
Create a Site-to-Site IPSec VPN with Cisco CSR 1000V

Prerequisites

Network diagram

Once the VPN tunnel is established, we can ping from our internal host (192.168.0.88) to the host behind the peer’s VPN gateway (54.247.86.104). Note that the CSR’s external interface itself carries the private address 192.168.1.100 (assigned by DHCP); the public gateway address 13.234.134.251 is a cloud-provider 1:1 NAT in front of it. This is why NAT-T must be enabled, and why the status output later shows 192.168.1.100 as the local crypto endpoint.

IP Info                                 Left side (us)                      Right side (peer)
VPN GW IP                               13.234.134.251                      54.194.6.72
Encryption Domain (VPN host or subnet)  3.6.74.40 (NAT to 192.168.0.88)     54.247.86.104 (NAT to 10.10.10.160)

IPSec parameters

Phase I Settings
  Authentication Method          Pre-Shared
  Diffie-Hellman Group           2 (MODP 1024)
  Encryption Algorithm           AES256
  Hash Algorithm                 SHA-1
  SA Timeout                     28800 seconds
  NAT-T                          Enabled

Phase II Settings
  Encapsulation                  ESP (encrypted)
  Perfect Forward Secrecy (PFS)  No PFS
  Encryption Algorithm           AES256
  Hash Algorithm                 SHA-1
  Lifetime (in seconds)          3600 (default)

Both sides must agree on these values. DH group 2 (1024-bit MODP) and SHA-1 are legacy choices that are still common in peer-supplied parameter sheets; if the peer supports it, prefer DH group 14 or higher, SHA-256, and PFS in Phase II.

Cisco VPN Configuration

Phase 1:

Add a pre-shared key for the remote peer gateway IP 54.194.6.72. The key “test” below is only a placeholder: the PSK is the sole thing authenticating the peer, so use a long random value, and remember that IOS stores it in the running configuration (readable with show running-config) unless type 6 key encryption is enabled.

Create a new IKE policy with priority 100 and set the parameters listed under IPSec parameters above. IOS evaluates ISAKMP policies in ascending order of priority number, so 100 is tried before any policy with a larger number.

ip-192-168-1-100#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ip-192-168-1-100(config)#crypto isakmp key test address 54.194.6.72
ip-192-168-1-100(config)#crypto isakmp policy 100
ip-192-168-1-100(config-isakmp)#encr aes 256
ip-192-168-1-100(config-isakmp)#hash sha
ip-192-168-1-100(config-isakmp)#authentication pre-share
ip-192-168-1-100(config-isakmp)#group 2
ip-192-168-1-100(config-isakmp)#lifetime 28800
ip-192-168-1-100(config-isakmp)#end


ip-192-168-1-100#show crypto isakmp policy

Global IKE policy
Protection suite of priority 100
	encryption algorithm:	AES - Advanced Encryption Standard (256 bit keys).
	hash algorithm:		Secure Hash Standard
	authentication method:	Pre-Shared Key
	Diffie-Hellman group:	#2 (1024 bit)
	lifetime:		28800 seconds, no volume limit

Phase 2

Define the Phase 2 parameters: a transform set (ESP with AES-256 encryption and SHA-1 HMAC integrity), then a crypto map entry that ties together the peer address, the transform set and the crypto ACL (NET-R, created in the next step). Neither PFS nor a lifetime is set in the crypto map, so the defaults from the table apply (no PFS, 3600 seconds).

ip-192-168-1-100(config)#crypto ipsec transform-set vpn-sha1-aes256 esp-aes 256 esp-sha-hmac

ip-192-168-1-100(config)#crypto map testmap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
	and a valid access list have been configured.
ip-192-168-1-100(config-crypto-map)#set peer 54.194.6.72
ip-192-168-1-100(config-crypto-map)#set transform-set vpn-sha1-aes256
ip-192-168-1-100(config-crypto-map)#match address NET-R


Add access-list

The rule permits all IP traffic between the two hosts and acts as the traffic selector: only packets matching it are encrypted. Because inside-to-outside NAT is applied before encryption on IOS, the ACL must match the translated public address 3.6.74.40 rather than 192.168.0.88, and the peer’s crypto ACL must be the mirror image of this one.

ip-192-168-1-100(config)#ip access-list extended NET-R
ip-192-168-1-100(config-ext-nacl)#permit ip host 3.6.74.40 host 54.247.86.104

Add crypto map on the external network interface

ip-192-168-1-100(config)#interface GigabitEthernet 1
ip-192-168-1-100(config-if)#crypto map testmap

ip-192-168-1-100#sho running-config interface GigabitEthernet 1
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map testmap
end

Configure NAT

When the remote host sends traffic to the public IP 3.6.74.40 of our host, the Cisco router translates it to the internal IP 192.168.0.88 and routes it to the internal host. The same static entry translates 192.168.0.88 to 3.6.74.40 in the outbound direction, which is the address the crypto ACL matches. This requires the external interface to be marked ip nat outside (already shown above) and the internal interface to be marked ip nat inside.

ip-192-168-1-100(config)#ip nat inside source static 192.168.0.88 3.6.74.40

Configure Routing on internal host

Our internal host needs a route for the remote host via the Cisco router’s internal interface address (192.168.0.100 here); if the router is already the host’s default gateway, no extra route is needed.

/sbin/route add 54.247.86.104 gw 192.168.0.100

Note

  1. Disable the source/destination check on the router’s second network interface (the one in the private subnet). It is enabled by default and, while on, the cloud network drops packets whose source or destination address is not the interface’s own, which is exactly what forwarded traffic to and from 192.168.0.88 looks like.

  2. If the tunnel still does not come up, update the security group of the Cisco router to allow inbound UDP ports 500 (IKE) and 4500 (NAT-T).

Check VPN status

Phase 1 status: the state QM_IDLE with status ACTIVE means the IKE SA is established and ready for Quick Mode (Phase 2). The src column shows the interface’s private address, not the public one:

ip-192-168-1-100#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
54.194.6.72     192.168.1.100   QM_IDLE           1001 ACTIVE

Phase2 status:

ip-192-168-1-100#show crypto ipsec sa peer 54.194.6.72
interface: GigabitEthernet1
    Crypto map tag: testmap, local addr 192.168.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.6.74.40/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (54.247.86.104/255.255.255.255/0/0)
   current_peer 54.194.6.72 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 601, #pkts encrypt: 601, #pkts digest: 601
    #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.100, remote crypto endpt.: 54.194.6.72
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xF260702C(4066406444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF8C0B0DD(4173377757)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: testmap
         sa timing: remaining key lifetime (k/sec): (4607967/2951)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF260702C(4066406444)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: testmap
         sa timing: remaining key lifetime (k/sec): (4607950/2951)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Note the “Status: ACTIVE” in both “inbound esp sas” and “outbound esp sas”, which indicates the IPsec tunnel is established. Also check that #pkts encaps and #pkts decaps both increase as traffic flows, that #send errors and #recv errors stay at zero, and that the in-use settings show UDP-Encaps with current_peer on port 4500, confirming NAT-T is in effect.
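
Checking these fields by eye does not scale once there are several tunnels, so here is an added example (not from the original page) that parses the two status commands above and reports tunnel liveness plus any legacy parameters. The sample text is constructed from this page’s session, trimmed to the lines the parser needs, and assumes the IOS XE output format shown here; the “legacy” thresholds (DH group below 14, SHA-1 or MD5 integrity, no PFS) are this example’s own policy choices, not IOS defaults.

```python
# Added example (not from the original page): parse the two IOS status commands
# shown above and report tunnel liveness plus legacy crypto parameters. The
# sample output is constructed from the page's session, trimmed to the lines
# the parser needs; tabs/indentation are normalised to spaces.
import re

SHOW_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 100
    encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
    hash algorithm:         Secure Hash Standard
    authentication method:  Pre-Shared Key
    Diffie-Hellman group:   #2 (1024 bit)
    lifetime:               28800 seconds, no volume limit
"""

SHOW_IPSEC_SA = """\
   current_peer 54.194.6.72 port 4500
    #pkts encaps: 601, #pkts encrypt: 601, #pkts digest: 601
    #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xF8C0B0DD(4173377757)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0xF260702C(4066406444)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""

# "show crypto isakmp policy" label -> (field name, converter)
POLICY_FIELDS = {
    "encryption algorithm": ("encryption", str),
    "hash algorithm": ("hash", str),
    "authentication method": ("auth", str),
    "Diffie-Hellman group": ("dh_group", lambda v: int(re.search(r"#(\d+)", v).group(1))),
    "lifetime": ("lifetime", lambda v: int(re.search(r"(\d+) seconds", v).group(1))),
}


def parse_isakmp_policy(text):
    """Map IKE policy priority -> dict of the fields in POLICY_FIELDS."""
    policies, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of priority (\d+)", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            if key in POLICY_FIELDS:
                name, conv = POLICY_FIELDS[key]
                cur[name] = conv(val.strip())
    return policies


def parse_ipsec_sa(text):
    """Extract peer, packet counters, PFS flag and per-direction ESP SA details."""
    sa, section = {"esp": {}}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"current_peer (\S+) port (\d+)", line):
            sa["peer"], sa["port"] = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            sa["pfs"] = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            # Only the ESP sections carry SAs here; an AH/PCP header ends the section.
            section = sa["esp"].setdefault(m.group(1), {}) if m.group(2) == "esp" else None
        elif section is not None:
            for field, pat in (("spi", r"spi: (0x[0-9A-Fa-f]+)"),
                               ("transform", r"transform: (.+?) ,"),
                               ("status", r"Status: (\w+)")):
                if m := re.match(pat, line):
                    section[field] = m.group(1)
    return sa


def assess(policy, sa):
    """Return (tunnel_up, findings): liveness first, then legacy-crypto notes.
    The strength thresholds are this example's choices, not IOS defaults."""
    findings, esp = [], sa["esp"]
    up = all(esp.get(d, {}).get("status") == "ACTIVE" for d in ("inbound", "outbound"))
    if not up:
        findings.append("phase 2: ESP SAs are not ACTIVE in both directions")
    if not sa.get("encaps") or not sa.get("decaps"):
        findings.append("phase 2: no packets in one direction (check crypto ACL, NAT, routing)")
    if sa.get("send_errors") or sa.get("recv_errors"):
        findings.append("phase 2: send/recv errors present")
    if policy["dh_group"] < 14:
        findings.append(f"phase 1: DH group {policy['dh_group']} is below 2048-bit MODP (group 14)")
    if policy["hash"] in ("Secure Hash Standard", "Message Digest 5"):
        findings.append("phase 1: SHA-1/MD5 integrity; prefer SHA-256")
    if not sa.get("pfs"):
        findings.append("phase 2: PFS disabled, so IPsec keys depend only on the IKE SA")
    if any("esp-sha-hmac" in s.get("transform", "") for s in esp.values()):
        findings.append("phase 2: esp-sha-hmac (SHA-1) integrity; prefer esp-sha256-hmac")
    return up, findings


def report(policy_text=SHOW_ISAKMP_POLICY, sa_text=SHOW_IPSEC_SA, priority=100):
    """Print a one-screen summary and return (tunnel_up, findings)."""
    up, findings = assess(parse_isakmp_policy(policy_text)[priority], parse_ipsec_sa(sa_text))
    print("tunnel", "UP" if up else "DOWN")
    for f in findings:
        print(" -", f)
    return up, findings


if __name__ == "__main__":
    report()
```

Run against the page’s own output the tunnel is reported UP with four findings (DH group 2, SHA-1 in Phase 1, no PFS, esp-sha-hmac in Phase 2). Feeding it the output of a second router is just a matter of pasting that router’s two show commands into the same two strings, or reading them from files.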

Test from host

It’s time for an end-to-end test: simply ping the remote host’s public IP from the internal host. The remote network must allow incoming ICMP for this to succeed.

root@ip-192-168-0-88:/tftp# ping 54.247.86.104
PING 54.247.86.104 (54.247.86.104) 56(84) bytes of data.
64 bytes from 54.247.86.104: icmp_seq=1 ttl=62 time=127 ms
64 bytes from 54.247.86.104: icmp_seq=2 ttl=62 time=124 ms
64 bytes from 54.247.86.104: icmp_seq=3 ttl=62 time=128 ms
64 bytes from 54.247.86.104: icmp_seq=4 ttl=62 time=127 ms
^C
--- 54.247.86.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 123.633/126.206/127.685/1.534 ms

So we have successfully established site-to-site IPSec VPN tunnel between the two sites!
