VPN Config Guide: Cisco IOS XE - Route Based BGP VPN

Connecting to a Cisco IOS device

This article describes how to connect and configure a single Cisco IOS firewall with firmware version 9.8.1 or later to connect to Pureport via a Route Based BGP VPN. This allows you to grow your network without having to manage Traffic Selectors and Route Tables.


Prerequisites

Before connecting a Cisco IOS device, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See "Connecting to a Site VPN - Route-Based with BGP" for details.


You must also gather the following information: 

  • The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Gateway Pre-shared Key
  • Secondary Gateway Pre-shared Key
  • Primary Gateway BGP password
  • Secondary Gateway BGP Password
  • The Primary Gateway Customer VTI IP in CIDR format.
  • The Primary Gateway Pureport VTI IP
  • The Secondary Gateway Customer VTI IP in CIDR format.
  • The Secondary Gateway Pureport VTI IP
  • Pureport ASN
  • Customer ASN


You can find this information in your Site IPSec VPN connections, as shown here:



Example Configuration

This example builds an HA IPSEC VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.


Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.


  1. Create a Pureport-compatible IKE Crypto Proposal and Policy that supports Pureport's crypto set:

    crypto ikev2 proposal IKE-PROP-PUREPORT
     encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
     integrity sha256 sha384 sha512
     group 14 15 16 19 20 21
     exit
    !
    crypto ikev2 policy IKE-POLICY-PUREPORT
     proposal IKE-PROP-PUREPORT
     exit
    !




  2. Create an IPSec Phase 2 Profile and Transform Set that match the ESP settings you chose in the Pureport Console:

    crypto ipsec transform-set TRANSFORM-PUREPORT esp-aes esp-sha256-hmac
     mode tunnel
     exit
    !
    crypto ipsec profile PROFILE-PH2-PUREPORT1
     set transform-set TRANSFORM-PUREPORT
     set ikev2-profile PROFILE-PUREPORT1
     exit
    !




  3. Create the Primary Tunnel Group and Pre-shared Key:

    tunnel-group <Pureport Primary Gateway IP> type ipsec-l2l
    tunnel-group <Pureport Primary Gateway IP> general-attributes
      default-group-policy Pureport
    tunnel-group <Pureport Primary Gateway IP> ipsec-attributes
      ikev2 local-authentication pre-shared-key <Primary pre-shared key>
      ikev2 remote-authentication pre-shared-key <Primary pre-shared key>
      isakmp keepalive threshold 10 retry 2



  4. Create the IPSec transform set that defines the encryption, authentication, and IPSec mode parameters:

    crypto ipsec ikev2 ipsec-proposal Pureport
      protocol esp encryption aes-192 aes aes-256
      protocol esp integrity sha-512 sha-256 sha-384
    crypto ipsec profile PureportProfile
      set ikev2 ipsec-proposal Pureport
      set pfs group14
    exit



  5. Configure the Tunnel #1 interface:

    interface Tunnel1
      nameif Tunnel-int-pureport-0
      ip address 169.254.1.1 255.255.255.252
      tunnel source interface 'outside'
      tunnel destination <Pureport Primary Gateway IP>
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile PureportProfile
      no shutdown
    exit



  6. Configure BGP on Tunnel #1, applying an inbound route-map to the Primary neighbor:

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Primary Pureport VTI IP> timers 10 30 30
      neighbor <Primary Pureport VTI IP> password <BGP Primary password>
      neighbor <Primary Pureport VTI IP> activate
      neighbor <Primary Pureport VTI IP> next-hop-self
      no neighbor <Primary Pureport VTI IP> default-originate
      neighbor <Primary Pureport VTI IP> route-map PRIMARY in
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family




  7. Create the Secondary Tunnel Group and Pre-shared Key:

    tunnel-group <Pureport Secondary Gateway IP> type ipsec-l2l
    tunnel-group <Pureport Secondary Gateway IP> general-attributes
      default-group-policy Pureport
    tunnel-group <Pureport Secondary Gateway IP> ipsec-attributes
      ikev2 local-authentication pre-shared-key <Secondary pre-shared key>
      ikev2 remote-authentication pre-shared-key <Secondary pre-shared key>
      isakmp keepalive threshold 10 retry 2




  8. If you did not already do this in Step 4, create the IPSec transform set that defines the encryption, authentication, and IPSec mode parameters for Tunnel #2 (the same proposal and profile are shared by both tunnels):

    crypto ipsec ikev2 ipsec-proposal Pureport
      protocol esp encryption aes-192 aes aes-256
      protocol esp integrity sha-512 sha-256 sha-384
    crypto ipsec profile PureportProfile
      set ikev2 ipsec-proposal Pureport
      set pfs group14
    exit




  9. Configure the Tunnel #2 interface:

    interface Tunnel2
      nameif Tunnel-int-pureport-1
      ip address 169.254.2.1 255.255.255.252
      tunnel source interface 'outside'
      tunnel destination <Secondary Pureport Gateway IP>
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile PureportProfile
      no shutdown
    exit



  10. Because Cisco IOS cannot automatically fail over between VTI tunnels, use a route-map to prefer the Primary VTI. Return traffic is also steered to the Primary VTI by prepending the local Customer ASN to the AS path advertised over the Secondary VTI, which creates a longer (less preferred) AS path, and by setting the route metric to a less preferred value. The route-map is applied to the Secondary neighbor in both the inbound and outbound direction.

    route-map BACKUP permit 10
     set metric 200
     set as-path prepend last-as 1



  11. Configure BGP on Tunnel #2 (in the same BGP process as Tunnel #1):

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Secondary Pureport VTI IP> timers 10 30 30
      neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
      neighbor <Secondary Pureport VTI IP> activate
      neighbor <Secondary Pureport VTI IP> next-hop-self
      no neighbor <Secondary Pureport VTI IP> default-originate
      neighbor <Secondary Pureport VTI IP> route-map BACKUP in
      neighbor <Secondary Pureport VTI IP> route-map BACKUP out
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family
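The two-tunnel build in Steps 1 through 11 repeats the same structure with different values, and the values that must agree (each Customer VTI /30 with its Pureport VTI peer, one Customer ASN for both neighbors, distinct BGP passwords per neighbor) are easy to mistype. The script below is an added example, not Pureport's tooling or code from this page: it checks the VTI addressing and ASNs gathered in the Prerequisites and renders the tunnel interface and BGP neighbor blocks from them. All sample values (ASNs, gateway IPs, passwords) are constructed placeholders; the interface name "outside" is assumed.

```python
import ipaddress
# Constructed sample values for illustration; replace with your Pureport Console values.
SAMPLE = {
    "customer_asn": 65000, "pureport_asn": 64512,
    "tunnels": [
        {"name": "Tunnel1", "gateway_ip": "203.0.113.10", "route_map": "PRIMARY in",
         "customer_vti": "169.254.1.1/30", "pureport_vti": "169.254.1.2",
         "bgp_password": "PRIMARY-BGP-PW"},
        {"name": "Tunnel2", "gateway_ip": "203.0.113.20", "route_map": "BACKUP out",
         "customer_vti": "169.254.2.1/30", "pureport_vti": "169.254.2.2",
         "bgp_password": "SECONDARY-BGP-PW"},
    ],
}

def check_vti(customer_vti, pureport_vti):  # both ends must share one /30
    iface = ipaddress.ip_interface(customer_vti)
    peer = ipaddress.ip_address(pureport_vti)
    if iface.network.prefixlen != 30:
        raise ValueError(f"{customer_vti}: customer VTI must be a /30")
    if peer == iface.ip or peer not in iface.network.hosts():
        raise ValueError(f"{pureport_vti} is not the peer host of {iface.network}")
    return iface

def validate(params):
    """Reject the addressing/ASN mistakes that break eBGP before rendering."""
    if params["customer_asn"] == params["pureport_asn"]:
        raise ValueError("Customer ASN and Pureport ASN must differ for eBGP")
    nets = [check_vti(t["customer_vti"], t["pureport_vti"]).network
            for t in params["tunnels"]]
    if nets[0].overlaps(nets[1]):
        raise ValueError("primary and secondary VTI /30s overlap")
    return True

def render_tunnel(t, profile="PureportProfile"):
    """Tunnel interface block (Steps 5 and 9); the CIDR becomes address + mask."""
    iface = ipaddress.ip_interface(t["customer_vti"])
    return [f"interface {t['name']}", f" ip address {iface.ip} {iface.netmask}",
            " tunnel source interface outside", f" tunnel destination {t['gateway_ip']}",
            " tunnel mode ipsec ipv4", f" tunnel protection ipsec profile {profile}",
            " no shutdown"]

def render_bgp(params):
    """One BGP process with both neighbors, each with its own password and route-map."""
    lines = [f"router bgp {params['customer_asn']}", " address-family ipv4 unicast"]
    for t in params["tunnels"]:
        n = t["pureport_vti"]
        lines += [f"  neighbor {n} remote-as {params['pureport_asn']}",
                  f"  neighbor {n} password {t['bgp_password']}",
                  f"  neighbor {n} activate", f"  neighbor {n} route-map {t['route_map']}"]
    return lines + [" exit-address-family"]
```

Call validate(SAMPLE) before pasting the rendered lines; a ValueError names the offending VTI or ASN value.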





Testing IPSEC VPN Tunnel Connectivity

When using BGP, the routing table updates automatically if one of the tunnels disconnects.


  1. To verify that BGP peering is established, check the route table via the CLI with this command:

    show route bgp

    The system displays the current BGP routes in the IOS route table. Note that the Primary VTI is preferred.

  2. To see all BGP routes, use:

    show bgp

  3. To confirm that your tunnels have successfully established a connection to your Pureport Gateways, ping the Primary Pureport VTI IP address from a system in your local network. A successful ping transmits all packets with no loss.
    For example, in the previous sample, the Pureport VTI IPs are:
    • 169.254.1.2
    • 169.254.2.2

    To ping the Primary Gateway Pureport VTI, use:

    ping 169.254.1.2