Connecting to a Cisco IOS device
This article describes how to configure a single Cisco IOS router running firmware version 16.12.01a or later to connect to Pureport through a route-based BGP VPN. Route-based BGP lets you grow your network without having to manage traffic selectors and route tables by hand.
Prerequisites
Before connecting to a Cisco IOS device, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See "Connecting to a Site VPN - Route-Based with BGP" for details. It is recommended that you confirm with Cisco that your current IOS license and feature set supports both BGP and IKEv2.
You must also gather the following information:
- The Encryption, Integrity, and DH Group mechanisms configured for the connection
- Primary Pureport Gateway IP
- Secondary Pureport Gateway IP
- Primary Gateway Pre-shared Key
- Secondary Gateway Pre-shared Key
- Primary Gateway BGP password
- Secondary Gateway BGP Password
- The Primary Gateway Customer VTI IP in CIDR format.
- The Primary Gateway Pureport VTI IP
- The Secondary Gateway Customer VTI IP in CIDR format.
- The Secondary Gateway Pureport VTI IP
- Pureport ASN
- Customer ASN
You can find this information in your Site IPSec VPN connections on the Pureport console, as shown here:
Example Configuration
This example builds an HA IPsec VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.
Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.
- Create a Pureport compatible IKE Crypto Proposal and Policy that supports Pureport's crypto set configured on your VPN connection in the Pureport console:
crypto ikev2 proposal Pureport_prop
encryption aes-cbc-256
integrity sha256
group 14
exit
!
crypto ikev2 policy Pureport_Pol_ikev2
proposal Pureport_prop
exit
!
- Create an IKEv2 keyring to store your pre-shared key:
crypto ikev2 keyring Pureport_key
peer ALL
address <Pureport Gateway IP> 255.255.255.255
pre-shared-key local <Pureport Pre-Shared Key>
pre-shared-key remote <Pureport Pre-Shared Key>
exit
!
- Create the IKEv2 Profile:
crypto ikev2 profile Pureport_Profile_ikev2
match identity remote address <Pureport Gateway IP>
identity local address <Customer Local IP>
authentication local pre-share
authentication remote pre-share
keyring local Pureport_key
dpd 10 2 on-demand
exit
!
- Create the IPSec transform set and Profile that defines encryption, authentication, and IPSec mode parameters:
crypto ipsec transform-set Pureport_ts esp-aes 256 esp-sha256-hmac
mode transport
exit
!
crypto ipsec profile Pureport_ipsec_profile
set transform-set Pureport_ts
set pfs group14
set ikev2-profile Pureport_Profile_ikev2
exit
!
- Configure Tunnel #1 interface:
interface Tunnel1
ip address <Customer VTI IP> 255.255.255.252
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <Pureport Gateway IP>
tunnel protection ipsec profile Pureport_ipsec_profile
no shutdown
exit
!
- Create a route-map to be applied to your primary connection:
route-map PRIMARY permit 10
set metric 100
- Configure BGP on Tunnel #1, applying the route-map we created above:
router bgp <Customer ASN>
bgp log-neighbor-changes
bgp bestpath compare-routerid
bgp graceful-restart
address-family ipv4 unicast
neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
neighbor <Primary Pureport VTI IP> timers 10 30 30
neighbor <Primary Pureport VTI IP> password <BGP Primary password>
neighbor <Primary Pureport VTI IP> activate
neighbor <Primary Pureport VTI IP> next-hop-self
no neighbor <Primary Pureport VTI IP> default-originate
neighbor <Primary Pureport VTI IP> route-map PRIMARY out
network <Your local network> mask <Your network subnet mask>
no auto-summary
no synchronization
exit-address-family
- Create the secondary connection using the above outlined process. Be sure to update the values to the secondary connection. A complete template has been provided below:
crypto ikev2 proposal Pureport_prop_Secondary
encryption aes-cbc-256
integrity sha256
group 14
exit
!
crypto ikev2 policy Pureport_Prop_ikev2_Secondary
proposal Pureport_prop_Secondary
exit
!
crypto ikev2 keyring Pureport_key_Secondary
peer ALL
address <Pureport Secondary Gateway IP> 255.255.255.255
pre-shared-key local <Pureport Secondary Pre-Shared Key>
pre-shared-key remote <Pureport Secondary Pre-Shared Key>
exit
!
crypto ikev2 profile Pureport_Profile_Secondary
match identity remote address <Pureport Secondary Gateway IP>
identity local address <Customer Local IP>
authentication local pre-share
authentication remote pre-share
keyring local Pureport_key_Secondary
dpd 10 2 on-demand
exit
!
crypto ipsec transform-set Pureport_ts_Sec esp-aes 256 esp-sha256-hmac
mode transport
exit
!
crypto ipsec profile Pureport_ipsec_profile_Sec
set transform-set Pureport_ts_Sec
set pfs group14
set ikev2-profile Pureport_Profile_Secondary
exit
!
interface Tunnel2
ip address <Customer Secondary VTI IP> 255.255.255.252
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <Pureport Secondary Gateway IP>
tunnel protection ipsec profile Pureport_ipsec_profile_Sec
no shutdown
exit
!
- Because Cisco IOS cannot automatically fail over VTI tunnels, we use the route-map functionality to prefer the Primary VTI. Return traffic is also preferred down the Primary VTI by prepending the local Customer ASN to the Secondary VTI AS path, creating a longer (less preferred) AS path, and by setting the route metric to a less preferred value. This is done for both inbound and outbound BGP, so the BACKUP route-map is applied in both directions.
route-map BACKUP permit 10
set metric 200
set as-path prepend last-as 1
- Configure BGP on Tunnel #2:
router bgp <Customer ASN>
bgp log-neighbor-changes
bgp bestpath compare-routerid
bgp graceful-restart
address-family ipv4 unicast
neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
neighbor <Secondary Pureport VTI IP> timers 10 30 30
neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
neighbor <Secondary Pureport VTI IP> activate
neighbor <Secondary Pureport VTI IP> next-hop-self
no neighbor <Secondary Pureport VTI IP> default-originate
neighbor <Secondary Pureport VTI IP> route-map BACKUP out
neighbor <Secondary Pureport VTI IP> route-map BACKUP in
network <Your local network> mask <Your network subnet mask>
no auto-summary
no synchronization
exit-address-family
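Before pasting either template onto a production router it is worth checking that what ended up in the running configuration still matches the crypto set selected in the Pureport console and that every tunnel and BGP neighbor is protected. The following Python script is an added example, not Pureport's or Cisco's code: it parses an IOS configuration by indentation and reports deviations from the template above (IKEv2 proposal parameters, ESP transform, PFS, keyring coverage of each tunnel destination, BGP neighbor passwords). The embedded sample configuration is constructed from the primary-tunnel template with documentation addresses and placeholder secrets, and contains one deliberate defect (an SHA-1 transform-set) so the audit has something to find; the expected crypto set is an assumption matching the article's example.

```python
"""Audit a Cisco IOS configuration against the Pureport route-based VPN template.
Added example, not vendor code; the expected crypto set is assumed from the article."""

# Constructed sample config: the article's primary-tunnel template with RFC 5737
# documentation addresses and placeholder secrets, plus one deliberate defect
# (the transform-set uses SHA-1 instead of SHA-256).
SAMPLE_CONFIG = """\
crypto ikev2 proposal Pureport_prop
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 keyring Pureport_key
 peer ALL
  address 198.51.100.10 255.255.255.255
  pre-shared-key local PSK-PLACEHOLDER
  pre-shared-key remote PSK-PLACEHOLDER
!
crypto ikev2 profile Pureport_Profile_ikev2
 match identity remote address 198.51.100.10
 authentication local pre-share
 authentication remote pre-share
 keyring local Pureport_key
 dpd 10 2 on-demand
!
crypto ipsec transform-set Pureport_ts esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile Pureport_ipsec_profile
 set transform-set Pureport_ts
 set pfs group14
 set ikev2-profile Pureport_Profile_ikev2
!
interface Tunnel1
 ip address 169.254.1.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile Pureport_ipsec_profile
!
router bgp 65001
 address-family ipv4 unicast
  neighbor 169.254.1.2 remote-as 65000
  neighbor 169.254.1.2 password BGP-PASSWORD-PLACEHOLDER
  neighbor 169.254.1.2 activate
 exit-address-family
"""

# Crypto set assumed to be selected for the connection in the Pureport console.
EXPECTED_IKE = {"encryption": "aes-cbc-256", "integrity": "sha256", "group": "14"}
EXPECTED_ESP = "esp-aes 256 esp-sha256-hmac"


def sections(config):
    """Split an IOS config into (header, [child lines]) blocks using indentation."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def audit(config):
    """Return a list of findings; an empty list means the config matches the template."""
    findings, blocks, keyring_peers = [], sections(config), set()
    for header, body in blocks:  # first pass: which peers have a pre-shared key
        if header.startswith("crypto ikev2 keyring"):
            keyring_peers |= {ln.split()[1] for ln in body if ln.startswith("address ")}
    for header, body in blocks:
        if header.startswith("crypto ikev2 proposal"):
            got = dict(ln.split(None, 1) for ln in body if " " in ln)
            for key, want in EXPECTED_IKE.items():
                if got.get(key) != want:
                    findings.append(f"{header}: {key} is {got.get(key)}, expected {want}")
        elif header.startswith("crypto ipsec transform-set"):
            if not header.endswith(" " + EXPECTED_ESP):
                findings.append(f"{header}: expected {EXPECTED_ESP}")
        elif header.startswith("crypto ipsec profile"):
            if not any(ln.startswith("set pfs ") for ln in body):
                findings.append(f"{header}: PFS not set")
        elif header.startswith("interface Tunnel"):
            dest = [ln.split()[2] for ln in body if ln.startswith("tunnel destination ")]
            if "tunnel mode ipsec ipv4" not in body or not any(ln.startswith("tunnel protection ") for ln in body):
                findings.append(f"{header}: not an IPsec-protected VTI")
            if dest and dest[0] not in keyring_peers:
                findings.append(f"{header}: no keyring entry for peer {dest[0]}")
        elif header.startswith("router bgp"):
            neighbors = {ln.split()[1] for ln in body if ln.startswith("neighbor ") and " remote-as " in ln}
            with_pw = {ln.split()[1] for ln in body if ln.startswith("neighbor ") and " password " in ln}
            for n in sorted(neighbors - with_pw):
                findings.append(f"{header}: neighbor {n} has no BGP password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; the findings are meant to be read before the secondary tunnel is added, since the same checks apply to the `_Secondary` objects and to `Tunnel2`.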
Testing IPSEC VPN Tunnel Connectivity
When using BGP, the routing table updates automatically if one of the tunnels disconnects.
- To verify that BGP peering is established, check the route table via the CLI with this command:
show ip route bgp
The system displays the current BGP routes in the IOS route table. Note that the Primary VTI is preferred.
- To see all BGP routes, use:
show bgp
- To confirm that your tunnels have successfully established a connection to your Pureport Gateways, ping the Primary Pureport VTI IP address from a system in your local network. A successful ping transmits all packets with no loss. For example, in the previous sample, the Pureport VTI IPs are:
- 169.254.1.2
- 169.254.2.2
To ping the Primary Gateway Pureport VTI, use:
ping 169.254.1.2
Troubleshooting commands for VPN Connections on IOS
When configuring IKEv2 and IPsec in IOS, a few commands are available to help you troubleshoot should the tunnel not function as expected. These commands are listed below.
- show crypto ikev2 sa
- The output of this command shows the state of the IKEv2 Phase 1 portion of the connection. You will see details pertaining to the configured endpoints, and the connection status if an SA has been successfully established.
- show crypto ipsec sa
- The output of this command shows the state of the IPsec Phase 2 portion of the connection. You will see details pertaining to the configured endpoints and the status of the SA if it has been successfully established.
- show ip int brief
- This command shows the status of all interfaces on your device. When troubleshooting, reference the tunnel interface experiencing the issues. Ensure that the interface is both administratively up and that the line protocol is up.
- debug crypto ikev2
- This command enables IKEv2 debugging on your device. Events, errors, and details pertaining to the IKEv2 negotiation are displayed on your console as the device processes the connection.
- debug crypto ipsec
- This command enables IPsec debugging on your device. Events, errors, and details pertaining to IPsec SA processing are displayed on your console as the device processes the connection.
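The two `show` commands above are the ones an operator ends up checking repeatedly, and they are also what a monitoring job would scrape to confirm that both tunnels are healthy and that the negotiated crypto matches the configured proposal. The following Python script is an added example, not Pureport's or Cisco's code: it parses the output of `show crypto ikev2 sa` and `show ip int brief` and reports, per tunnel, whether the IKEv2 SA to the configured peer is READY, whether the negotiated parameters match the expected crypto set, and whether the tunnel interface is up/up. The command output is constructed to resemble IOS-XE output (documentation addresses; the secondary SA is deliberately still negotiating and `Tunnel2` is up/down), and the tunnel-to-peer map and the expected crypto values are assumptions matching the article's template.

```python
"""Health check over `show crypto ikev2 sa` and `show ip int brief` output.
Added example, not vendor code; sample output below is constructed, not captured."""
import re

# Constructed sample output resembling IOS-XE: SA 1 is READY, SA 2 is still negotiating.
SHOW_IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.5/500       198.51.100.10/500     none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1523 sec
2         203.0.113.5/500       198.51.100.20/500     none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/0 sec
"""

# Constructed sample output: Tunnel2 has no line protocol because its SA is not up.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       203.0.113.5     YES NVRAM  up                    up
Tunnel1                169.254.1.1     YES manual up                    up
Tunnel2                169.254.2.1     YES manual up                    down
"""

# Assumed: tunnel interface -> Pureport gateway IP, taken from `tunnel destination`.
TUNNELS = {"Tunnel1": "198.51.100.10", "Tunnel2": "198.51.100.20"}
# Assumed expected crypto set (the article's example: AES-CBC-256, DH group 14).
EXPECTED = {"Encr": "AES-CBC", "keysize": "256", "DH Grp": "14"}

SA_LINE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)")


def parse_ikev2_sa(text):
    """Map remote peer IP -> {'local', 'status', 'attrs'} from `show crypto ikev2 sa`."""
    sas, current = {}, None
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            current = {"local": m.group(2), "status": m.group(4), "attrs": {}}
            sas[m.group(3)] = current
        elif current is not None and line.strip().startswith("Encr:"):
            for item in line.split(","):  # "Encr: AES-CBC", " keysize: 256", "DH Grp:14", ...
                key, _, value = item.partition(":")
                current["attrs"][key.strip()] = value.strip()
    return sas


def parse_int_brief(text):
    """Map interface name -> (status, protocol); status may be 'administratively down'."""
    ifaces = {}
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) >= 6:
            ifaces[parts[0]] = (" ".join(parts[4:-1]), parts[-1])
    return ifaces


def tunnel_health(sa_text, brief_text, tunnels):
    """Return {tunnel: [problems]}; an empty list means the tunnel is healthy."""
    sas, ifaces, report = parse_ikev2_sa(sa_text), parse_int_brief(brief_text), {}
    for name, peer in tunnels.items():
        problems, sa = [], sas.get(peer)
        if sa is None:
            problems.append("no IKEv2 SA to peer")
        elif sa["status"] != "READY":
            problems.append(f"IKEv2 SA status {sa['status']}")
        elif any(sa["attrs"].get(k) != v for k, v in EXPECTED.items()):
            problems.append("negotiated crypto differs from expected aes-cbc-256 / group 14")
        status, proto = ifaces.get(name, ("missing", "missing"))
        if (status, proto) != ("up", "up"):
            problems.append(f"interface {status}/{proto}")
        report[name] = problems
    return report


if __name__ == "__main__":
    for tunnel, problems in tunnel_health(SHOW_IKEV2_SA, SHOW_IP_INT_BRIEF, TUNNELS).items():
        print(tunnel, "OK" if not problems else "; ".join(problems))
```

A tunnel that reports `no IKEv2 SA to peer` together with `interface up/down` points at Phase 1 (keyring address, pre-shared key or proposal mismatch), which is where `debug crypto ikev2` applies; a READY SA with a crypto mismatch means the peer accepted a proposal other than the one you intended and the `crypto ikev2 proposal` should be revisited.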