Vyatta VTI IPSec to Cisco IOS router

Today, I will show how to build site to site IPSec VPN between Vyatta and Cisco IOS router by use of Vyatta Virtual tunnel interface.

Below is the network topology for our configuration. NOTE: we will use VTI IPSec on Cisco IOS router.

Vyatta VTI IPSec Cisco IOS

Vyatta Cisco IOS Routter
Ethernet Interface

set interfaces ethernet eth0 address ‘192.168.107.88/24’

set interfaces ethernet eth1 address ‘10.1.1.53/24’

Ethernet Interface

interface FastEthernet0/0

ip address 10.1.1.52 255.255.255.0

interface Loopback0

ip address 10.10.91.52 255.255.255.0

Virtual Tunnel Interface

set interfaces vti vti0 address ‘172.16.31.1/30’

Virtual Tunnel Interface

interface Tunnel1

ip address 172.16.31.2 255.255.255.252

tunnel source 10.1.1.52

tunnel destination 10.1.1.53

tunnel mode ipsec ipv4

tunnel protection ipsec profile VTI

IPSec

set vpn ipsec esp-group ESP-1W compression ‘disable’

set vpn ipsec esp-group ESP-1W lifetime ‘3600’

set vpn ipsec esp-group ESP-1W mode ‘tunnel’

set vpn ipsec esp-group ESP-1W pfs ‘enable’

set vpn ipsec esp-group ESP-1W proposal 1 encryption ‘3des’

set vpn ipsec esp-group ESP-1W proposal 1 hash ‘md5’

set vpn ipsec ike-group IKE-1W lifetime ‘14400’

set vpn ipsec ike-group IKE-1W proposal 1 dh-group ‘2’

set vpn ipsec ike-group IKE-1W proposal 1 encryption ‘3des’

set vpn ipsec ike-group IKE-1W proposal 1 hash ‘md5’

set vpn ipsec ipsec-interfaces interface ‘eth1’

set vpn ipsec site-to-site peer 10.1.1.52 authentication mode ‘pre-shared-secret’

set vpn ipsec site-to-site peer 10.1.1.52 authentication pre-shared-secret ‘test_key_1’

set vpn ipsec site-to-site peer 10.1.1.52 connection-type ‘initiate’

set vpn ipsec site-to-site peer 10.1.1.52 ike-group ‘IKE-1W’

set vpn ipsec site-to-site peer 10.1.1.52 local-address ‘10.1.1.53’

set vpn ipsec site-to-site peer 10.1.1.52 vti bind ‘vti0’

set vpn ipsec site-to-site peer 10.1.1.52 vti esp-group ‘ESP-1W’

IPSec

crypto isakmp policy 1

 encr 3des

 hash md5

 authentication pre-share

 group 2

 lifetime 14400

crypto isakmp key test_key_1 address 10.1.1.53

!

!

crypto ipsec transform-set TS esp-3des esp-md5-hmac

!

crypto ipsec profile VTI

 set transform-set TS

 set pfs group2

Routing

set protocols static interface-route 10.10.91.0/24 next-hop-interface vti0

Routing

ip route 192.168.107.0 255.255.255.0 Tunnel1

IPSec Status

 

vyatta@vyatta:~$ show vpn ike sa

Peer ID / IP                            Local ID / IP

————                            ————-

10.1.1.52                               10.1.1.53

 

State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time

—–  ——-  —-  ——-  —–  ——  ——

up     3des     md5   2        no     1055    14400

vyatta@vyatta:~$ show vpn ipsec sa

Peer ID / IP                            Local ID / IP

————                            ————-

10.1.1.52                               10.1.1.53

 

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto

——  —–  ————-  ——-  —-  —–  ——  ——  —–

vti     up     500.0/500.0    3des     md5   no     847     3600    all

 

 

vyatta@vyatta:~$ show vpn ipsec sa statistics

Peer ID / IP                            Local ID / IP

————                            ————-

10.1.1.52                               10.1.1.53

 

Tunnel Dir Source Network               Destination Network          Bytes

—— — ————–               ——————-          —–

vti    in  0.0.0.0/0                    0.0.0.0/0                    500

 

vti    out 0.0.0.0/0                    0.0.0.0/0                    500

 

 

IPSec Status

IPSec#show crypto isakmp sa

dst             src             state          conn-id slot status

10.1.1.52       10.1.1.53       QM_IDLE              1    0 ACTIVE

10.1.1.53       10.1.1.52       MM_NO_STATE          2    0 ACTIVE (deleted)

IPSec#show crypto ipsec sa

interface: Tunnel1

Crypto map tag: Tunnel1-head-0, local addr 10.1.1.52

protected vrf: (none)

local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer 10.1.1.53 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

 

local crypto endpt.: 10.1.1.52, remote crypto endpt.: 10.1.1.53

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xC0F3B01C(3237195804)

inbound esp sas:

spi: 0x9A510884(2589001860)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: SW:1, crypto map: Tunnel1-head-0

sa timing: remaining key lifetime (k/sec): (4570194/3556)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

 

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xC0F3B01C(3237195804)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 2002, flow_id: SW:2, crypto map: Tunnel1-head-0

sa timing: remaining key lifetime (k/sec): (4570194/3555)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

NOTE: VTI will show as “Admin Down A/D” before VPN is up.

vyatta@vyatta:~$    show interfaces

Codes: S – State, L – Link, u – Up, D – Down, A – Admin Down

Interface        IP Address                        S/L  Description

———        ———-                        —  ———–

eth1             10.1.1.53/24                      u/u

eth2             192.168.107.88/24                 u/u

lo               127.0.0.1/8                       u/u

::1/128

vti0             172.16.31.1/30                    A/D  

Update: we should use static interface-route instead of static route

One thought on “Vyatta VTI IPSec to Cisco IOS router

  1. Pingback: Vyatta Virtuanl Tunnel Interface for Site to Site IPSec – InsidePacket

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s