VPN tunnel between Cisco and VyOS routers using VTIs
Creating VPN tunnels between different vendors is usually at the bottom of a networker's list of desires, but sometimes it can't be avoided. Here we connect a Cisco router to a VyOS one with a route-based IPsec tunnel (a VTI on each side) and have them exchange routing information over it using OSPF.
Topology
The topology is simple; the two routers are connected to a third one that represents the internet.
Layer 1 setup
Layer 3 setup
The tunnel (not shown above) uses the subnet 192.168.13.0/24; .1 is assigned to the Cisco side and .3 to the VyOS side. The default route on both routers points to the Internet router. Both tunnel interfaces are configured with ip ospf mtu-ignore: the two platforms typically report different MTUs on their tunnel interfaces, and without it the OSPF adjacency gets stuck in EXSTART/EXCHANGE over the MTU mismatch in the database description packets.
Cisco configuration
conf t
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
hash sha256
crypto isakmp key PSK_tahp_secret address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VyOS_Tset esp-sha-hmac esp-aes 256
mode tunnel
crypto ipsec profile VyOS
set transform-set VyOS_Tset
exit
interface Tunnel0
ip address 192.168.13.1 255.255.255.0
ip ospf mtu-ignore
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.23.3
tunnel protection ipsec profile VyOS
router ospf 1
router-id 1.1.1.1
network 1.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
end

A few notes on these choices. The pre-shared key is bound to address 0.0.0.0 0.0.0.0, so the Cisco accepts this PSK from any peer address; outside a lab, scope it to the VyOS side with address 192.168.23.3 255.255.255.255. The transform set uses esp-sha-hmac, which is HMAC-SHA-1, and the VyOS esp-group below matches it with hash sha1; if both images support it, esp-sha256-hmac and hash sha256 are the better pair. No lifetimes are set, so the IOS defaults of 86400 seconds for ISAKMP and 3600 seconds for IPsec apply, which is exactly what the VyOS configuration sets explicitly. Finally, the profile does not request PFS while the VyOS esp-group asks for dh-group 14: IOS accepts a PFS group offered by the peer when it is the responder, so the tunnel comes up, but adding set pfs group14 to the profile makes both ends request it regardless of which side initiates.
VyOS configuration
This is the VyOS 1.2/1.3 syntax; on VyOS 1.4 the ipsec-interfaces node was renamed, so that line becomes set vpn ipsec interface eth0.
set vpn ipsec esp-group ESP_to_Cisco lifetime 3600
set vpn ipsec esp-group ESP_to_Cisco mode tunnel
set vpn ipsec esp-group ESP_to_Cisco pfs dh-group 14
set vpn ipsec esp-group ESP_to_Cisco proposal 1 encryption aes256
set vpn ipsec esp-group ESP_to_Cisco proposal 1 hash sha1
set vpn ipsec ike-group IKE_to_Cisco key-exchange ikev1
set vpn ipsec ike-group IKE_to_Cisco lifetime 86400
set vpn ipsec ike-group IKE_to_Cisco proposal 1 dh-group 14
set vpn ipsec ike-group IKE_to_Cisco proposal 1 encryption aes256
set vpn ipsec ike-group IKE_to_Cisco proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec site-to-site peer 192.168.12.1 authentication id 192.168.23.3
set vpn ipsec site-to-site peer 192.168.12.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.12.1 authentication pre-shared-secret PSK_tahp_secret
set vpn ipsec site-to-site peer 192.168.12.1 authentication remote-id 192.168.12.1
set vpn ipsec site-to-site peer 192.168.12.1 connection-type initiate
set vpn ipsec site-to-site peer 192.168.12.1 default-esp-group ESP_to_Cisco
set vpn ipsec site-to-site peer 192.168.12.1 ike-group IKE_to_Cisco
set vpn ipsec site-to-site peer 192.168.12.1 local-address 192.168.23.3
set vpn ipsec site-to-site peer 192.168.12.1 vti bind vti0
set vpn ipsec site-to-site peer 192.168.12.1 vti esp-group ESP_to_Cisco
set interfaces vti vti0 address 192.168.13.3/24
set interfaces vti vti0 ip ospf mtu-ignore
set protocols ospf area 0 network 3.3.3.3/32
set protocols ospf area 0 network 192.168.2.0/24
set protocols ospf area 0 network 192.168.13.0/24
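Before bringing the tunnel up it pays to put the two configurations side by side: IKEv1 simply answers NO_PROPOSAL_CHOSEN when any one parameter differs, and the vendor keywords do not line up (Cisco's esp-sha-hmac is VyOS's hash sha1, Cisco's group 14 is VyOS's dh-group 14). The following Python script is an added example, not part of the original article or of either vendor's tooling: it parses the crypto-relevant lines of both configurations above (embedded as constructed sample input), maps them onto a common vocabulary and reports each parameter as match, MISMATCH or asymmetric. The keyword mappings, the IOS policy defaults it assumes (DES, SHA-1, group 1, RSA signatures) and the VyOS default of pfs enable are my assumptions for the common cases and cover only the keywords shown; multiple proposals per group are not modelled (the last one wins).

```python
# Constructed sample input: the crypto-relevant lines of the two configurations above.
CISCO_CFG = """\
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
hash sha256
crypto isakmp key PSK_tahp_secret address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VyOS_Tset esp-sha-hmac esp-aes 256
"""
VYOS_CFG = """\
set vpn ipsec esp-group ESP_to_Cisco pfs dh-group 14
set vpn ipsec esp-group ESP_to_Cisco proposal 1 encryption aes256
set vpn ipsec esp-group ESP_to_Cisco proposal 1 hash sha1
set vpn ipsec ike-group IKE_to_Cisco proposal 1 dh-group 14
set vpn ipsec ike-group IKE_to_Cisco proposal 1 encryption aes256
set vpn ipsec ike-group IKE_to_Cisco proposal 1 hash sha256
set vpn ipsec site-to-site peer 192.168.12.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.12.1 authentication pre-shared-secret PSK_tahp_secret
"""

# IOS keyword -> neutral name (assumed mapping); plain 'sha' and 'esp-sha-hmac' mean SHA-1.
IOS_HASH = {"sha": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512", "md5": "md5"}
IOS_ESP_HASH = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-md5-hmac": "md5"}
VYOS_KEY = {"encryption": "enc", "hash": "hash", "dh-group": "dh"}
FIELDS = ("ike_enc", "ike_hash", "ike_dh", "ike_auth", "esp_enc", "esp_hash", "esp_pfs", "psk")

def ios_cipher(name, bits=None):
    # 'aes' with no key size is AES-128 on IOS; 3des/des take no size.
    name = name.replace("esp-", "")
    return name + (bits or ("128" if name == "aes" else ""))

def parse_cisco(text):
    # Start from the IOS policy defaults so anything left unset is still compared.
    p = {"ike_enc": "des", "ike_hash": "sha1", "ike_dh": "1", "ike_auth": "rsa-sig", "esp_pfs": None}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "encr":
            p["ike_enc"] = ios_cipher(t[1], t[2] if len(t) > 2 else None)
        elif t[0] == "hash":
            p["ike_hash"] = IOS_HASH[t[1]]
        elif t[0] == "group":
            p["ike_dh"] = t[1]
        elif t[0] == "authentication":
            p["ike_auth"] = "pre-shared-secret" if t[1] == "pre-share" else t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            p["psk"], p["psk_peer"] = t[3], " ".join(t[5:7])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            for i, tok in enumerate(t[4:], start=4):
                if tok in IOS_ESP_HASH:
                    p["esp_hash"] = IOS_ESP_HASH[tok]
                elif tok.startswith("esp-"):
                    bits = t[i + 1] if i + 1 < len(t) and t[i + 1].isdigit() else None
                    p["esp_enc"] = ios_cipher(tok, bits)
        elif t[:2] == ["set", "pfs"]:
            p["esp_pfs"] = t[2].replace("group", "")
    return p

def parse_vyos(text):
    # VyOS default for an esp-group is 'pfs enable', i.e. reuse the IKE proposal's DH group.
    p = {"esp_pfs": "enable"}
    for t in (line.split() for line in text.splitlines() if line.startswith("set vpn ipsec ")):
        kind, rest = t[3], t[6:] if t[3] == "site-to-site" else t[5:]  # skip 'peer <addr>' / '<group>'
        if len(rest) < 2: continue
        if kind in ("ike-group", "esp-group") and rest[0] == "proposal":
            p[kind[:3] + "_" + VYOS_KEY.get(rest[2], rest[2])] = rest[3]
        elif kind == "esp-group" and rest[0] == "pfs":
            p["esp_pfs"] = None if rest[1] == "disable" else rest[-1].replace("dh-group", "")
        elif kind == "site-to-site" and rest[:2] == ["authentication", "mode"]:
            p["ike_auth"] = rest[2]
        elif kind == "site-to-site" and rest[:2] == ["authentication", "pre-shared-secret"]:
            p["psk"] = rest[2]
    if p["esp_pfs"] == "enable":
        p["esp_pfs"] = p.get("ike_dh")
    return p

def compare(cisco, vyos):
    """Return ({field: (cisco_value, vyos_value, status)}, [warnings])."""
    report = {}
    for f in FIELDS:
        a, b = cisco.get(f), vyos.get(f)
        if a == b:
            status = "match"
        elif f == "esp_pfs" and None in (a, b):
            # IOS accepts a peer-offered PFS group but proposes none without 'set pfs'.
            status = "asymmetric"
        else:
            status = "MISMATCH"
        report[f] = (a, b, status)
    warnings = []
    if cisco.get("psk_peer") == "0.0.0.0 0.0.0.0":
        warnings.append("Cisco PSK is accepted from any peer address; bind it to the VyOS address")
    return report, warnings

if __name__ == "__main__":
    rep, warns = compare(parse_cisco(CISCO_CFG), parse_vyos(VYOS_CFG))
    for f, (a, b, s) in rep.items():
        print(f"{f:9} cisco={a!s:18} vyos={b!s:18} {s}")
    for w in warns: print("warning:", w)
```

Run against the two configurations above it reports every parameter as match except esp_pfs, which comes out asymmetric (VyOS requests PFS with group 14, the Cisco profile has no set pfs), and it warns about the wildcard PSK address. Changing the Cisco policy to hash sha (SHA-1) turns ike_hash into a MISMATCH, which is the kind of error that otherwise only shows up as a failed Main Mode in the logs.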
Tests
Routing table on Cisco
Cisco#sh ip route
[...]
Gateway of last resort is 192.168.12.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.12.2
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/1010] via 192.168.13.3, 01:53:27, Tunnel0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
O 192.168.2.0/24 [110/1010] via 192.168.13.3, 01:53:27, Tunnel0
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Ethernet0/0
L 192.168.12.1/32 is directly connected, Ethernet0/0
192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.13.0/24 is directly connected, Tunnel0
L 192.168.13.1/32 is directly connected, Tunnel0
Routing table in VyOS
vyos@vyos:~$ sh ip route
[...]
S>* 0.0.0.0/0 [1/0] via 192.168.23.2, eth0
O>* 1.1.1.1/32 [110/11] via 192.168.13.1, vti0, 01:53:49
O 3.3.3.3/32 [110/10] is directly connected, lo, 01:54:05
C>* 3.3.3.3/32 is directly connected, lo
C>* 127.0.0.0/8 is directly connected, lo
O>* 192.168.1.0/24 [110/20] via 192.168.13.1, vti0, 01:53:49
O 192.168.2.0/24 [110/10] is directly connected, eth1, 01:54:05
C>* 192.168.2.0/24 is directly connected, eth1
O 192.168.13.0/24 [110/10] is directly connected, vti0, 01:54:04
C>* 192.168.13.0/24 is directly connected, vti0
C>* 192.168.23.0/24 is directly connected, eth0
Connectivity test between the PCs
PC1> ping 192.168.2.10
84 bytes from 192.168.2.10 icmp_seq=1 ttl=62 time=1.557 ms
84 bytes from 192.168.2.10 icmp_seq=2 ttl=62 time=2.394 ms
84 bytes from 192.168.2.10 icmp_seq=3 ttl=62 time=3.008 ms
84 bytes from 192.168.2.10 icmp_seq=4 ttl=62 time=5.351 ms
84 bytes from 192.168.2.10 icmp_seq=5 ttl=62 time=4.107 ms
PC1> trace 192.168.2.10
trace to 192.168.2.10, 8 hops max, press Ctrl+C to stop
1 192.168.1.1 0.316 ms 0.172 ms 0.161 ms
2 192.168.13.3 0.971 ms 0.810 ms 0.932 ms
3 *192.168.2.10 1.125 ms (ICMP type:3, code:3, Destination port unreachable)
The traceroute shows only the two tunnel endpoints, 192.168.1.1 on the Cisco and 192.168.13.3 on the VyOS VTI; the Internet router in between never appears, which confirms that the packets cross it inside the tunnel rather than being routed in the clear.
Note: the first one or two pings may time out while the IPsec SAs are still being negotiated.