Solved

VMware vCloud and Cisco router ipsec VPN tunnel

Posted on 2013-06-14
5
1,469 Views
Last Modified: 2013-11-29
Hi guys,

I'm having problems trying to set up a ipsec tunnel between VMware vCloud and a Cisco router.

vCloud gives me these directions:

IKE Phase I Parameters

Mode: Main mode
Encryption: AES (128 bit)
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (32 characters in length minimum)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters

Mode: ESP tunnel mode
Encryption: AES (128 bit)
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Kbyte Rekeying: OFF
Security Association Lifetime: 3600 seconds

Open in new window


on the Cisco router I do the following config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key xxxxxxx address x.x.x.x (vcloud ip) no-xauth
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac


access-list 100 permit ip 192.168.2.0 0.0.0.255 10.249.18.0 0.0.0.255 (lan to vcloud)
access-list 100 permit ip 10.249.18.0 0.0.0.255 192.168.2.0 0.0.0.255 (vcloud to lan)

crypto map PFSVPN 15 ipsec-isakmp
 set peer x.x.x.x (vcloud ip)
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

interface FastEthernet0/0 (interface that has the WAN)
crypto map PFSVPN

Open in new window


What is wrong with my tunnel? I used this config with cisco and pfSense firewall and it worked just fine. I'm not sure about the cisco config for the VMware vCloud as I'm not familiar setting up tunnels with these devices. Could you guys please assist me?

Thanks!
0
Comment
Question by:Alex
  • 3
  • 2
5 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39247806
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

vs.

Encryption: AES (128 bit)

You need to create a new transform set on the Cisco router that uses AES-128, and assign that transform to the crypto map.
0
 

Author Comment

by:Alex
ID: 39247817
How?

If you see cisco documentation it doesn't give me AES as an option:

Examples of acceptable transform combinations are:

•ah-md5-hmac

•esp-des

•esp-3des and esp-md5-hmac

•ah-sha-hmac and esp-des and esp-sha-hmac

•comp-lzs
0
 
LVL 28

Expert Comment

by:asavener
ID: 39248026
Most of the newer Cisco IOS images support AES.  What router model and software version are you running?

I suppose your other option is to change the VMware side to 3DES.
0
 

Author Comment

by:Alex
ID: 39248056
Cisco 2801, so far I know there is no way to change many settings on vCloud side, we can't change the AES bit
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39248083
Then you need a router that supports the AES encryption standard.

What happens if you enter crypto ipsec transform-set TEST ?

(With the question mark)
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

HOW TO: Upload an ISO image to a VMware datastore for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere Host Client, and checking its MD5 checksum signature is correct.  It's a good idea to compare checksums, because many installat…
Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now