IPsec for Cisco IOS XE Routers

Use the VPN Interface IPsec feature template to configure IPsec tunnels on Cisco IOS XE service VPNs that are being used for Internet Key Exchange (IKE) sessions. You can configure IPsec on tunnels for VPN 1 through 65530, except for 512.

Create and Name the Template

  1. From the vManage menu, select Configuration ► Templates.
  2. Click Feature.
  3. Click Add Template.
  4. Select a Cisco IOS XE device from the list.
  5. From the VPN section, click VPN Interface IPsec. The VPN Interface IPsec template displays. The top of the form contains fields for naming the template, and the bottom contains fields for defining IPsec parameters.

[Figure: top portion of the VPN Interface IPsec template form]

  6. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  7. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Changing the Scope for a Parameter Value

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (a blue check), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Name

Description

Device Specific

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Once you have created and named the VPN Interface IPsec template, enter the following values for your IPsec template. Parameters marked with an asterisk are required.

Basic Configuration

To configure a basic IPsec tunnel interface, select the Basic Configuration tab and configure the following parameters.

Parameter Name

Options/Format

Description

Shutdown*

Yes / No

Click No to enable the interface; click Yes to disable.

Interface Name*

ipsec number (1…255)

Enter the name of the IPsec interface. Number can be from 1 through 255.

Description

Enter a description of the IPsec interface.

IPv4 Address*

ipv4-prefix/length

Enter the IPv4 address of the IPsec interface. The address must have a /30 subnet.

Source*

Set the source of the IPsec tunnel that is being used for IKE key exchange:

IP Address

Click and enter the IPv4 address that is the source tunnel interface. This address must be configured in VPN 0.

Interface

Click and enter the name of the physical interface that is the source of the IPsec tunnel. This interface must be configured in VPN 0.

Destination*

Set the destination of the IPsec tunnel that is being used for IKE key exchange.

IPsec Destination IP Address

Enter an IPv4 address that points to the destination.

TCP MSS

Specify the maximum segment size (MSS) of TCP SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 to 1960 bytes
Default: None

IP MTU

Specify the maximum transmission unit (MTU) size of packets on the interface.

Range: 576 through 2000
Default: 1500 bytes

To save the feature template, click Save.

CLI Equivalent

crypto
   interface tunnel ifnum
      no shutdown
      vrf forwarding vrf_id
      ip address ip_address[mask]
      tunnel source wanif_ip
      tunnel mode {ipsec ipv4 | gre ip}
      tunnel destination gateway_ip
      tunnel protection ipsec profile ipsec_profile_name

Configure Dead-Peer Detection

To configure Internet key exchange (IKE) dead-peer detection (DPD) to determine whether the connection to an IKE peer is functional and reachable, select the DPD tab and configure the following parameters:

Parameter Name

Description

DPD Interval

Specify the interval for IKE to send Hello packets on the connection.

Range: 10 through 3600 seconds
Default: Disabled

DPD Retries

Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then tearing down the tunnel to the peer.

Range: 2 through 60
Default: 3

To save the feature template, click Save.

CLI Equivalent

crypto
   ikev2
      profile ikev2_profile_name
         dpd 10-3600 2-60 {on-demand | periodic}

Configure IKE

To configure IKE, select the IKE tab and configure the following parameters.

Note: When you create an IPsec tunnel on a Cisco IOS XE router, IKE Version 1 is enabled by default on the tunnel interface.

IKE version 1

To modify IKEv1 parameters, configure the following parameters:

Parameter Name

Options

Description

IKE Version

1 IKEv1

2 IKEv2

Enter 1 to select IKEv1.

Default: IKEv1

IKE Mode

Aggressive mode

Main mode

Specify the IKE SA establishment mode.

Default: Main mode

IPsec Rekey Interval

3600 - 1209600 seconds

Specify the interval for refreshing IKE keys.

Range: 1 hour through 14 days
Default: 14400 seconds (4 hours)

IKE Cipher Suite

AES128-CBC-SHA1

AES256-CBC-SHA1

Specify the type of authentication and encryption to use during IKE key exchange.

Default: AES256-CBC-SHA1

IKE Diffie-Hellman Group

1024-bit modulus

2048-bit modulus

3072-bit modulus

4096-bit modulus

Specify the Diffie-Hellman group to use in IKE key exchange.

Default: 4096-bit modulus

IKE Authentication

Configure IKE authentication.

Preshared Key

Enter the password to use with the preshared key.

IKE ID for Local End Point

If the remote IKE peer requires a local end point identifier, specify it.

Range: 1 through 64 characters
Default: Tunnel's source IP address

IKE ID for Remote End Point

If the remote IKE peer requires a remote end point identifier, specify it.

Range: 1 through 64 characters
Default: Tunnel's destination IP address

To save the feature template, click Save.

CLI Equivalent

crypto
   isakmp
      keepalive 60-86400 2-60 {on-demand | periodic}
      policy policy_num
         encryption {AES128-CBC-SHA1 | AES256-CBC-SHA1}
         hash {sha384 | sha256 | sha}
         authentication pre-share
         group {2 | 14 | 16 | 19 | 20 | 21}
         lifetime 60-86400
      profile ikev1_profile_name
         match identity address ip_address [mask]
         keyring keyring_name
      profile ipsec_profile_name
         set transform-set transform_set_name
         set isakmp-profile ikev1_profile_name
         set security-association
            lifetime {kilobytes disable | seconds 120-2592000}
            replay {disable | window-size [64 | 128 | 256 | 512 | 1024]}
         set pfs group {14 | 16 | 19 | 20 | 21}
   keyring keyring_name
      pre-shared-key address ip_address [mask] key key_string
   ipsec transform-set transform_set_name {esp-gcm 256 | esp-aes 256 [esp-sha384-hmac | esp-sha256-hmac]} mode tunnel

IKE version 2

To configure the IPsec tunnel that carries IKEv2 traffic, select the IPsec tab and configure the following parameters:

Parameter Name

Options

Description

IKE Version

1 IKEv1

2 IKEv2

Enter 2 to select IKEv2.

Default: IKEv1

IKE Mode

Aggressive

Main

Aggressive mode -- Negotiation is quicker, and the initiator and responder IDs pass in the clear.

Main mode -- Establishes an IKE SA session before starting IPsec negotiations.

Default: Main

IPsec Rekey Interval

3600 - 1209600 seconds

Specify the interval for refreshing IKE keys.

Range: 1 hour through 14 days
Default: 14400 seconds (4 hours)

IKE Cipher Suite

AES128-CBC-SHA1

AES256-CBC-SHA1

Specify the type of authentication and encryption to use during IKE key exchange.

Default: AES256-CBC-SHA1

IKE Diffie-Hellman Group

2 1024-bit modulus

14 2048-bit modulus

15 3072-bit modulus

16 4096-bit modulus

Specify the Diffie-Hellman group to use in IKE key exchange.

Default: 16 4096-bit modulus

IKE Authentication

Configure IKE authentication.

Preshared Key

Enter the password to use with the preshared key.

IKE ID for Local End Point

If the remote IKE peer requires a local end point identifier, specify it.

Range: 1 through 64 characters
Default: Tunnel's source IP address

IKE ID for Remote End Point

If the remote IKE peer requires a remote end point identifier, specify it.

Range: 1 through 64 characters
Default: Tunnel's destination IP address

To save the feature template, click Save.

CLI Equivalent

crypto
   ikev2
      proposal proposal_name
         encryption {3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des}
         integrity {sha256 | sha384 | sha512}
         group {2 | 14 | 15 | 16}
      keyring ikev2_keyring_name
         peer peer_name
         address tunnel_dest_ip [mask]
         pre-shared-key key_string
      profile ikev2_profile_name
         match identity remote address ip_address
         authentication {remote | local} pre-share
         keyring local ikev2_keyring_name
         lifetime 120-86400

Configure IPsec Tunnel Parameters

To configure the IPsec tunnel that carries IKE traffic, select the IPsec tab and configure the following parameters:

Parameter Name

Options

Description

IPsec Rekey Interval

3600 - 1209600 seconds

Specify the interval for refreshing IKE keys.

Range: 1 hour through 14 days
Default: 3600 seconds

IKE Replay Window

64, 128, 256, 512, 1024, 2048, 4096, 8192

Specify the replay window size for the IPsec tunnel.

Default: 512

IPsec Cipher Suite

aes256-cbc-sha1

aes256-gcm

null-sha1

Specify the authentication and encryption to use on the IPsec tunnel.

Default: aes256-gcm

Perfect Forward Secrecy

2 1024-bit modulus

14 2048-bit modulus

15 3072-bit modulus

16 4096-bit modulus

none

Specify the PFS settings to use on the IPsec tunnel.

Select one of the following Diffie-Hellman prime modulus groups:

1024-bit – group-2
2048-bit – group-14
3072-bit – group-15
4096-bit – group-16
none – disable PFS
Default: group-16

To save the feature template, click Save.

CLI Equivalent

crypto
   ipsec
      profile ipsec_profile_name
         set ikev2-profile ikev2_profile_name
         set security-association
            lifetime {seconds 120-2592000 | kilobytes disable}
            replay {disable | window-size {64 | 128 | 256 | 512 | 1024 | 4096 | 8192}}
         set pfs group {2 | 14 | 15 | 16 | none}
         set transform-set transform_set_name
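As an added example (my own code, not Cisco's or vManage's), the following checks template values from the Basic Configuration and IPsec Tunnel Parameters sections against the ranges stated on this page (interface number, /30 address, VPN not 512, MTU, rekey interval, replay window, PFS group) and renders the matching CLI equivalent. The key names in `p`, the profile names and the sample addresses are assumptions I made for illustration.

```python
# Added example (not Cisco's code): check VPN Interface IPsec template values
# against the ranges this page states, then render the CLI equivalent. Keys of `p` are my names.
import ipaddress

RANGES = {"ifnum": (1, 255), "ip_mtu": (576, 2000), "tcp_mss": (552, 1960),
          "rekey_seconds": (3600, 1209600)}  # (min, max) from this page's tables
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096, 8192}
PFS_GROUPS = {2, 14, 15, 16, None}  # None disables PFS

def validate(p):
    # Returns the problems found; an empty list means the values pass the page's rules
    errs = [f"{k}={p[k]} outside {lo}-{hi}" for k, (lo, hi) in RANGES.items()
            if k in p and not lo <= p[k] <= hi]  # optional keys may be absent
    if not 1 <= p["vpn"] <= 65530 or p["vpn"] == 512:
        errs.append(f"vpn={p['vpn']} must be 1-65530 and not 512")
    if ipaddress.ip_interface(p["ipv4"]).network.prefixlen != 30:
        errs.append(f"ipv4={p['ipv4']} must be a /30")
    if p["replay_window"] not in REPLAY_WINDOWS:
        errs.append(f"replay_window={p['replay_window']} unsupported")
    if p["pfs_group"] not in PFS_GROUPS:
        errs.append(f"pfs_group={p['pfs_group']} not in 2/14/15/16/none")
    return errs

def render(p):
    # Renders the IPsec profile and tunnel interface; refuses values that fail validate()
    if errs := validate(p):
        raise ValueError("; ".join(errs))
    iface = ipaddress.ip_interface(p["ipv4"])
    pfs = "none" if p["pfs_group"] is None else str(p["pfs_group"])
    return "\n".join([
        f"crypto ipsec profile {p['ipsec_profile']}",
        f" set ikev2-profile {p['ikev2_profile']}",
        f" set security-association lifetime seconds {p['rekey_seconds']}",
        f" set security-association replay window-size {p['replay_window']}",
        f" set pfs group {pfs}",
        f" set transform-set {p['transform_set']}",
        f"interface Tunnel{p['ifnum']}",
        " no shutdown",
        f" vrf forwarding {p['vpn']}",
        f" ip address {iface.ip} {iface.network.netmask}",
        f" ip mtu {p.get('ip_mtu', 1500)}",  # 'ip mtu' is standard IOS XE syntax
        f" tunnel source {p['source']}",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {p['destination']}",
        f" tunnel protection ipsec profile {p['ipsec_profile']}",
    ])

SAMPLE = {"ifnum": 1, "vpn": 1, "ipv4": "10.0.0.1/30",  # constructed; page defaults
          "source": "192.0.2.1", "destination": "198.51.100.1", "rekey_seconds": 3600,
          "replay_window": 512, "pfs_group": 16, "ipsec_profile": "IPSEC-PROF",
          "ikev2_profile": "IKEV2-PROF", "transform_set": "TS-GCM256"}
```

Calling `render(SAMPLE)` prints the two configuration blocks; feeding it a /24 address, VPN 512 or a replay window that is not one of the listed sizes raises a ValueError listing every violated rule.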

Release Information

Introduced in vManage NMS for Cisco IOS XE routers in release 19.1.
