SD-WAN

nevermind wind, no matter rain

BGP over IPSec between VMware SD-WAN Edge and Cisco IOS

Configuration of the two Cisco routers R-IPSec1 and R-IPSec2

Since the focus of this post is the VMware SD-WAN Edge rather than the Cisco routers, the two Cisco configurations are pasted below for reference.

R-IPSec1 Configuration:

R-IPSec1#sh run
Building configuration...

Current configuration : 2192 bytes
!
! Last configuration change at 09:54:21 HKT Wed Sep 1 2021
!
version 15.7
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R-IPSec1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
clock timezone HKT 8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 proposal velo_prop
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy velo_pol_ikev2
 proposal velo_prop
!
crypto ikev2 keyring velo_key
 peer ALL
  address 24.5.2.39
  pre-shared-key local vmware1234
  pre-shared-key remote vmware1234
 !
!
!
crypto ikev2 profile velo_profile_ikev2
 match identity remote address 24.5.2.39 255.255.255.255
 identity local address 98.1.2.212
 authentication remote pre-share
 authentication local pre-share
 keyring local velo_key
 dpd 20 3 on-demand
!
!
!
crypto ipsec transform-set velo_ts esp-aes 256 esp-sha256-hmac
 mode transport
!
!
crypto ipsec profile velo_ipsec_profile
 set transform-set velo_ts
 set ikev2-profile velo_profile_ikev2
!
!
!
!
!
!
interface Tunnel1
 ip address 169.254.80.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 24.5.2.39
 tunnel protection ipsec profile velo_ipsec_profile
!
interface Ethernet0/0
 ip address 98.1.2.212 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 ip address 10.101.1.1 255.255.255.0
 duplex auto
!
interface Ethernet0/2
 no ip address
 shutdown
 duplex auto
!
interface Ethernet0/3
 no ip address
 shutdown
 duplex auto
!
router bgp 65100
 bgp log-neighbor-changes
 network 10.101.1.0 mask 255.255.255.0
 neighbor 169.254.80.2 remote-as 65123
 neighbor 169.254.80.2 send-community both
 neighbor 169.254.80.2 soft-reconfiguration inbound
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 98.1.2.1
!
ipv6 ioam timestamp
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end

R-IPSec2 Configuration:

R-IPSec2#sh run
Building configuration...

Current configuration : 2289 bytes
!
! Last configuration change at 09:58:52 HKT Wed Sep 1 2021
! NVRAM config last updated at 09:58:53 HKT Wed Sep 1 2021
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R-IPSec2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
clock timezone HKT 8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 proposal velo_prop
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy velo_pol_ikev2
 proposal velo_prop
!
crypto ikev2 keyring velo_key
 peer ALL
  address 24.5.2.39
  pre-shared-key local vmware1234
  pre-shared-key remote vmware1234
 !
!
!
crypto ikev2 profile velo_profile_ikev2
 match identity remote address 24.5.2.39 255.255.255.255
 identity local address 184.1.2.212
 authentication remote pre-share
 authentication local pre-share
 keyring local velo_key
 dpd 20 3 on-demand
!
!
!
crypto ipsec transform-set velo_ts esp-aes 256 esp-sha256-hmac
 mode transport
!
!
crypto ipsec profile velo_ipsec_profile
 set transform-set velo_ts
 set ikev2-profile velo_profile_ikev2
!
!
!
!
!
!
interface Tunnel1
 ip address 169.254.80.5 255.255.255.252
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 24.5.2.39
 tunnel protection ipsec profile velo_ipsec_profile
!
interface Ethernet0/0
 ip address 184.1.2.212 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 ip address 10.102.2.1 255.255.255.0
 duplex auto
!
interface Ethernet0/2
 no ip address
 shutdown
 duplex auto
!
interface Ethernet0/3
 no ip address
 shutdown
 duplex auto
!
router bgp 65101
 bgp log-neighbor-changes
 network 10.102.2.0 mask 255.255.255.0
 neighbor 169.254.80.6 remote-as 65123
 neighbor 169.254.80.6 send-community both
 neighbor 169.254.80.6 soft-reconfiguration inbound
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 184.1.2.1
!
ipv6 ioam timestamp
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
ntp server 34.202.215.187
ntp server pool.ntp.org
!
end
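The two configurations above have to agree with each other in several places at once (IKEv2 keyring peer, IKEv2 profile match identity, tunnel destination, the tunnel /30 and the BGP neighbor inside it), and both store the pre-shared key readable in the running config. As an added example that is not part of the original post and not Cisco or VMware tooling, here is a small Python checker that parses IOS `show run` text of this shape and cross-checks those fields. The embedded sample is a trimmed copy of the R-IPSec1 values, constructed here so the script runs offline; the rule set in `check_config` and the wording of its findings are my own assumptions about what is worth validating.

```python
"""Consistency and key-hygiene checks for an IOS IKEv2/IPsec VTI + BGP peer.

Added example (not from the original post). It parses `show run` style text,
then checks that the IKEv2 keyring peer, IKEv2 profile identity match, tunnel
destination, tunnel /30 and BGP neighbor all agree, flags weak IKEv2 proposal
values, and flags pre-shared keys that are not stored as type 6 (AES encrypted).
"""
import ipaddress
import re

# Constructed sample: trimmed copy of the R-IPSec1 values from the post.
SAMPLE_CONFIG = """\
no service password-encryption
crypto ikev2 proposal velo_prop
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring velo_key
 peer ALL
  address 24.5.2.39
  pre-shared-key local vmware1234
  pre-shared-key remote vmware1234
crypto ikev2 profile velo_profile_ikev2
 match identity remote address 24.5.2.39 255.255.255.255
 identity local address 98.1.2.212
 keyring local velo_key
crypto ipsec transform-set velo_ts esp-aes 256 esp-sha256-hmac
 mode transport
interface Tunnel1
 ip address 169.254.80.1 255.255.255.252
 tunnel destination 24.5.2.39
 tunnel protection ipsec profile velo_ipsec_profile
router bgp 65100
 neighbor 169.254.80.2 remote-as 65123
"""

# Proposal values this checker treats as weak (assumption: a conservative list).
WEAK_PROPOSAL_VALUES = {"des", "3des", "md5", "sha1", "1", "2", "5"}


def parse_ios_config(text):
    """Walk the config once; top-level lines open a section, indented lines belong to it."""
    facts = {"keyring_peers": [], "profile_peers": [], "tunnels": [],
             "bgp_neighbors": [], "plaintext_psks": 0, "proposal": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # new top-level section
            section = line
            if line.startswith("interface Tunnel"):
                facts["tunnels"].append({"name": line.split()[1]})
            continue
        s = line.strip()
        if section.startswith("crypto ikev2 keyring"):
            m = re.match(r"address (\S+)$", s)
            if m:
                facts["keyring_peers"].append(m.group(1))
            m = re.match(r"pre-shared-key (?:local|remote) (\S+)", s)
            # Type 6 keys appear as "pre-shared-key local 6 <blob>"; anything else is readable.
            if m and m.group(1) != "6":
                facts["plaintext_psks"] += 1
        elif section.startswith("crypto ikev2 profile"):
            m = re.match(r"match identity remote address (\S+) (\S+)", s)
            if m:
                facts["profile_peers"].append(m.group(1))
        elif section.startswith("crypto ikev2 proposal"):
            key, _, value = s.partition(" ")     # encryption / integrity / group
            facts["proposal"][key] = value
        elif section.startswith("interface Tunnel"):
            tun = facts["tunnels"][-1]
            m = re.match(r"ip address (\S+) (\S+)", s)
            if m:
                tun["iface"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            m = re.match(r"tunnel destination (\S+)", s)
            if m:
                tun["dest"] = m.group(1)
        elif section.startswith("router bgp"):
            m = re.match(r"neighbor (\S+) remote-as \d+", s)
            if m:
                facts["bgp_neighbors"].append(m.group(1))
    return facts


def check_config(facts):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    keyring_peers = set(facts["keyring_peers"])
    if keyring_peers != set(facts["profile_peers"]):
        findings.append("IKEv2 keyring peer address and profile 'match identity remote address' disagree")
    for tun in facts["tunnels"]:
        if tun.get("dest") not in keyring_peers:
            findings.append(f"{tun['name']} destination {tun.get('dest')} has no matching keyring peer")
        net = tun["iface"].network
        if net.prefixlen != 30:
            findings.append(f"{tun['name']} uses /{net.prefixlen}, expected a /30 point-to-point")
        if not any(ipaddress.ip_address(n) in net for n in facts["bgp_neighbors"]):
            findings.append(f"no BGP neighbor falls inside {tun['name']} subnet {net}")
    for key, value in facts["proposal"].items():
        if value.lower() in WEAK_PROPOSAL_VALUES:
            findings.append(f"weak IKEv2 proposal setting: {key} {value}")
    if facts["plaintext_psks"]:
        findings.append(f"{facts['plaintext_psks']} pre-shared-key value(s) stored readable; "
                        "use 'key config-key password-encryption' and 'password encryption aes' (type 6)")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_ios_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the readable pre-shared key; change the BGP neighbor to 169.254.80.6 (R-IPSec2's value) while keeping R-IPSec1's tunnel /30 and the subnet check fires, which is exactly the kind of copy-and-paste slip this cross-check is meant to catch.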
