Introduction
This document describes the basic set of configurations used to bring up Overlay Transport Virtualization (OTV) with IPsec encryption. Encryption over OTV does not require any additional configuration on the OTV side; you only need to understand how OTV and IPsec coexist.
In order to add encryption over OTV, you add an Encapsulating Security Payload (ESP) header on top of the OTV PDU. You can achieve this on the ASR1000 Edge Devices (ED) in two ways: (i) IPsec with crypto maps (ii) GETVPN. This document shows the crypto map option. Note that the crypto settings used in this lab (ISAKMP hash md5, the pre-shared key cisco, esp-md5-hmac, and an ISAKMP policy that sets neither encryption nor a DH group, so the IOS defaults of DES and group 1 apply) are for demonstration only. A production deployment should use AES (for example encryption aes 256 and esp-aes 256), SHA-2 (hash sha256 and esp-sha256-hmac), DH group 14 or stronger, and either a long random pre-shared key or certificate authentication.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- ASR1000 routers for Edge Devices (ED)
- Core (ISP Cloud)
- Catalyst 2960 switches as the access switch on either site
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
This document assumes that you know the basic functionality and configuration of OTV.
You can also follow these documents for the same:
Configure
Network Diagram

Configurations
Site A: ED Configurations:
Site_A_1#show run
Building configuration...
otv site bridge-domain 99
!
otv site-identifier 0000.0000.0001
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 30.0.0.1
crypto isakmp key cisco address 40.0.0.1
!
crypto ipsec transform-set tset esp-aes esp-md5-hmac
mode tunnel
!
crypto map cmap 1 ipsec-isakmp
set peer 30.0.0.1
set transform-set tset
match address cryptoacl
crypto map cmap 3 ipsec-isakmp
set peer 40.0.0.1
set transform-set tset
match address cryptoacl3
!
interface Overlay99
no ip address
otv join-interface GigabitEthernet0/0/1
otv adjacency-server unicast-only
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet0/0/0
no ip address
service instance 99 ethernet
encapsulation dot1q 99
bridge-domain 99
!
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0
crypto map cmap
!
ip access-list extended cryptoacl
permit gre host 10.0.0.1 host 30.0.0.1
ip access-list extended cryptoacl3
permit gre host 10.0.0.1 host 40.0.0.1
Site_A_2#show run
Building configuration...
otv site bridge-domain 99
!
otv site-identifier 0000.0000.0001
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 30.0.0.1
crypto isakmp key cisco address 40.0.0.1
!
crypto ipsec transform-set tset esp-aes esp-md5-hmac
mode tunnel
!
crypto map cmap 2 ipsec-isakmp
set peer 30.0.0.1
set transform-set tset
match address cryptoacl2
crypto map cmap 3 ipsec-isakmp
set peer 40.0.0.1
set transform-set tset
match address cryptoacl3
!
interface Overlay99
no ip address
otv join-interface GigabitEthernet0/0/1
otv use-adjacency-server 10.0.0.1 30.0.0.1 unicast-only
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet0/0/0
no ip address
service instance 99 ethernet
encapsulation dot1q 99
bridge-domain 99
!
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet0/0/1
ip address 20.0.0.1 255.255.255.0
crypto map cmap
!
ip access-list extended cryptoacl2
permit gre host 20.0.0.1 host 30.0.0.1
ip access-list extended cryptoacl3
permit gre host 20.0.0.1 host 40.0.0.1
Site B: ED Configurations:
Site_B_1#sh run
Building configuration...
otv site bridge-domain 99
!
otv site-identifier 0000.0000.0002
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 10.0.0.1
crypto isakmp key cisco address 20.0.0.1
!
crypto ipsec transform-set tset esp-aes esp-md5-hmac
mode tunnel
!
crypto map cmap 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set tset
match address cryptoacl
crypto map cmap 2 ipsec-isakmp
set peer 20.0.0.1
set transform-set tset
match address cryptoacl2
!
interface Overlay99
no ip address
otv join-interface GigabitEthernet1/0/2
otv use-adjacency-server 10.0.0.1 unicast-only
otv adjacency-server unicast-only
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet1/0/3
no ip address
service instance 99 ethernet
encapsulation dot1q 99
bridge-domain 99
!
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet1/0/2
ip address 30.0.0.1 255.255.255.0
crypto map cmap
!
ip access-list extended cryptoacl
permit gre host 30.0.0.1 host 10.0.0.1
ip access-list extended cryptoacl2
permit gre host 30.0.0.1 host 20.0.0.1
Site_B_2#sh run
Building configuration...
otv site bridge-domain 99
!
otv site-identifier 0000.0000.0002
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 10.0.0.1
crypto isakmp key cisco address 20.0.0.1
!
crypto ipsec transform-set tset esp-aes esp-md5-hmac
mode tunnel
!
crypto map cmap 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set tset
match address cryptoacl
crypto map cmap 2 ipsec-isakmp
set peer 20.0.0.1
set transform-set tset
match address cryptoacl2
!
interface Overlay99
no ip address
otv join-interface GigabitEthernet2/2/0
otv use-adjacency-server 10.0.0.1 30.0.0.1 unicast-only
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet2/2/1
no ip address
service instance 99 ethernet
encapsulation dot1q 99
bridge-domain 99
!
service instance 100 ethernet
encapsulation dot1q 100
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 101
bridge-domain 101
!
!
interface GigabitEthernet2/2/0
ip address 40.0.0.1 255.255.255.0
crypto map cmap
!
ip access-list extended cryptoacl
permit gre host 40.0.0.1 host 10.0.0.1
ip access-list extended cryptoacl2
permit gre host 40.0.0.1 host 20.0.0.1
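Before you move to verification, it is worth checking the four configurations above for the two things that most often keep a crypto map SA from ever forming: a peer with no ISAKMP key, and a crypto ACL that is not the exact mirror image of the peer's ACL. The script below is an added example and is not part of the original document or of Cisco's tooling. It parses a constructed, crypto-only excerpt of the Site_A_1 and Site_B_1 configurations from this page (the 10.0.0.1 to 30.0.0.1 tunnel), checks key presence and ACL symmetry, and also flags the lab-grade settings this page uses (MD5 hashes, a short pre-shared key, and an ISAKMP policy that inherits the IOS defaults of DES and DH group 1). The parser only understands the stanza shapes that appear on this page; it is not a general IOS configuration parser.

```python
from collections import defaultdict

# Constructed input: crypto-relevant lines copied from the page's Site_A_1 and
# Site_B_1 configurations (the 10.0.0.1 <-> 30.0.0.1 tunnel only).
CONFIGS = {
    "Site_A_1": """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 30.0.0.1
crypto ipsec transform-set tset esp-aes esp-md5-hmac
crypto map cmap 1 ipsec-isakmp
 set peer 30.0.0.1
 set transform-set tset
 match address cryptoacl
ip access-list extended cryptoacl
 permit gre host 10.0.0.1 host 30.0.0.1
""",
    "Site_B_1": """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.0.0.1
crypto ipsec transform-set tset esp-aes esp-md5-hmac
crypto map cmap 1 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set tset
 match address cryptoacl
ip access-list extended cryptoacl
 permit gre host 30.0.0.1 host 10.0.0.1
""",
}
# Join-interface address of each ED, from the page's configurations.
JOIN_ADDR = {"Site_A_1": "10.0.0.1", "Site_B_1": "30.0.0.1"}


def parse(text):
    """Minimal parser for the crypto stanzas used on this page (not general IOS)."""
    cfg = {"policy": {}, "keys": {}, "transforms": [], "maps": [], "acls": defaultdict(list)}
    ctx = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy",)
        elif w[:3] == ["crypto", "isakmp", "key"]:          # crypto isakmp key KEY address ADDR
            cfg["keys"][w[5]] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:  # ... NAME TRANSFORM [TRANSFORM]
            cfg["transforms"] = w[4:]
        elif w[:2] == ["crypto", "map"]:
            cfg["maps"].append({"peer": None, "acl": None})
            ctx = ("map",)
        elif w[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", w[3])
        elif ctx == ("policy",):
            cfg["policy"][w[0]] = " ".join(w[1:])
        elif ctx == ("map",) and w[:2] == ["set", "peer"]:
            cfg["maps"][-1]["peer"] = w[2]
        elif ctx == ("map",) and w[:2] == ["match", "address"]:
            cfg["maps"][-1]["acl"] = w[2]
        elif ctx and ctx[0] == "acl" and w[0] == "permit":   # permit PROTO host SRC host DST
            cfg["acls"][ctx[1]].append((w[1], w[3], w[5]))
    return cfg


def peer_problems(configs, join_addr):
    """Return (ed, peer, issue) tuples for missing ISAKMP keys or non-mirrored crypto ACLs."""
    by_addr = {addr: name for name, addr in join_addr.items()}
    problems = []
    for name, cfg in configs.items():
        for m in cfg["maps"]:
            if m["peer"] not in cfg["keys"]:
                problems.append((name, m["peer"], "no isakmp key for peer"))
            peer = by_addr.get(m["peer"])
            if peer is None:
                continue  # peer ED not included in this sample
            # The peer's map entry that points back at us must permit the reversed flows.
            back = [pm for pm in configs[peer]["maps"] if pm["peer"] == join_addr[name]]
            theirs = set(configs[peer]["acls"][back[0]["acl"]]) if back else set()
            mirror = {(proto, dst, src) for proto, src, dst in cfg["acls"][m["acl"]]}
            if not mirror <= theirs:
                problems.append((name, m["peer"], "crypto ACL not mirrored on peer"))
    return problems


def weak_settings(cfg):
    """Flag lab-grade choices; an IOS ISAKMP policy defaults to DES, SHA-1 and DH group 1."""
    pol, findings = cfg["policy"], []
    if pol.get("hash") == "md5":
        findings.append("isakmp hash md5")
    if "encryption" not in pol:
        findings.append("isakmp encryption unset (defaults to des)")
    if "group" not in pol:
        findings.append("isakmp group unset (defaults to group 1)")
    findings += ["transform " + t for t in cfg["transforms"] if "md5" in t or t.endswith("des")]
    findings += [f"short pre-shared key for {a}" for a, k in cfg["keys"].items() if len(k) < 16]
    return findings


if __name__ == "__main__":
    parsed = {n: parse(t) for n, t in CONFIGS.items()}
    print("peer problems:", peer_problems(parsed, JOIN_ADDR))
    for n, c in parsed.items():
        print(n, "weak settings:", weak_settings(c))
```

On the page's configurations the symmetry check comes back clean and the weakness check lists the MD5 hash, the unset encryption and group, the esp-md5-hmac transform and the short key for every ED. To extend the check to the full dual-homed mesh, paste the other two EDs into CONFIGS and add their join addresses to JOIN_ADDR; a peer that is not in JOIN_ADDR is skipped rather than reported.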
Verify
Use this section in order to confirm that your configuration works properly.
- Check that the MAC addresses of the hosts in the internal VLANs (in this case the SVIs on the Catalyst 2960 switches) have been learnt in the OTV route table.
- Check that crypto encapsulation and decapsulation are performed for the Overlay (OTV) traffic.
Once OTV comes up after you configure the crypto map on the join interface, check which ED is the Authoritative Edge Device (AED), that is the active forwarder, for the local VLANs (in this case VLAN 100 and 101). The output shows that Site_A_1 and Site_B_2 are the active forwarders for the even VLANs. This matters because the encryption test uses pings from VLAN 100 on Site A to VLAN 100 on Site B, so those two EDs are the ones on which the encrypt and decrypt counters are expected to move:
Site_A_1#show otv vlan
Key:  SI - Service Instance, NA - Non AED, NFC - Not Forward Capable.
Overlay 99 VLAN Configuration Information
 Inst VLAN  BD    Auth ED     State          Site If(s)
 0    100   100   *Site_A_1   active         Gi0/0/0:SI100
 0    101   101   Site_A_2    inactive(NA)   Gi0/0/0:SI101
 0    200   200   *Site_A_1   active         Gi0/0/0:SI200
 0    201   201   Site_A_2    inactive(NA)   Gi0/0/0:SI201
 Total VLAN(s): 4
Site_B_2#show otv vlan
Key:  SI - Service Instance, NA - Non AED, NFC - Not Forward Capable.
Overlay 99 VLAN Configuration Information
 Inst VLAN  BD    Auth ED     State          Site If(s)
 0    100   100   *Site_B_2   active         Gi2/2/1:SI100
 0    101   101   Site_B_1    inactive(NA)   Gi2/2/1:SI101
 0    200   200   *Site_B_2   active         Gi2/2/1:SI200
 0    201   201   Site_B_1    inactive(NA)   Gi2/2/1:SI201
 Total VLAN(s): 4
In order to check that the packets are indeed encapsulated and decapsulated on each ED, first confirm that the IPsec session is active, then compare the counters in the crypto sessions before and after a test. A crypto map SA is negotiated only when interesting traffic flows (here, the OTV GRE packets between the join interfaces), so an ACTIVE entry in show crypto isakmp sa already tells you that OTV traffic has triggered the tunnel. Only the outputs for the active forwarders are shown here, but every ED must show ACTIVE for OTV over encryption to work.
Site_A_1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        30.0.0.1        QM_IDLE           1008 ACTIVE
10.0.0.1        40.0.0.1        QM_IDLE           1007 ACTIVE
Site_B_2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.0.0.1        40.0.0.1        QM_IDLE           1007 ACTIVE
10.0.0.1        40.0.0.1        QM_IDLE           1006 ACTIVE
Now, in order to confirm that the packets are encrypted and decrypted, you first need to know what to expect in the output of show crypto session detail. When you initiate an ICMP echo from the switch Sw_A towards Sw_B, this is expected:
- When the ICMP echo leaves the Site_A_1 ED, which is the active forwarder for VLAN 100 at Site A, that ED encapsulates the OTV payload (ICMP echo + MPLS + GRE) in ESP, so its enc'ed counter increments.
- When the ICMP echo reaches the Site_B_2 ED, which is the active forwarder for VLAN 100 at Site B, that ED decapsulates the ESP packet and then the OTV payload (ICMP echo + MPLS + GRE), so its dec'ed counter increments.
- When the Site_B_2 ED receives the ICMP echo reply from Sw_B, it again encapsulates the OTV payload (ICMP echo reply + MPLS + GRE), so its enc'ed counter increments.
- When the ICMP echo reply reaches the Site_A_1 ED, that ED again decapsulates the OTV payload (ICMP echo reply + MPLS + GRE), so its dec'ed counter increments.
After five successful pings from Sw_A to Sw_B, expect the enc'ed and dec'ed counters in the show crypto session detail output to each increase by 5 on both active forwarder EDs, on the SA between those two EDs, with no increase in the drop counters.
Now check the counters on the EDs before and after the ping:
Site_A_1(config-if)#do show crypto session detail | section enc
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3345
Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4607998/3291 <<<< 10 counter before ping
Site_A_1(config-if)#do show crypto session detail | section dec
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3343
Inbound: #pkts dec'ed 18 drop 0 life (KB/Sec) 4607997/3289 <<<< 18 counter before ping
Site_B_2(config-if)#do show crypto session detail | section enc
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
Outbound: #pkts enc'ed 18 drop 0 life (KB/Sec) 4607997/3295 <<<< 18 counter before ping
Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4607999/3295
Site_B_2(config-if)#do show crypto session detail | section dec
Inbound: #pkts dec'ed 10 drop 0 life (KB/Sec) 4607998/3293 <<<< 10 counter before ping
Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4607999/3293
Sw_A(config)#do ping 192.168.10.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/10 ms
Sw_A(config)#
Site_A_1(config-if)#do show crypto session detail | section enc
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3339
Outbound: #pkts enc'ed 15 drop 0 life (KB/Sec) 4607997/3284 <<<< 15 counter after ping (After ICMP Echo)
Site_A_1(config-if)#do show crypto session detail | section dec
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3338
Inbound: #pkts dec'ed 23 drop 0 life (KB/Sec) 4607997/3283 <<<< 23 counter after ping (After ICMP Echo Reply)
Site_B_2(config-if)#do show crypto session detail | section enc
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
Outbound: #pkts enc'ed 23 drop 0 life (KB/Sec) 4607997/3282 <<<< 23 counter after ping (After ICMP Echo Reply)
Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4607999/3282
Site_B_2(config-if)#do show crypto session detail | section dec
Inbound: #pkts dec'ed 15 drop 0 life (KB/Sec) 4607997/3281 <<<< 15 counter after ping (After ICMP Echo)
Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4607999/3281
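Reading the four before/after outputs by eye works once; it does not scale to a mesh of EDs or to a change window. The script below is an added example, not part of the original document, that turns the expectation stated above (each active forwarder's enc'ed and dec'ed counters grow by the ping count on exactly the SA between the two forwarders, with no drops) into a pass/fail check. SNAPSHOTS holds the counter lines copied from the page's outputs for Site_A_1 and Site_B_2; the `show crypto session detail | section` banner lines are omitted since they carry no counters. Because `| section enc` strips the peer identity from the output, the cross-ED check compares totals: what the sender encrypted must equal what the receiver decrypted, in both directions.

```python
import re

# One counter line of 'show crypto session detail' per SA and direction.
COUNTER = re.compile(r"#pkts (enc|dec)'ed (\d+) drop (\d+)")

# Constructed input: the counter lines copied from this page, before and after
# the five pings from Sw_A (VLAN 100) to Sw_B (VLAN 100).
SNAPSHOTS = {
    "Site_A_1": {
        "before": """
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3345
Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4607998/3291
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3343
Inbound: #pkts dec'ed 18 drop 0 life (KB/Sec) 4607997/3289
""",
        "after": """
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3339
Outbound: #pkts enc'ed 15 drop 0 life (KB/Sec) 4607997/3284
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3338
Inbound: #pkts dec'ed 23 drop 0 life (KB/Sec) 4607997/3283
""",
    },
    "Site_B_2": {
        "before": """
Outbound: #pkts enc'ed 18 drop 0 life (KB/Sec) 4607997/3295
Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4607999/3295
Inbound: #pkts dec'ed 10 drop 0 life (KB/Sec) 4607998/3293
Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4607999/3293
""",
        "after": """
Outbound: #pkts enc'ed 23 drop 0 life (KB/Sec) 4607997/3282
Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4607999/3282
Inbound: #pkts dec'ed 15 drop 0 life (KB/Sec) 4607997/3281
Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4607999/3281
""",
    },
}


def parse_counters(output):
    """Return [(direction, packets, drops), ...] in the order the SAs are printed."""
    return [(m.group(1), int(m.group(2)), int(m.group(3))) for m in COUNTER.finditer(output)]


def deltas(before, after):
    """Per-SA (direction, packet delta, drop delta); refuses to compare if the SA
    list changed between the two snapshots (a rekey or a new peer would do that)."""
    b, a = parse_counters(before), parse_counters(after)
    if [x[0] for x in a] != [x[0] for x in b]:
        raise ValueError("SA list changed between snapshots; take both again")
    return [(d, pa - pb, da - db) for (d, pb, db), (_, pa, da) in zip(b, a)]


def verify_ping(before, after, count=5):
    """Pass when at least one outbound SA and at least one inbound SA grew by at
    least `count` packets and no SA recorded new drops. 'At least' rather than
    'exactly' because on a live overlay the OTV IS-IS hellos ride the same SAs."""
    ds = deltas(before, after)
    enc = [p for d, p, _ in ds if d == "enc"]
    dec = [p for d, p, _ in ds if d == "dec"]
    drops = sum(dr for _, _, dr in ds)
    ok = any(p >= count for p in enc) and any(p >= count for p in dec) and drops == 0
    return {"ok": ok, "enc": enc, "dec": dec, "drops": drops}


def verify_exchange(snaps, sender, receiver, count=5):
    """Both EDs pass on their own, and the sender's total encrypt delta equals the
    receiver's total decrypt delta in each direction: nothing encrypted went missing."""
    s = verify_ping(snaps[sender]["before"], snaps[sender]["after"], count)
    r = verify_ping(snaps[receiver]["before"], snaps[receiver]["after"], count)
    matched = sum(s["enc"]) == sum(r["dec"]) and sum(s["dec"]) == sum(r["enc"])
    return s["ok"] and r["ok"] and matched


if __name__ == "__main__":
    for ed, snap in SNAPSHOTS.items():
        print(ed, verify_ping(snap["before"], snap["after"]))
    print("exchange ok:", verify_exchange(SNAPSHOTS, "Site_A_1", "Site_B_2"))
```

On the page's data the script reports enc deltas of [0, 5] and dec deltas of [0, 5] on Site_A_1, [5, 0] and [5, 0] on Site_B_2, and an exchange that passes. If the receiver's decrypt counter does not move while the sender's encrypt counter does, the failure is between the EDs (the ESP packets are leaving but not arriving or not being accepted), which is a different troubleshooting path from an OTV adjacency or AED problem.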
This configuration guide conveys the configuration required to run IPsec crypto maps over a dual-homed OTV setup with a unicast core, together with the checks that show the OTV traffic is actually being encrypted and decrypted.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.