VMware vCloud and Cisco router ipsec VPN tunnel

Hi guys,

I'm having problems trying to set up an IPsec tunnel between VMware vCloud and a Cisco router.

vCloud gives me these directions:

IKE Phase I Parameters

Mode: Main mode
Encryption: AES (128 bit)
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (32 characters in length minimum)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters

Mode: ESP tunnel mode
Encryption: AES (128 bit)
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Kbyte Rekeying: OFF
Security Association Lifetime: 3600 seconds



On the Cisco router I use the following config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key xxxxxxx address x.x.x.x (vcloud ip) no-xauth
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac


access-list 100 permit ip 192.168.2.0 0.0.0.255 10.249.18.0 0.0.0.255 (lan to vcloud)
access-list 100 permit ip 10.249.18.0 0.0.0.255 192.168.2.0 0.0.0.255 (vcloud to lan)

crypto map PFSVPN 15 ipsec-isakmp
 set peer x.x.x.x (vcloud ip)
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

interface FastEthernet0/0 (interface that has the WAN)
crypto map PFSVPN



What is wrong with my tunnel? I used this config with a Cisco and a pfSense firewall and it worked just fine. I'm not sure about the Cisco config for VMware vCloud, as I'm not familiar with setting up tunnels with these devices. Could you guys please assist me?

Thanks!
Alex asked:
asavener commented:
Then you need a router that supports the AES encryption standard.

What happens if you enter crypto ipsec transform-set TEST ?

(With the question mark)
asavener commented:
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

vs.

Encryption: AES (128 bit)

You need to create a new transform set on the Cisco router that uses AES-128, and assign that transform to the crypto map.
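As an added example (not from the question or any of the replies), the following Python script parses an IOS-style config snippet and compares its isakmp policy, transform set and PFS setting against the vCloud Phase I/II parameters listed in the question. The embedded config text is constructed from the posted config; the transform-set name AES128-SHA and the added lifetime line are assumptions, and the script needs Python 3.9 or newer.

```python
import re
# vCloud's parameters (from the question); IOS defaults fill omitted isakmp policy lines.
VCLOUD_PHASE1 = {"encr": "aes 128", "hash": "sha", "group": "2", "lifetime": "28800"}
VCLOUD_PHASE2 = {"transforms": {"esp-aes", "esp-sha-hmac"}, "pfs": "group2"}
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
def parse_ios(text):
    """Collect isakmp policies, transform sets and crypto-map entries from IOS config."""
    cfg, cur = {"policies": {}, "transform_sets": {}, "maps": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            cur = cfg["policies"].setdefault(m.group(1), dict(IOS_POLICY_DEFAULTS))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            # "esp-aes 128" and "esp-aes" are the same transform: drop the size token
            cfg["transform_sets"][m.group(1)] = set(m.group(2).replace(" 128", "").split())
            cur = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = cfg["maps"].setdefault((m.group(1), m.group(2)), {})
        elif not line or line.startswith(("crypto", "interface", "access-list", "!")):
            cur = None  # any other top-level line ends the block being read
        elif cur is not None:  # sub-line such as "encr aes" or "set pfs group2"
            key, _, val = line.removeprefix("set ").partition(" ")
            val = val.split(" (")[0]  # drop inline notes such as "x.x.x.x (vcloud ip)"
            cur[key] = "aes 128" if (key, val) == ("encr", "aes") else val  # IOS default size
    return cfg
def check(cfg, map_name):
    """Report each isakmp policy and each map entry that differs from vCloud's parameters."""
    out = []
    for num, p in cfg["policies"].items():
        bad = [f"{k}={p.get(k)!r} (want {v!r})" for k, v in VCLOUD_PHASE1.items() if p.get(k) != v]
        if bad:
            out.append(f"Phase I: isakmp policy {num}: " + ", ".join(bad))
    for (name, seq), e in ((k, v) for k, v in cfg["maps"].items() if k[0] == map_name):
        ts = cfg["transform_sets"].get(e.get("transform-set"), set())
        if ts != VCLOUD_PHASE2["transforms"]:
            out.append(f"Phase II: map {name} {seq}: transforms {sorted(ts)}, want esp-aes + esp-sha-hmac")
        if e.get("pfs") != VCLOUD_PHASE2["pfs"]:
            out.append(f"Phase II: map {name} {seq}: pfs {e.get('pfs')!r}, want 'group2'")
    return out
# Constructed input: the posted config, then the same config with an AES-128 transform set
# added (as asavener suggests), the map pointed at it, and the Phase I lifetime set.
POSTED = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map PFSVPN 15 ipsec-isakmp
 set peer x.x.x.x (vcloud ip)
 set transform-set 3DES-SHA
 set pfs group2
"""
FIXED = (POSTED.replace(" group 2\n", " group 2\n lifetime 28800\n")
         .replace("esp-sha-hmac\n", "esp-sha-hmac\ncrypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac\n")
         .replace("set transform-set 3DES-SHA", "set transform-set AES128-SHA"))
```

Running check(parse_ios(POSTED), "PFSVPN") flags the 3DES transform set and the default 86400 s Phase I lifetime; the FIXED config yields no findings.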
Alex (Author) commented:
How?

If you look at the Cisco documentation, it doesn't give me AES as an option:

Examples of acceptable transform combinations are:

• ah-md5-hmac
• esp-des
• esp-3des and esp-md5-hmac
• ah-sha-hmac and esp-des and esp-sha-hmac
• comp-lzs
asavener commented:
Most of the newer Cisco IOS images support AES.  What router model and software version are you running?

I suppose your other option is to change the VMware side to 3DES.
Alex (Author) commented:
Cisco 2801. As far as I know there is no way to change many settings on the vCloud side; we can't change the AES bit.