Connecting to a Cisco IOS device
This article describes how to configure a single Cisco IOS router running IOS 12.4 or later to connect to Pureport via a route-based BGP VPN. Because routes are exchanged over BGP, you can grow your network without having to manage traffic selectors and route tables.
Prerequisites
Before connecting to a Cisco IOS device, you must have a Pureport Route-Based BGP VPN Connection using IKEv1. See "Connecting to a Site VPN - Route-Based with BGP" for details. It is also advised that you confirm with Cisco that your current license and feature set in your running IOS version supports both IKEv1 and BGP.
You must also gather the following information:
- The Encryption, Integrity, and DH Group mechanisms configured for the connection
- Primary Pureport Gateway IP
- Secondary Pureport Gateway IP
- Primary Gateway Pre-shared Key
- Secondary Gateway Pre-shared Key
- Primary Gateway BGP password
- Secondary Gateway BGP password
- The Primary Gateway Customer VTI IP in CIDR format
- The Primary Gateway Pureport VTI IP
- The Secondary Gateway Customer VTI IP in CIDR format
- The Secondary Gateway Pureport VTI IP
- Pureport ASN
- Customer ASN
You can find this information in your Site IPSec VPN connections on the Pureport console, as shown here:
[Screenshots: Site IPsec VPN connection details in the Pureport console]
Example Configuration
This example builds an HA IPsec VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.
Note: These examples provide a baseline configuration only. You must adapt them to your specific environment and to the settings you have provisioned for encryption and integrity on your VPN connection.
- Begin by creating a keyring for your connection secrets. The keyring stores the Pre-shared Key and is referenced during tunnel authentication:
crypto keyring Pureport-KeyRing
local-address <Customer Gateway IP>
pre-shared-key address <Pureport Gateway IP> key <Pre-Shared key - Primary>
exit
!
- Create an ISAKMP policy and profile that match the crypto set configured on your VPN connection in the Pureport console and that reference the keyring. The policy below uses AES-256, SHA-1 (hash sha), and DH group 5; change these values to match the Encryption, Integrity, and DH Group mechanisms shown in the console:
crypto isakmp policy 200
encryption aes 256
authentication pre-share
group 5
lifetime 28800
hash sha
exit
!
crypto isakmp profile Pureport-isakmp
local-address <Customer Gateway IP>
match identity address <Pureport Gateway IP>
keyring Pureport-KeyRing
exit
!
- Create an IPsec Phase 2 profile and transform set that match the ESP settings you chose in the Pureport console:
crypto ipsec transform-set Pureport-Prop esp-aes 256 esp-sha-hmac
mode tunnel
exit
!
crypto ipsec profile Pureport-VPN-Primary
set pfs group5
set transform-set Pureport-Prop
exit
!
- Create a tunnel interface (VTI) that uses the ISAKMP and IPsec configuration above:
interface Tunnel1
ip address <Customer VTI IP> <Customer VTI subnet mask>
ip virtual-reassembly
tunnel source <Customer Gateway IP>
tunnel destination <Pureport Gateway IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile Pureport-VPN-Primary
no shutdown
exit
- Create a route-map to apply to your primary connection:
route-map PRIMARY permit 10
set metric 100
- Configure BGP on Tunnel1, applying the PRIMARY route-map created above:
router bgp <Customer ASN>
bgp log-neighbor-changes
bgp bestpath compare-routerid
bgp graceful-restart
address-family ipv4 unicast
neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
neighbor <Primary Pureport VTI IP> timers 10 30 30
neighbor <Primary Pureport VTI IP> password <BGP Primary password>
neighbor <Primary Pureport VTI IP> activate
neighbor <Primary Pureport VTI IP> next-hop-self
no neighbor <Primary Pureport VTI IP> default-originate
neighbor <Primary Pureport VTI IP> route-map PRIMARY out
network <Your local network> mask <Your network subnet mask>
no auto-summary
no synchronization
exit-address-family
- Build the second HA connection using the same process, updating the values to match the secondary configuration. The complete secondary configuration follows.
crypto isakmp policy 300
encryption aes 256
authentication pre-share
group 5
lifetime 28800
hash sha
exit
!
crypto keyring Pureport-KeyRing-Secondary
local-address <Customer Secondary Gateway IP>
pre-shared-key address <Pureport Secondary Gateway IP> key <Pre-Shared key - Secondary>
exit
!
crypto isakmp profile Pureport-isakmp-Secondary
local-address <Customer Secondary Gateway IP>
match identity address <Pureport Secondary Gateway IP>
keyring Pureport-KeyRing-Secondary
exit
!
crypto ipsec transform-set Pureport-ts-secondary esp-aes 256 esp-sha-hmac
mode tunnel
exit
!
crypto ipsec profile Pureport-VPN-Secondary
set pfs group5
set transform-set Pureport-ts-secondary
exit
!
interface Tunnel2
ip address <Customer Secondary VTI IP> <Customer VTI subnet mask>
ip virtual-reassembly
tunnel source <Customer Gateway IP>
tunnel destination <Pureport Secondary Gateway IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile Pureport-VPN-Secondary
no shutdown
exit
- Because Cisco IOS cannot fail over between VTI tunnels automatically, use a route-map to prefer the Primary VTI. Return traffic is also steered onto the Primary VTI by prepending the local Customer ASN to the AS path on the Secondary VTI, which creates a longer (less preferred) AS path, and by setting the route metric to a less preferred value. Apply this route-map both inbound and outbound on the Secondary BGP session:
route-map BACKUP permit 10
set metric 200
set as-path prepend last-as 1
- Configure BGP on Tunnel #2:
router bgp <Customer ASN>
bgp log-neighbor-changes
bgp bestpath compare-routerid
bgp graceful-restart
address-family ipv4 unicast
neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
neighbor <Secondary Pureport VTI IP> timers 10 30 30
neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
neighbor <Secondary Pureport VTI IP> activate
neighbor <Secondary Pureport VTI IP> next-hop-self
no neighbor <Secondary Pureport VTI IP> default-originate
neighbor <Secondary Pureport VTI IP> route-map BACKUP out
neighbor <Secondary Pureport VTI IP> route-map BACKUP in
network <Your local network> mask <Your network subnet mask>
no auto-summary
no synchronization
exit-address-family
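The template above expects the Customer VTI address as an IP plus dotted-decimal mask, while the Prerequisites list it in CIDR form, and it is easy to mis-type a VTI pair or let the two VTI subnets overlap. As an added example (not Pureport's own tooling and not part of this article), the following Python script converts the CIDR value, checks that each VTI pair and the two VTI subnets are sane, and renders the per-tunnel interface and BGP neighbor portions of the configuration. All addresses, ASNs and names in it are constructed placeholders; pre-shared keys and BGP passwords are left as placeholders in the rendered text so that the output can be stored or pasted without carrying secrets.

```python
"""Render the VTI interface and BGP neighbor portions of the IOS configuration
from the values gathered under Prerequisites.

Added example, not Pureport's own tooling. All addresses, ASNs and names are
constructed placeholders; secrets are never rendered into the output.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    number: int               # Tunnel1 / Tunnel2
    label: str                # "Primary" / "Secondary"
    customer_gateway_ip: str  # tunnel source
    pureport_gateway_ip: str  # tunnel destination
    customer_vti_cidr: str    # as shown in the console, e.g. "169.254.1.1/30"
    pureport_vti_ip: str      # BGP neighbor address
    ipsec_profile: str
    route_map: str
    apply_inbound: bool = False  # BACKUP route-map is applied in both directions


def cidr_to_ip_and_mask(cidr):
    """The console gives the customer VTI address in CIDR form; the IOS
    `ip address` command wants a dotted-decimal mask instead."""
    iface = ipaddress.ip_interface(cidr)
    return str(iface.ip), str(iface.network.netmask)


def check_vti_pair(customer_vti_cidr, pureport_vti_ip):
    """Both ends of a VTI must sit in the same subnet and differ from each
    other, otherwise the BGP session over the tunnel can never come up."""
    iface = ipaddress.ip_interface(customer_vti_cidr)
    peer = ipaddress.ip_address(pureport_vti_ip)
    if peer not in iface.network:
        raise ValueError(f"{peer} is not in VTI subnet {iface.network}")
    if peer == iface.ip:
        raise ValueError(f"customer and Pureport VTI address are both {peer}")
    return True


def check_no_overlap(tunnels):
    """Primary and secondary VTI subnets must not overlap, or the router
    would hold two connected routes for one prefix."""
    nets = [ipaddress.ip_interface(t.customer_vti_cidr).network for t in tunnels]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"VTI subnets {a} and {b} overlap")
    return True


def render_tunnel(t):
    """interface TunnelN block, mirroring the article's template."""
    check_vti_pair(t.customer_vti_cidr, t.pureport_vti_ip)
    ip, mask = cidr_to_ip_and_mask(t.customer_vti_cidr)
    return "\n".join([
        f"interface Tunnel{t.number}",
        f" ip address {ip} {mask}",
        " ip virtual-reassembly",
        f" tunnel source {t.customer_gateway_ip}",
        f" tunnel destination {t.pureport_gateway_ip}",
        " tunnel mode ipsec ipv4",
        f" tunnel protection ipsec profile {t.ipsec_profile}",
        " no shutdown",
        "!",
    ])


def render_bgp(customer_asn, pureport_asn, tunnels, local_network, local_mask):
    """router bgp block with one neighbor per VTI. The password line keeps a
    placeholder; fill it in from a secret store, not from this file."""
    check_no_overlap(tunnels)
    lines = [f"router bgp {customer_asn}", " bgp log-neighbor-changes",
             " bgp bestpath compare-routerid", " bgp graceful-restart",
             " address-family ipv4 unicast"]
    for t in tunnels:
        n = t.pureport_vti_ip
        lines += [f"  neighbor {n} remote-as {pureport_asn}",
                  f"  neighbor {n} timers 10 30 30",
                  f"  neighbor {n} password <BGP {t.label} password>",
                  f"  neighbor {n} activate",
                  f"  neighbor {n} next-hop-self",
                  f"  neighbor {n} route-map {t.route_map} out"]
        if t.apply_inbound:
            lines.append(f"  neighbor {n} route-map {t.route_map} in")
    lines += [f"  network {local_network} mask {local_mask}",
              " exit-address-family", "!"]
    return "\n".join(lines)


# Constructed placeholder values for a two-tunnel deployment (not real Pureport data).
PRIMARY = Tunnel(1, "Primary", "198.51.100.10", "203.0.113.1",
                 "169.254.1.1/30", "169.254.1.2", "Pureport-VPN-Primary", "PRIMARY")
SECONDARY = Tunnel(2, "Secondary", "198.51.100.10", "203.0.113.2",
                   "169.254.2.1/30", "169.254.2.2", "Pureport-VPN-Secondary", "BACKUP",
                   apply_inbound=True)

if __name__ == "__main__":
    print(render_tunnel(PRIMARY))
    print(render_tunnel(SECONDARY))
    print(render_bgp(65001, 65000, [PRIMARY, SECONDARY], "10.10.0.0", "255.255.0.0"))
```

Run it as-is to see the rendered blocks; swap the constructed values for the ones from your console. The crypto keyring, ISAKMP and IPsec profile sections are not rendered here because they carry no derived values, only the crypto parameters you copy from the console.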
Testing IPsec VPN Tunnel Connectivity
When using BGP, the routing table updates automatically if one of the tunnels disconnects.
- To verify that BGP peering is established, check the routing table from the CLI with:
show ip route bgp
The system displays the current BGP routes in the IOS routing table. Note that the Primary VTI is preferred.
- To see all BGP routes, use:
show ip bgp
- To confirm that your tunnels have established connections to your Pureport gateways, ping the Primary Pureport VTI IP address from a system in your local network. A successful ping transmits all packets with no loss. For example, in the previous sample, the Pureport VTI IPs are:
- 169.254.1.2
- 169.254.2.2
To ping the Primary Gateway Pureport VTI, use:
ping 169.254.1.2
Troubleshooting commands for VPN Connections on IOS
When configuring ISAKMP and IPsec in IOS, a few commands help you troubleshoot if the tunnel does not function as expected:
- show crypto isakmp sa
- Shows the state of ISAKMP Phase 1 for the connection: the configured endpoints and, if an SA has been established, its status.
- show crypto ipsec sa
- Shows the state of the IPsec Phase 2 portion of the connection: the configured endpoints and, if the SA has been established, its status.
- show ip int brief
- Shows the status of all interfaces on the device. When troubleshooting, look at the tunnel interface experiencing the issue and confirm that it is administratively up and that its line protocol is up.
- debug crypto isakmp
- Enables ISAKMP debugging. Events, errors, and details of the ISAKMP negotiation are displayed on the console as the device processes the connection.
- debug crypto ipsec
- Enables IPsec debugging. Events, errors, and details of the IPsec negotiation are displayed on the console as the device processes the connection. Debug output can be heavy on a busy device; turn it off with undebug all when you are finished.
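The first and third commands above are the ones you will run most often, and on a device with several peers it helps to have the healthy/unhealthy decision written down. As an added example (not part of the Pureport documentation), the following Python script parses the output of show crypto isakmp sa and show ip int brief and reports any expected Pureport peer whose Phase 1 SA is not in QM_IDLE/ACTIVE, and any tunnel interface that is not up/up. The two sample outputs embedded in it are constructed to follow the IOS 12.4-style column layout; the addresses are placeholders. A Phase 1 SA that stays in one of the MM_* main-mode states instead of reaching QM_IDLE generally means the two sides disagree on Phase 1 parameters (policy, identity, or pre-shared key), which is where to look first.

```python
"""Parse the two IOS verification outputs the article relies on and flag
tunnels that are not fully up.

Added example, not part of the Pureport documentation. The sample outputs
are constructed to match the IOS 12.4-style layout; addresses are placeholders.
"""

ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.10   QM_IDLE           1001 ACTIVE
203.0.113.2     198.51.100.10   MM_KEY_EXCH       1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IP_INT_BRIEF_SAMPLE = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         198.51.100.10   YES NVRAM  up                    up
Tunnel1                    169.254.1.1     YES manual up                    up
Tunnel2                    169.254.2.1     YES manual up                    down
"""


def parse_isakmp_sa(text):
    """Return {(dst, src): (state, status)} for each IKEv1 SA line.
    Section headers and the column header are skipped; status is the last column."""
    sas = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "dst" or not fields[0][0].isdigit():
            continue
        dst, src, state = fields[0], fields[1], fields[2]
        sas[(dst, src)] = (state, fields[-1])
    return sas


def parse_ip_int_brief(text):
    """Return {interface: (status, protocol)}. Status may be two words
    ("administratively down"), so take everything between Method and Protocol."""
    ifaces = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":
            continue
        ifaces[fields[0]] = (" ".join(fields[4:-1]), fields[-1])
    return ifaces


def phase1_problems(sas, expected_peers):
    """A healthy IKEv1 Phase 1 shows QM_IDLE / ACTIVE. Anything else for an
    expected peer, or no SA at all, needs attention."""
    problems = []
    for peer in expected_peers:
        match = [(st, status) for (dst, _), (st, status) in sas.items() if dst == peer]
        if not match:
            problems.append(f"{peer}: no ISAKMP SA at all")
            continue
        state, status = match[0]
        if state != "QM_IDLE" or status != "ACTIVE":
            problems.append(f"{peer}: Phase 1 state {state} {status}")
    return problems


def tunnel_problems(ifaces, tunnel_names):
    """A VTI carrying traffic must be up/up; report anything else."""
    problems = []
    for name in tunnel_names:
        status, proto = ifaces.get(name, ("missing", "missing"))
        if status != "up" or proto != "up":
            problems.append(f"{name}: status '{status}', protocol '{proto}'")
    return problems


if __name__ == "__main__":
    # Constructed peers/interfaces matching the sample outputs above.
    for p in phase1_problems(parse_isakmp_sa(ISAKMP_SA_SAMPLE),
                             ["203.0.113.1", "203.0.113.2"]):
        print(p)
    for p in tunnel_problems(parse_ip_int_brief(IP_INT_BRIEF_SAMPLE),
                             ["Tunnel1", "Tunnel2"]):
        print(p)
```

Paste the real command output in place of the two sample strings and list your two Pureport gateway IPs as the expected peers; an empty result from both checks means Phase 1 is up to both gateways and both VTIs are up/up, so any remaining problem is in Phase 2 (show crypto ipsec sa) or in BGP.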