CISCO Catalyst SD-WAN Security Configuration User Guide

June 15, 2024
Cisco

User Guide

CISCO Catalyst SD WAN Security Configuration GRE Over IPsec Tunnels

Note
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Table 1: Feature History

Feature Name | Release Information | Description
GRE Over IPsec Tunnels Between Cisco IOS XE Devices | Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, Cisco vManage Release 20.7.1 | This feature allows you to set up GRE over IPsec tunnels with IKEv2 RSA-SIG authentication on Cisco IOS XE Catalyst SD-WAN devices in the controller mode to connect to Cisco IOS XE devices in the autonomous mode. This setup enables Cisco IOS XE Catalyst SD-WAN devices to use OSPFv3 as the dynamic routing protocol and multicast traffic across the WAN network. You can configure GRE over IPsec tunnels using the CLI device templates in Cisco SD-WAN Manager for Cisco IOS XE Catalyst SD-WAN devices.
IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN and Third-Party Devices | Cisco IOS XE Catalyst SD-WAN Release 17.12.1a | This feature allows you to configure an IPv6 GRE or IPsec tunnel from a Cisco IOS XE Catalyst SD-WAN device to a third-party device over a service VPN.

GRE Over IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices

You can configure Generic Routing Encapsulation (GRE) over Internet Protocol Security (IPsec) tunnels on Cisco IOS XE devices. GRE supports multicast and dynamic routing protocols, and IPsec with the IKEv2 protocol provides the enhanced security. In this design, OSPFv3 (the dynamic routing protocol) and multicast (in sparse mode) run over the GRE tunnel, IPsec encrypts the packets across the tunnel, and IKEv2 with RSA-SIG authentication performs authentication and establishes and maintains the security associations.

Prerequisites for GRE Over IPsec Tunnels Between Cisco IOS XE Devices
To configure GRE over IPsec tunnels, use the Internet Key Exchange Version 2 (IKEv2) protocol with RSA signature (RSA-SIG) as the authentication method.

Restrictions for GRE Over IPsec Tunnels Between Cisco IOS XE Devices

  • IPv6 addresses for IPsec tunnel source are not supported.
  • You cannot configure GRE Over IPsec tunnels between Cisco IOS XE devices using Cisco SD-WAN Manager GUI.

Benefits of GRE Over IPsec Tunnels Between Cisco IOS XE Devices

  • Enables migration. You can either migrate to a Cisco Catalyst SD-WAN network or modify a device to support Cisco Catalyst SD-WAN.
  • Provides a full mesh connection between a branch and data center, irrespective of whether the network is a Cisco Catalyst SD-WAN network or a non-SD-WAN network.
  • Supports OSPFv3 and multicast traffic from a Cisco Catalyst SD-WAN enabled branch to a non-SD-WAN data center.

Use Case for GRE Over IPsec Tunnels Between Cisco IOS XE Devices
In this sample topology, there are Cisco IOS XE devices that are located in different data centers and branches.
Two Cisco IOS XE devices in the controller mode are located in the Cisco Catalyst SD-WAN network, one in a data center and another in a branch. The other two Cisco IOS XE devices in the autonomous mode are located in a non-SD-WAN network. A GRE over IPsec tunnel is configured to connect the Cisco IOS XE device at the branch on the Cisco Catalyst SD-WAN network to the data center located in the non-SD-WAN network.

Note
Ensure that the tunnel source is configured with the global VPN for the WAN side and the tunnel VRF configured with the service VPN for the Service side.

Configure GRE Over IPsec Tunnels Between Cisco IOS XE Devices
Configuring GRE over IPsec tunnels using Cisco SD-WAN Manager is a two-step process:

  1. Install Certification Authentication.
    Import the pkcs12 file on the Cisco IOS XE Catalyst SD-WAN device using the pki import command.
    For information, see the Install Certification Authentication section in Configure GRE Over IPsec Tunnels Between Cisco IOS XE Devices Using the CLI .

  2. Prepare the GRE over IPsec tunnel configurations (GRE, IPsec, IKEv2, PKI, OSPFv3 and Multicast) via the Cisco SD-WAN Manager CLI Template, and push it to the Cisco IOS XE Catalyst SD-WAN device.
    For information about using a device template, see Device Configuration-Based CLI Templates for Cisco IOS XE Catalyst SD-WAN devices.
    See the Configure GRE Over IPsec Tunnel section in Configure GRE Over IPsec Tunnels Between Cisco IOS XE Devices Using the CLI for a sample configuration for use in the CLI template.

Note
Add the crypto pki trustpoint configuration command explicitly in the Cisco SD-WAN Manager CLI template.

Configure GRE Over IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices Using the CLI
This section provides example CLI configurations to configure GRE over IPsec tunnels for Cisco IOS XE
Catalyst SD-WAN devices in the controller mode.

Install Certification Authentication
Import the pkcs12 file on the Cisco IOS XE Catalyst SD-WAN device using the pki import command.
Device# crypto pki import trustpoint_name pkcs12 bootflash:certificate_name password cisco
Execute the crypto pki trustpoint command to reconfigure the Cisco IOS XE Catalyst SD-WAN device.
Device(config)# crypto pki trustpoint trustpoint_name
Device(ca-trustpoint)# enrollment pkcs12
Device(ca-trustpoint)# revocation-check none
Device(ca-trustpoint)# rsakeypair trustpoint_name

Configure GRE over IPsec Tunnel
The following is a sample configuration example for configuring GRE over IPsec tunnel.

[Figure 1 and Figure 2: sample GRE over IPsec tunnel configuration]
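Because the sample configuration above is carried only in figures, the following is an added example (not Cisco's sample from this guide) of the pieces the section names: the PKI trustpoint, an IKEv2 proposal, policy and profile using RSA-SIG, an IPsec transform set and profile, and a GRE tunnel in the service VRF with OSPFv3 and PIM sparse mode. The trustpoint name TP-GRE, the profile names, VRF 1, the tunnel and peer addresses, and the peer domain are assumed values constructed for this example.

```text
! Assumed values (constructed): trustpoint TP-GRE, service VRF 1,
! tunnel source GigabitEthernet1 in the global VPN, peer 209.165.201.1
crypto pki trustpoint TP-GRE
 enrollment pkcs12
 ! "none" skips CRL/OCSP checks, as in the guide's sample; prefer
 ! "revocation-check crl" or "ocsp" where the CA's CDP is reachable
 revocation-check none
 rsakeypair TP-GRE
!
crypto ikev2 proposal IKEV2-PROP
 ! AEAD cipher: use prf, not integrity, with aes-gcm
 encryption aes-gcm-256
 prf sha384
 group 19
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 profile IKEV2-PROF
 ! Peer identity is taken from its certificate; both sides use RSA-SIG
 match identity remote fqdn domain example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP-GRE
 dpd 10 3 on-demand
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
!
! Overlay lives in the service VPN; transport (tunnel source) stays global
interface Tunnel100
 vrf forwarding 1
 ip address 10.10.10.1 255.255.255.252
 ipv6 address 2001:DB8:100::1/64
 ospfv3 1 ipv6 area 0
 ip pim sparse-mode
 tunnel source GigabitEthernet1
 tunnel destination 209.165.201.1
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
router ospfv3 1
 address-family ipv6 unicast vrf 1
!
ip multicast-routing vrf 1 distributed
```

After pushing the template, show crypto session detail (Example 3 below) should list the tunnel peer with an UP-ACTIVE IKEv2 SA authenticated by RSA-SIG.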

Note
The configurations for GRE over IPsec tunnels for Cisco IOS XE devices in the autonomous mode are the same as in the controller mode shown above.
Furthermore, the steps to install certification authentication for Cisco IOS XE devices in the autonomous mode are the same as for Cisco IOS XE Catalyst SD-WAN devices, and there is no requirement for you to reconfigure crypto pki trustpoint explicitly on the Cisco IOS XE devices in the autonomous mode.

Monitor GRE Over IPsec Tunnels Between Cisco IOS XE Devices Using the CLI

Example 1
The following is sample output from the show crypto pki certificates command using the optional trustpoint-name argument and verbose keyword. The output shows the certificate of the device and the certificate of the CA. In this example, general-purpose RSA key pairs were previously generated, and a certificate was requested and received for the key pair.

[Figure 3 and Figure 4: show crypto pki certificates output]

Example 2
The following is sample output from the show crypto ipsec sa command to display the settings used by IPsec security associations.

[Figure 5 and Figure 6: show crypto ipsec sa output]

Example 3
The following example shows the show crypto session detail command output that displays the status information for active crypto sessions.

[Figure 7 and Figure 8: show crypto session detail output]

Example 4
The following is sample output from the show crypto key mypubkey rsa command that displays the RSA public keys of your device.

[Figure 9: show crypto key mypubkey rsa output]

IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices

Minimum supported release: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a
This feature allows you to configure an IPv6 GRE or IPsec tunnel from Cisco IOS XE Catalyst SD-WAN devices to a third-party device over a service VPN. The following types are supported:

  • IPv6 GRE tunnel over IPv4 Underlay
  • IPv6 GRE tunnel over IPv6 Underlay
  • IPsec IPv6 tunnel over IPv4 Underlay
  • IPsec IPv6 tunnel over IPv6 Underlay

Restrictions for IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices

  • This feature is configurable only through the device CLI template. Feature templates are not supported.
  • Feature parcel is not supported.
  • Dual stack is not supported for IPsec SVTI tunnels but is supported for GRE tunnels.
  • A loopback interface name is not supported as the tunnel source. When you use a loopback interface as a tunnel source, you must provide either its IPv4 or IPv6 address in the tunnel source field. You can provide an interface name as the tunnel source for a physical interface or sub-interface.

Supported Devices for IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices

Table 2: Supported Devices and Releases

Release: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a and later

Supported Devices:
  • Cisco Catalyst 8300 Series Edge Platforms
  • Cisco Catalyst 8500 Series Edge Platforms
  • Cisco Catalyst 8500L Edge Platforms
  • Cisco Catalyst 8000V Edge Software
  • Cisco ASR 1001-HX Router
  • Cisco ASR 1002-HX Router
  • Cisco ISR1100 Series Routers
  • Cisco 4461 Integrated Services Router

Configure IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices Using a CLI Template

Configure a Common Source Interface
This section provides an example CLI configuration to configure a common source interface.

  1. Enter the global configuration mode.
    configure terminal

  2. Enter interface configuration mode.
    interface GigabitEthernet1

  3. Enable the interface.
    no shutdown

  4. Set an IP address for the interface.
    ip address 209.165.200.225 255.255.255.0

  5. Configure an IPv6 address.
    ipv6 address 2001:DB8:200::225/64

  6. Exit the interface configuration mode.
    exit

This section provides an example CLI configuration to configure a loopback interface.

  1. Configure a loopback interface.
    interface Loopback 0

  2. Set an IP address for the interface.
    ip address 209.165.201.1 255.255.255.0

  3. Configure an IPv6 address.
    ipv6 address 2001:DB8:201::1/64

  4. Exit the interface configuration mode.
    exit

Here’s the complete configuration example for configuring a common source interface.

Configure an IPv6 GRE Tunnel Over IPv4 Underlay
This section provides an example CLI configuration to configure an IPv6 GRE tunnel over IPv4 underlay.

  1. Enter the global configuration mode.
    configure terminal

  2. Create an interface tunnel.
    interface Tunnel64

  3. Enable the interface.
    no shutdown

  4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration mode.
    vrf forwarding 1

  5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
    ipv6 address 2001:DB8:64::1/64

  6. Set the source address for the tunnel interface in interface configuration mode.
    tunnel source 209.165.202.129

  7. Set the destination address for the GRE tunnel interface in interface configuration mode.
    tunnel destination 209.165.202.158

  8. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the mandatory keyword and if the route is not available, the traffic drops.
    tunnel route-via GigabitEthernet5 mandatory

Here’s the complete configuration example for configuring an IPv6 GRE tunnel over IPv4 underlay.

[Figure 11: complete IPv6 GRE tunnel over IPv4 underlay configuration]

Configure an IPv6 GRE Tunnel Over IPv6 Underlay
This section provides an example CLI configuration to configure an IPv6 GRE tunnel over IPv6 underlay.

  1. Enter the global configuration mode.
    configure terminal

  2. Enter the tunnel interface mode.
    interface Tunnel66

  3. Enable the interface.
    no shutdown

  4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration mode.
    vrf forwarding 1

  5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
    ipv6 address 2001:DB8:166::1/64

  6. Set the source address for the tunnel interface in interface configuration mode.
    tunnel source 2001:DB8:15::15

  7. Set the destination address for the GRE tunnel interface in interface configuration mode.
    tunnel destination 2001:DB8:15::16

  8. Set the encapsulation mode for the tunnel interface, in interface configuration mode.
    tunnel mode gre ipv6

  9. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the mandatory keyword and if the route is not available, the traffic drops.
    tunnel route-via GigabitEthernet5 mandatory

Here’s the complete configuration example for configuring an IPv6 GRE tunnel over IPv6 underlay.

interface Tunnel66
no shutdown
vrf forwarding 1
ipv6 address 2001:DB8:66::1/64
tunnel source 2001:DB8:15::15
tunnel destination 2001:DB8:15::16
tunnel mode gre ipv6
tunnel route-via GigabitEthernet5 mandatory

Configure an IPsec IPv6 Tunnel Over IPv4 Underlay
This section provides an example CLI configuration to configure an IPsec IPv6 tunnel over IPv4 underlay.

  1. Enter the global configuration mode.
    configure terminal

  2. Enter the tunnel interface mode.
    interface Tunnel164

  3. Enable the interface.
    no shutdown

  4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration mode.
    vrf forwarding 1

  5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
    ipv6 address 2001:DB8:164::1/64

  6. Set the source address for the tunnel interface in interface configuration mode.
    tunnel source 209.165.202.129

  7. Set the destination address for the IPsec tunnel interface in interface configuration mode.
    tunnel destination 209.165.202.158

  8. Set the encapsulation mode for the tunnel interface, in interface configuration mode.
    tunnel mode ipsec ipv4 v6-overlay

  9. Associate the tunnel interface with an IPsec profile.
    tunnel protection ipsec profile if-ipsec1-ipsec-profile164

  10. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the mandatory keyword and if the route is not available, the traffic drops.
    tunnel route-via GigabitEthernet5 mandatory

Here’s the complete configuration example for configuring an IPsec IPv6 tunnel over IPv4 underlay.

[Figure 13: complete IPsec IPv6 tunnel over IPv4 underlay configuration]

Configure an IPsec IPv6 Tunnel Over IPv6 Underlay
This section provides an example CLI configuration to configure an IPsec IPv6 tunnel over IPv6 underlay.

  1. Enter the global configuration mode.
    configure terminal

  2. Enter the tunnel interface mode.
    interface Tunnel166

  3. Enable the interface.
    no shutdown

  4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration mode.
    vrf forwarding 1

  5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
    ipv6 address 2001:DB8:166::1/64

  6. Set the source address for the tunnel interface in interface configuration mode.
    tunnel source 2001:DB8:15::15

  7. Set the destination address for the IPsec tunnel interface in interface configuration mode.
    tunnel destination 2001:DB8:15::16

  8. Set the encapsulation mode for the tunnel interface, in interface configuration mode.
    tunnel mode ipsec ipv6

  9. Associate the tunnel interface with an IPsec profile.
    tunnel protection ipsec profile if-ipsec1-ipsec-profile166

  10. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the mandatory keyword and if the route is not available, the traffic drops.
    tunnel route-via GigabitEthernet5 mandatory

Here’s the complete configuration example for configuring an IPsec IPv6 tunnel over IPv6 underlay.

[Figure 14: complete IPsec IPv6 tunnel over IPv6 underlay configuration]

Verify IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices
The following is a sample output from the show run interface type/number command.

[Figure 16: show run interface output]

The following is a sample output from the show adjacency tunnel164 internal command.
show adjacency tunnel164 internal

[Figure 17: show adjacency tunnel164 internal output]
