Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

VPN Interface IPsec

Use the VPN Interface IPsec feature template to configure IPsec tunnels on vEdge routers that are being used for Internet Key Exchange (IKE) sessions. You can configure IPsec on tunnels in the transport VPN (VPN 0) and in service VPNs (VPN 1 through 65530, except for 512).

Navigate to the Template Screen and Name the Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. Click the Service VPN tab located directly beneath the Description field, or scroll to the Service VPN section.
  6. Click the Service VPN drop-down.

    G00508.png
  7. Under Additional VPN Templates, located to the right of the screen, click VPN Interface IPsec.
  8. From the VPN Interface IPsec drop-down, click Create Template. The VPN-Interface-IPsec template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface IPsec parameters.
  9. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  10. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure a Basic IPsec Tunnel Interface

To configure an IPsec tunnel to use for IKE sessions, select the Basic Configuration tab and configure the following parameters. Parameters marked with an asterisk are required to configure an IPsec tunnel.

Parameter Name Description
Shutdown* Click No to enable the interface.
Interface Name* Enter the name of the IPsec interface, in the format ipsecnumber. number can be from 1 through 256.
Description Enter a description of the IPsec interface.
IPv4 Address* Enter the IPv4 address of the IPsec interface, in the format ipv4-prefix/length. The address must be a /30.
Source*

Set the source of the IPsec tunnel that is being used for IKE key exchange:

  • Click IP Address—Enter the IPv4 address that is the source tunnel interface. This address must be configured in VPN 0.
  • Click Interface—Enter the name of the physical interface that is the source of the IPsec tunnel. This interface must be configured in VPN 0.
Destination: IPsec Destination IP Address/FQDN*

Set the destination of the IPsec tunnel that is being used for IKE key exchange. Enter either an IPv4 address or the fully qualified DNS name that points to the destination.

TCP MSS Specify the maximum segment size (MSS) of TPC SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 552 to 1460 bytes
Default: None
IP MTU Specify the maximum MTU size of packets on the interface.
Range: 576 through 1804
Default: 1500 bytes

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface ipsecnumber
    ip address ipv4-prefix/length
    mtu bytes
    no shutdown
    tcp-mss-adjust bytes
    tunnel-destination ipv4-address
    (tunnel-source ip-address | tunnel-source-interface interface-name)

Configure Dead-Peer Detection

To configure IKE dead-peer detection to determine whether the connection to an IKE peer is functional and reachable, select the DPD tab and configure the following parameters:

Parameter Name Description
DPD Interval Specify the interval for IKE to send Hello packets on the connection.
Range: 0 through 65535 seconds (1 hour through 14 days)
Default: 10 seconds
DPD Retries Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then tearing down the tunnel to the peer.
Range: 0 through 255
Default: 3

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface ipsecnumber
    dead-peer-detection seconds retries number

Configure IKE

To configure IKE, select the IKE tab and configure the parameters discussed below.

When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:

  • Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number—16
  • Rekeying time interval—4 hours
  • SA establishment mode—Main

To modify IKEv1 parameters, configure the following:

Parameter Name Description
IKE Version

Enter 1 to select IKEv1.

IKE Mode Specify the IKE SA establishment mode.
Values: Aggressive mode, Main mode
Default: Main mode
IPsec Rekey Interval Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days)
Default: 14400 seconds (4 hours)
IKE Cipher Suite Specify the type of authentication and encryption to use during IKE key exchange.
Values: aes128-cbc-sha1, aes256-cbc-sha1
Default: aes256-cbc-sha1
IKE Diffie-Hellman Group Specify the Diffie-Hellman group to use in IKE key exchange.
Values: 1024-bit modulus, 2048-bit modulus, 3072-bit modulus, 4096-bit modulus
Default: 4096-bit modulus
IKE Authentication: Preshared Key To use preshared key (PSK) authentication, enter the password to use with the preshared key.
IKE ID for Local End Point If the remote IKE peer requires a local end point identifier, specify it.
Range: Default: Tunnel's source IP address
IKE ID for Remote End Point If the remote IKE peer requires a remote end point identifier, specify it.
Range: 1 through 64 characters
Default: Tunnel's destination IP address

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface ipsecnumber
    ike
      authentication-type type
        local-id id
        pre-shared-secret password 
        remote-id id
      cipher-suite suite
      group number
      mode mode
      rekey-interval seconds
      version 1

To configure IKEv2, configure the following parameters:

Parameter Name Description
IKE Version

Enter 2 to select IKEv2.

IPsec Rekey Interval Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days)
Default: 14400 seconds (4 hours)
IKE Cipher Suite Specify the type of authentication and encryption to use during IKE key exchange.
Values: aes128-cbc-sha1, aes256-cbc-sha1
Default: aes256-cbc-sha1
IKE Diffie-Hellman Group Specify the Diffie-Hellman group to use in IKE key exchange.
Values: 1024-bit modulus, 2048-bit modulus, 3072-bit modulus, 4096-bit modulus
Default: 4096-bit modulus
IKE Authentication: Preshared Key To use preshared key (PSK) authentication, enter the password to use with the preshared key.
IKE ID for Local End Point If the remote IKE peer requires a local end point identifier, specify it.
Range: Default: Tunnel's source IP address
IKE ID for Remote End Point If the remote IKE peer requires a remote end point identifier, specify it.
Range: 1 through 64 characters
Default: Tunnel's destination IP address

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface ipsecnumber
    ike
      authentication-type type
        local-id id
        pre-shared-secret password 
        remote-id id
      cipher-suite suite
      group number
      rekey-interval seconds
      version 2

Configure IPsec Tunnel Parameters

To configure the IPsec tunnel that carries IKE traffic, select the IPsec tab and configure the following parameters:

Parameter Name Description
IPsec Rekey Interval Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days)
Default: 14400 seconds (4 hours)
IKE Replay Window Specify the replay window size for the IPsec tunnel.
Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes
Default: 32 bytes
IPsec Cipher Suite Specify the authentication and encryption to use on the IPsec tunnel.
Values: aes256-cbc-sha1, aes256-gcm, null-sha1
Default: aes256-gcm
Perfect Forward Secrecy Specify the PFS settings to use on the IPsec tunnel.
Values:
group-2—Use the 1024-bit Diffie-Hellman prime modulus group.
group-14—Use the 2048-bit Diffie-Hellman prime modulus group.
group-15—Use the 3072-bit Diffie-Hellman prime modulus group.
group-16—Use the 4096-bit Diffie-Hellman prime modulus group.
none—Disable PFS.
Default: group-16

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface ipsecnumber
    ipsec 
      cipher-suite suite
      perfect-forward-secrecy pfs-setting
      rekey-interval seconds
      replay-window number

Release Information

Introduced in vManage NMS in Release 17.2.
In Release 17.2.3, add support for PFS.
In Release 18.2, support support for IPsec tunnels in VPN 0.

  • Was this article helpful?