Solved

VMware vCloud and Cisco router ipsec VPN tunnel

Posted on 2013-06-14
5
1,530 Views
Last Modified: 2013-11-29
Hi guys,

I'm having problems trying to set up a ipsec tunnel between VMware vCloud and a Cisco router.

vCloud gives me these directions:

IKE Phase I Parameters

Mode: Main mode
Encryption: AES (128 bit)
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (32 characters in length minimum)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters

Mode: ESP tunnel mode
Encryption: AES (128 bit)
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Kbyte Rekeying: OFF
Security Association Lifetime: 3600 seconds

Open in new window


on the Cisco router I do the following config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key xxxxxxx address x.x.x.x (vcloud ip) no-xauth
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac


access-list 100 permit ip 192.168.2.0 0.0.0.255 10.249.18.0 0.0.0.255 (lan to vcloud)
access-list 100 permit ip 10.249.18.0 0.0.0.255 192.168.2.0 0.0.0.255 (vcloud to lan)

crypto map PFSVPN 15 ipsec-isakmp
 set peer x.x.x.x (vcloud ip)
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

interface FastEthernet0/0 (interface that has the WAN)
crypto map PFSVPN

Open in new window


What is wrong with my tunnel? I used this config with cisco and pfSense firewall and it worked just fine. I'm not sure about the cisco config for the VMware vCloud as I'm not familiar setting up tunnels with these devices. Could you guys please assist me?

Thanks!
0
Comment
Question by:Alex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39247806
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

vs.

Encryption: AES (128 bit)

You need to create a new transform set on the Cisco router that uses AES-128, and assign that transform to the crypto map.
0
 

Author Comment

by:Alex
ID: 39247817
How?

If you see cisco documentation it doesn't give me AES as an option:

Examples of acceptable transform combinations are:

•ah-md5-hmac

•esp-des

•esp-3des and esp-md5-hmac

•ah-sha-hmac and esp-des and esp-sha-hmac

•comp-lzs
0
 
LVL 28

Expert Comment

by:asavener
ID: 39248026
Most of the newer Cisco IOS images support AES.  What router model and software version are you running?

I suppose your other option is to change the VMware side to 3DES.
0
 

Author Comment

by:Alex
ID: 39248056
Cisco 2801, so far I know there is no way to change many settings on vCloud side, we can't change the AES bit
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39248083
Then you need a router that supports the AES encryption standard.

What happens if you enter crypto ipsec transform-set TEST ?

(With the question mark)
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Advanced tutorial on how to run the esxtop command to capture a batch file in csv format in order to export the file and use it for performance analysis. He demonstrates how to download the file using a vSphere web client (or vSphere client) and exp…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question