BGP over IPSec between VMware SD-WAN Edge and Cisco IOS

IPSec Status of R-IPSec1 and R-IPSec2

R-IPSec1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         98.1.2.212/4500       24.5.2.39/20001       none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/60082 sec

 IPv6 Crypto IKEv2  SA

R-IPSec1#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 98.1.2.212

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 24.5.2.39 port 20001
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2644905, #pkts encrypt: 2644905, #pkts digest: 2644905
    #pkts decaps: 2702789, #pkts decrypt: 2702789, #pkts verify: 2702789
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 98.1.2.212, remote crypto endpt.: 24.5.2.39
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x9083DD51(2424560977)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x7910D585(2031146373)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 148, flow_id: SW:148, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4255655/3183)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9083DD51(2424560977)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 147, flow_id: SW:147, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4255655/3183)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R-IPSec1#
R-IPSec2#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         184.1.2.212/4500      24.5.2.39/20001       none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/60137 sec

 IPv6 Crypto IKEv2  SA

R-IPSec2#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 184.1.2.212

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 24.5.2.39 port 20001
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2696208, #pkts encrypt: 2696208, #pkts digest: 2696208
    #pkts decaps: 2635720, #pkts decrypt: 2635720, #pkts verify: 2635720
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 184.1.2.212, remote crypto endpt.: 24.5.2.39
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xF2646860(4066666592)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD6535A7A(3595786874)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 148, flow_id: SW:148, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4328086/2072)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF2646860(4066666592)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 147, flow_id: SW:147, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4328086/2072)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R-IPSec2#
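The two outputs above are what a defender reads by hand to confirm the tunnel is healthy and sanely configured: the IKEv2 SA is READY with AES-256-CBC, SHA256, DH group 14 and PSK authentication; both ESP SAs are ACTIVE with replay detection on and UDP encapsulation (NAT-T, hence the /4500 local port); and PFS is off. The Python below is an added example, not part of the original post and not a VMware or Cisco tool: it parses an abbreviated copy of the R-IPSec1 output and turns those reading-by-eye checks into an audit. The thresholds it applies (AES with a 256-bit key, DH group 14 or higher, PFS on, ESP SAs in both directions, no DES/3DES/MD5/SHA-1 transforms) are this example's own policy assumptions.

```python
import re

# Constructed sample input: an abbreviated copy of the R-IPSec1 output above
# (the IKEv2 SA table and the ESP SA part of "show crypto ipsec sa").
IKEV2_SA_OUTPUT = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         98.1.2.212/4500       24.5.2.39/20001       none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/60082 sec
"""

IPSEC_SA_OUTPUT = """\
interface: Tunnel1
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x7910D585(2031146373)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x9083DD51(2424560977)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""

IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
IKE_PARAMS = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),\s*PRF:\s*(?P<prf>\w+),"
    r"\s*Hash:\s*(?P<hash>\w+),\s*DH Grp:\s*(?P<dh>\d+),\s*Auth sign:\s*(?P<auth>\w+)")
LEGACY_TRANSFORM = re.compile(r"esp-(des|3des|md5-hmac|sha-hmac)\b")   # DES/3DES/MD5/SHA-1


def parse_ikev2_sa(text):
    """One dict per IKEv2 SA row, merged with the Encr/PRF/DH line printed under it."""
    sas, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = IKE_ROW.match(line)
        if not m:
            continue
        tid, local, remote, vrf, status = m.groups()
        sa = {"tunnel_id": int(tid), "local": local, "remote": remote, "vrf": vrf, "status": status}
        for follow in lines[i + 1:i + 3]:            # parameters sit on the lines below the row
            p = IKE_PARAMS.search(follow)
            if p:
                sa.update(p.groupdict())
                sa["keysize"], sa["dh"] = int(sa["keysize"]), int(sa["dh"])
        sas.append(sa)
    return sas


def parse_ipsec_sa(text):
    """PFS flag plus one dict per ESP SA direction from 'show crypto ipsec sa'."""
    result, cur = {"pfs": None, "esp": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PFS (Y/N):"):
            result["pfs"] = line.split(":", 1)[1].strip().startswith("Y")
        elif re.match(r"(inbound|outbound) (ah|pcp) sas:", line):
            cur = None                                # AH/IPComp SAs are not tracked here
        elif re.match(r"(inbound|outbound) esp sas:", line):
            cur = {"direction": line.split()[0]}
            result["esp"].append(cur)
        elif cur is not None:
            if line.startswith("spi:"):
                cur["spi"] = line.split()[1].split("(")[0]
            elif line.startswith("transform:"):
                cur["transform"] = line[len("transform:"):].strip(" ,")
            elif line.startswith("in use settings"):
                cur["udp_encaps"] = "UDP-Encaps" in line    # NAT-T in use
            elif line.startswith("replay detection support:"):
                cur["replay"] = line.endswith("Y")
            elif line.startswith("Status:"):
                cur["status"] = line.split(None, 1)[1]
    return result


def audit_tunnel(ike_sas, ipsec):
    """Findings a defender would raise on this tunnel; an empty list means every check passed."""
    if not ike_sas:
        return ["no IKEv2 SA present"]
    findings = []
    for sa in ike_sas:
        tag = f"IKEv2 SA {sa['tunnel_id']} to {sa['remote']}"
        if sa["status"] != "READY":
            findings.append(f"{tag} is {sa['status']}, not READY")
        if not sa.get("encr", "").startswith("AES") or sa.get("keysize", 0) < 256:
            findings.append(f"{tag}: encryption {sa.get('encr')}/{sa.get('keysize')} is below AES-256")
        if sa.get("dh", 0) < 14:
            findings.append(f"{tag}: DH group {sa.get('dh')} is below group 14")
    if ipsec["pfs"] is False:   # child SA keys come from the IKE SA with no fresh DH exchange
        findings.append("PFS (Y/N): N, child SA keys are derived without a fresh DH exchange")
    if {e["direction"] for e in ipsec["esp"]} != {"inbound", "outbound"}:
        findings.append("ESP SAs are not present in both directions")
    for esp in ipsec["esp"]:
        tag = f"{esp['direction']} ESP SA {esp.get('spi')}"
        if not esp.get("status", "").startswith("ACTIVE"):
            findings.append(f"{tag} is {esp.get('status')}, not ACTIVE")
        if not esp.get("replay"):
            findings.append(f"{tag}: replay detection disabled")
        if LEGACY_TRANSFORM.search(esp.get("transform", "")):
            findings.append(f"{tag}: legacy transform {esp['transform']}")
    return findings


if __name__ == "__main__":
    for f in audit_tunnel(parse_ikev2_sa(IKEV2_SA_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)):
        print("FINDING:", f)
```

Run against the output shown above, the audit returns exactly one finding, the PFS (Y/N): N line; every other check passes. Treat the thresholds as a starting point to adapt to your own crypto policy, and run the same parser on both routers, since R-IPSec2 shows the same settings.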

BGP status of R-IPSec1 and R-IPSec2

R-IPSec1#show ip bgp summary
BGP router identifier 169.254.80.1, local AS number 65100
BGP table version is 70, main routing table version 70
5 network entries using 720 bytes of memory
5 path entries using 420 bytes of memory
3/3 BGP path/bestpath attribute entries using 480 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1668 total bytes of memory
BGP activity 16/11 prefixes, 37/32 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.80.2    4        65123  144782  152103       70    0    0 2w2d            4
R-IPSec1#show ip bgp
BGP table version is 70, local router ID is 169.254.80.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.101.1.0/24    0.0.0.0                  0         32768 i
 *>   10.102.2.0/24    169.254.80.2                           0 65123 65101 i
 *>   24.17.0.53/32    169.254.80.2             0             0 65123 ?
 *>   192.168.7.0      169.254.80.2             0             0 65123 ?
 *>   192.168.7.253/32 169.254.80.2             0             0 65123 ?
R-IPSec1#
R-IPSec2#show ip bgp summary
BGP router identifier 184.1.2.212, local AS number 65101
BGP table version is 64, main routing table version 64
5 network entries using 720 bytes of memory
5 path entries using 420 bytes of memory
3/3 BGP path/bestpath attribute entries using 480 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1668 total bytes of memory
BGP activity 17/12 prefixes, 34/29 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.80.6    4        65123  195984  205878       64    0    0 3w1d            4
R-IPSec2#show ip bgp
BGP table version is 64, local router ID is 184.1.2.212
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.101.1.0/24    169.254.80.6                           0 65123 65100 i
 *>   10.102.2.0/24    0.0.0.0                  0         32768 i
 *>   24.17.0.53/32    169.254.80.6             0             0 65123 ?
 *>   192.168.7.0      169.254.80.6             0             0 65123 ?
 *>   192.168.7.253/32 169.254.80.6             0             0 65123 ?
R-IPSec2#
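The BGP tables above show one eBGP session per router to AS 65123, Established (the State/PfxRcd column holds a number, 4, rather than an FSM state) with four prefixes learned over the tunnel. The Python below is an added example, not part of the original post, that parses the R-IPSec1 summary and table and checks what a defender cares about on a session like this: the neighbour is Established with the expected peer AS, the number of learned routes matches PfxRcd, every learned AS path starts with the peer AS, and every learned prefix falls inside a prefix allow-list. The peer AS and the allow-list are hypothetical policy values chosen for this example; the allow-list deliberately omits 24.17.0.53/32 so that the audit produces one finding. It also handles the IOS habit of printing classful networks without a mask (192.168.7.0 above means /24).

```python
import ipaddress
import re

# Constructed sample input: the neighbor table from R-IPSec1's "show ip bgp summary"
# and its "show ip bgp" table, copied from the output above.
BGP_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.80.2    4        65123  144782  152103       70    0    0 2w2d            4
"""

BGP_TABLE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.101.1.0/24    0.0.0.0                  0         32768 i
 *>   10.102.2.0/24    169.254.80.2                           0 65123 65101 i
 *>   24.17.0.53/32    169.254.80.2             0             0 65123 ?
 *>   192.168.7.0      169.254.80.2             0             0 65123 ?
 *>   192.168.7.253/32 169.254.80.2             0             0 65123 ?
"""

# Hypothetical policy (an assumption of this example): the SD-WAN peer is AS 65123
# and may only announce prefixes inside these aggregates. 24.17.0.53/32 is left out
# on purpose so that audit_bgp() below produces a finding.
EXPECTED_PEER_AS = 65123
ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in ("10.102.2.0/24", "192.168.7.0/24")]


def parse_bgp_summary(text):
    """Neighbor rows of 'show ip bgp summary'. The last column is a prefix count once the
    session is Established and the FSM state (Idle, Active, ...) otherwise."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        t = line.split()
        state = " ".join(t[9:])                          # "4", "Active", "Idle (Admin)"
        rows.append({"neighbor": t[0], "as": int(t[2]), "up_down": t[8],
                     "established": state.isdigit(),
                     "state": "Established" if state.isdigit() else state,
                     "pfx_rcvd": int(state) if state.isdigit() else 0})
    return rows


def classful_network(net):
    """IOS omits the mask on classful networks (192.168.7.0 means 192.168.7.0/24)."""
    if "/" not in net:
        first = int(net.split(".")[0])
        net += "/8" if first < 128 else "/16" if first < 192 else "/24"
    return ipaddress.ip_network(net, strict=False)


def parse_bgp_table(text):
    """Routes from 'show ip bgp'. Metric and LocPrf may be blank, so the Path column is
    located by position: any token ending right of the header's Weight column is part
    of the path (IOS prints values one column right of the header, hence the slack)."""
    lines = text.splitlines()
    header = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Network"))
    weight_end = lines[header].index("Weight") + len("Weight")
    routes = []
    for line in lines[header + 1:]:
        m = re.match(r"^\s*(?P<codes>[^\d\s]*)\s*(?P<net>\d[\d./]*)\s+(?P<nh>\S+)", line)
        if not m:
            continue
        tail = [t.group() for t in re.finditer(r"\S+", line) if t.end() > weight_end + 2]
        origin = tail.pop()                              # 'i', 'e' or '?'
        routes.append({"codes": m["codes"], "network": classful_network(m["net"]),
                       "next_hop": m["nh"], "origin": origin,
                       "as_path": [int(a) for a in tail if a.isdigit()]})
    return routes


def audit_bgp(neighbors, routes, peer_as=EXPECTED_PEER_AS, allowed=ALLOWED_PREFIXES):
    """Findings on session state and on what the peer announces; [] means all checks pass."""
    findings = []
    for n in neighbors:
        if not n["established"]:
            findings.append(f"neighbor {n['neighbor']} is {n['state']}, not Established")
        elif n["as"] != peer_as:
            findings.append(f"neighbor {n['neighbor']} is AS {n['as']}, expected AS {peer_as}")
    learned = [r for r in routes if r["as_path"]]        # empty AS path = locally originated
    reported = sum(n["pfx_rcvd"] for n in neighbors)
    if len(learned) != reported:
        findings.append(f"{len(learned)} learned routes in the table vs {reported} PfxRcd")
    for r in learned:
        if r["as_path"][0] != peer_as:
            findings.append(f"{r['network']}: AS path {r['as_path']} does not start with AS {peer_as}")
        if not any(r["network"].subnet_of(a) for a in allowed):
            findings.append(f"{r['network']} from AS {r['as_path'][0]} is outside the prefix allow-list")
    return findings


if __name__ == "__main__":
    for f in audit_bgp(parse_bgp_summary(BGP_SUMMARY), parse_bgp_table(BGP_TABLE)):
        print("FINDING:", f)
```

With the allow-list as written the audit reports only 24.17.0.53/32; add that host route to the list and it returns nothing. The same parsers apply unchanged to the R-IPSec2 output, where the locally originated prefix is 10.102.2.0/24 and the learned one is 10.101.1.0/24 via AS path 65123 65100.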

Conclusion

This post documented how a VMware SD-WAN Edge forms an IPSec tunnel with a Cisco IOS router and runs BGP on top of that tunnel. This is the end of this post.
