ipsec vpn-profile CISCO vpn-type site-to-site
set orgs org-services ISP ipsec vpn-profile CISCO local-auth-info
set orgs org-services ISP ipsec vpn-profile CISCO local-auth-info auth-type psk
set orgs org-services ISP ipsec vpn-profile CISCO local-auth-info id-type ip
set orgs org-services ISP ipsec vpn-profile CISCO local-auth-info key 123456
set orgs org-services ISP ipsec vpn-profile CISCO local-auth-info id-string 20.20.20.65
set orgs org-services ISP ipsec vpn-profile CISCO local
set orgs org-services ISP ipsec vpn-profile CISCO local address 20.20.20.65
set orgs org-services ISP ipsec vpn-profile CISCO routing-instance INTERNET-Transport-VR
set orgs org-services ISP ipsec vpn-profile CISCO tunnel-routing-instance Tenant2-LAN-VR
set orgs org-services ISP ipsec vpn-profile CISCO tunnel-initiate automatic

set orgs org-services ISP ipsec vpn-profile CISCO ipsec fragmentation pre-fragmentation
set orgs org-services ISP ipsec vpn-profile CISCO ipsec force-nat-t disable
set orgs org-services ISP ipsec vpn-profile CISCO ipsec transform esp-aes128-sha1
set orgs org-services ISP ipsec vpn-profile CISCO ipsec mode tunnel
set orgs org-services ISP ipsec vpn-profile CISCO ipsec pfs-group mod-none
set orgs org-services ISP ipsec vpn-profile CISCO ipsec anti-replay enable
set orgs org-services ISP ipsec vpn-profile CISCO ipsec life duration 1800

set orgs org-services ISP ipsec vpn-profile CISCO ike version v1
set orgs org-services ISP ipsec vpn-profile CISCO ike mode main
set orgs org-services ISP ipsec vpn-profile CISCO ike group mod2
set orgs org-services ISP ipsec vpn-profile CISCO ike transform aes128-sha1
set orgs org-services ISP ipsec vpn-profile CISCO ike lifetime 28800
set orgs org-services ISP ipsec vpn-profile CISCO ike dpd-timeout 30

set orgs org-services ISP ipsec vpn-profile CISCO peer-auth-info
set orgs org-services ISP ipsec vpn-profile CISCO peer-auth-info auth-type psk
set orgs org-services ISP ipsec vpn-profile CISCO peer-auth-info id-type ip
set orgs org-services ISP ipsec vpn-profile CISCO peer-auth-info key 123456
set orgs org-services ISP ipsec vpn-profile CISCO peer-auth-info id-string 20.20.20.65
set orgs org-services ISP ipsec vpn-profile CISCO peer
set orgs org-services ISP ipsec vpn-profile CISCO peer address [ 20.20.20.77 ]
set orgs org-services ISP ipsec vpn-profile CISCO hardware-accelerator any
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN protocol any
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN src inet 100.10.2.0/24
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN src port 0
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN dst inet 100.10.5.0/24
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN dst port 0

Cisco configuration (VPN-related configuration only)

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456 address 20.20.20.65

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel

crypto map MYTUNNEL 1 ipsec-isakmp
 set peer 20.20.20.65
 set security-association lifetime seconds 1800
 set transform-set MYSET
 match address 100

access-list 100 permit ip 100.10.5.0 0.0.0.255 100.10.2.0 0.0.0.255

interface GigabitEthernet2
 ip address 20.20.20.77 255.255.255.252
 negotiation auto
 crypto map MYTUNNEL
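The tunnel only comes up when the two sides agree on the IKE policy (DH group, cipher, hash, lifetime), the ESP transform and SA lifetime, the PFS setting, the pre-shared key, the peer addresses, and mirrored traffic selectors (the Versa rule's src/dst is the Cisco ACL's dst/src). The script below is an added example, not part of this article or of Versa or Cisco tooling: it parses constructed copies of the two configurations above and reports every parameter that does not match, plus advisory warnings on settings a reviewer would flag (a short all-digit PSK, PFS off, a DH group below 2048 bits). The IOS defaults it fills in for omitted ISAKMP policy lines (DES, SHA-1, group 1, 86400 s) are IOS's documented defaults; the translation of Versa names (modN, aes128-sha1, esp-aes128-sha1) onto Cisco names is an assumption made for the comparison and covers only the AES/SHA families used here.

```python
import ipaddress
import re

# Constructed copies of the two configurations from the article, trimmed to the tunnel parameters.
VERSA_CLI = """
set orgs org-services ISP ipsec vpn-profile CISCO local-auth-info key 123456
set orgs org-services ISP ipsec vpn-profile CISCO local address 20.20.20.65
set orgs org-services ISP ipsec vpn-profile CISCO ipsec transform esp-aes128-sha1
set orgs org-services ISP ipsec vpn-profile CISCO ipsec pfs-group mod-none
set orgs org-services ISP ipsec vpn-profile CISCO ipsec life duration 1800
set orgs org-services ISP ipsec vpn-profile CISCO ike group mod2
set orgs org-services ISP ipsec vpn-profile CISCO ike transform aes128-sha1
set orgs org-services ISP ipsec vpn-profile CISCO ike lifetime 28800
set orgs org-services ISP ipsec vpn-profile CISCO peer-auth-info key 123456
set orgs org-services ISP ipsec vpn-profile CISCO peer address [ 20.20.20.77 ]
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN src inet 100.10.2.0/24
set orgs org-services ISP ipsec vpn-profile CISCO rule LAN dst inet 100.10.5.0/24"""
CISCO_CFG = """
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456 address 20.20.20.65
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYTUNNEL 1 ipsec-isakmp
 set peer 20.20.20.65
 set security-association lifetime seconds 1800
access-list 100 permit ip 100.10.5.0 0.0.0.255 100.10.2.0 0.0.0.255
interface GigabitEthernet2
 ip address 20.20.20.77 255.255.255.252"""


def grab(pattern, text):  # first capture group of the first matching line, None if absent
    m = re.search(pattern, text, re.MULTILINE)
    return m[1] if m else None


def parse_versa(text):
    """Map the '<path> <value>' tail of each vpn-profile line to a dict; list brackets are dropped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"set orgs org-services \S+ ipsec vpn-profile \S+ (.+)", line.strip())
        parts = m[1].replace("[", " ").replace("]", " ").split() if m else []
        if len(parts) >= 2:  # bare container lines such as "local-auth-info" carry no value
            cfg[" ".join(parts[:-1])] = parts[-1]
    return cfg


def parse_cisco(text):
    """Pull the tunnel parameters out of the IOS fragment; omitted ISAKMP settings take IOS defaults."""
    policy = re.search(r"^crypto isakmp policy \d+\n((?:[ \t].*\n?)+)", text, re.MULTILINE)[1]
    acl = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.MULTILINE)
    return {
        "encr": grab(r"^\s+encr (.+)$", policy) or "des",
        "hash": grab(r"^\s+hash (\S+)", policy) or "sha",
        "group": grab(r"^\s+group (\d+)", policy) or "1",
        "ike_lifetime": grab(r"^\s+lifetime (\d+)", policy) or "86400",
        "psk": grab(r"^crypto isakmp key (\S+) address", text),
        "esp": grab(r"^crypto ipsec transform-set \S+ (.+)$", text).split(),
        "peer": grab(r"^\s+set peer (\S+)", text),
        "ipsec_lifetime": grab(r"^\s+set security-association lifetime seconds (\d+)", text),
        "pfs": grab(r"^\s+set pfs group(\d+)", text),  # None means no PFS, like Versa mod-none
        "wan_addr": grab(r"^\s+ip address (\S+) ", text),  # the only interface in the fragment
        # ipaddress reads the IOS wildcard mask as a host mask, so 0.0.0.255 becomes /24
        "acl": tuple(ipaddress.ip_network(f"{acl[i]}/{acl[i + 1]}") for i in (1, 3)),
    }


def versa_suite(name):  # 'aes128-sha1' or 'esp-aes128-sha1' -> ('aes', 128, 'sha'), the Cisco names
    m = re.match(r"(?:esp-)?([a-z]+)(\d*)-(\w+)$", name)
    return (m[1], int(m[2] or 128), {"sha1": "sha"}.get(m[3], m[3]))


def cisco_suite(tokens, integ):  # ['aes'] or ['aes', '256'] plus 'sha'; AES without a size is 128-bit
    return (tokens[0], int(tokens[1]) if len(tokens) > 1 else 128, integ)


def crosscheck(versa_text=VERSA_CLI, cisco_text=CISCO_CFG):
    """Names of the parameters that differ between the two peers, plus advisory warnings."""
    v, c = parse_versa(versa_text), parse_cisco(cisco_text)
    esp_cipher = [re.sub(r"^esp-", "", t) for t in c["esp"] if not t.endswith("-hmac")]
    esp_integ = next(t[4:-5] for t in c["esp"] if t.endswith("-hmac"))  # 'esp-sha-hmac' -> 'sha'
    versa_pfs = None if v["ipsec pfs-group"] == "mod-none" else v["ipsec pfs-group"][3:]
    versa_sel = tuple(ipaddress.ip_network(v[k]) for k in ("rule LAN src inet", "rule LAN dst inet"))
    checks = [
        ("IKE DH group", v["ike group"][3:], c["group"]),  # Versa modN is Cisco group N
        ("IKE transform", versa_suite(v["ike transform"]), cisco_suite(c["encr"].split(), c["hash"])),
        ("IKE lifetime", v["ike lifetime"], c["ike_lifetime"]),
        ("ESP transform", versa_suite(v["ipsec transform"]), cisco_suite(esp_cipher, esp_integ)),
        ("IPsec SA lifetime", v["ipsec life duration"], c["ipsec_lifetime"]),
        ("PFS group", versa_pfs, c["pfs"]),
        ("pre-shared key", {v["local-auth-info key"], v["peer-auth-info key"]}, {c["psk"]}),
        ("Versa local address is the Cisco peer", v["local address"], c["peer"]),
        ("Versa peer address is the Cisco WAN address", v["peer address"], c["wan_addr"]),
        # Traffic selectors mirror each other: Versa src/dst is the Cisco ACL dst/src.
        ("protected subnets", versa_sel, (c["acl"][1], c["acl"][0])),
    ]
    mismatches = [name for name, ours, theirs in checks if ours != theirs]
    warnings = [msg for bad, msg in [
        (len(c["psk"]) < 16 or c["psk"].isdigit(), "weak pre-shared key (short or all digits)"),
        (c["pfs"] is None, "PFS disabled (IPsec keys derive from the IKE SA secret alone)"),
        (int(c["group"]) < 14, "IKE DH group weaker than 2048-bit MODP (group 14)"),
    ] if bad]
    return {"mismatches": mismatches, "warnings": warnings}
```

Calling crosscheck() on the article's configurations returns no mismatches and three warnings: the six-digit key, PFS off (pfs-group mod-none with no set pfs), and DH group 2. Changing either side, for example the Cisco group or the key, shows up immediately in the mismatch list, which is the quickest way to find why a tunnel stays in MM_NO_STATE instead of reaching QM_IDLE.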

Verification Logs

To validate the tunnel status, navigate to the Monitor tab in Versa Director and choose the right CPE. The IPsec tunnel status is shown under Services > IPsec, as in the screenshot below.

Verification using the Versa Director Monitor tab

Verification on Cisco Router

CISCO-Br#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.20.20.77     20.20.20.65     QM_IDLE           1023 ACTIVE

IPv6 Crypto ISAKMP SA

CISCO-Br#

CISCO-Br#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet2
Uptime: 6d19h
Session status: UP-ACTIVE
Peer: 20.20.20.65 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 20.20.20.65
      Desc: (none)
  Session ID: 0
  IKEv1 SA: local 20.20.20.77/500 remote 20.20.20.65/500 Active
          Capabilities:(none) connid:1023 lifetime:05:42:15
  IPSEC FLOW: permit ip 100.10.5.0/255.255.255.0 100.10.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 3715 drop 0 life (KB/Sec) 4607998/250
        Outbound: #pkts enc'ed 3719 drop 0 life (KB/Sec) 4607999/250

CISCO-Br#show crypto ipsec sa

interface: GigabitEthernet2
    Crypto map tag: MYTUNNEL, local addr 20.20.20.77

   protected vrf: (none)
   local ident (addr/mask/prot/port): (100.10.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.10.2.0/255.255.255.0/0/0)
   current_peer 20.20.20.65 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3719, #pkts encrypt: 3719, #pkts digest: 3719
    #pkts decaps: 3715, #pkts decrypt: 3715, #pkts verify: 3715
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.77, remote crypto endpt.: 20.20.20.65
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0x2006F97(33582999)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB35C201(188072449)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2779, flow_id: CSR:779, sibling_flags FFFFFFFF80000048, crypto map: MYTUNNEL
        sa timing: remaining key lifetime (k/sec): (4607998/229)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: N status: off
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2006F97(33582999)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2780, flow_id: CSR:780, sibling_flags FFFFFFFF80000048, crypto map: MYTUNNEL
        sa timing: remaining key lifetime (k/sec): (4607999/229)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: N status: off
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
CISCO-Br#
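The fields worth reading in that output are the ones an operator checks on every visit: both ESP SAs ACTIVE, anti-replay on, encaps and decaps both counting (one-way traffic points at a return-route or selector problem), no send or receive errors, and enough key lifetime left that the SA is not about to rekey. The parser below is an added example, not from the article or from Cisco: it turns a constructed, trimmed copy of the show crypto ipsec sa output above into a structure and applies those checks. The thresholds and wording of the findings are this example's own; on the article's output the only finding is that PFS is off, consistent with pfs-group mod-none on the Versa side.

```python
import re

# Constructed, trimmed copy of the 'show crypto ipsec sa' output shown in the article.
SHOW_IPSEC_SA = """
interface: GigabitEthernet2
    Crypto map tag: MYTUNNEL, local addr 20.20.20.77
   local ident (addr/mask/prot/port): (100.10.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.10.2.0/255.255.255.0/0/0)
   current_peer 20.20.20.65 port 500
    #pkts encaps: 3719, #pkts encrypt: 3719, #pkts digest: 3719
    #pkts decaps: 3715, #pkts decrypt: 3715, #pkts verify: 3715
    #send errors 0, #recv errors 0
     current outbound spi: 0x2006F97(33582999)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB35C201(188072449)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607998/229)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x2006F97(33582999)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607999/229)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:"""


def field(pattern, text, cast=str, flags=0):
    """First capture group of pattern in text, converted with cast (raises if the field is absent)."""
    return cast(re.search(pattern, text, flags)[1])


def parse_ipsec_sa(text):
    """Parse one crypto-map entry of 'show crypto ipsec sa' into counters, flags and the two ESP SAs."""
    sa = {
        "interface": field(r"interface: (\S+)", text),
        "peer": field(r"current_peer (\S+)", text),
        "local_sel": field(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        "remote_sel": field(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        "send_errors": field(r"#send errors (\d+)", text, int),
        "recv_errors": field(r"#recv errors (\d+)", text, int),
        "outbound_spi": field(r"current outbound spi: (0x[0-9A-Fa-f]+)", text),
        "pfs": field(r"PFS \(Y/N\): (\w)", text) == "Y",
        "esp": {},
    }
    for key in ("encaps", "encrypt", "digest", "decaps", "decrypt", "verify"):
        sa[key] = field(rf"#pkts {key}: (\d+)", text, int)
    for direction in ("inbound", "outbound"):
        # Everything between '<dir> esp sas:' and the following '<dir> ah sas:' describes that ESP SA.
        block = field(rf"{direction} esp sas:\n(.*?)\n\s*{direction} ah sas:", text, flags=re.S)
        sa["esp"][direction] = {
            "spi": field(r"spi: (0x[0-9A-Fa-f]+)", block),
            "transform": field(r"transform: (.*?) ,", block),
            "kb_left": field(r"remaining key lifetime \(k/sec\): \((\d+)/", block, int),
            "sec_left": field(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)", block, int),
            "replay": field(r"replay detection support: (\w)", block) == "Y",
            "status": field(r"Status: (\w+)", block),
        }
    return sa


def health(sa, min_sec_left=60):
    """Findings an operator would act on; an empty list means the SA pair looks healthy."""
    findings = []
    for direction, esp in sa["esp"].items():
        if esp["status"] != "ACTIVE":
            findings.append(f"{direction} ESP SA is {esp['status']}")
        if not esp["replay"]:
            findings.append(f"{direction} ESP SA has anti-replay disabled")
        if esp["sec_left"] < min_sec_left:
            findings.append(f"{direction} ESP SA rekeys in {esp['sec_left']}s")
    if sa["esp"]["outbound"]["spi"] != sa["outbound_spi"]:
        findings.append("current outbound SPI differs from the outbound ESP SA shown")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("packets sent but none received: check the return route and the peer's selectors")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"send/recv errors {sa['send_errors']}/{sa['recv_errors']}")
    if not sa["pfs"]:
        findings.append("PFS disabled (IPsec keys derive from the IKE SA secret)")
    return findings
```

health(parse_ipsec_sa(SHOW_IPSEC_SA)) returns only the PFS finding for the article's output; running the same two calls after each show command over time (the counters are cumulative) turns the manual check into a repeatable one.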

Branch to Branch traffic flow validation