Sie möchten routenbasierte IPSec VPN-Tunnel zwischen einer NSX Edge und einer virtuellen Cisco-CSR 1000V-Appliance konfigurieren.

Konfiguration von NSX Edge

Die folgende CLI-Ausgabe zeigt die routenbasierte IPSec-VPN-Konfiguration auf der NSX Edge:
Edge IPsec VPN Config:
{
   "ipsec" : {
      "global" : {
         "extension" : null,
         "crlCertificates" : [],
         "pskForDynamicIp" : null,
         "id" : null,
         "caCertificates" : [],
         "serviceCertificate" : null
      },
      "logging" : {
         "logLevel" : "debug",
         "enable" : true
      },
      "disableEvent" : null,
      "enable" : true,
      "sites" : [
         {
            "name" : "VPN2 to edge-ext tun 2 192.168.14.2",
            "encryptionAlgorithm" : "3des",
            "psk" : "****",
            "tunnelInterfaceId" : 1,
            "authenticationMode" : "psk",
            "peerIp" : "111.111.111.5",
            "ipsecSessionType" : "routebasedsession",
            "pskEncryption" : null,
            "digestAlgorithm" : "sha1",
            "enabled" : true,
            "localSubnets" : [
               "0.0.0.0/0"
            ],
            "description" : "VPN to edge subnet2",
            "mtu" : null,
            "peerId" : "111.111.111.5",
            "extension" : null,
            "ikeOption" : "ikev2",
            "localIp" : "51.51.51.1",
            "peerSubnets" : [
               "0.0.0.0/0"
            ],
            "responderOnly" : false,
            "certificate" : null,
            "dhGroup" : "dh2",
            "siteId" : "ipsecsite-53",
            "localId" : "51.51.51.1",
            "tunnelInterfaceLabel" : "vti-1",
            "enablePfs" : true
         },
         {
            "peerIp" : "71.71.71.5",
            "authenticationMode" : "psk",
            "ipsecSessionType" : "routebasedsession",
            "tunnelInterfaceId" : 2,
            "psk" : "****",
            "name" : "VPN to edge-ext tun 1 192.168.13.2",
            "encryptionAlgorithm" : "3des",
            "description" : "VPN to edge subnet1",
            "localSubnets" : [
               "0.0.0.0/0"
            ],
            "enabled" : true,
            "pskEncryption" : null,
            "digestAlgorithm" : "sha1",
            "ikeOption" : "ikev2",
            "extension" : null,
            "peerSubnets" : [
               "0.0.0.0/0"
            ],
            "localIp" : "61.61.61.1",
            "peerId" : "71.71.71.5",
            "mtu" : null,
            "siteId" : "ipsecsite-54",
            "localId" : "61.61.61.1",
            "enablePfs" : true,
            "tunnelInterfaceLabel" : "vti-2",
            "responderOnly" : false,
            "certificate" : null,
            "dhGroup" : "dh2"
         }
      ]
   }
}

Die folgende CLI-Ausgabe zeigt die VTI-Konfiguration auf der NSX Edge:

Edge VTI Tunnels Config:
{
   "vtiTunnels" : [
      {
         "name" : "vti-1",
         "mtu" : 1416,
         "label" : "vti-1",
         "sourceAddress" : "51.51.51.1",
         "destinationAddress" : "111.111.111.5",
         "tunnelAddresses" : [
            "192.168.14.2/24"
         ],
         "mode" : "VTI",
         "enabled" : true
      },
      {
         "enabled" : false,
         "tunnelAddresses" : [
            "192.168.13.2/24"
         ],
         "mode" : "VTI",
         "sourceAddress" : "61.61.61.1",
         "destinationAddress" : "71.71.71.5",
         "label" : "vti-2",
         "mtu" : 1416,
         "name" : "vti-2"
      }
   ]
}

Cisco CSR 1000V-Appliance-Konfiguration

Das folgende Skript konfiguriert die beiden übereinstimmenden routenbasierten IPSec-Tunnel auf der Cisco CSR 1000V-Appliance:

crypto ikev2 proposal PH1PROPOSAL
encryption 3des
integrity sha1
group 2
crypto ikev2 proposal PH2PROPOSAL
encryption 3des
integrity sha1
group 2
crypto ikev2 policy PH1POLICY
proposal PH1PROPOSAL
crypto ikev2 policy PH2POLICY
proposal PH2PROPOSAL
crypto ikev2 keyring PH1KEY
peer SITE1
  address 61.61.61.1
  pre-shared-key sharedvalue
!
crypto ikev2 keyring PH2KEY
peer SITE2
  address 51.51.51.1
  pre-shared-key sharedvalue
!
crypto ikev2 profile PH1PROFILE
match identity remote address 61.61.61.1 255.255.255.0
identity local address 71.71.71.5
authentication remote pre-share key sharedvalue
authentication local pre-share key sharedvalue
crypto ikev2 profile PH2PROFILE
match identity remote address 51.51.51.1 255.255.255.0
identity local address 111.111.111.5
authentication remote pre-share key sharedvalue
authentication local pre-share key sharedvalue
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROF1
set transform-set TSET
set ikev2-profile PH1PROFILE
responder-only
crypto ipsec profile IPSEC_PROF2
set transform-set TSET
set ikev2-profile PH2PROFILE
responder-only


interface Tunnel1
ip address 192.168.13.1 255.255.255.0
tunnel source 71.71.71.5
tunnel mode ipsec ipv4
tunnel destination 61.61.61.1
tunnel protection ipsec profile IPSEC_PROF1
interface Tunnel2
ip address 192.168.14.1 255.255.255.0
tunnel source 111.111.111.5
tunnel mode ipsec ipv4
tunnel destination 51.51.51.1
tunnel protection ipsec profile IPSEC_PROF2
interface GigabitEthernet1
ip address dhcp
negotiation auto
interface GigabitEthernet2
no ip address
negotiation auto
interface GigabitEthernet2.2
encapsulation dot1Q 23
ip address 81.81.81.5 255.255.255.0
interface GigabitEthernet2.3
encapsulation dot1Q 19
ip address 111.111.111.5 255.255.255.0
interface GigabitEthernet2.4
encapsulation dot1Q 22
ip address 71.71.71.5 255.255.255.0