
How to configure IPSEC static route in Cisco Viptela SDWAN


Having covered ZTP, the zero trust model, secure segmentation, fabric operations and application-aware routing in the Cisco SD-WAN solution, we now turn to the IPsec static route in Cisco SD-WAN.

Data traffic between vEdges is carried securely over IPsec: IPsec is the transport for data traffic flowing from one vEdge to another across the overlay network. IPsec tunnels that run the Internet Key Exchange (IKE) protocol provide authentication and encryption to ensure secure packet transport.

Tunnel Redundancy
The IPsec tunnel interface lives in VPN 0. You can configure one or two IPsec tunnel interfaces; if you configure two, the first is the primary IPsec tunnel and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If the primary tunnel fails, all packets are sent to the backup tunnel, and when the primary tunnel comes back up, all traffic is moved back to it.

Fig 1.1- Sample Topology SDWAN

IPsec interfaces are logical interfaces. You configure the IKE protocol parameters on the IPsec interface, and you can configure other interface properties there as well.

vEdge(config)# vpn 0 interface ipsec1
vEdge(config-interface-ipsec1)# ip address 192.168.10.1/24
vEdge(config-interface-ipsec1)# tunnel-source-interface ge0/1.1108
vEdge(config-interface-ipsec1)# tunnel-destination 172.16.1.1
vEdge(config-interface-ipsec1)# no shutdown

How to configure the IPsec static route
To direct traffic from a service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in the service VPN; here we use VPN 1.

vEdge(config)# vpn 1
vEdge(config-vpn)# ip ipsec-route 192.168.10.1 vpn 0 interface ipsec1

To use the backup tunnel described under Tunnel Redundancy, name the second IPsec interface after the first on the same route (ip ipsec-route prefix vpn 0 interface ipsec1 ipsec2). The IKE parameters are then configured under the IPsec interface itself:

vEdge(config)# vpn vpn-id interface ipsec1 ike

Enable IKEv1

vEdge(config)# vpn 0 interface ipsec1 ike
vEdge(config-ike)# version 1
vEdge(config-ike)# mode aggressive
vEdge(config-ike)# group 15
vEdge(config-ike)# cipher-suite aes128-cbc-sha1
vEdge(config-ike)# rekey 3600
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret NDNA
vEdge(config-authentication-type)# local-id 192.168.10.1
vEdge(config-authentication-type)# remote-id 172.16.1.1

The rekey interval is in seconds, and the cipher-suite name gives the encryption algorithm followed by the SHA integrity hash. NDNA is a sample pre-shared secret; local-id and remote-id are the IKE identities of the local and remote tunnel endpoints.


Enable IKEv2

vEdge(config)# vpn 0 interface ipsec1 ike
vEdge(config-ike)# version 2
vEdge(config-ike)# group 15
vEdge(config-ike)# cipher-suite aes128-cbc-sha1
vEdge(config-ike)# rekey 3600
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret NDNA
vEdge(config-authentication-type)# local-id 192.168.10.1
vEdge(config-authentication-type)# remote-id 172.16.1.1

IKEv2 has no aggressive mode, so the mode command is not used. The IPsec (ESP) parameters for the tunnel are configured separately from IKE, under the interface's ipsec section:

vEdge(config)# vpn 0 interface ipsec1
vEdge(config-interface-ipsec1)# ipsec
vEdge(config-ipsec)# cipher-suite aes256-cbc-sha1
vEdge(config-ipsec)# rekey 3600
vEdge(config-ipsec)# perfect-forward-secrecy group-15
vEdge(config-ipsec)# replay-window 256
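Once a few vEdges carry tunnels like the ones above, the question becomes whether every site actually has the settings the post describes: a DH group that is not weak, confidentiality on both IKE and ESP, PFS enabled, and an ipsec-route that points at interfaces that exist and has a backup tunnel. The following Python script is an added example written for this page; it is not code from the post or from Cisco. It parses a constructed running-config in the hierarchical vEdge layout (the nesting of authentication-type, the route prefix 10.20.0.0/16, the second interface ipsec2 and the assumption that IKEv1 applies when no version line is present are all assumptions of the example) and reports the hygiene findings a reviewer would raise.

```python
import re

# Constructed sample in the hierarchical "show running-config" layout; the nesting of
# authentication-type, the route prefix 10.20.0.0/16 and the interface ipsec2
# are assumptions made for this example, not values from the post.
SAMPLE_CONFIG = """\
vpn 0
 interface ipsec1
  ip address 192.168.10.1/24
  tunnel-destination 172.16.1.1
  ike
   version 1
   mode aggressive
   rekey 3600
   cipher-suite aes128-cbc-sha1
   group 15
   authentication-type
    pre-shared-key
     pre-shared-secret NDNA
     local-id 192.168.10.1
     remote-id 172.16.1.1
  ipsec
   cipher-suite aes256-cbc-sha1
   perfect-forward-secrecy group-15
!
vpn 1
 ip ipsec-route 10.20.0.0/16 vpn 0 interface ipsec1 ipsec2
"""


def parse_config(text):
    """Turn the indentation-based config into nested dicts keyed by each line."""
    root = {}
    stack = [(-1, root)]  # (indent, node); the root entry is never popped
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = {}
        stack[-1][1][stripped] = node
        stack.append((indent, node))
    return root


def child(node, prefix):
    """(line, subtree) of the first line under node equal to or starting with prefix."""
    for line, sub in node.items():
        if line == prefix or line.startswith(prefix + " "):
            return line, sub
    return None, {}


def value(node, key, default=None):
    """Argument of a 'key arg' line under node, or default when absent."""
    line, _ = child(node, key)
    return line.split(None, 1)[1] if line and " " in line else default


def audit(text):
    """Findings for the IPsec interfaces in VPN 0 and the service-VPN ipsec-routes."""
    cfg = parse_config(text)
    findings = []
    _, vpn0 = child(cfg, "vpn 0")
    ifaces = {m.group(1): sub for line, sub in vpn0.items()
              if (m := re.fullmatch(r"interface (ipsec\d+)", line))}
    for name, iface in ifaces.items():
        _, ike = child(iface, "ike")
        _, ipsec = child(iface, "ipsec")
        version = value(ike, "version", "1")  # IKEv1 assumed when no version line
        _, auth = child(ike, "authentication-type")
        psk, _ = child(auth, "pre-shared-key")
        # Aggressive mode exposes the identity and a PSK-derived hash to a passive
        # observer, so it is the first thing to flag on a pre-shared-key tunnel.
        if version == "1" and value(ike, "mode", "main") == "aggressive" and psk:
            findings.append(f"{name}: IKEv1 aggressive mode with a pre-shared key")
        if int(value(ike, "group", "0")) < 14:
            findings.append(f"{name}: IKE DH group below 14")
        for scope, node in (("ike", ike), ("ipsec", ipsec)):
            if value(node, "cipher-suite", "").startswith("null"):
                findings.append(f"{name}: {scope} cipher-suite gives no confidentiality")
        if value(ipsec, "perfect-forward-secrecy", "none") == "none":
            findings.append(f"{name}: IPsec perfect-forward-secrecy disabled")
    # Routes must name interfaces that exist in VPN 0; one interface means no backup.
    for vpn, sub in cfg.items():
        if not vpn.startswith("vpn ") or vpn == "vpn 0":
            continue
        for entry in sub:
            m = re.fullmatch(r"ip ipsec-route (\S+) vpn 0 interface (.+)", entry)
            if not m:
                continue
            prefix, targets = m.group(1), m.group(2).split()
            findings += [f"{vpn}: ipsec-route {prefix} references undefined {t}"
                         for t in targets if t not in ifaces]
            if len(targets) < 2:
                findings.append(f"{vpn}: ipsec-route {prefix} has no backup tunnel")
    return findings
```

Run audit(SAMPLE_CONFIG) and the sample produces two findings: the IKEv1 aggressive-mode tunnel using a pre-shared key, and the route in VPN 1 naming a backup interface ipsec2 that was never created in VPN 0. Switching the sample to version 2 removes the first finding, and trimming the route to a single interface replaces the second with a missing-backup finding, which is the redundancy gap the Tunnel Redundancy section warns about.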