You are currently viewing Configuring D-VTI and S-VTI for Hub & Spoke Deployments
Photo by Christina Morillo on Pexels.com

Configuring D-VTI and S-VTI for Hub & Spoke Deployments

In this post, we’re going to configure D-VTI and S-VTI between two CSR1000v routers to demonstrate hub and spoke deployments. The two devices used as shown in the topology below are R9 and R10. R9 will act as the hub and R10 will act as a spoke.

Topology

Devices

  • R9 – Site one (VPN headend one)
  • R10 – Site two (VPN headend two)

R9 – Hub Configuration

Configure a Keyring for Spokes

crypto keyring KEYRING
  pre-shared-key address 30.1.2.2 key cisco123

Configure an ISAKMP Policy

crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

Configure an ISAKMP Profile

crypto isakmp profile ISAKMP-PROFILE
   keyring KEYRING
   match identity address 30.1.2.2 255.255.255.255
   virtual-template 1

Configure a Virtual-Template Interface

interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

R10 – Spoke Configuration

Configure a Keyring for Hub Association

crypto keyring KEYRING
  pre-shared-key address 30.1.1.2 key cisco123

Configure an ISAKMP Policy

crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

Configure an ISAKMP Profile

crypto isakmp profile ISAKMP-PROFILE
   keyring KEYRING
   match identity address 30.1.1.2 255.255.255.255

Configure a Tunnel Interface

interface Tunnel0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 30.1.1.2
 tunnel protection ipsec profile default

Configure a Static Route for Interesting Traffic

ip route 40.0.1.0 255.255.255.0 Tunnel0

Verify Connectivity

Ping Protected Subnet at the Hub from R10

R10#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Verify Crypto ISAKMP SA on R10

R10#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.1.1.2        30.1.2.2        QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA

Verify Crypto IPSec SA on R10

R10#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 30.1.2.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 30.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 177, #pkts encrypt: 177, #pkts digest: 177
    #pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xB6C48C6F(3066334319)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xE5E3E55A(3856917850)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607982/2852)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB6C48C6F(3066334319)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607987/2852)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

Verify Tunnel Interface is UP

R10#show int tun0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of GigabitEthernet1 (30.1.2.2)
  MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 30.1.2.2 (GigabitEthernet1), destination 30.1.1.2
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet1
          Set of tunnels with source GigabitEthernet1, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "default")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:15:43
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     207 packets input, 13845 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     216 packets output, 14805 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Verify ISAKMP SA on R9

R9#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.1.1.2        30.1.2.2        QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA

Verify IPSec SA on R9

R9#show crypto ipsec sa
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 30.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 30.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 256, #pkts encrypt: 256, #pkts digest: 256
    #pkts decaps: 266, #pkts decrypt: 266, #pkts verify: 266
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xE5E3E55A(3856917850)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB6C48C6F(3066334319)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4607972/2439)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE5E3E55A(3856917850)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4607983/2439)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

Verify ISAKMP SA on R9

R9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
43123 30.1.1.2        30.1.2.2               ACTIVE des  sha256 rsig 1  07:57:53
       Engine-id:Conn-id =  SW:1123
IPv6 Crypto ISAKMP SA
R9#show crypto isakmp peers
Peer: 30.1.2.2 Port: 500 Local: 30.1.1.2
 Phase1 id: R10.networkwizkid.com

Verify IPSec SA on R9

R9#show crypto ipsec sa
interface: GigabitEthernet1
    Crypto map tag: CRYPTO-MAP, local addr 30.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
   current_peer 30.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xA2F4612C(2733924652)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x3ED1C05C(1053933660)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2805, flow_id: CSR:805, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607998/2272)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xA2F4612C(2733924652)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2806, flow_id: CSR:806, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607999/2272)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

Verify Virtual Access Interface on R9

R9#show int virtual-access2
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of GigabitEthernet1 (30.1.1.2)
  MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 30.1.1.2 (GigabitEthernet1), destination 30.1.2.2
   Tunnel Subblocks:
      src-track:
         Virtual-Access2 source tracking subblock associated with GigabitEthernet1
          Set of tunnels with source GigabitEthernet1, 2 members (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "default")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:21:13
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     289 packets input, 19185 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     279 packets output, 18165 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Note: While testing on Cisco IOS XE Software, Version 16.06.07, I realised that when changes to the above configuration were made, the tunnel would still establish however, traffic would not pass through the tunnel. Upon restarting both devices, the interesting traffic would begin to start passing through the tunnel again.

iwiizkiid

Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply