Connecting to a Cisco IOS device

This article describes how to configure a single Cisco IOS router, running IOS firmware version 12.4 or later, to connect to Pureport via a route-based BGP VPN. Using BGP lets you grow your network without having to manage traffic selectors and route tables by hand.


Prerequisites

Before connecting to a Cisco IOS device, you must have a Pureport Route-Based BGP VPN Connection using IKEv1. See "Connecting to a Site VPN - Route-Based with BGP" for details. It is also advisable to confirm with Cisco that the license and feature set of your running IOS version support both IKEv1 and BGP.


You must also gather the following information: 

  • The Encryption, Integrity, and DH Group mechanisms configured for the connection
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Gateway Pre-shared Key
  • Secondary Gateway Pre-shared Key
  • Primary Gateway BGP password
  • Secondary Gateway BGP Password
  • The Primary Gateway Customer VTI IP in CIDR format.
  • The Primary Gateway Pureport VTI IP
  • The Secondary Gateway Customer VTI IP in CIDR format.
  • The Secondary Gateway Pureport VTI IP
  • Pureport ASN
  • Customer ASN


You can find this information in your Site IPSec VPN connections on the Pureport console, as shown here:



Example Configuration

This example builds an HA IPsec VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.


Note: These examples provide a baseline configuration only. You must adapt them to your specific environment and to the security and integrity settings you provisioned on your VPN connection.


  1. Begin by creating a keyring for your connection secrets. It stores the Pre-Shared Key that is used to authenticate the tunnel:

    crypto keyring Pureport-KeyRing
       local-address <Customer Gateway IP>
       pre-shared-key address <Pureport Gateway IP> key <Pre-Shared key - Primary>
    exit
    !



  2. Create an ISAKMP policy and profile that match the crypto set configured on your VPN connection in the Pureport console, and reference the keyring from the profile:

    crypto isakmp policy 200
       encryption aes 256
       authentication pre-share
       group 5
       lifetime 28800
       hash sha
    exit
    !
    crypto isakmp profile Pureport-isakmp
       local-address <Customer Gateway IP>
       match identity address <Pureport Gateway IP>
       keyring Pureport-KeyRing
    exit
    !



  3. Create an IPsec Phase 2 profile and transform set that match the ESP settings you chose in the Pureport console:

    crypto ipsec transform-set Pureport-Prop esp-aes 256 esp-sha-hmac
       mode tunnel
    exit
    !
    crypto ipsec profile Pureport-VPN-Primary
       set pfs group5
       set transform-set Pureport-Prop
    exit
    !



  4. Create a tunnel interface that uses the ISAKMP and IPsec configuration above:

    interface Tunnel1
       ip address <Customer VTI IP> <Customer VTI Subnet>
       ip virtual-reassembly
       tunnel source <Customer Gateway IP>
       tunnel destination <Pureport Gateway IP>
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile Pureport-VPN-Primary
       no shutdown
    exit



  5. Configure BGP on Tunnel 1, applying your route-map policy to the neighbor (the BACKUP route-map used to prefer this Primary VTI over the secondary tunnel is defined in step 7):

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Primary Pureport VTI IP> timers 10 30 30
      neighbor <Primary Pureport VTI IP> password <BGP Primary password>
      neighbor <Primary Pureport VTI IP> activate
      neighbor <Primary Pureport VTI IP> next-hop-self
      no neighbor <Primary Pureport VTI IP> default-originate
      neighbor <Primary Pureport VTI IP> route-map PRIMARY in
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family




  6. Build the second HA connection using the same process. Be sure to update the values in the configuration to match the secondary gateway. The secondary configuration is shown in full below.

    crypto isakmp policy 300
       encryption aes 256
       authentication pre-share
       group 5
       lifetime 28800
       hash sha
    exit
    !
    crypto keyring Pureport-KeyRing-Secondary
       local-address <Customer Secondary Gateway IP>
       pre-shared-key address <Pureport Secondary Gateway IP> key <Pre-Shared key - Secondary>
    exit
    !
    crypto isakmp profile Pureport-isakmp-Secondary
       local-address <Customer Secondary Gateway IP>
       match identity address <Pureport Secondary Gateway IP>
       keyring Pureport-KeyRing-Secondary
    exit
    !
    crypto ipsec transform-set Pureport-ts-secondary esp-aes 256 esp-sha-hmac
       mode tunnel
    exit
    !
    crypto ipsec profile Pureport-VPN-Secondary
       set pfs group5
       set transform-set Pureport-ts-secondary
    exit
    !
    interface Tunnel2
       ip address <Customer Secondary VTI IP> <Customer VTI Subnet>
       tunnel source <Customer Gateway IP>
       tunnel destination <Pureport Secondary Gateway IP>
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile Pureport-VPN-Secondary
       no shutdown
    exit




  7. Because Cisco IOS cannot automatically fail over VTI tunnels, we use a route-map to prefer the Primary VTI. Return traffic is also steered down the Primary VTI by prepending the local Customer ASN to the Secondary VTI AS path, creating a longer (less preferred) AS path, and by setting the route metric to a less preferred value. The route-map is applied both inbound and outbound on the secondary BGP neighbor.

    route-map BACKUP permit 10
     set metric 200
     set as-path prepend last-as 1



  8. Configure BGP on Tunnel 2, applying the BACKUP route-map in both directions:

    router bgp <Customer ASN>
     bgp log-neighbor-changes
     bgp bestpath compare-routerid
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
      neighbor <Secondary Pureport VTI IP> timers 10 30 30
      neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
      neighbor <Secondary Pureport VTI IP> activate
      neighbor <Secondary Pureport VTI IP> next-hop-self
      no neighbor <Secondary Pureport VTI IP> default-originate
      neighbor <Secondary Pureport VTI IP> route-map BACKUP in
      neighbor <Secondary Pureport VTI IP> route-map BACKUP out
      network <Your local network> mask <Your network subnet mask>
      no auto-summary
      no synchronization
     exit-address-family
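The tunnel and BGP neighbor sections of steps 4, 5 and 8 are where the values gathered under Prerequisites are most easily mistyped, so the following helper, an added example that is not part of this article or Pureport's own tooling, renders those sections from the gathered values. It converts the Customer VTI IP from the CIDR form shown in the console into the address/mask pair IOS expects, and refuses a Pureport VTI IP that is not inside the customer's VTI subnet (a directly connected eBGP session needs both ends on the same subnet). All gateway addresses and ASNs used here are constructed sample values; the profile and route-map names are the article's.

```python
import ipaddress

def vti_address(cidr):
    """Split a CIDR VTI address into the 'address mask' pair IOS 'ip address' wants:
    '169.254.1.1/30' -> ('169.254.1.1', '255.255.255.252')."""
    iface = ipaddress.ip_interface(cidr)
    if iface.network.prefixlen >= 31:
        raise ValueError(f"{cidr}: prefix leaves no address for the Pureport side of the VTI")
    return str(iface.ip), str(iface.network.netmask)

def render_tunnel_and_bgp(num, cust_gw, pp_gw, cust_vti_cidr, pp_vti,
                          cust_asn, pp_asn, bgp_pw, backup=False):
    """Render the Tunnel<num> interface and its BGP neighbor lines (steps 4/5 for the
    primary, step 8 for the secondary). backup=True applies route-map BACKUP in both
    directions so that the Primary VTI stays preferred."""
    ip, mask = vti_address(cust_vti_cidr)
    cust_net = ipaddress.ip_interface(cust_vti_cidr).network
    peer = ipaddress.ip_address(pp_vti)
    # eBGP without multihop needs both VTI ends in one subnet; catch the mismatch
    # (e.g. primary subnet paired with the secondary peer) before it reaches the router.
    if peer not in cust_net or str(peer) == ip:
        raise ValueError(f"Pureport VTI {pp_vti} is not a usable peer inside {cust_net}")
    profile = "Pureport-VPN-Secondary" if backup else "Pureport-VPN-Primary"
    lines = [
        f"interface Tunnel{num}",
        f" ip address {ip} {mask}",
        f" tunnel source {cust_gw}",
        f" tunnel destination {pp_gw}",
        " tunnel mode ipsec ipv4",
        f" tunnel protection ipsec profile {profile}",
        " no shutdown",
        "!",
        f"router bgp {cust_asn}",
        " address-family ipv4 unicast",
        f"  neighbor {peer} remote-as {pp_asn}",
        f"  neighbor {peer} timers 10 30 30",
        f"  neighbor {peer} password {bgp_pw}",
        f"  neighbor {peer} activate",
        f"  neighbor {peer} next-hop-self",
    ]
    if backup:
        lines += [f"  neighbor {peer} route-map BACKUP in",
                  f"  neighbor {peer} route-map BACKUP out"]
    lines.append(" exit-address-family")
    return "\n".join(lines)

# Constructed sample: secondary tunnel, RFC 5737 gateway addresses, private ASNs.
SECONDARY = render_tunnel_and_bgp(2, "198.51.100.10", "203.0.113.21", "169.254.2.1/30",
                                  "169.254.2.2", 65001, 65500, "bgp-secondary-pw", backup=True)
```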





Testing IPSEC VPN Tunnel Connectivity

When using BGP, the routing table updates automatically if one of the tunnels disconnects.


  1. To verify that BGP peering is established, check the route table via the CLI with this command:
    show ip route bgp

    The system displays the current BGP routes in the IOS route table. Note that the Primary VTI is preferred.

  2. To see all BGP routes, use:
    show ip bgp


  3. To confirm that your tunnels have successfully established a connection to your Pureport Gateways, ping the Primary Pureport VTI IP address from a system in your local network. A successful ping transmits all packets with no loss.
    For example, in the previous sample, the Pureport VTI IPs are:
    • 169.254.1.2
    • 169.254.2.2

    To ping the Primary Gateway Pureport VTI, use:
    ping 169.254.1.2


Troubleshooting commands for VPN Connections on IOS

When configuring ISAKMP and IPsec in IOS, a few commands help you troubleshoot if the tunnel does not function as expected. These commands are listed below.


  • show crypto isakmp sa
    • Shows the state of the ISAKMP Phase 1 portion of the connection: the configured endpoints and, if an SA has been established, its status.
  • show crypto ipsec sa
    • Shows the state of the IPsec Phase 2 portion of the connection: the configured endpoints and, if the SA has been established, its status.
  • show ip int brief
    • Shows the status of all interfaces on your device. When troubleshooting, check the tunnel interface experiencing the issue: it must be administratively up and its line protocol must show up.
  • debug crypto isakmp
    • Enables ISAKMP debugging on your device. Events, errors, and details of the ISAKMP process are displayed on the console as the device processes the connection.
  • debug crypto ipsec
    • Enables IPsec debugging on your device. Events, errors, and details of the IPsec process are displayed on the console as the device processes the connection.
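With two gateways, the first thing to establish is whether Phase 1 is up towards each of them. The following checker, an added example rather than anything from this article or from Pureport, parses the IPv4 section of `show crypto isakmp sa` and reports, per gateway, whether a usable SA exists (state QM_IDLE and status exactly ACTIVE; an SA shown as "ACTIVE (deleted)" or still in main mode is not usable). The sample output and gateway addresses are constructed for the example, not captured from a device.

```python
import ipaddress

# Constructed sample of 'show crypto isakmp sa' output, not captured from a real router:
# the primary gateway (.20) is fully up, the secondary (.21) is stuck in main mode
# and its SA is being torn down.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.20    198.51.100.10   QM_IDLE           1001 ACTIVE
203.0.113.21    198.51.100.10   MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

"""

def parse_isakmp_sa(output):
    """Return [(dst, src, state, status)] for every SA row. A row is recognised by
    its first two columns both parsing as IP addresses, so headers are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            ipaddress.ip_address(parts[0])
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        # parts[3] is conn-id; status may carry a trailing qualifier such as "(deleted)".
        rows.append((parts[0], parts[1], parts[2], " ".join(parts[4:])))
    return rows

def phase1_status(output, gateways):
    """Map each Pureport gateway IP to True only when a usable Phase 1 SA exists:
    state QM_IDLE (IKE negotiation complete) and status exactly ACTIVE. The gateway
    may appear in either the dst or the src column, depending on which side initiated."""
    rows = parse_isakmp_sa(output)
    result = {}
    for gw in gateways:
        matching = [r for r in rows if gw in (r[0], r[1])]
        result[gw] = any(r[2] == "QM_IDLE" and r[3] == "ACTIVE" for r in matching)
    return result

# Constructed gateway list: primary, secondary, and one with no SA at all.
STATUS = phase1_status(SAMPLE_ISAKMP_SA, ["203.0.113.20", "203.0.113.21", "203.0.113.99"])
```

If a gateway reports False here, `show crypto ipsec sa` will show nothing useful for it either; work on Phase 1 (policy, keyring, and identity match) before looking at Phase 2.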