Connecting to a Cisco IOS device

This article describes how to configure a single Cisco IOS router running software version 16.12.01a or later to connect to Pureport over a route-based IPsec VPN with BGP. Because routes are exchanged dynamically over the tunnels, you can grow your network without managing traffic selectors and static route tables.


Prerequisites

Before connecting to a Cisco IOS device, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See "Connecting to a Site VPN - Route-Based with BGP" for details.  It is recommended that you confirm with Cisco that your current IOS license and feature set supports both BGP and IKEv2.


You must also gather the following information: 

  • The Encryption, Integrity, and DH Group mechanisms configured for the connection
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Gateway Pre-shared Key
  • Secondary Gateway Pre-shared Key
  • Primary Gateway BGP password
  • Secondary Gateway BGP Password
  • The Primary Gateway Customer VTI IP in CIDR format.
  • The Primary Gateway Pureport VTI IP
  • The Secondary Gateway Customer VTI IP in CIDR format.
  • The Secondary Gateway Pureport VTI IP
  • Pureport ASN
  • Customer ASN


You can find this information in your Site IPSec VPN connections on the Pureport console, as shown here:



Example Configuration

This example builds an HA IPsec VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.


Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.


  1. Create an IKEv2 proposal and policy that match the crypto set (encryption, integrity and DH group) configured on your VPN connection in the Pureport console. The values below correspond to AES-256-CBC, SHA-256 and DH group 14; if your connection uses a different set, change them here, in the transform set, and in the PFS group:

    crypto ikev2 proposal Pureport_prop
     encryption aes-cbc-256
     integrity sha256
     group 14
    exit
    !
    crypto ikev2 policy Pureport_Pol_ikev2
     proposal Pureport_prop
    exit
    !



  2. Create an IKEv2 keyring to store the pre-shared key for the Primary Pureport Gateway. Use the gateway IP with a host mask so the key is only ever offered to that peer:

    crypto ikev2 keyring Pureport_key
     peer ALL
     address <Pureport Gateway IP> 255.255.255.255
     pre-shared-key local <Pureport Pre-Shared Key>
     pre-shared-key remote <Pureport Pre-Shared Key>
    exit
    !




  3. Create the IKEv2 profile. The DPD setting makes the router send a liveness check when it has traffic to send but has heard nothing from the peer for 10 seconds, retrying every 2 seconds, so a dead gateway is detected rather than waiting for the SA lifetime to expire:

    crypto ikev2 profile Pureport_Profile_ikev2
     match identity remote address <Pureport Gateway IP>
     identity local address <Customer Local IP>
     authentication local pre-share
     authentication remote pre-share
     keyring local Pureport_key
     dpd 10 2 on-demand
    exit
    !



  4. Create the IPsec transform set and profile that define the encryption, integrity and IPsec mode parameters. The transform set and PFS group must also match the crypto set on the Pureport connection:

    crypto ipsec transform-set Pureport_ts esp-aes 256 esp-sha256-hmac
     mode transport
    exit
    !
    crypto ipsec profile Pureport_ipsec_profile
     set transform-set Pureport_ts
     set pfs group14
     set ikev2-profile Pureport_Profile_ikev2
    exit
    !



  5. Configure the Tunnel #1 interface. The tunnel source is the interface that holds the public IP used as the IKEv2 peer address (GigabitEthernet1 in this example):

    interface Tunnel1
     ip address <Customer VTI IP> 255.255.255.252
     tunnel source GigabitEthernet1
     tunnel mode ipsec ipv4
     tunnel destination <Pureport Gateway IP>
     tunnel protection ipsec profile Pureport_ipsec_profile
     no shutdown
    exit
    !



  6. Create a route-map to apply to your primary connection. The metric it sets is advertised to Pureport as the MED, so Pureport prefers the primary tunnel for return traffic as long as it carries the lower value:

    route-map PRIMARY permit 10
     set metric 100


  7. Configure BGP on Tunnel #1, applying the route-map created above. The password is the Primary Gateway BGP password from the console:

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Primary Pureport VTI IP> timers 10 30 30
      neighbor <Primary Pureport VTI IP> password <BGP Primary password>
      neighbor <Primary Pureport VTI IP> activate
      neighbor <Primary Pureport VTI IP> next-hop-self
      no neighbor <Primary Pureport VTI IP> default-originate
      neighbor <Primary Pureport VTI IP> route-map PRIMARY out
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family




  8. Create the secondary connection using the same process. Be sure to substitute the Secondary Gateway values (gateway IP, pre-shared key and VTI addresses) everywhere; a complete template is provided below:

    crypto ikev2 proposal Pureport_prop_Secondary
     encryption aes-cbc-256
     integrity sha256
     group 14
    exit
    !
    crypto ikev2 policy Pureport_Pol_ikev2_Secondary
     proposal Pureport_prop_Secondary
    exit
    !
    crypto ikev2 keyring Pureport_key_Secondary
     peer ALL
     address <Pureport Secondary Gateway IP> 255.255.255.255
     pre-shared-key local <Pureport Secondary Pre-Shared Key>
     pre-shared-key remote <Pureport Secondary Pre-Shared Key>
    exit
    !
    crypto ikev2 profile Pureport_Profile_Secondary
     match identity remote address <Pureport Secondary Gateway IP>
     identity local address <Customer Local IP>
     authentication local pre-share
     authentication remote pre-share
     keyring local Pureport_key_Secondary
     dpd 10 2 on-demand
    exit
    !
    crypto ipsec transform-set Pureport_ts_Sec esp-aes 256 esp-sha256-hmac
     mode transport
    exit
    !
    crypto ipsec profile Pureport_ipsec_profile_Sec
     set transform-set Pureport_ts_Sec
     set pfs group14
     set ikev2-profile Pureport_Profile_Secondary
    exit
    !
    interface Tunnel2
     ip address <Customer Secondary VTI IP> 255.255.255.252
     tunnel source GigabitEthernet1
     tunnel mode ipsec ipv4
     tunnel destination <Pureport Secondary Gateway IP>
     tunnel protection ipsec profile Pureport_ipsec_profile_Sec
     no shutdown
    exit
    !


  9. IOS does not fail over between VTI tunnels on its own, so BGP path selection is used to prefer the Primary VTI in both directions. Outbound, the BACKUP route-map advertises a higher (less preferred) metric to the Secondary gateway and lengthens the AS path by one hop (set as-path prepend last-as 1 repeats the last AS in the path once), so Pureport sends return traffic over the primary tunnel. Inbound, the same route-map makes routes learned over the Secondary VTI less preferred on the router itself. Traffic therefore only uses Tunnel2 once the primary BGP session is down. Apply BACKUP to the secondary neighbor both inbound and outbound:

    route-map BACKUP permit 10
     set metric 200
     set as-path prepend last-as 1



  10. Configure BGP on Tunnel #2. This adds the second neighbor to the same router bgp process:

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Secondary Pureport VTI IP> timers 10 30 30
      neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
      neighbor <Secondary Pureport VTI IP> activate
      neighbor <Secondary Pureport VTI IP> next-hop-self
      no neighbor <Secondary Pureport VTI IP> default-originate
      neighbor <Secondary Pureport VTI IP> route-map BACKUP out
      neighbor <Secondary Pureport VTI IP> route-map BACKUP in
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family
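The steps above are easy to get subtly wrong by hand: a Secondary pre-shared key pasted under the Primary keyring, or a Pureport VTI address that is not in the same /30 as the customer VTI, produces a tunnel that comes up for IKE but never peers. The following added example (not Pureport's or Cisco's code) renders the complete two-tunnel configuration from the values listed under Prerequisites, after checking that each gateway's values fit together. It assumes GigabitEthernet1 as the WAN interface, 203.0.113.10 as the customer public IP, gateway IPs in the 198.51.100.0/24 documentation range, customer ASN 64512 and a placeholder Pureport ASN of 65000; all of these, and the keys, are constructed and must be replaced with the values from the Pureport console. It emits one router bgp block containing both neighbours, applies BACKUP inbound as well as outbound on the secondary neighbour, and leaves out the legacy no auto-summary and no synchronization lines, which are the defaults on current IOS.

```python
# Added example, not Pureport's or Cisco's code: all addresses, ASNs and keys are constructed.
import ipaddress
from dataclasses import dataclass

# Must match the crypto set configured on the Pureport connection (here AES-256-CBC / SHA-256 / DH 14).
IKE_ENCR, IKE_INTEG, DH_GROUP, ESP_TRANSFORM = "aes-cbc-256", "sha256", "14", "esp-aes 256 esp-sha256-hmac"

@dataclass
class Gateway:
    tag: str           # name suffix, "Primary" or "Secondary"
    gateway_ip: str    # Pureport gateway public IP (the IKEv2 peer)
    psk: str           # pre-shared key for this gateway
    bgp_password: str  # BGP session password for this gateway
    customer_vti: str  # customer VTI address in CIDR form, e.g. 169.254.1.1/30
    pureport_vti: str  # Pureport VTI address (the BGP neighbour)
    tunnel: int        # Tunnel interface number
    backup: bool       # True: higher metric, AS-path prepend, route-map applied inbound too

def check(gw: Gateway) -> str:
    """Return a description of the first inconsistency found, or "" if the values fit together."""
    iface = ipaddress.ip_interface(gw.customer_vti)
    if iface.network.prefixlen != 30:
        return f"{gw.tag}: customer VTI {gw.customer_vti} is not a /30"
    if ipaddress.ip_address(gw.pureport_vti) not in iface.network:
        return f"{gw.tag}: Pureport VTI {gw.pureport_vti} is outside {iface.network}"
    if ipaddress.ip_address(gw.gateway_ip) in iface.network:
        return f"{gw.tag}: gateway IP {gw.gateway_ip} is a VTI address, not a public peer"
    return ""

def render_tunnel(gw: Gateway, customer_ip: str, source_if: str) -> str:
    """IKEv2, IPsec and Tunnel interface configuration for one gateway (steps 1-5 and 8)."""
    if err := check(gw):
        raise ValueError(err)
    iface, t = ipaddress.ip_interface(gw.customer_vti), gw.tag
    return f"""crypto ikev2 proposal Pureport_prop_{t}
 encryption {IKE_ENCR}
 integrity {IKE_INTEG}
 group {DH_GROUP}
crypto ikev2 policy Pureport_Pol_ikev2_{t}
 proposal Pureport_prop_{t}
crypto ikev2 keyring Pureport_key_{t}
 peer {t}
  address {gw.gateway_ip} 255.255.255.255
  pre-shared-key local {gw.psk}
  pre-shared-key remote {gw.psk}
crypto ikev2 profile Pureport_Profile_{t}
 match identity remote address {gw.gateway_ip} 255.255.255.255
 identity local address {customer_ip}
 authentication local pre-share
 authentication remote pre-share
 keyring local Pureport_key_{t}
 dpd 10 2 on-demand
crypto ipsec transform-set Pureport_ts_{t} {ESP_TRANSFORM}
 mode transport
crypto ipsec profile Pureport_ipsec_profile_{t}
 set transform-set Pureport_ts_{t}
 set pfs group{DH_GROUP}
 set ikev2-profile Pureport_Profile_{t}
interface Tunnel{gw.tunnel}
 ip address {iface.ip} {iface.netmask}
 tunnel source {source_if}
 tunnel mode ipsec ipv4
 tunnel destination {gw.gateway_ip}
 tunnel protection ipsec profile Pureport_ipsec_profile_{t}
 no shutdown
"""

def render_bgp(customer_asn: int, pureport_asn: int, networks, gws) -> str:
    """Route-maps and one router bgp block with both neighbours (steps 6, 7, 9 and 10)."""
    lines = []
    for gw in gws:
        name = "BACKUP" if gw.backup else "PRIMARY"
        lines += [f"route-map {name} permit 10", f" set metric {200 if gw.backup else 100}"]
        if gw.backup:
            lines.append(" set as-path prepend last-as 1")
    lines += [f"router bgp {customer_asn}", " bgp log-neighbor-changes",
              " bgp bestpath compare-routerid", " bgp graceful-restart", " address-family ipv4 unicast"]
    for gw in gws:
        n, name = gw.pureport_vti, "BACKUP" if gw.backup else "PRIMARY"
        for cmd in (f"remote-as {pureport_asn}", "timers 10 30 30", f"password {gw.bgp_password}",
                    "activate", "next-hop-self", f"route-map {name} out"):
            lines.append(f"  neighbor {n} {cmd}")
        if gw.backup:  # inbound as well, so this router also prefers the primary path
            lines.append(f"  neighbor {n} route-map {name} in")
    for net in networks:
        ipn = ipaddress.ip_network(net)
        lines.append(f"  network {ipn.network_address} mask {ipn.netmask}")
    return "\n".join(lines + [" exit-address-family"]) + "\n"

def build_config() -> str:
    """Full two-tunnel configuration from constructed sample values (replace with console values)."""
    primary = Gateway("Primary", "198.51.100.1", "psk-primary-CHANGEME", "bgp-primary-CHANGEME",
                      "169.254.1.1/30", "169.254.1.2", 1, False)
    secondary = Gateway("Secondary", "198.51.100.2", "psk-secondary-CHANGEME", "bgp-secondary-CHANGEME",
                        "169.254.2.1/30", "169.254.2.2", 2, True)
    gws = (primary, secondary)
    body = "".join(render_tunnel(gw, "203.0.113.10", "GigabitEthernet1") for gw in gws)
    return body + render_bgp(64512, 65000, ["10.0.0.0/24"], gws)
```

Run it and paste the output into configure terminal; the check() function refuses to render a gateway whose VTI addresses do not share a /30 or whose gateway IP is itself a VTI address, which are the two mix-ups most often seen when the primary and secondary values are copied by hand. The pre-shared keys and BGP passwords end up in the running configuration in clear text unless service password-encryption or a key encryption option is in use, so treat the rendered output as a secret.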





Testing IPsec VPN Tunnel Connectivity

When using BGP, the routing table updates automatically if one of the tunnels disconnects: the neighbor's hold time (30 seconds with the timers configured above) expires, its routes are withdrawn, and the routes learned over the other tunnel take over.


  1. To verify that both BGP sessions are established, use:
    show ip bgp summary

    Each Pureport VTI neighbor should show a prefix count (a number) in the State/PfxRcd column rather than a state such as Idle or Active.

  2. To check the BGP routes installed in the IOS route table, use:
    show ip route bgp

    Note that the routes are installed via the Primary VTI (Tunnel1).

  3. To see all BGP paths, including the less preferred ones learned over the Secondary VTI, use:
    show ip bgp


  4. To confirm that your tunnels have established a connection to your Pureport Gateways, ping the Pureport VTI IP of each gateway, either from the router itself (sourced from the tunnel interface) or from a system in your local network. A successful ping transmits all packets with no losses.
    For example, if the Pureport VTI IPs are:
    • 169.254.1.2 (Primary)
    • 169.254.2.2 (Secondary)

    ping the Primary Gateway Pureport VTI from the router with:
    ping 169.254.1.2 source Tunnel1


Troubleshooting commands for VPN Connections on IOS

When configuring IKEv2 and IPsec configurations in IOS there are a few commands available to help you troubleshoot should the tunnel not function as expected.  These commands are listed below.


  • show crypto ikev2 sa
    • Shows the state of the IKEv2 (Phase 1) portion of the connection: the local and remote endpoints, the negotiated algorithms, and a Status of READY once the SA has been established.
  • show crypto ipsec sa
    • Shows the state of the IPsec (Phase 2) portion of the connection: the endpoints, the SPIs, and the packet counters for the SA, which should increase as traffic passes through the tunnel.
  • show ip int brief
    • Shows the status of all interfaces on your device. When troubleshooting, reference the tunnel interface experiencing the issue and ensure that it is administratively up and that line protocol is up.
  • debug crypto ikev2
    • Enables IKEv2 debugging. Events, errors and details pertaining to the IKEv2 negotiation are displayed on your console as the device processes the connection. On a busy router, start with debug crypto ikev2 error, and turn debugging off with undebug all when you are done.
  • debug crypto ipsec
    • Enables IPsec debugging. Events, errors and details pertaining to the IPsec SA negotiation are displayed on your console as the device processes the connection.