IPsec VPN Configuration On Cisco IOS XE - Part 1 - Policy Based VPN

Santosh Salunke, Network Security Lead
This article is about building site-to-site VPN tunnels on a Cisco CSR1000V router running IOS XE.
Two policy-based IPsec VPN tunnels are configured on the CSR1000V router, one with NAT and another without NAT.

While working with Cisco routers running IOS XE, I noticed that there is very little information on the Internet about configuring VPN tunnels in IOS XE, and whatever information is available is not useful for configuring routers. This prompted me to write this series of articles on IPsec VPN configuration on the IOS XE platform. This article is the first of the series and provides a sample configuration for a policy-based VPN tunnel.


This is an imaginary setup of a company that has a Data Centre (DC) with application and storage servers. Two branches (A and B) connect to the DC via IPsec VPN tunnels with the Internet as the underlay. Details of IP addresses and device connections are shown in the diagram.


The goals of this scenario are:


1) Create a policy-based IPsec VPN tunnel between "dc-gw1" in the DC and "branch-a-gw1" in Branch A.

2) Create a policy-based IPsec VPN tunnel between "dc-gw1" in the DC and "branch-b-gw1" in Branch B.

3) Traffic between the "app1" server and the "user" in Branch A will be NATed. We have to configure "inside" and "outside" NAT.



The router IOS versions used for this setup are:

dc-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
branch-a-gw1 and branch-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)


I configured the interface IPs on the DC router and the branch routers and implemented a default route towards the Internet router. This simulates the underlay Internet links for the DC and the branches.


Interface And Route Configuration On DC Router = "dc-gw1"


interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.252
ip nat outside
negotiation auto
crypto map branch-vpn
!
interface GigabitEthernet2
platform ring rx 256
ip address 100.0.10.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet3
platform ring rx 256
ip address 100.0.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1


Interface And Route Configuration On Branch A Router = "branch-a-gw1"


interface GigabitEthernet0/0
ip address 20.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto
crypto map app-dc

interface GigabitEthernet1/0
ip address 192.168.10.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1


Interface And Route Configuration On Branch B Router = "branch-b-gw1"


interface GigabitEthernet0/0
ip address 30.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto
crypto map vpn-to-dc

interface GigabitEthernet1/0
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 30.0.0.1


Next is the policy-based IPsec VPN configuration for the DC router and the branch routers.


IPsec VPN Configuration On DC Router = "dc-gw1"


crypto keyring branch-a
pre-shared-key address 20.0.0.2 key acme

crypto keyring branch-b
pre-shared-key address 30.0.0.2 key acme

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp profile branch-a
keyring branch-a
match identity address 20.0.0.2 255.255.255.255

crypto isakmp profile branch-b
keyring branch-b
match identity address 30.0.0.2 255.255.255.255

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto map branch-vpn 10 ipsec-isakmp
set peer 20.0.0.2
set transform-set AES-256-SHA
set pfs group14
set isakmp-profile branch-a
match address vpn-to-branch-a

crypto map branch-vpn 11 ipsec-isakmp
set peer 30.0.0.2
set transform-set AES-256-SHA
set pfs group14
set isakmp-profile branch-b
match address vpn-to-branch-b

ip access-list extended vpn-to-branch-a
permit ip 100.0.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255

ip access-list extended vpn-to-branch-b
permit ip 100.0.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 100.0.20.0 0.0.0.255 192.168.20.0 0.0.0.255


IPsec VPN Configuration On Branch A Router = "branch-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 10.0.0.2

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto map app-dc 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set AES-256-SHA
set pfs group14
match address cry-acl-app-dc

ip access-list extended cry-acl-app-dc
permit ip 192.168.10.0 0.0.0.255 100.0.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255


IPsec VPN Configuration On Branch B Router = "branch-b-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 10.0.0.2

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto map vpn-to-dc 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set AES-256-SHA
set pfs group14
match address vpn-to-dc

ip access-list extended vpn-to-dc
permit ip 192.168.20.0 0.0.0.255 100.0.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 100.0.20.0 0.0.0.255


This completes goals 1 and 2: we now have VPN tunnels between the DC and the branches. The next part is about implementing NAT on the DC router.


This NAT will change the App server IP from 100.0.10.10 to 172.16.10.10.


I did not use the "ip nat outside" command for this NAT, because I want to keep traffic between the Storage server and the Branch-A user without NAT.


ip nat pool source-nat-pool 172.16.10.10 172.16.10.10 prefix-length 30

ip access-list extended source-nat-acl
permit ip host 100.0.10.10 host 172.17.10.10

route-map source-nat-routemap permit 10
match ip address source-nat-acl

ip nat inside source route-map source-nat-routemap pool source-nat-pool


And this NAT configuration will change the branch user IP from 172.17.10.10 to 192.168.10.10.


ip nat outside source static 192.168.10.10 172.17.10.10


One thing to notice in all the configuration given above is that the NAT configuration affects the VPN access lists.


- Access list rule between the storage server and branch users: the source network and the destination network stay the same (original IPs).

- Access list rule between the app server and branch users: the source network 100.0.10.0/24 changes to 172.16.10.0/24 (NAT IP), while the destination network stays the same (original IP).


ip access-list extended vpn-to-branch-a
permit ip 100.0.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255

ip access-list extended vpn-to-branch-b
permit ip 100.0.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 100.0.20.0 0.0.0.255 192.168.20.0 0.0.0.255


And here are the ping commands used to generate traffic.


app1> ping 172.17.10.10
84 bytes from 172.17.10.10 icmp_seq=1 ttl=62 time=27.005 ms
84 bytes from 172.17.10.10 icmp_seq=2 ttl=62 time=45.009 ms
84 bytes from 172.17.10.10 icmp_seq=3 ttl=62 time=40.008 ms
84 bytes from 172.17.10.10 icmp_seq=4 ttl=62 time=20.004 ms
84 bytes from 172.17.10.10 icmp_seq=5 ttl=62 time=35.507 ms

app1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=43.509 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=44.009 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=46.510 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=49.010 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=40.508 ms


This traffic created the NAT translation table entries shown below.


dc-gw1#sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   172.17.10.10          192.168.10.10
icmp 172.16.10.10:31455    100.0.10.10:31455     172.17.10.10:31455    192.168.10.10:31455
icmp 172.16.10.10:31967    100.0.10.10:31967     172.17.10.10:31967    192.168.10.10:31967
icmp 172.16.10.10:30943    100.0.10.10:30943     172.17.10.10:30943    192.168.10.10:30943
Total number of translations: 4


These ping results and NAT translation entries show the connections between the app server in the DC and the user computer in the branch sites. Please note that:

1) When a packet is generated by the app server it has source IP 100.0.10.10; when this packet reaches the DC router, the source is changed to 172.16.10.10.

2) The same packet generated by the app server has destination IP 172.17.10.10; when this packet reaches the DC router, the destination is changed to 192.168.10.10.

3) After both the inside (source IP) and outside (destination IP) translations, this packet enters the VPN tunnel.
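To make the interplay between NAT and the crypto ACLs concrete, here is an added Python model (not part of the article or of any Cisco tooling) of dc-gw1's behaviour for a packet entering on GigabitEthernet2 (ip nat inside) and leaving on GigabitEthernet1 (ip nat outside): it parses the article's crypto ACLs from IOS wildcard syntax, checks that the Branch A ACL is the mirror image of the DC ACL, applies the two NAT rules in order, and shows that only the post-NAT packet (172.16.10.10 to 192.168.10.10) is selected for the tunnel. The ACL text and addresses are quoted from the article; the host addresses 100.0.10.10 and 192.168.10.10 are taken from its NAT section.

```python
import ipaddress
# Added example, not from the article: dc-gw1's NAT and crypto ACL behaviour modelled in
# Python.  ACLs are quoted from the article; host addresses come from its NAT section.
DC_VPN_TO_BRANCH_A = """
permit ip 100.0.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
BRANCH_A_CRY_ACL_APP_DC = """
permit ip 192.168.10.0 0.0.0.255 100.0.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
"""
INSIDE_LOCAL, INSIDE_GLOBAL = "100.0.10.10", "172.16.10.10"      # app1 -> NAT pool
OUTSIDE_GLOBAL, OUTSIDE_LOCAL = "192.168.10.10", "172.17.10.10"  # branch user -> static

def _take_network(tokens):
    """Consume one IOS 'address wildcard' pair from tokens -> (network, rest)."""
    # IOS wildcard masks are inverted subnet masks (0.0.0.255 -> /24); contiguous
    # wildcards only, which is all the article's crypto ACLs use.
    hostbits = int(ipaddress.IPv4Address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{32 - hostbits}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'permit ip <src> <wild> <dst> <wild>' ACEs into [(src_net, dst_net)]."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError("only 'permit ip' ACEs are modelled: " + line)
        src, rest = _take_network(tokens[2:])
        acl.append((src, _take_network(rest)[0]))
    return acl

def is_mirror(local_acl, remote_acl):
    """Policy-based IPsec needs the peer's crypto ACL to be the exact mirror image."""
    return {(s, d) for s, d in local_acl} == {(d, s) for s, d in remote_acl}

def dc_gw1_nat(src, dst):
    """dc-gw1 inside->outside NAT (Gi2 -> Gi1): the route-map source NAT fires only for
    traffic to the user's outside-local address; the static outside-source rule then
    rewrites that destination to the user's real (outside-global) address."""
    if src == INSIDE_LOCAL and dst == OUTSIDE_LOCAL:
        src = INSIDE_GLOBAL
    if dst == OUTSIDE_LOCAL:
        dst = OUTSIDE_GLOBAL
    return src, dst

def selected_for_tunnel(acl, src, dst):
    """True when the post-NAT packet matches a crypto ACL entry and gets encrypted."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)
```

Running `selected_for_tunnel` on the pre-NAT addresses returns False, which is exactly why the crypto ACL must list 172.16.10.0/24 rather than 100.0.10.0/24.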


This is the end of Part 1 of this series; we have seen a basic policy-based VPN setup and its sample configuration. Anyone working on a VPN setup using Cisco routers with IOS XE may use this configuration. The next article will be about configuring VRF-aware VPN tunnels in IOS XE.


Link to the next article in this series = Part 2 - VRF-Aware Policy Based VPN


I hope you find this helpful.


Comments (2)

Isaivani Venkat, Network Engineer, commented:

ip nat outside source static 192.168.10.10 172.17.10.10: is this NAT statement really required?
Santosh Salunke, Network Security Lead (Author), commented:

Hi Isaivani Venkat,

ip nat outside source static 192.168.10.10 172.17.10.10

This NAT is to change the branch user IP from 172.17.10.10 to 192.168.10.10. I used this to demonstrate how to do 'Destination IP NAT'.
