Configure Tunnels with Cisco ISR
Follow the steps in this guide to connect a Cisco ISR-G2, ISR4K, or CSR router through an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel to Cisco Secure Access.
Table of Contents
- Prerequisites
- Configure Tunnels in Secure Access
- Configure ISR (G2, 4K) or CSR
- Test Your Configuration
Prerequisites
The following prerequisites must be met for the tunnel to work successfully.
Licensing and Hardware
- A valid Cisco Secure Access account.
- A Cisco Secure Access organization ID. For more information, see Find Your Organization ID.
- A router (ISR-G2, ISR4K, or CSR) with a security K9 license to establish an IPsec tunnel.
Note: An HSEC license is required to get high-throughput internet bandwidth for SLVPN tunnel setup.
Network Access
- You must select a Secure Access data center IP address when creating the IPsec tunnel. In the sample commands,
<sse_dc_ip>
refers to this IP address. We recommend choosing the IP address based on the data center located closest to your device. - Open UDP ports 500 and 4500 before connecting to the tunnel.
Cisco router (ISR-G2, ISR4K, or CSR) devices do not require public static IPv4 addresses configured on the interface that connects to the public internet and Secure Access. You can deploy these devices behind a NAT device. This is because we can specify a text as its IKE ID. This ID in combination with the PSK is used to successfully authenticate the Cisco router (ISR-G2, ISR4K, or CSR) devices with Secure Access.
Text as an IKE ID also allows multiple tunnels to be established from the same Cisco router device with a single IP address. This provides an opportunity to increase bandwidth by increasing the number of tunnels.
Configure Tunnels in Secure Access
- Follow the steps in Add Network Tunnel Group.
The new tunnel appears in the Secure Access dashboard with a status of UnEstablished. The tunnel status is updated once it is fully configured and connected with the Cisco ISR.
Configure ISR (G2, 4K) or CSR
Follow these steps to connect the Cisco router to Secure Access.
- Configure the IKEv2 proposal.
ISR routers support a default proposal and policy for IKEv2, with a predefined encryption, integrity, and DH group. These values change across different software versions. You can either use the default proposal or you can create your own proposal. Your proposal needs to be attached to the policy with matching parameters. Create an IKEv2 keyring profile and configure the peer address and pre-shared key, associate the keyring profile to the IKEv2 profile, set the local identity as email and configure the IKE ID (email) which you get from the Tunnel Configuration dashboard.
For example, the default IKE proposal of an ISR running 16.11.01a:
ISR-4221#sh ver
Cisco IOS XE Software, Version 16.11.01a
ISR-4221#show crypto ikev2 proposal sse-prop
IKEv2 proposal: sse-prop
Encryption : AES-GCM-256
Integrity : none
PRF : SHA256
DH Group : DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20
- Define the IKEv2 Keyring and IKEv2 profile.
Create your IKEv2 keyring and IKEv2 profile with the [sse_dc_ip] of the Secure Access data center closest to your location. Then associate the IKEv2 keyring to the IKEv2 profile.
Replace [Portal_Tunnel_ID] and [Portal_Tunnel_Passphrase] with the Tunnel ID and Passphrase you configured in section Add Network Tunnel Group.
crypto ikev2 keyring sse-kr
peer sse
address [sse_dc_ip]
pre-shared-key [sse-tunnel-psk]
!
crypto ikev2 profile sse-profile
match identity remote address [enter the specific DC IP from the tunnel group in Secure Access]
identity local email [sse-email]
authentication remote pre-share
authentication local pre-share
keyring local sse-kr
dpd 10 3 periodic
!
- Define the IPSec transform-set, profile, and policy.
Create the transform-set and IPsec profile. Then associate the transform-set and IKEv2 Profile with the IPSec profile. Refer to Supported IPsec Parameters for the recommended algorithms.
crypto ipsec transform-set sse-ts esp-gcm 256
mode tunnel
crypto ipsec profile sse
set transform-set sse-ts
set ikev2-profile sse-profile
crypto ikev2 policy sse
match address local [Router_WAN_IP]
proposal sse-proposal
- Create the tunnel interface.
Define the static tunnel interface with the peer IP as the Secure Access VPN headend IP and associate the IPsec profile under the tunnel. Make sure the tunnel interface does not contain NAT related commands; traffic sent to Secure Access should not have NAT applied.
interface Tunnel1
ip unnumbered [interface-name]
ip tcp adjust-mss 1350
tunnel source [interface-name]
tunnel mode ipsec ipv4
tunnel destination [sse_dc_ip]
tunnel protection ipsec profile sse
- Configure routing rules.
Define the traffic which needs to be tunneled to the CDFW. Based on the requirements, these ACL rules can be modified.
The route-map needs to be associated with the LAN interface of the router where the device receives the traffic.
In the following examples, 192.168.20.0/24
is the LAN subnet, and GigabitEthernet
is the LAN interface.
ip access-list extended traffic-to-sse
permit ip [lan-ip] any
!
route-map sse-route-map permit 10
match ip address traffic-to-sse
set interface Tunnel1
!
interface GigabitEthernet [lan-interface-name]
ip policy route-map sse-route-map
Test Your Configuration
Check Tunnel Status
Use the following command to verify the tunnel status on your ISR.
show crypto session detail
and the output must show the tunnel status as UP-ACTIVE.
Substitute the IP address of the Secure Access data center nearest your location for [sse_dc_ip]
.
ISR#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
Interface: Tunnel1
Profile: sse
Uptime: 14:53:47
Session status: UP-ACTIVE
Peer: [sse_dc_ip] port 4500 fvrf: (none) ivrf: (none)
Phase1_id: [sse_dc_ip]
Desc: (none)
Session ID: 1
IKEv2 SA: local 10.10.10.201/4500 remote [sse_dc_ip]/4500 Active
Capabilities:DFNXU connid:4 lifetime:09:06:13
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/2499
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/2499
Manually Trigger the Tunnel
Should the tunnel not come up immediately, or should it need to be manually triggered for any reason, select the tunnel interface, and issue the shutdown
and no shutdown
commands.
ISR(config)#int T1
ISR(config-if)#shutdown
ISR(config-if)#no shutdown
Verify Tunnel Status
Verify the tunnel status with show crypto session remote <Headend IP> detail
. See the example output.
ISR#show crypto session remote 146.112.66.2 detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN
Interface: Tunnel1
Profile: sse
Uptime: 00:39:11
Session status: UP-ACTIVE
Peer: 192.0.2.0 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.0.2.0
Desc: (none)
Session ID: 1
IKEv2 SA: local 192.0.2.0/4500 remote 146.112.66.2/4500 Active
Capabilities:DN connid:3 lifetime:23:20:49
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4607996/1248
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4607997/1248
Configure Tunnels with Catalyst SD-WAN cEdge and vEdge < Configure Tunnels with Cisco ISR > Configure Tunnels with Cisco Adaptive Security Appliance
Updated about 2 months ago