AWS / Cisco / NAT and Firewalling / VPNs

Cisco CSR1000v in AWS: IPSec tunnel configuration

J5Leave a comment

Using IKEv1 w/ IPSec tunnels, the PSK address and tunnel destination should be the public IP of the remote side, even if the other router is behind NAT using Elastic IP:

crypto isakmp key XXXXXXXX address PUBLIC.IP.OF.REMOTE
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile ESP_3600_PFS-G2
 set security-association lifetime kilobytes disable
 set transform-set ESP_AES128_SHA  
 set pfs group2
!
interface Tunnel1
 ip address 169.254.1.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC.IP.OF.REMOTE
 tunnel protection ipsec profile ESP_3600_PFS-G2
!
interface GigabitEthernet1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1

I was surprised this worked.  Why?  Because the tunnel source is GigabitEthernet1’s private IP address of 10.10.10.10.  I would expect the other side to reject the proposal because it doesn’t match the public IP address with the isakmp key configured.

But looking closer, it’s actually  using NAT-T (udp port 4500):

csr1000v-1#show crypto session 

Interface: Tunnel1
Session status: UP-ACTIVE
Peer: PUBLIC.IP.OF.REMOTE port 4500 
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
Active SAs: 2, origin: crypto map

 

 

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s