If:

- you are running Cisco SD-WAN Manager releases from SD-WAN Manager 20.15.1 to SD-WAN Manager 20.15.3, and
- you are using the IPSEC feature to configure an edge device using Cisco IOS XE Catalyst SD-WAN Release 17.12.x or earlier,

then you must also configure a command using a CLI add-on profile. This command provides backward compatibility for edge devices using Cisco IOS XE Catalyst SD-WAN Release 17.12.x or earlier. Without it, the tunnel does not operate correctly.

To do this, create the CLI add-on profile and add it to the configuration group that you are using to configure the device. In the profile, include the tunnel mode ipsec ipv4-old command.

Using the CLI add-on profile with the tunnel mode ipsec ipv4-old command is not necessary in these releases:
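As an added example that is not part of the original page or of Cisco's own tooling, the following Python code applies the release ranges stated above to decide whether a given SD-WAN Manager / IOS XE release pair needs the CLI add-on profile, and renders the profile text. The tunnel interface name is a constructed placeholder, and placing the tunnel mode command under the tunnel interface is an assumption about where it belongs in the add-on profile.

```python
"""Decide whether a CLI add-on profile carrying 'tunnel mode ipsec ipv4-old'
is required, using only the release ranges this page states.
Example code, not Cisco's."""
from typing import Tuple


def parse_release(text: str) -> Tuple[int, ...]:
    """Turn '20.15.2' or '17.12.x' into a comparable tuple ('x' counts as 0)."""
    parts = []
    for piece in text.strip().split("."):
        parts.append(0 if piece.lower() == "x" else int(piece))
    return tuple(parts)


# Manager releases that need the backward-compatibility command (inclusive).
MANAGER_AFFECTED_MIN = parse_release("20.15.1")
MANAGER_AFFECTED_MAX = parse_release("20.15.3")
# Edge devices on 17.12.x or earlier are the ones that need it.
DEVICE_LEGACY_MAX_MAJOR_MINOR = (17, 12)


def needs_ipv4_old(manager_release: str, device_release: str) -> bool:
    """True when both conditions from the page hold."""
    m = parse_release(manager_release)[:3]
    d = parse_release(device_release)[:2]
    manager_affected = MANAGER_AFFECTED_MIN <= m <= MANAGER_AFFECTED_MAX
    device_legacy = d <= DEVICE_LEGACY_MAX_MAJOR_MINOR
    return manager_affected and device_legacy


def cli_addon_profile(tunnel_interface: str = "Tunnel100") -> str:
    """Render the CLI add-on profile body.

    Assumption: the command is entered under the IPsec tunnel interface;
    'Tunnel100' is a constructed placeholder, not a value from the page."""
    return f"interface {tunnel_interface}\n tunnel mode ipsec ipv4-old\n"


def addon_profile_for(manager_release: str, device_release: str,
                      tunnel_interface: str = "Tunnel100") -> str:
    """Empty string when no add-on profile is needed, otherwise the profile."""
    if not needs_ipv4_old(manager_release, device_release):
        return ""
    return cli_addon_profile(tunnel_interface)


if __name__ == "__main__":
    for mgr, dev in [("20.15.2", "17.12.4"), ("20.15.2", "17.15.1")]:
        print(f"Manager {mgr}, device {dev}: "
              f"{'add-on needed' if needs_ipv4_old(mgr, dev) else 'not needed'}")
```

Run the check against the manager and device releases in your inventory before pushing the configuration group; a non-empty result is the text to place in the CLI add-on profile.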
Before you begin

On the page, choose SD-WAN as the solution type.

Procedure

1. From the Cisco SD-WAN Manager menu, choose .
2. Create and configure the basic IPSEC.
- Configure a basic IPsec tunnel interface.

Table 1. Basic Configuration

| Field | Description |
| --- | --- |
| Interface Name | Enter the name of the IPsec interface. |
| Description | Enter a description of the IPsec interface. |
| Tunnel Mode | Choose one of the following IPsec tunnel modes: ipv4 (IPsec tunnel with IPv4 overlay and IPv4 underlay; IPv4 underlay is the default value), ipv6 (IPsec tunnel with IPv6 overlay and IPv6 underlay), or ipv4-v6overlay (IPsec tunnel with IPv6 overlay and IPv4 underlay). |
| Multiplexing | Choose Yes to enable multiplexing, if there is a tunnel in the transport VPN. Default: No |
| Interface Address | Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list. |
| Mask | Enter the subnet mask. |
| Preshared Key for IKE | Enter the preshared key (PSK) for authentication. |
| Associated Tracker / Tracker Group | Choose a tracker or a tracker group from the drop-down list to associate with the IPsec tunnel. |
| Tunnel Source | Enter the source of the IPsec interface, either IP Address (enter the source IP address of the IPsec tunnel interface, as an IPv4 or IPv6 address based on your selection in the Tunnel Mode option; this address is on the local router) or Interface (enter the physical interface in the IPsec Source Interface field, which is the source of the IPsec tunnel). |
| Tunnel Destination | Enter the destination IP address of the IPsec tunnel interface. This address is on a remote device. Address: enter the destination IP address of the IPsec tunnel interface, as an IPv4 or IPv6 address based on your selection in the Tunnel Mode option. Application: choose an application from the drop-down list. |
- Configure Internet Key Exchange fields.

Table 2. Internet Key Exchange

| Field | Description |
| --- | --- |
| IKE Version | Enter 1 to choose IKEv1. Enter 2 to choose IKEv2. Default: IKEv1 |
| IKE Integrity Protocol | Choose one of the following modes for the exchange of keying information and setting up IKE security associations: Main (establishes an IKE SA session before starting IPsec negotiations) or Aggressive (negotiation is quicker, and the initiator and responder ID pass in the clear; aggressive mode does not provide identity protection for communicating parties). Default: Main mode |
| IPsec Rekey Interval | Specify the interval for refreshing IKE keys. Range: 3600 through 1209600 seconds (1 hour through 14 days). Default: 14400 seconds (4 hours) |
| IKE Cipher Suite | Specify the type of authentication and encryption to use during IKE key exchange. Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2. Default: aes256-cbc-sha1 |
| IKE Diffie-Hellman Group | Specify the Diffie-Hellman group to use in IKE key exchanges. Values: 2, 14, 15, 16, 19, 20, 21, 24. Default: 16 |
| IKE ID for Local End Point | If the remote IKE peer requires a local endpoint identifier, specify it. Range: 1 through 64 characters. Default: Source IP address of the tunnel |
| IKE ID for Remote End Point | If the remote IKE peer requires a remote endpoint identifier, specify it. Range: 1 through 64 characters. Default: Destination IP address of the tunnel. There is no default option if you choose IKEv2. |
- Configure IPSEC fields.

Table 3. IPSEC

| Field | Description |
| --- | --- |
| IPsec Rekey Interval | Specify the interval for refreshing IKE keys. Range: 3600 through 1209600 seconds (1 hour through 14 days). Default: 3600 seconds (1 hour) |
| IPsec Replay Window | Specify the replay window size for the IPsec tunnel. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes. Default: 512 bytes |
| IPsec Cipher Suite | Specify the authentication and encryption to use on the IPsec tunnel. Values: aes256-cbc-sha1, aes256-gcm, null-sha1. Default: aes256-gcm |
| Perfect Forward Secrecy | Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values: group-2 (use the 1024 bit Diffie-Hellman prime modulus group), group-14 (use the 2048 bit Diffie-Hellman prime modulus group), group-15 (use the 3072 bit Diffie-Hellman prime modulus group), group-16 (use the 4096 bit Diffie-Hellman prime modulus group), or none (disable PFS). Default: group-16 |
- Configure advanced IPsec fields.

Table 4. Advanced

| Field | Description |
| --- | --- |
| Associated VPN | Select a VPN from the drop-down list to associate with the IPsec tunnel. |
| Tunnel Route Via | Specify the tunnel route details to steer the application traffic through. Note: You cannot use the tunnel route via option to configure IPsec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route. |
| DPD Interval | Specify the interval for IKE to send Hello packets on the connection. Range: 10 through 3600 seconds (1 hour). Default: 10 seconds |
| DPD Retries | Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to the peer. Range: 2 through 60. Default: 3 |
| TCP MSS | Specify the maximum segment size (MSS) of TCP SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes. Default: None |
| Clear-Dont-Fragment | Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface. |
| IP MTU | Based on your choice in the Tunnel Mode option, specify the MTU (maximum packet size) for IPv4 or IPv6 packets on the interface. Range: 576 through 9216. Default: 1500 bytes |
| Shutdown | Click Off to enable the interface. |
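The following Python validator is an added example, not code from this page or from Cisco. It encodes the accepted values and ranges from Tables 2 through 4 and separates values the fields reject (errors) from accepted values that weaken the tunnel (warnings), so a settings review can be run before the configuration group is pushed. The dataclass field names and the sample settings are this example's own constructions.

```python
"""Review IPsec tunnel settings against the values documented in Tables 2-4.
Example code, not Cisco's; field names here are the example's own."""
from dataclasses import dataclass
from typing import List, Tuple

# Accepted values, copied from the tables above.
IKE_CIPHER_SUITES = {"aes128-cbc-sha1", "aes128-cbc-sha2",
                     "aes256-cbc-sha1", "aes256-cbc-sha2"}
IKE_DH_GROUPS = {2, 14, 15, 16, 19, 20, 21, 24}
IPSEC_CIPHER_SUITES = {"aes256-cbc-sha1", "aes256-gcm", "null-sha1"}
PFS_SETTINGS = {"group-2", "group-14", "group-15", "group-16", "none"}
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096, 8192}


@dataclass
class IpsecTunnelSettings:
    """Defaults mirror the table defaults (constructed names)."""
    ike_version: int = 1
    ike_mode: str = "main"
    ike_rekey_interval: int = 14400
    ike_cipher_suite: str = "aes256-cbc-sha1"
    ike_dh_group: int = 16
    ipsec_rekey_interval: int = 3600
    ipsec_replay_window: int = 512
    ipsec_cipher_suite: str = "aes256-gcm"
    pfs: str = "group-16"
    dpd_interval: int = 10
    dpd_retries: int = 3


def validate(s: IpsecTunnelSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors are values the fields do not accept,
    warnings are accepted values that reduce the tunnel's security."""
    errors: List[str] = []
    warnings: List[str] = []

    # Hard checks: ranges and value sets from the tables.
    if s.ike_version not in (1, 2):
        errors.append("IKE Version must be 1 or 2")
    if s.ike_mode not in ("main", "aggressive"):
        errors.append("IKE mode must be main or aggressive")
    if not 3600 <= s.ike_rekey_interval <= 1209600:
        errors.append("IKE rekey interval must be 3600..1209600 seconds")
    if s.ike_cipher_suite not in IKE_CIPHER_SUITES:
        errors.append(f"unsupported IKE cipher suite {s.ike_cipher_suite}")
    if s.ike_dh_group not in IKE_DH_GROUPS:
        errors.append(f"unsupported IKE Diffie-Hellman group {s.ike_dh_group}")
    if not 3600 <= s.ipsec_rekey_interval <= 1209600:
        errors.append("IPsec rekey interval must be 3600..1209600 seconds")
    if s.ipsec_replay_window not in REPLAY_WINDOWS:
        errors.append(f"unsupported IPsec replay window {s.ipsec_replay_window}")
    if s.ipsec_cipher_suite not in IPSEC_CIPHER_SUITES:
        errors.append(f"unsupported IPsec cipher suite {s.ipsec_cipher_suite}")
    if s.pfs not in PFS_SETTINGS:
        errors.append(f"unsupported PFS setting {s.pfs}")
    if not 10 <= s.dpd_interval <= 3600:
        errors.append("DPD interval must be 10..3600 seconds")
    if not 2 <= s.dpd_retries <= 60:
        errors.append("DPD retries must be 2..60")

    # Soft checks: accepted choices that weaken the tunnel.
    if s.ike_version == 1:
        warnings.append("IKEv1 selected; prefer IKEv2 where the peer supports it")
    if s.ike_mode == "aggressive":
        warnings.append("aggressive mode sends initiator and responder IDs in the clear")
    if s.ike_cipher_suite.endswith("sha1") or s.ipsec_cipher_suite.endswith("sha1"):
        warnings.append("SHA-1 integrity selected; prefer a sha2 or GCM suite")
    if s.ipsec_cipher_suite == "null-sha1":
        warnings.append("null-sha1 authenticates but does not encrypt tunnel traffic")
    if s.ike_dh_group == 2 or s.pfs == "group-2":
        warnings.append("1024-bit Diffie-Hellman group 2 is below current strength guidance")
    if s.pfs == "none":
        warnings.append("PFS disabled; compromise of IKE key material exposes IPsec session keys")
    return errors, warnings


if __name__ == "__main__":
    for label, cfg in [("defaults", IpsecTunnelSettings()),
                       ("weak", IpsecTunnelSettings(ike_mode="aggressive",
                                                    ipsec_cipher_suite="null-sha1",
                                                    pfs="none", ike_dh_group=2))]:
        errs, warns = validate(cfg)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

Errors correspond to inputs the form will not accept; warnings are choices the form accepts but that a reviewer should justify, such as null-sha1, which leaves the tunnel payload unencrypted.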