Sunday, August 14, 2022

Cisco CSR Config. with Aviatrix S2C

  Aviatrix Site2Cloud configuration template

!

! This configuration serves as a general guideline and may have to be modified to

! be functional on your device.

!

! If the provided encryption or authentication type is configured as 'n/a', then

! there was not a known mapping from the selected type to the encryption or

! authentication type expected by the Cisco device.  Please reference the Cisco

! documentation for your device and replace 'n/a' with the expected configuration.

! This connection has two IPsec tunnels between the customer gateway and 

! Aviatrix gateways in the cloud. Tunnel #1 is the primary tunnel. The 

! customer gateway should be configured so that it fails over to tunnel #2

! when tunnel #1 fails.

! You need to populate these values throughout the config based on your setup:

! <crypto_policy_number>: the IKE crypto policy number

! <tunnel_number1>: the primary IPSec tunnel interface number

! <tunnel_number2>: the backup IPSec tunnel interface number

! <ios_wan_interface1>: the primary source interface of tunnel packets

! <ios_wan_interface2>: the backup source interface of tunnel packets

! <customer_tunnel_ip1>: any un-used IPv4 address for the primary tunnel interface

!                        when static routing is used (e.g. 1.1.1.1)

! <customer_tunnel_ip2>: any un-used IPv4 address for the backup tunnel interface

!                        when static routing is used (e.g. 1.1.1.3)

! <netmask>: netmask for customer_tunnel_ip. Please use 255.255.255.255

!

! --------------------------------------------------------------------------------

! IPSec Tunnel #1 (Primary)

! --------------------------------------------------------------------------------

! #1: Internet Key Exchange (IKE) Configuration

! A policy is established for the supported ISAKMP encryption, 

! authentication, Diffie-Hellman, lifetime, and key parameters.

!

crypto keyring xx

  pre-shared-key address xx key xx

  exit

!

crypto isakmp policy 1

  encryption 256-aes

  authentication pre-share

  hash sha256

  group 14

  lifetime 28800

  exit

!

! DPD configuration on Aviatrix gateway for this site2cloud connection is given below:

!     status       : enabled

!     initial delay: 10 seconds

!     retry        : 3 seconds

!     maxfail      : 3

!

crypto isakmp keepalive 10 3 periodic

!

crypto isakmp profile xx

  keyring xx

  self-identity address

  match identity address xx 255.255.255.255

  exit

!

!---------------------------------------------------------------------------------

! #2: IPSec Configuration

! The IPSec transform set defines the encryption, authentication, and IPSec

! mode parameters.

!

crypto ipsec transform-set xx esp-256-aes esp-sha256-hmac

  mode tunnel

  exit

crypto ipsec df-bit clear

!

crypto ipsec profile xx

  set security-association lifetime seconds 3600

  set transform-set xx

  set pfs group14

  set isakmp-profile xx

  set security-association lifetime kilobytes disable

  exit

!

!---------------------------------------------------------------------------------------

! #3: Tunnel Interface Configuration

! The virtual tunnel interface is used to communicate with the remote IPSec endpoint 

! to establish the IPSec tunnel.

!

interface Tunnel 1

  ip address 169.254.8.97 255.255.255.252

  ip mtu 1436

  ip tcp adjust-mss 1387

  tunnel source xx

  tunnel mode ipsec ipv4

  tunnel destination xx

  tunnel protection ipsec profile xx

  ip virtual-reassembly

  exit

!

!

! --------------------------------------------------------------------------------

! IPSec Tunnel #2 (Backup)

! --------------------------------------------------------------------------------

! #4: Internet Key Exchange (IKE) Configuration

!

! 'S2CTEST' is a sample value: replace it with the pre-shared key configured for

! this Site2Cloud connection on the Aviatrix controller (it must match on both ends).

! The key is stored in cleartext unless type 6 encryption is enabled with

! 'key config-key password-encrypt' and 'password encryption aes'.

crypto keyring xx

  pre-shared-key address xx key S2CTEST

  exit

!

crypto isakmp profile xx

  keyring xx

  self-identity address

  match identity address xx 255.255.255.255

  exit

!

!---------------------------------------------------------------------------------

! #5: IPSec Configuration

! The IPSec transform set defines the encryption, authentication, and IPSec

! mode parameters.

!

crypto ipsec transform-set xx esp-256-aes esp-sha256-hmac

  mode tunnel

  exit

!

crypto ipsec profile xx

  set security-association lifetime seconds 3600

  set transform-set xx

  set pfs group14

  set isakmp-profile xx

  set security-association lifetime kilobytes disable

  exit

!

!---------------------------------------------------------------------------------------

! #6: Tunnel Interface Configuration

! The virtual tunnel interface is used to communicate with the remote IPSec endpoint

! to establish the IPSec tunnel.

!

interface Tunnel 2

  ip address 169.254.188.9 255.255.255.252

  ip mtu 1436

  ip tcp adjust-mss 1387

  tunnel source xx

  tunnel mode ipsec ipv4

  tunnel destination xx

  tunnel protection ipsec profile xx

  ip virtual-reassembly

  exit

!

!---------------------------------------------------------------------------------------

! #7: BGP Routing Configuration

! The Border Gateway Protocol (BGPv4) is used to exchange routes between the VPC and

! the on-prem network. Each BGP router has an Autonomous System Number (ASN).

!

router bgp 64512

  bgp log-neighbor-changes

  neighbor 169.254.8.98 remote-as 65000

  neighbor 169.254.8.98 timers 60 180

  ! BGP MD5 authentication password must be added if one is configured on the Aviatrix side

  ! neighbor 169.254.8.98 password 

  neighbor 169.254.188.10 remote-as 65000

  neighbor 169.254.188.10 timers 60 180

  ! BGP MD5 authentication password must be added if one is configured on the Aviatrix side

  ! neighbor 169.254.188.10 password 

 !

 address-family ipv4

  redistribute connected

  neighbor 169.254.8.98 activate

  neighbor 169.254.8.98 soft-reconfiguration inbound

  neighbor 169.254.188.10 activate

  neighbor 169.254.188.10 soft-reconfiguration inbound

  maximum-paths 4

 exit-address-family

!

!---------------------------------------------------------------------------------------

!

!
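Before pasting the rendered template onto the router it is worth checking it mechanically: the header above warns that 'n/a' may be left wherever no Cisco mapping existed, the keyring for tunnel #2 still carries the sample key S2CTEST, and each BGP neighbour in section #7 has to be the far end of the /30 assigned to Tunnel 1 or Tunnel 2. The Python script below is an added example, not part of the Aviatrix template or of Cisco's tooling. It parses an IOS config of this shape and reports leftover placeholders, sample or short pre-shared keys, IKE/IPsec settings weaker than the template's AES-256 / SHA-256 / DH group 14 baseline, duplicated statements inside one block, and BGP neighbours that sit outside every tunnel subnet. The placeholder list, the 20-character PSK minimum and the sample config (which deliberately contains a few defects) are assumptions made for this example.

```python
"""Pre-flight lint for a Cisco IOS/CSR Site2Cloud config. Added example, not part
of the Aviatrix template or Cisco tooling: flags leftover placeholders, sample or
short pre-shared keys, IKE/IPsec settings weaker than AES-256/SHA-256/DH group 14,
duplicated statements inside one block and BGP neighbours outside every tunnel /30.
Thresholds, the placeholder list and the sample config are assumptions."""
import ipaddress
import re

PLACEHOLDERS = {"xx", "xxx", "n/a"}
SAMPLE_PSKS = {"S2CTEST"}          # sample key seen in templates (assumption)
MIN_PSK_LEN = 20                   # local policy (assumption)
WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5", "sha"}     # 'hash sha' is SHA-1 on IOS
WEAK_DH = {"1", "2", "5"}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def parse_blocks(text):
    """Split an IOS config into (header, [child statements]) pairs: a non-indented
    line opens a block; '!' comments, blank lines and exit statements are dropped."""
    blocks = []
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt[0] == "!" or stmt in ("exit", "exit-address-family"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(stmt)
        else:
            blocks.append((stmt, []))
    return blocks

def lint(text):
    """Return a list of findings; an empty list means no check fired."""
    findings, tunnels, neighbors = [], {}, []
    for header, body in parse_blocks(text):
        for stmt in [header] + body:
            if PLACEHOLDERS & set(stmt.split()):
                findings.append(f"placeholder left in: {stmt}")
        for stmt in {s for s in body if body.count(s) > 1}:
            findings.append(f"duplicate statement in '{header}': {stmt}")
        if header.startswith("crypto keyring"):
            for m in (re.match(r"pre-shared-key address \S+ key (\S+)", s) for s in body):
                if m and (m.group(1) in SAMPLE_PSKS or len(m.group(1)) < MIN_PSK_LEN):
                    findings.append(f"weak or sample PSK in '{header}'")
        elif header.startswith("crypto isakmp policy"):
            for kw in (s.split() for s in body):
                if len(kw) > 1 and ((kw[0] == "encryption" and kw[1] in WEAK_IKE_ENC)
                                    or (kw[0] == "hash" and kw[1] in WEAK_IKE_HASH)
                                    or (kw[0] == "group" and kw[1] in WEAK_DH)):
                    findings.append(f"weak IKE parameter in '{header}': {' '.join(kw)}")
        elif header.startswith("crypto ipsec transform-set"):
            for alg in header.split()[4:]:
                if alg in WEAK_ESP:
                    findings.append(f"weak ESP transform {alg} in '{header}'")
        elif header.startswith("crypto ipsec profile"):
            pfs = [s for s in body if s.startswith("set pfs ")]
            if not pfs:
                findings.append(f"no PFS in '{header}'")
            elif pfs[0].split()[-1].replace("group", "") in WEAK_DH:
                findings.append(f"weak PFS group in '{header}': {pfs[0]}")
        elif header.startswith("interface Tunnel"):
            for m in (re.match(r"ip address (\S+) (\S+)", s) for s in body):
                if m:
                    tunnels[header] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif header.startswith("router bgp"):
            neighbors += [s.split()[1] for s in body if re.match(r"neighbor \S+ remote-as ", s)]
    # A BGP neighbour must be the far end of a tunnel /30. A /32 tunnel address
    # means static routing (see the template header), so it gets no neighbour.
    for nbr in neighbors:
        peer = ipaddress.ip_address(nbr)
        if not any(peer in t.network and peer != t.ip
                   for t in tunnels.values() if t.network.prefixlen < 32):
            findings.append(f"BGP neighbor {nbr} is not inside any tunnel interface subnet")
    return findings

# Constructed sample in the template's shape, with deliberate defects: a sample PSK,
# an SHA-1 ESP transform, a duplicated lifetime, a leftover 'xx', a neighbour outside Tunnel 2's /30.
SAMPLE = """\
crypto keyring kr-backup
  pre-shared-key address 203.0.113.20 key S2CTEST
crypto ipsec transform-set ts1 esp-256-aes esp-sha-hmac
crypto ipsec profile prof1
  set security-association lifetime seconds 3600
  set transform-set ts1
  set pfs group14
  set security-association lifetime seconds 3600
interface Tunnel 1
  ip address 169.254.8.97 255.255.255.252
  tunnel destination xx
interface Tunnel 2
  ip address 169.254.188.9 255.255.255.252
router bgp 64512
  neighbor 169.254.8.98 remote-as 65000
  neighbor 169.254.188.2 remote-as 65000
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it on the config exported from the controller; an empty result means none of these checks fired, not that the config is complete. The IKE encryption check only rejects DES and 3DES, so either rendering of AES-256 passes; which keyword order the device accepts is still a question for the Cisco documentation, as the header says. Note that 'n/a' is caught as a placeholder, and that a leftover 'xx' in a tunnel destination or keyring is reported before anything is pasted.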

For vendor specific instructions, please go to the following URL:

http://docs.aviatrix.com/#site2cloud
