This article describes how to configure a site-to-site, policy-based IPsec VPN between a Versa FlexVNF and a Cisco router using a pre-shared key (PSK).
Use case
Customers often require that their SD-WAN sites communicate with non-SD-WAN sites. This is typically the case when a customer already has an existing setup and does not wish to migrate every device to the SD-WAN network at the same time. Customers generally prefer to send this traffic through a secure tunnel, so they create a site-to-site IPsec VPN from the branch or hub to the non-SD-WAN sites.
In this example, we establish a policy-based IPsec VPN between a Versa FlexVNF acting as the hub, with WAN IP address 120.0.0.1, and a Cisco router with WAN IP address 190.0.0.3.
The following diagram illustrates a simple setup of SD-WAN connectivity to non-SD-WAN networks.
Prerequisites
- Versa Headend is deployed and configured.
- Underlay reachability exists from the SD-WAN device to the non-SD-WAN device.
Configuration
- Log in to Versa Director and navigate to the branch where you want to terminate the site-to-site IPsec tunnel.
- Navigate to Services > IPsec > VPN Profiles, then add the site-to-site VPN profile.
- In the VPN profile, add the peer IP address by clicking +.
- Select the routing instance and local interface from which the peer IP address is reachable.
- In this example we select the "Policy Based" VPN type.
- Under Policy Configuration, add the policies one at a time, with the local subnet as source and the remote subnet as destination.
- Navigate to the IKE tab and configure Local Auth and Peer Auth with the following parameters:
  - Authentication Type: psk (as we are configuring the tunnel based on a pre-shared key)
  - Shared Key: the key to be configured for Local Auth and Peer Auth
  - Identity Type: we use IP address as the identity type
  - Identity: the local and peer IP addresses (as we selected IP address as the identity type)
- Navigate to the IPsec tab and configure parameters such as Transform, IPsec Rekey Time and Hello Interval as required.
This completes the configuration on Versa FlexVNF.
Validation of Versa FlexVNF Configuration using CLI
    cli> show configuration | display set | match S2S-CiscoASA-PSK
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK vpn-type site-to-site
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local-auth-info
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local-auth-info auth-type psk
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local-auth-info id-type ip
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local-auth-info key versa123
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local-auth-info id-string 120.0.0.1
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK local interface-name vni-0/0.0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK routing-instance MPLS-Transport-VR
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK tunnel-routing-instance MPLS-Transport-VR
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK tunnel-initiate automatic
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec fragmentation pre-fragmentation
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec force-nat-t disable
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec transform esp-aes128-sha1
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec mode tunnel
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec pfs-group mod-none
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec anti-replay enable
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec life duration 28800
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec keepalive-timeout 10
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec hello-interval send-interval 10
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike version v1
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike mode main
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike group mod2
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike transform aes128-sha1
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike lifetime 28800
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike dpd-timeout 30
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer-auth-info
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer-auth-info auth-type psk
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer-auth-info id-type ip
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer-auth-info key versa123
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer-auth-info id-string 190.0.0.3
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK peer address [ 190.0.0.3 ]
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK hardware-accelerator any
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd protocol any
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd src inet 140.0.0.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd src port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd dst inet 99.99.99.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd dst port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 protocol any
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 src inet 50.0.0.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 src port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 dst inet 99.99.99.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 dst port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN protocol any
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN src inet 190.0.0.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN src port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN dst inet 120.0.0.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN dst port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 protocol any
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 src inet 60.0.0.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 src port 0
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 dst inet 99.99.99.0/24
    set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 dst port 0
Peer Side Configuration (Cisco Configuration)
    Router#show access-lists 100
    Extended IP access list 100
        5 permit ip 190.0.0.0 0.0.0.255 120.0.0.0 0.0.0.255
        10 permit ip 99.99.99.0 0.0.0.255 140.0.0.0 0.0.0.255
        20 permit ip 99.99.99.0 0.0.0.255 50.0.0.0 0.0.0.255
        30 permit ip 99.99.99.0 0.0.0.255 60.0.0.0 0.0.0.255

    Router#show configuration | section crypto
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key versa123 address 120.0.0.1    <-- the pre-shared key and identity must match the Versa Local Auth settings
    crypto ipsec transform-set aesset esp-aes esp-sha-hmac
     mode transport
    crypto map aesmap 10 ipsec-isakmp
     set peer 120.0.0.1
     set security-association dummy seconds 5
     set transform-set aesset
     match address 100

    Router#show run int g2
    Building configuration...

    Current configuration : 137 bytes
    !
    interface GigabitEthernet2
     ip address 190.0.0.3 255.255.255.0
     negotiation auto
     no mop enabled
     no mop sysid
     crypto map aesmap
    end
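A policy-based tunnel only comes up for a selector when both peers agree on it, and the router's ACL must be the mirror image of the FlexVNF rules (the Cisco source is the Versa destination and vice versa). The script below is an added example, not part of the article and not Versa or Cisco tooling: it parses the FlexVNF "display set" rule lines and the router's ACL 100 as shown above, reports for every Versa rule whether the ACL mirrors it, and checks that the address on the Cisco "crypto isakmp key" line equals the Versa local identity while "set peer" equals the Versa peer identity. The rule names, prefixes and identities are copied from the article; the function names and the verdict labels are the example's own. On the article's data it reports Non-sd, Spoke1 and spoke2 as mirrored (these are the three selectors that appear in the security-association output) and the WAN rule as same-direction, because both sides list 190.0.0.0/24 as source and 120.0.0.0/24 as destination, so that rule is worth confirming against the intended design before relying on it.

```python
import ipaddress
import re

# Versa "display set" rule lines, copied from the article's FlexVNF configuration output.
VERSA_SET_LINES = """\
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd src inet 140.0.0.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Non-sd dst inet 99.99.99.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 src inet 50.0.0.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule Spoke1 dst inet 99.99.99.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN src inet 190.0.0.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule WAN dst inet 120.0.0.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 src inet 60.0.0.0/24
set orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK rule spoke2 dst inet 99.99.99.0/24
"""

# Body of the router's "show access-lists 100", copied from the article.
CISCO_ACL_LINES = """\
5 permit ip 190.0.0.0 0.0.0.255 120.0.0.0 0.0.0.255
10 permit ip 99.99.99.0 0.0.0.255 140.0.0.0 0.0.0.255
20 permit ip 99.99.99.0 0.0.0.255 50.0.0.0 0.0.0.255
30 permit ip 99.99.99.0 0.0.0.255 60.0.0.0 0.0.0.255
"""

VERSA_RULE_RE = re.compile(r"\brule (\S+) (src|dst) inet (\S+)$")
CISCO_ACL_RE = re.compile(r"^\s*\d+ permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_network(addr, wildcard):
    """Cisco ACLs use inverted masks: 0.0.0.255 means /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_versa_rules(text):
    """Return {rule_name: (src_network, dst_network)} from 'display set' output."""
    parts = {}
    for line in text.splitlines():
        if m := VERSA_RULE_RE.search(line):
            name, side, prefix = m.groups()
            parts.setdefault(name, {})[side] = ipaddress.ip_network(prefix)
    return {n: (p["src"], p["dst"]) for n, p in parts.items() if "src" in p and "dst" in p}


def parse_cisco_acl(text):
    """Return the set of (src_network, dst_network) pairs an extended ACL permits."""
    pairs = set()
    for line in text.splitlines():
        if m := CISCO_ACL_RE.match(line):
            src, src_wc, dst, dst_wc = m.groups()
            pairs.add((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs


def check_selectors(versa_rules, cisco_pairs):
    """Classify each Versa rule: 'mirrored' (Cisco permits dst -> src, which is what a
    policy-based peer needs), 'same-direction' (both sides list the same src -> dst) or
    'missing' (no matching ACL entry at all)."""
    result = {}
    for name, (src, dst) in versa_rules.items():
        if (dst, src) in cisco_pairs:
            result[name] = "mirrored"
        elif (src, dst) in cisco_pairs:
            result[name] = "same-direction"
        else:
            result[name] = "missing"
    return result


def check_identities(versa_local_id, versa_peer_id, cisco_key_address, cisco_set_peer):
    """With id-type ip, Cisco's 'crypto isakmp key ... address' must name Versa's local
    identity and 'set peer' must name Versa's peer identity; return any mismatches."""
    problems = []
    if cisco_key_address != versa_local_id:
        problems.append(f"isakmp key address {cisco_key_address} != Versa local id-string {versa_local_id}")
    if cisco_set_peer != versa_peer_id:
        problems.append(f"set peer {cisco_set_peer} != Versa peer id-string {versa_peer_id}")
    return problems


if __name__ == "__main__":
    # The identities below are the ones shown in the article's configuration.
    verdicts = check_selectors(parse_versa_rules(VERSA_SET_LINES), parse_cisco_acl(CISCO_ACL_LINES))
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print(check_identities("120.0.0.1", "190.0.0.3", "120.0.0.1", "190.0.0.3") or "identities consistent")
```

The selector check compares networks rather than strings, so a /24 written as address plus wildcard on the router matches the CIDR form on the FlexVNF; any rule reported as missing or same-direction will not get a Phase 2 SA until one side is corrected.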
Verification on Versa FlexVNF CPE
    admin@B4-H1-cli> show orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ike history
    Local Gateway: 120.0.0.1
    Remote Gateway: 190.0.0.3
    Last Known State : Active
    Last State Timestamp : 2019-01-03T18:34:17.783873+05:30
    Event History:
      0. Event : IKE Done
         Timestamp : 2019-01-03T18:34:17.783876+05:30
         Role : initiator
         Inbound SPI : 0x4718a45957ff0002
         Outbound SPI : 0x5057a4d11c3da5e9
      1. Event : IKE Done
         Timestamp : 2019-01-03T18:32:11.028299+05:30
         Role : responder
         Inbound SPI : 0xedf7fad1423d0002
         Outbound SPI : 0x91d5f48e5feb2955

    admin@B4-H1-cli> show orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK ipsec history
    Local Gateway: 120.0.0.1
    Remote Gateway: 190.0.0.3
    Last Known State : Active (Rekey)
    Last State Timestamp : 2019-01-03T18:39:55.227923+05:30
    Event History:
      0. Event : IPsec Rekey
         Timestamp : 2019-01-03T18:39:55.227926+05:30
         Inbound SPI : 0x2003803
         Outbound SPI : 0x47619fd0
      1. Event : IPsec Done
         Timestamp : 2019-01-03T18:39:50.480165+05:30
         Inbound SPI : 0x2000b7f
         Outbound SPI : 0x13156648
      2. Event : IPsec Done
         Timestamp : 2019-01-03T18:39:47.577204+05:30
         Inbound SPI : 0x2002b1d
         Outbound SPI : 0xe1b727eb

    admin@B4-H1-cli> show orgs org-services versa ipsec vpn-profile S2S-CiscoASA-PSK security-associations detail
    Local Gateway: 120.0.0.1
      Auth Type: psk, ID Type: ip, ID String: 120.0.0.0
    Remote Gateway: 190.0.0.3
      Session Type: Control
      Auth Type: psk, ID Type: ip, ID String: 190.0.0.0
      Inbound SPI: 0x200290f
        Mode: tunnel, Protocol: esp
        Authentication: hmac-sha1, Encryption: aes-cbc, Key Len: 128, PFS DH Group: mod-none
        Life Time: 3180 seconds, Remaining Life Time: 2200 seconds    <-- Rekey timers
        Life Time: 4275 mbytes, Remaining Life Time: 4262 mbytes
        NAT Traversal: disable
        Anti-replay: enable, Window Size: 65472
        Traffic Selector:
          Source : 140.0.0.0/24, Proto: Any, Port: 0
          Destination: 99.99.99.0/24, Proto: Any, Port: 0
        Statistics:
          # Packets : 209 (0 Packets/Sec)
          # Bytes : 165528 (168 Bytes/Sec)
          # Packets decrypted : 209    <-- Encrypt and Decrypt packet count
          # Packets dropped - Invalid : 0
          # Packets dropped - Anti-replay : 0
          # Packets dropped - Auth failed : 0
      Outbound SPI: 0xd777d8d2
        Mode: tunnel, Protocol: esp
        Authentication: hmac-sha1, Encryption: aes-cbc, Key Len: 128, PFS DH Group: mod-none
        Life Time: 3180 seconds, Remaining Life Time: 2200 seconds
        Life Time: 4275 mbytes, Remaining Life Time: 4262 mbytes
        NAT Traversal: disable
        Anti-replay: enable
        Traffic Selector:
          Source : 140.0.0.0/24, Proto: Any, Port: 0
          Destination: 99.99.99.0/24, Proto: Any, Port: 0
        Statistics:
          # Packets : 0 (0 Packets/Sec)
          # Bytes : 0 (0 Bytes/Sec)
          # Packets encrypted : 0
          # Packets dropped - No SA info : 0
          # Packets dropped - No mbuf : 0
          # Packets dropped - Coalesce failed : 0
    Local Gateway: 120.0.0.1
      Auth Type: psk, ID Type: ip, ID String: 120.0.0.0
    Remote Gateway: 190.0.0.3
      Session Type: Control
      Auth Type: psk, ID Type: ip, ID String: 190.0.0.0
      Inbound SPI: 0x2004a7f
        Mode: tunnel, Protocol: esp
        Authentication: hmac-sha1, Encryption: aes-cbc, Key Len: 128, PFS DH Group: mod-none
        Life Time: 3300 seconds, Remaining Life Time: 2320 seconds
        Life Time: 4125 mbytes, Remaining Life Time: 4112 mbytes
        NAT Traversal: disable
        Anti-replay: enable, Window Size: 65472
        Traffic Selector:
          Source : 50.0.0.0/24, Proto: Any, Port: 0
          Destination: 99.99.99.0/24, Proto: Any, Port: 0
        Statistics:
          # Packets : 192 (0 Packets/Sec)
          # Bytes : 152064 (155 Bytes/Sec)
          # Packets decrypted : 192
          # Packets dropped - Invalid : 0
          # Packets dropped - Anti-replay : 0
          # Packets dropped - Auth failed : 0
      Outbound SPI: 0xdff50388
        Mode: tunnel, Protocol: esp
        Authentication: hmac-sha1, Encryption: aes-cbc, Key Len: 128, PFS DH Group: mod-none
        Life Time: 3300 seconds, Remaining Life Time: 2320 seconds
        Life Time: 4125 mbytes, Remaining Life Time: 4112 mbytes
        NAT Traversal: disable
        Anti-replay: enable
        Traffic Selector:
          Source : 50.0.0.0/24, Proto: Any, Port: 0
          Destination: 99.99.99.0/24, Proto: Any, Port: 0
        Statistics:
          # Packets : 0 (0 Packets/Sec)
          # Bytes : 0 (0 Bytes/Sec)
          # Packets encrypted : 0
          # Packets dropped - No SA info : 0
          # Packets dropped - No mbuf : 0
          # Packets dropped - Coalesce failed : 0
    Local Gateway: 120.0.0.1
      Auth Type: psk, ID Type: ip, ID String: 120.0.0.0
    Remote Gateway: 190.0.0.3
      Session Type: Control
      Auth Type: psk, ID Type: ip, ID String: 190.0.0.0
      Inbound SPI: 0x2002ad8
        Mode: tunnel, Protocol: esp
        Authentication: hmac-sha1, Encryption: aes-cbc, Key Len: 128, PFS DH Group: mod-none
        Life Time: 3420 seconds, Remaining Life Time: 2195 seconds
        Life Time: 4125 mbytes, Remaining Life Time: 4112 mbytes
        NAT Traversal: disable
        Anti-replay: enable, Window Size: 65472
        Traffic Selector:
          Source : 60.0.0.0/24, Proto: Any, Port: 0
          Destination: 99.99.99.0/24, Proto: Any, Port: 0
        Statistics:
          # Packets : 269 (0 Packets/Sec)
          # Bytes : 213048 (333 Bytes/Sec)
          # Packets decrypted : 269
          # Packets dropped - Invalid : 0
          # Packets dropped - Anti-replay : 0
          # Packets dropped - Auth failed : 0
      Outbound SPI: 0xc02017c4
        Mode: tunnel, Protocol: esp
        Authentication: hmac-sha1, Encryption: aes-cbc, Key Len: 128, PFS DH Group: mod-none
        Life Time: 3420 seconds, Remaining Life Time: 2195 seconds
        Life Time: 4125 mbytes, Remaining Life Time: 4112 mbytes
        NAT Traversal: disable
        Anti-replay: enable
        Traffic Selector:
          Source : 60.0.0.0/24, Proto: Any, Port: 0
          Destination: 99.99.99.0/24, Proto: Any, Port: 0
        Statistics:
          # Packets : 0 (0 Packets/Sec)
          # Bytes : 0 (0 Bytes/Sec)
          # Packets encrypted : 0
          # Packets dropped - No SA info : 0
          # Packets dropped - No mbuf : 0
          # Packets dropped - Coalesce fail
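The security-association listing above is what an operator reads by eye to confirm the tunnel: one inbound and one outbound SA per selector, non-zero decrypt counters, zero "Auth failed" and "Anti-replay" drops, and a remaining lifetime that resets on rekey. The following Python script turns that reading into a repeatable check. It is an added example, not part of the article and not Versa tooling: it parses the detail format shown above and reports authentication or anti-replay drops, SAs close to expiry, and configured selectors that have no inbound SA. The sample text is constructed in the article's format: the first SA copies the healthy 140.0.0.0/24 SA from the article, the 60.0.0.0/24 SA has been given anti-replay drops and a short remaining lifetime to show a failing case, and the 50.0.0.0/24 SA is deliberately absent. The expected-selector list and the 300-second threshold are the example's own assumptions.

```python
import re

# Constructed sample in the format of the article's "security-associations detail" output.
# SA 0x200290f copies the healthy 140.0.0.0/24 SA shown in the article; SA 0x2002ad8
# (60.0.0.0/24) has been given anti-replay drops and a short remaining lifetime to show a
# failing case; the 50.0.0.0/24 SA is deliberately absent.
SAMPLE_SA_OUTPUT = """\
Local Gateway: 120.0.0.1
Remote Gateway: 190.0.0.3
  Inbound SPI: 0x200290f
    Life Time: 3180 seconds, Remaining Life Time: 2200 seconds
    Life Time: 4275 mbytes, Remaining Life Time: 4262 mbytes
    Traffic Selector:
      Source : 140.0.0.0/24, Proto: Any, Port: 0
      Destination: 99.99.99.0/24, Proto: Any, Port: 0
    Statistics:
      # Packets decrypted : 209
      # Packets dropped - Invalid : 0
      # Packets dropped - Anti-replay : 0
      # Packets dropped - Auth failed : 0
  Outbound SPI: 0xd777d8d2
    Life Time: 3180 seconds, Remaining Life Time: 2200 seconds
    Traffic Selector:
      Source : 140.0.0.0/24, Proto: Any, Port: 0
      Destination: 99.99.99.0/24, Proto: Any, Port: 0
    Statistics:
      # Packets encrypted : 0
      # Packets dropped - No SA info : 0
  Inbound SPI: 0x2002ad8
    Life Time: 3420 seconds, Remaining Life Time: 90 seconds
    Traffic Selector:
      Source : 60.0.0.0/24, Proto: Any, Port: 0
      Destination: 99.99.99.0/24, Proto: Any, Port: 0
    Statistics:
      # Packets decrypted : 269
      # Packets dropped - Invalid : 0
      # Packets dropped - Anti-replay : 17
      # Packets dropped - Auth failed : 0
"""

# (source, destination) selectors the profile should have inbound SAs for; an assumption of
# this example, taken from the article's Non-sd, Spoke1 and spoke2 rules.
EXPECTED_SELECTORS = [
    ("140.0.0.0/24", "99.99.99.0/24"),
    ("50.0.0.0/24", "99.99.99.0/24"),
    ("60.0.0.0/24", "99.99.99.0/24"),
]

SPI_RE = re.compile(r"^\s*(Inbound|Outbound) SPI\s*:\s*(0x[0-9a-f]+)", re.I)
REMAINING_RE = re.compile(r"Remaining Life Time:\s*(\d+)\s*seconds")
SELECTOR_RE = re.compile(r"^\s*(Source|Destination)\s*:\s*(\S+),")
DROP_RE = re.compile(r"#\s*Packets dropped - (.+?)\s*:\s*(\d+)")
COUNT_RE = re.compile(r"#\s*Packets (decrypted|encrypted)\s*:\s*(\d+)")


def parse_security_associations(text):
    """Split the CLI output into one record per SPI with lifetime, selector and counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := SPI_RE.match(line):
            cur = {"direction": m.group(1).lower(), "spi": m.group(2),
                   "remaining_seconds": None, "selector": {}, "drops": {}, "processed": 0}
            sas.append(cur)
        elif cur is None:
            continue  # gateway header lines before the first SA
        elif m := REMAINING_RE.search(line):
            cur["remaining_seconds"] = int(m.group(1))  # the mbytes line does not match
        elif m := SELECTOR_RE.match(line):
            cur["selector"][m.group(1).lower()] = m.group(2)
        elif m := DROP_RE.search(line):
            cur["drops"][m.group(1)] = int(m.group(2))
        elif m := COUNT_RE.search(line):
            cur["processed"] = int(m.group(2))
    return sas


def assess(sas, expected_selectors, min_remaining_seconds=300):
    """Return (spi, finding) pairs; an empty list means every SA is healthy and every expected
    selector has an inbound SA. Auth or anti-replay drops point at a key, transform or
    replay-window problem rather than at normal rekeying."""
    findings, seen = [], set()
    for sa in sas:
        if sa["direction"] == "inbound":
            seen.add((sa["selector"].get("source"), sa["selector"].get("destination")))
        for reason in ("Auth failed", "Anti-replay", "Invalid"):
            if n := sa["drops"].get(reason, 0):
                findings.append((sa["spi"], f"{n} packets dropped ({reason})"))
        left = sa["remaining_seconds"]
        if left is not None and left < min_remaining_seconds:
            findings.append((sa["spi"], f"only {left} s of lifetime left"))
    for src, dst in expected_selectors:
        if (src, dst) not in seen:
            findings.append(("-", f"no inbound SA for selector {src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for spi, finding in assess(parse_security_associations(SAMPLE_SA_OUTPUT), EXPECTED_SELECTORS):
        print(spi, finding)
```

Fed the real "security-associations detail" output, the check is silent when all three selectors are up and clean; a selector that never gets an inbound SA usually means the peer's ACL does not mirror the Versa rule, and a growing "Auth failed" counter after a rekey is the first sign of a transform or key mismatch.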