Configure Tunnels with NEC IX2000 Series Router
The content provided here explains how you can configure an IPsec tunnel with an NEC IX2000 Series Router. The objective is to protect devices behind the NEC IX2000 Series Router through a route-based IPsec tunnel.
Table of Contents
- Prerequisites
- Configure tunnels in Secure Access
- Configure the NEC IX router
- Test the NEC IX router Deployment
- Other Resources
Prerequisites
The following prerequisites must be met for the tunnel to work successfully.
Licensing
- A valid Cisco Secure Access account.
- A Cisco Secure Access organization ID. For more information, see Find Your Organization ID.
Network Access
- You must select a Secure Access data center IP address when creating the Network Tunnel Group (IPsec tunnel). In the sample commands, <sse_primary_dc_ip> and <sse_secondary_dc_ip> refer to these IP addresses. We recommend choosing the IP address of the data center located closest to your device.
- Open UDP ports 500 and 4500 before connecting to the tunnel.
NEC IX router devices do not require a public static IPv4 address on the interface that connects to the public internet and to the Cisco Secure Access Network Tunnel Group; they can sit behind a NAT device. This is possible because a text string can be specified as the router's IKE ID. This ID, in combination with the PSK, is used to authenticate the NEC IX router with the Cisco Secure Access Network Tunnel Group.
Configure Tunnels in Secure Access
- Follow the steps mentioned in Add Network Tunnel Group.
The new tunnel appears in the Secure Access dashboard with a status of UnEstablished. The tunnel status is updated once it is fully configured and connected with the NEC IX router.
Configure the NEC IX router
Follow these steps to connect the NEC IX router to Secure Access.
a. Configure the WAN and the LAN interfaces.
interface GigaEthernet0.0
  description WAN1
  ip address <WAN ip-address>
  ip tcp adjust-mss auto
interface GigaEthernet1.0
  description LAN1
  ip address <LAN ip-address>
b. Create the IKEv2 PSK authentication entries, one per tunnel ID.
ikev2 authentication psk id rfc822-addr <sse-primary-tunnel-id (e.g. [email protected])> key char <sse-tunnel-passphrase>
ikev2 authentication psk id rfc822-addr <sse-secondary-tunnel-id (e.g. [email protected])> key char <sse-tunnel-passphrase>
c. Create an IKEv2 profile for each tunnel.
ikev2 profile SSE-primary
  child-lifetime 3600
  child-pfs off
  child-proposal enc aes-gcm-256-16
  child-proposal integrity sha1
  dpd interval 10
  local-authentication psk id rfc822-addr <sse-primary-tunnel-id (e.g. [email protected])>
  sa-lifetime 14400
  sa-proposal enc aes-gcm-256-16
  sa-proposal dh 2048-bit
ikev2 profile SSE-secondary
  child-lifetime 3600
  child-pfs off
  child-proposal enc aes-gcm-256-16
  child-proposal integrity sha1
  dpd interval 10
  local-authentication psk id rfc822-addr <sse-secondary-tunnel-id (e.g. [email protected])>
  sa-lifetime 14400
  sa-proposal enc aes-gcm-256-16
  sa-proposal dh 2048-bit
d. Create the tunnel interfaces (one for the primary and one for the secondary data center).
interface Tunnel0.0
  tunnel mode ipsec-ikev2
  ip address 169.254.0.4/31
  ip tcp adjust-mss 1280
  ikev2 connect-type auto
  ikev2 local-authentication id rfc822-addr <sse-primary-tunnel-id (e.g. [email protected])>
  ikev2 nat-traversal keepalive 20
  ikev2 peer <sse_primary_dc_ip>
interface Tunnel1.0
  tunnel mode ipsec-ikev2
  ip address 169.254.0.8/31
  ip tcp adjust-mss 1280
  ikev2 connect-type auto
  ikev2 local-authentication id rfc822-addr <sse-secondary-tunnel-id (e.g. [email protected])>
  ikev2 nat-traversal keepalive 20
  ikev2 peer <sse_secondary_dc_ip>
e. Configure BGP routing over the tunnels.
router bgp <local AS number>
  neighbor 169.254.0.5 remote-as 64512
  neighbor 169.254.0.5 update-source Tunnel0.0
  neighbor 169.254.0.9 remote-as 64512
  neighbor 169.254.0.9 update-source Tunnel1.0
  address-family ipv4 unicast
    network <advertised route>
f. Create two static routes for the BGP peer addresses via the tunnel interfaces.
ip route 169.254.0.5/32 Tunnel0.0
ip route 169.254.0.9/32 Tunnel1.0
g. Apply the IKEv2 outgoing interface to the tunnel interfaces.
interface Tunnel0.0
  ikev2 outgoing-interface GigaEthernet0.0 <WAN next-hop-ip-address>
interface Tunnel1.0
  ikev2 outgoing-interface GigaEthernet0.0 <WAN next-hop-ip-address>
h. Permit tunnel establishment traffic from the Secure Access data center IP addresses on the WAN interface, and route those addresses via the WAN next hop.
ip access-list sse-ipsec permit ip src <sse_primary_dc_ip> dest any
ip access-list sse-ipsec permit ip src <sse_secondary_dc_ip> dest any
ip route <sse_primary_dc_ip> <WAN next-hop-ip-address>
ip route <sse_secondary_dc_ip> <WAN next-hop-ip-address>
interface GigaEthernet0.0
  ip filter sse-ipsec 1 in
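The steps above must agree with each other: each tunnel's /31 address determines the BGP neighbor and the /32 static route, the tunnel's IKE ID must have a matching psk entry, and each peer address must be permitted by the sse-ipsec filter. A mismatch in any of these is a common reason a tunnel stays UnEstablished. The following added consistency checker (example code, not part of this page or of NEC's or Cisco's tooling) parses a snippet in the format shown above; the IDs, peer IPs and AS number in the sample are constructed, and it assumes sub-commands are indented as in the sample.

```python
import ipaddress
import re

# Constructed sample: the page's NEC IX snippet with hypothetical IDs, IPs and AS numbers.
SAMPLE_CONFIG = """\
ikev2 authentication psk id rfc822-addr primary@example.invalid key char EXAMPLE-PSK
ikev2 authentication psk id rfc822-addr secondary@example.invalid key char EXAMPLE-PSK
interface Tunnel0.0
  ip address 169.254.0.4/31
  ikev2 local-authentication id rfc822-addr primary@example.invalid
  ikev2 peer 192.0.2.10
interface Tunnel1.0
  ip address 169.254.0.8/31
  ikev2 local-authentication id rfc822-addr secondary@example.invalid
  ikev2 peer 192.0.2.20
router bgp 65000
  neighbor 169.254.0.5 update-source Tunnel0.0
  neighbor 169.254.0.9 update-source Tunnel1.0
ip route 169.254.0.5/32 Tunnel0.0
ip route 169.254.0.9/32 Tunnel1.0
ip access-list sse-ipsec permit ip src 192.0.2.10 dest any
ip access-list sse-ipsec permit ip src 192.0.2.20 dest any
"""

def check(config):
    """Return mismatches between the tunnel, BGP, route and filter lines; [] means consistent."""
    psk_ids = set(re.findall(r"^ikev2 authentication psk id rfc822-addr (\S+)", config, re.M))
    update_src = dict(re.findall(r"neighbor (\S+) update-source (\S+)", config))  # peer -> tunnel
    routes = set(re.findall(r"^ip route (\S+)/32 (Tunnel\S+)", config, re.M))
    acl_src = set(re.findall(r"^ip access-list sse-ipsec permit ip src (\S+)", config, re.M))
    problems = []
    for block in re.split(r"\n(?=\S)", config):  # a block starts at a non-indented line
        if not block.startswith("interface Tunnel"):
            continue
        name = block.split()[1]
        field = lambda pat: (m := re.search(pat, block)) and m.group(1)
        iface = ipaddress.ip_interface(field(r"ip address (\S+)"))
        ike_id, peer = field(r"local-authentication id rfc822-addr (\S+)"), field(r"ikev2 peer (\S+)")
        assert iface.network.prefixlen == 31, f"{name}: {iface} must be a /31"
        partner = str(ipaddress.ip_address(int(iface.ip) ^ 1))  # other /31 host = BGP peer
        if update_src.get(partner) != name:
            problems.append(f"{name}: expected 'neighbor {partner} update-source {name}'")
        if (partner, name) not in routes:
            problems.append(f"{name}: missing 'ip route {partner}/32 {name}'")
        if ike_id not in psk_ids:
            problems.append(f"{name}: IKE ID {ike_id} has no 'ikev2 authentication psk' line")
        if peer not in acl_src:
            problems.append(f"{name}: peer {peer} is not permitted by filter sse-ipsec")
    return problems
```

Run `check()` over your own running configuration before opening a ticket; an empty list means the tunnel, BGP, route and filter lines agree.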
Test the NEC IX router Deployment
After completing the NEC IX router deployment and updating the route table, the deployment is ready for testing.
Use the following commands on the NEC IX router to verify the tunnel connectivity status and traffic processing:
show ikev2 sa
show ikev2 child-sa
show logging (logging subsystem ikev2)
show ip bgp
show ip route
Other Resources
Supported IPsec Parameters
NEC IX router