Today, I will show how to build a site-to-site IPsec VPN between Vyatta and a Cisco IOS router using a Vyatta virtual tunnel interface (VTI).
Below is the network topology and the configuration for both sides. NOTE: the Cisco IOS router also uses VTI-based IPsec (tunnel mode ipsec ipv4), not a crypto map.
Ethernet interfaces

Vyatta:
set interfaces ethernet eth0 address '192.168.107.88/24'
set interfaces ethernet eth1 address '10.1.1.53/24'

Cisco IOS router:
interface FastEthernet0/0
 ip address 10.1.1.52 255.255.255.0
interface Loopback0
 ip address 10.10.91.52 255.255.255.0

Virtual tunnel interface

Vyatta:
set interfaces vti vti0 address '172.16.31.1/30'

Cisco IOS router:
interface Tunnel1
 ip address 172.16.31.2 255.255.255.252
 tunnel source 10.1.1.52
 tunnel destination 10.1.1.53
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

IPsec

Vyatta:
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 10.1.1.52 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.1.52 authentication pre-shared-secret 'test_key_1'
set vpn ipsec site-to-site peer 10.1.1.52 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.1.1.52 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 10.1.1.52 local-address '10.1.1.53'
set vpn ipsec site-to-site peer 10.1.1.52 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.1.1.52 vti esp-group 'ESP-1W'

Cisco IOS router:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key test_key_1 address 10.1.1.53
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
 set transform-set TS
 set pfs group2
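A tunnel like this most often fails to come up because the two peers disagree on a phase 1 or phase 2 parameter, and with mismatched proposals IOS only logs a terse "no proposal chosen". The following script is an added example, not code from the original post or from either vendor: it parses the Vyatta and IOS IPsec configurations shown above, normalizes them to the same key names and reports any parameter the peers would fail to agree on. It also reports 3DES and MD5, which RFC 8221 (ESP) and RFC 8247 (IKE) deprecate, so a practitioner migrating this template sees what to replace. The configuration text is copied from the post; the parser, the canonical key names, the treatment of Vyatta's `pfs 'enable'` as "reuse the IKE group's DH group" and the assumption that an IOS profile with no explicit SA lifetime uses the IOS default of 3600 seconds are mine.

```python
"""Check that the Vyatta and Cisco IOS sides of the VTI tunnel agree on their
IKE (phase 1) and ESP (phase 2) parameters, and flag deprecated algorithms.
Added example; not code from the original post."""
import re

# Vyatta side: the 'set vpn ipsec' lines from the post (constructed inline).
VYATTA_CONFIG = """
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 10.1.1.52 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 10.1.1.52 vti esp-group 'ESP-1W'
"""

# Cisco IOS side: the crypto section from the post (constructed inline).
IOS_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key test_key_1 address 10.1.1.53
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
 set transform-set TS
 set pfs group2
"""

# Deprecated for IPsec by RFC 8221 (ESP) and RFC 8247 (IKE): reported, not rejected.
LEGACY = {"3des", "md5"}
# Parameters compared per phase, using canonical key names.
COMPARE = {"ike": ("encryption", "hash", "dh-group", "lifetime"),
           "esp": ("encryption", "hash", "pfs", "lifetime")}


def parse_vyatta(text):
    """Return {'ike': {...}, 'esp': {...}} from Vyatta 'set vpn ipsec' lines."""
    ike, esp = {}, {}
    for line in text.splitlines():
        m = re.match(r"set vpn ipsec (ike-group|esp-group) \S+ (.*?) '(.*)'$", line.strip())
        if not m:                      # interface/peer lines carry no proposal data
            continue
        group, key, value = m.groups()
        target = ike if group == "ike-group" else esp
        target[key.replace("proposal 1 ", "")] = value
    # Assumption: 'pfs enable' reuses the IKE group's DH group; 'dh-groupN' names one.
    pfs = esp.get("pfs")
    if pfs == "enable":
        esp["pfs"] = ike.get("dh-group")
    elif pfs and pfs.startswith("dh-group"):
        esp["pfs"] = pfs[len("dh-group"):]
    return {"ike": ike, "esp": esp}


def parse_ios(text):
    """Return {'ike': {...}, 'esp': {...}} from an IOS isakmp/ipsec crypto block."""
    ike, esp, section = {}, {}, None
    isakmp_keys = {"encr": "encryption", "hash": "hash", "group": "dh-group",
                   "lifetime": "lifetime"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("crypto "):     # any top-level crypto command ends a section
            section = None
            m = re.match(r"crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac$", line)
            if m:                          # handles the single-cipher + HMAC form only
                esp["encryption"], esp["hash"] = m.groups()
            elif line.startswith("crypto isakmp policy"):
                section = "isakmp"
            elif line.startswith("crypto ipsec profile"):
                section = "profile"
        elif section == "isakmp":
            parts = line.split()
            if parts[0] in isakmp_keys:
                ike[isakmp_keys[parts[0]]] = parts[1]
        elif section == "profile" and line.startswith("set pfs "):
            esp["pfs"] = line.split()[2].replace("group", "")
    esp.setdefault("lifetime", "3600")     # assumption: IOS default SA lifetime (seconds)
    return {"ike": ike, "esp": esp}


def compare(vyatta, ios):
    """Return (mismatches, legacy); an empty mismatch list means the peers agree."""
    mismatches, legacy = [], []
    for phase, keys in COMPARE.items():
        for k in keys:
            a, b = vyatta[phase].get(k), ios[phase].get(k)
            if a != b:
                mismatches.append(f"{phase} {k}: vyatta={a} ios={b}")
            if a in LEGACY or b in LEGACY:
                legacy.append(f"{phase} {k}: {a if a in LEGACY else b}")
    return mismatches, legacy


if __name__ == "__main__":
    mismatches, legacy = compare(parse_vyatta(VYATTA_CONFIG), parse_ios(IOS_CONFIG))
    print("mismatches:", mismatches or "none")
    print("deprecated algorithms:", legacy or "none")
```

Run as-is it reports no mismatches and four deprecated-algorithm entries (3DES and MD5 on both phases). Changing one side, for example `group 2` to `group 5` in the isakmp policy, produces a single line naming the phase and parameter, which is the information the router logs withhold. Lifetimes are compared too; IKEv1 peers tolerate different lifetimes by settling on the shorter one, but knowing they differ still helps when rekeys behave unexpectedly.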
Routing

Vyatta:
set protocols static interface-route 10.10.91.0/24 next-hop-interface vti0

Cisco IOS router:
ip route 192.168.107.0 255.255.255.0 Tunnel1
IPsec status

Vyatta:
vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.52                               10.1.1.53

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     3des     md5     2        no     1055    14400

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.52                               10.1.1.53

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     up     500.0/500.0    3des     md5     no     847     3600    all

vyatta@vyatta:~$ show vpn ipsec sa statistics
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.52                               10.1.1.53

  Tunnel Dir Source Network               Destination Network          Bytes
  ------ --- --------------               -------------------          -----
  vti    in  0.0.0.0/0                    0.0.0.0/0                    500
  vti    out 0.0.0.0/0                    0.0.0.0/0                    500

Cisco IOS router:
IPSec#show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.52       10.1.1.53       QM_IDLE              1    0 ACTIVE
10.1.1.53       10.1.1.52       MM_NO_STATE          2    0 ACTIVE (deleted)

IPSec#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.1.1.52

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.1.53 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.52, remote crypto endpt.: 10.1.1.53
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC0F3B01C(3237195804)

     inbound esp sas:
      spi: 0x9A510884(2589001860)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4570194/3556)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC0F3B01C(3237195804)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4570194/3555)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
NOTE: the VTI shows as "A/D" (Admin Down) until the VPN is up.

vyatta@vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth1             10.1.1.53/24                      u/u
eth2             192.168.107.88/24                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti0             172.16.31.1/30                    A/D
Update: we should use a static interface-route instead of a static route.