Solved

VMware vCloud and Cisco router ipsec VPN tunnel

Posted on 2013-06-14
Last Modified: 2013-11-29
Hi guys,

I'm having problems trying to set up an IPsec tunnel between VMware vCloud and a Cisco router.

vCloud gives me these directions:

IKE Phase I Parameters

Mode: Main mode
Encryption: AES (128 bit)
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (32 characters in length minimum)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters

Mode: ESP tunnel mode
Encryption: AES (128 bit)
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Kbyte Rekeying: OFF
Security Association Lifetime: 3600 seconds

on the Cisco router I do the following config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key xxxxxxx address x.x.x.x (vcloud ip) no-xauth
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac


access-list 100 permit ip 192.168.2.0 0.0.0.255 10.249.18.0 0.0.0.255 (lan to vcloud)
access-list 100 permit ip 10.249.18.0 0.0.0.255 192.168.2.0 0.0.0.255 (vcloud to lan)

crypto map PFSVPN 15 ipsec-isakmp
 set peer x.x.x.x (vcloud ip)
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

interface FastEthernet0/0 (interface that has the WAN)
crypto map PFSVPN

What is wrong with my tunnel? I used this config with Cisco and a pfSense firewall and it worked just fine. I'm not sure about the Cisco config for VMware vCloud, as I'm not familiar with setting up tunnels with these devices. Could you guys please assist me?

Thanks!
Question by:Alex
5 Comments
LVL 28

Expert Comment

by:asavener
ID: 39247806
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

vs.

Encryption: AES (128 bit)

You need to create a new transform set on the Cisco router that uses AES-128, and assign that transform to the crypto map.

Author Comment

by:Alex
ID: 39247817
How?

If you look at the Cisco documentation, it doesn't give me AES as an option:

Examples of acceptable transform combinations are:

• ah-md5-hmac
• esp-des
• esp-3des and esp-md5-hmac
• ah-sha-hmac and esp-des and esp-sha-hmac
• comp-lzs
LVL 28

Expert Comment

by:asavener
ID: 39248026
Most of the newer Cisco IOS images support AES.  What router model and software version are you running?

I suppose your other option is to change the VMware side to 3DES.

Author Comment

by:Alex
ID: 39248056
Cisco 2801. As far as I know there is no way to change many settings on the vCloud side; we can't change the AES bit.
LVL 28

Accepted Solution

by: asavener (earned 500 total points)
ID: 39248083
Then you need a router that supports the AES encryption standard.

What happens if you enter crypto ipsec transform-set TEST ?

(With the question mark)
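A Cisco IOS configuration that maps the vCloud Phase I / Phase II parameters quoted in the question onto the router, with the 3DES transform set from the original config replaced by an AES-128 one as asavener recommends. This is an added example, not configuration from the thread or from VMware/Cisco documentation. It assumes the router's IOS image lists esp-aes under crypto ipsec transform-set (the check the accepted answer describes), and it reuses the question's placeholder peer address, subnets, ACL number and crypto map name; the pre-shared key is a placeholder.

```cisco
! Phase 1 (IKE): AES-128, SHA1, DH group 2, pre-shared key, 28800 s lifetime.
! The original policy had no 'encr aes 128', 'hash sha' or 'lifetime' line.
crypto isakmp policy 10
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! vCloud requires a pre-shared secret of at least 32 characters (placeholder).
crypto isakmp key <PLACEHOLDER-32-PLUS-CHARACTER-SECRET> address x.x.x.x no-xauth
!
! Phase 2 (IPsec): ESP tunnel mode with AES-128 and SHA1 HMAC.
! This replaces the 3DES-SHA set the original crypto map referenced.
crypto ipsec transform-set AES128-SHA esp-aes 128 esp-sha-hmac
 mode tunnel
!
! Interesting traffic (LAN -> vCloud). IOS mirrors a crypto ACL for the
! inbound direction, so the reverse entry is not needed.
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.249.18.0 0.0.0.255
!
! PFS group 2 and a 3600 s IPsec SA lifetime, as the vCloud spec requires.
crypto map PFSVPN 15 ipsec-isakmp
 set peer x.x.x.x
 set transform-set AES128-SHA
 set pfs group2
 set security-association lifetime seconds 3600
 match address 100
!
interface FastEthernet0/0
 crypto map PFSVPN
```

After sending traffic that matches access-list 100, show crypto isakmp sa should list the vCloud peer in QM_IDLE and show crypto ipsec sa should show the encaps and decaps counters increasing. If the image really offers no esp-aes transform, the AES-128 line above will be rejected, which is the same result the crypto ipsec transform-set TEST ? check gives; in that case the IOS image (or the router) has to be upgraded, since the vCloud side cannot be moved to 3DES.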
