IPSec Tunnel from Aviatrix Transit to Cisco ISR over Public Internet
The following configuration builds a route-based (VTI) tunnel to an Aviatrix Transit Gateway.
Current configuration : 9974 bytes
!
! Last configuration change at 18:27:43 UTC Thu Jul 30 2020 by shahzad
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname sjc-branch-router
!
boot-start-marker
boot-end-marker
!
!
vrf definition GS
rd 100:100
!
address-family ipv4
exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
login on-success log
subscriber templating
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9EBGJZL2HDE
diagnostic bootup level minimal
memory free low-watermark processor 72406
!
spanning-tree extend system-id
!
username ec2-user privilege 15
username admin privilege 15 password 7 106F1F100403000214556B
username shahzad privilege 15 password 7 047A1D0F0E355E471148574453
redundancy
!
crypto keyring 13_57_117_173-52_152_194_128
pre-shared-key address 52.152.194.128 key Aviatrix123!
crypto keyring 13_57_117_173-52_188_38_190
pre-shared-key address 52.188.38.190 key Aviatrix123!
!
crypto isakmp policy 1
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile 13_57_117_173-52_152_194_128
keyring 13_57_117_173-52_152_194_128
self-identity address
match identity address 52.152.194.128 255.255.255.255
crypto isakmp profile 13_57_117_173-52_188_38_190
keyring 13_57_117_173-52_188_38_190
self-identity address
match identity address 52.188.38.190 255.255.255.255
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-00f63c190256eb4ad-0 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set 13_57_117_173-52_152_194_128 esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec transform-set 13_57_117_173-52_188_38_190 esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile 13_57_117_173-52_152_194_128
set transform-set 13_57_117_173-52_152_194_128
set pfs group14
set isakmp-profile 13_57_117_173-52_152_194_128
!
crypto ipsec profile 13_57_117_173-52_188_38_190
set transform-set 13_57_117_173-52_188_38_190
set pfs group14
set isakmp-profile 13_57_117_173-52_188_38_190
!
interface Loopback0
ip address 55.1.1.1 255.255.255.255
!
interface Loopback1
ip address 66.1.1.1 255.255.255.255
!
interface Tunnel1000000
ip address 169.254.245.125 255.255.255.252
ip mtu 1436
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 52.152.194.128
tunnel protection ipsec profile 13_57_117_173-52_152_194_128
ip virtual-reassembly
!
interface Tunnel1000001
ip address 169.254.116.77 255.255.255.252
ip mtu 1436
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 52.188.38.190
tunnel protection ipsec profile 13_57_117_173-52_188_38_190
ip virtual-reassembly
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
ip access-group AVX-INGRESS-SECURITY in
negotiation auto
no mop enabled
no mop sysid
!
router bgp 65511
bgp log-neighbor-changes
neighbor 169.254.116.78 remote-as 65410
neighbor 169.254.116.78 timers 10 30 30
neighbor 169.254.245.126 remote-as 65410
neighbor 169.254.245.126 timers 10 30 30
!
address-family ipv4
redistribute connected
neighbor 169.254.116.78 activate
neighbor 169.254.116.78 soft-reconfiguration inbound
neighbor 169.254.245.126 activate
neighbor 169.254.245.126 soft-reconfiguration inbound
maximum-paths 4
exit-address-family
!
iox
ip forward-protocol nd
ip tcp mss 1387
ip tcp window-size 8192
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 192.168.11.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 192.168.11.1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
username ec2-user
key-hash ssh-rsa BF29B2896E9286C9B44DD472EF3397DA ec2-user
key-hash ssh-rsa F3365B36A9AD760DF10F8C5A88D4775F ec2-user
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
20 permit 10.61.0.0 0.0.0.255
!
ip access-list extended AVX-INGRESS-SECURITY
10 remark ACE 10: Allow Aviatrix Controller SSH session
10 remark ACE 10000: Remove "permit ip any any" and configure whitelist ACEs
10 permit tcp host 3.221.120.255 any eq 22
10000 permit ip any any
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 20
privilege level 15
login local
transport input ssh
!
app-hosting appid guestshell
app-vnic gateway1 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.102 netmask 255.255.255.0
app-default-gateway 192.168.35.101 guest-interface 0
name-server0 8.8.8.8
end
The following is the configuration template provided by the Aviatrix Controller.
Aviatrix Site2Cloud configuration template
!
! This connection has two IPsec tunnels between the customer gateway and
! Aviatrix gateways in the cloud. Tunnel #1 is the primary tunnel. The
! customer gateway should be configured in such a way that it should
! switch over to tunnel #2 when tunnel #1 fails.
!
! You need to populate these values throughout the config based on your setup:
! <isakmp_policy_number1>: the isakmp policy number
! <tunnel_number1>: the primary IPSec tunnel interface number
! <tunnel_number2>: the backup IPSec tunnel interface number
! <ios_wan_interface1>: the primary source interface of tunnel packets
! <ios_wan_interface2>: the backup source interface of tunnel packets
! <customer_tunnel_ip1>: any un-used IPv4 address for the primary tunnel interface
! when static routing is used
! <customer_tunnel_ip2>: any un-used IPv4 address for the backup tunnel interface
! when static routing is used
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1 (Primary)
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
crypto keyring 13.57.117.173-52.152.194.128
pre-shared-key address 52.152.194.128 key Aviatrix123!
!
crypto isakmp policy <isakmp_policy_number1>
encryption aes 256
authentication pre-share
group 14
lifetime 28800
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile 13.57.117.173-52.152.194.128
keyring 13.57.117.173-52.152.194.128
self-identity address
match identity address 52.152.194.128 255.255.255.255
!
!---------------------------------------------------------------------------------
! #2: IPSec Configuration
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set 13.57.117.173-52.152.194.128 esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile 13.57.117.173-52.152.194.128
set security-association lifetime seconds 3600
set transform-set 13.57.117.173-52.152.194.128
set pfs group14
set isakmp-profile 13.57.117.173-52.152.194.128
!
!---------------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! The virtual tunnel interface is used to communicate with the remote IPSec endpoint
! to establish the IPSec tunnel.
!
interface Tunnel <tunnel_number1>
ip address 169.254.245.125 255.255.255.252
ip mtu 1436
ip tcp adjust-mss 1387
tunnel source <ios_wan_interface1>
tunnel mode ipsec ipv4
tunnel destination 52.152.194.128
tunnel protection ipsec profile 13.57.117.173-52.152.194.128
ip virtual-reassembly
!
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2 (Backup)
! --------------------------------------------------------------------------------
! #4: Internet Key Exchange (IKE) Configuration
!
crypto keyring 13.57.117.173-52.188.38.190
pre-shared-key address 52.188.38.190 key Aviatrix123!
!
crypto isakmp profile 13.57.117.173-52.188.38.190
keyring 13.57.117.173-52.188.38.190
self-identity address
match identity address 52.188.38.190 255.255.255.255
!
!
!---------------------------------------------------------------------------------
! #5: IPSec Configuration
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set 13.57.117.173-52.188.38.190 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile 13.57.117.173-52.188.38.190
set security-association lifetime seconds 3600
set transform-set 13.57.117.173-52.188.38.190
set pfs group14
set isakmp-profile 13.57.117.173-52.188.38.190
!
!---------------------------------------------------------------------------------------
! #6: Tunnel Interface Configuration
! The virtual tunnel interface is used to communicate with the remote IPSec endpoint
! to establish the IPSec tunnel.
!
interface Tunnel <tunnel_number2>
ip address 169.254.116.77 255.255.255.252
ip mtu 1436
ip tcp adjust-mss 1387
tunnel source <ios_wan_interface1>
tunnel mode ipsec ipv4
tunnel destination 52.188.38.190
tunnel protection ipsec profile 13.57.117.173-52.188.38.190
ip virtual-reassembly
!
!
!---------------------------------------------------------------------------------------
! #7: BGP Routing Configuration
! The Border Gateway Protocol (BGPv4) is used to exchange routes from the VPC to on-prem
! network. Each BGP router has an Autonomous System Number (ASN).
!
router bgp 65511
bgp log-neighbor-changes
neighbor 169.254.245.126 remote-as 65410
neighbor 169.254.245.126 timers 10 30 30
neighbor 169.254.116.78 remote-as 65410
neighbor 169.254.116.78 timers 10 30 30
!
address-family ipv4
redistribute connected
neighbor 169.254.245.126 activate
neighbor 169.254.245.126 soft-reconfiguration inbound
neighbor 169.254.116.78 activate
neighbor 169.254.116.78 soft-reconfiguration inbound
maximum-paths 4
exit-address-family
!
For vendor-specific instructions, please go to the following URL:
http://docs.aviatrix.com/#site2cloud
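A consistency check for the VTI wiring shown in the running configuration and template above, written as an added example (not Aviatrix or Cisco code): it follows each Tunnel interface through its IPsec profile to the ISAKMP profile and keyring, confirms that the ISAKMP identity and the pre-shared key are for the tunnel's destination, and confirms that a BGP neighbor sits inside the tunnel's /30. The SAMPLE excerpt is constructed to mirror Tunnel1000000 above; a full `show running-config` can be passed to `tunnel_findings` to check every tunnel at once.

```python
import ipaddress
# Constructed excerpt mirroring the page's Tunnel1000000 stanzas (indentation already stripped).
SAMPLE = """\
crypto keyring 13_57_117_173-52_152_194_128
pre-shared-key address 52.152.194.128 key Aviatrix123!
crypto isakmp profile 13_57_117_173-52_152_194_128
keyring 13_57_117_173-52_152_194_128
match identity address 52.152.194.128 255.255.255.255
crypto ipsec profile 13_57_117_173-52_152_194_128
set isakmp-profile 13_57_117_173-52_152_194_128
interface Tunnel1000000
ip address 169.254.245.125 255.255.255.252
tunnel destination 52.152.194.128
tunnel protection ipsec profile 13_57_117_173-52_152_194_128
router bgp 65511
neighbor 169.254.245.126 remote-as 65410
"""
HEADERS = ("crypto keyring ", "crypto isakmp profile ", "crypto ipsec profile ", "interface ", "router bgp ")  # stanza openers

def parse(config):
    stanzas, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith("!"):
            cur = None  # '!' closes the current stanza
        elif line.startswith(HEADERS):
            cur = stanzas.setdefault(line, [])  # keyed by the full header, e.g. 'interface Tunnel1000000'
        elif cur is not None:
            cur.append(line)
    return stanzas

def referenced_stanza(stanzas, lines, prefix, kind):
    """Follow the 'prefix <name>' sub-command in lines to the stanza '<kind> <name>' ([] if absent)."""
    name = next((l.split()[-1] for l in lines if l.startswith(prefix + " ")), None)
    return stanzas.get(f"{kind} {name}", [])

def tunnel_findings(config):
    s, out = parse(config), []
    peers = [l.split()[1] for k, v in s.items() if k.startswith("router bgp ") for l in v if l.startswith("neighbor ")]
    for name, lines in ((k.split()[1], v) for k, v in s.items() if k.startswith("interface Tunnel")):
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        ipsec = referenced_stanza(s, lines, "tunnel protection ipsec profile", "crypto ipsec profile")
        isakmp = referenced_stanza(s, ipsec, "set isakmp-profile", "crypto isakmp profile")
        if f"match identity address {dest} 255.255.255.255" not in isakmp:
            out.append(f"{name}: ISAKMP profile behind the IPsec profile does not match peer {dest}")
        if not any(l.startswith(f"pre-shared-key address {dest} ") for l in referenced_stanza(s, isakmp, "keyring", "crypto keyring")):
            out.append(f"{name}: keyring has no pre-shared key for peer {dest}")
        net = ipaddress.ip_network("/".join(next(l.split()[2:] for l in lines if l.startswith("ip address "))), strict=False)
        if not any(ipaddress.ip_address(p) in net for p in peers):
            out.append(f"{name}: no BGP neighbor inside tunnel subnet {net}")
    return out  # empty list: every link in the chain lines up
```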
IPSec Tunnel from Aviatrix Transit to Cisco ISR over Azure Express Route / AWS Direct Connect / GCP Cloud InterConnect Private Circuit
AZSC-DC1-CSR1#sh run
!
hostname AZSC-DC1-CSR1
!
vrf definition GS
rd 100:100
!
address-family ipv4
exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
ip domain name AZSC-DC1-CSR1.cloudapp.net
crypto pki trustpoint TP-self-signed-1046829957
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1046829957
revocation-check none
rsakeypair TP-self-signed-1046829957
!
!
license udi pid CSR1000V sn 9C2QUET5FU6
no license smart enable
diagnostic bootup level minimal
memory free low-watermark processor 71873
!
!
username saad privilege 15 password 7 0132100D5A1F1406391D1C5A58
!
redundancy
!
!
crypto ikev2 proposal Pureport_prop
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy Pureport_Pol_ikev2
proposal Pureport_prop
!
crypto ikev2 keyring Pureport_key
peer ALL
address 45.40.38.4
pre-shared-key local aviatrix
pre-shared-key remote aviatrix
!
!
!
crypto ikev2 profile Pureport_Profile_ikev2
match identity remote address 45.40.38.4 255.255.255.255
identity local address 169.254.0.10
authentication remote pre-share
authentication local pre-share
keyring local Pureport_key
dpd 10 2 on-demand
!
!
!
!
!
crypto keyring mykey
pre-shared-key address 172.16.10.68 key aviatrix
pre-shared-key address 172.16.10.196 key aviatrix
!
!
crypto isakmp policy 1
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile myprofile
keyring mykey
self-identity address
match identity address 40.119.33.170 255.255.255.255
match identity address 40.124.96.45 255.255.255.255
!
!
crypto ipsec transform-set Pureport_ts esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile Pureport_ipsec_profile
set transform-set Pureport_ts
set pfs group14
set ikev2-profile Pureport_Profile_ikev2
!
!
crypto ipsec profile ipsec_profile
set transform-set myset
set pfs group14
set isakmp-profile myprofile
!
!
!
interface Tunnel0
ip address 169.254.0.10 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 45.40.38.4
tunnel protection ipsec profile Pureport_ipsec_profile
!
interface Tunnel1
ip address 169.254.234.45 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 172.16.10.68
tunnel protection ipsec profile ipsec_profile
!
interface Tunnel2
ip address 169.254.217.29 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 172.16.10.196
tunnel protection ipsec profile ipsec_profile
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!
interface GigabitEthernet2
ip address dhcp
negotiation auto
!
router bgp 65021
bgp log-neighbor-changes
neighbor 169.254.0.9 remote-as 394351
neighbor 169.254.0.9 timers 10 30 30
neighbor 169.254.217.30 remote-as 65020
neighbor 169.254.217.30 timers 10 30 30
neighbor 169.254.234.46 remote-as 65020
neighbor 169.254.234.46 timers 10 30 30
!
address-family ipv4
redistribute connected
neighbor 169.254.0.9 activate
neighbor 169.254.0.9 route-map RM_BGP-TO-PUREPORT out
neighbor 169.254.217.30 activate
neighbor 169.254.217.30 route-map RM_BGP-TO-AVIATRIX-TRANSIT-GWs out
neighbor 169.254.234.46 activate
neighbor 169.254.234.46 route-map RM_BGP-TO-AVIATRIX-TRANSIT-GWs out
maximum-paths 4
exit-address-family
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 172.16.9.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.9.1 global
ip ssh rsa keypair-name sshkeys
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
!
!
ip access-list standard 1
10 permit 172.16.9.0
ip access-list standard 2
10 permit 172.16.9.16
!
!
route-map RM_BGP-TO-PUREPORT permit 10
match ip address 1
!
route-map RM_BGP-TO-AVIATRIX-TRANSIT-GWs permit 10
match ip address 2
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
line vty 5 20
transport input ssh
!
!
!
!
!
!
app-hosting appid guestshell
app-vnic gateway1 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.102 netmask 255.255.255.0
app-default-gateway 192.168.35.101 guest-interface 0
name-server0 8.8.8.8
end
AZSC-DC1-CSR1#