Cisco CSR1000v in AWS: IPSec tunnel configuration

With IKEv1 IPSec tunnels, the address in the pre-shared key statement and the tunnel destination should both be the public IP of the remote side, even when the remote router sits behind NAT with an Elastic IP:

crypto isakmp key XXXXXXXX address PUBLIC.IP.OF.REMOTE
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 1024
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac 
 mode tunnel
crypto ipsec profile ESP_3600_PFS-G2
 set security-association lifetime kilobytes disable
 set transform-set ESP_AES128_SHA  
 set pfs group2
interface Tunnel1
 ip address
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC.IP.OF.REMOTE
 tunnel protection ipsec profile ESP_3600_PFS-G2
interface GigabitEthernet1
 ip address
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
ip route

I was surprised this worked.  Why?  Because the tunnel source is GigabitEthernet1’s private IP address of  I would expect the other side to reject the proposal because it doesn’t match the public IP address with the isakmp key configured.

But looking closer, it's actually using NAT-T (UDP port 4500):

csr1000v-1#show crypto session 

Interface: Tunnel1
Session status: UP-ACTIVE
Peer: PUBLIC.IP.OF.REMOTE port 4500 
IPSEC FLOW: permit ip 
Active SAs: 2, origin: crypto map
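As an added example (not part of the original post), the following script cross-checks the two things discussed above: that every Tunnel interface's destination has a matching "crypto isakmp key ... address" entry, and that "show crypto session" reports the configured peer as UP-ACTIVE on port 4500 (NAT-T). The config fragment and session output embedded below are constructed samples using documentation addresses, not captures from a real device; the function names are my own.

```python
import re

# Constructed sample of a CSR1000v running-config fragment (not a real device).
SAMPLE_CONFIG = """\
crypto isakmp key XXXXXXXX address 203.0.113.10
crypto isakmp keepalive 10 10
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ESP_3600_PFS-G2
 set transform-set ESP_AES128_SHA
 set pfs group2
interface Tunnel1
 ip address 169.254.10.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile ESP_3600_PFS-G2
interface GigabitEthernet1
 ip address 10.0.1.20 255.255.255.0
"""

# Constructed sample of "show crypto session" output for the same tunnel.
SAMPLE_SESSION = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 4500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
"""


def parse_config(text):
    """Return the set of ISAKMP key peer addresses and per-Tunnel settings."""
    keys, tunnels, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            keys.add(m.group(1))
            current = None
            continue
        m = re.match(r"interface (Tunnel\d+)", line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):      # any other top-level line ends the interface block
            current = None
            continue
        if current is not None:
            parts = line.split()
            if parts[:2] == ["tunnel", "destination"]:
                current["destination"] = parts[2]
            elif parts[:2] == ["tunnel", "source"]:
                current["source"] = parts[2]
            elif parts[:2] == ["tunnel", "mode"]:
                current["mode"] = " ".join(parts[2:])
            elif parts[:3] == ["tunnel", "protection", "ipsec"]:
                current["profile"] = parts[4]
    return keys, tunnels


def check_config(text):
    """Flag tunnels whose destination has no ISAKMP key, or that lack ipsec mode/protection."""
    keys, tunnels = parse_config(text)
    problems = []
    for name, t in tunnels.items():
        dest = t.get("destination")
        if dest is None:
            problems.append(f"{name}: no tunnel destination")
        elif dest not in keys:
            problems.append(f"{name}: no 'crypto isakmp key ... address {dest}'")
        if t.get("mode") != "ipsec ipv4":
            problems.append(f"{name}: tunnel mode is not 'ipsec ipv4'")
        if "profile" not in t:
            problems.append(f"{name}: no 'tunnel protection ipsec profile'")
    return problems


def parse_session(text):
    """Extract status, peer, port and SA count from 'show crypto session' output."""
    info = {}
    for line in text.splitlines():
        if m := re.match(r"Session status: (\S+)", line):
            info["status"] = m.group(1)
        if m := re.match(r"Peer: (\S+) port (\d+)", line):
            info["peer"], info["port"] = m.group(1), int(m.group(2))
        if m := re.match(r"Active SAs: (\d+)", line):
            info["active_sas"] = int(m.group(1))
    info["nat_t"] = info.get("port") == 4500   # UDP/4500 means NAT traversal is in use
    return info


def verify_tunnel(config_text, session_text, tunnel="Tunnel1"):
    """Cross-check static config against live session state; returns (findings, nat_t)."""
    findings = check_config(config_text)
    _, tunnels = parse_config(config_text)
    sess = parse_session(session_text)
    expected = tunnels.get(tunnel, {}).get("destination")
    if sess.get("status") != "UP-ACTIVE":
        findings.append(f"{tunnel}: session status is {sess.get('status')}")
    if expected and sess.get("peer") != expected:
        findings.append(f"{tunnel}: session peer {sess.get('peer')} != configured {expected}")
    return findings, sess["nat_t"]


if __name__ == "__main__":
    print(verify_tunnel(SAMPLE_CONFIG, SAMPLE_SESSION))
```

Feed it the real "show running-config" and "show crypto session" text (for example saved from the console) and an empty findings list with nat_t True corresponds to the working state the post describes: peer address consistent between the key statement and tunnel destination, session UP-ACTIVE, and traffic encapsulated on UDP 4500.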
