
Configure Tunnels with Cisco ISR

Prerequisites

The following prerequisites must be met for the tunnel to work successfully.

Licensing and Hardware

  • A valid Cisco Umbrella SIG Essentials or SIG Add-On subscription or a free SIG trial.
  • A router (ISR-G2, ISR4K or CSR) with a security K9 license to establish an IPsec tunnel.

Network Access

In the sample commands, <umbrella_dc_ip> refers to the public IP address of the Umbrella SIG data center the router connects to. We recommend choosing the IP address of the data center located closest to your device.

The following ports must be open before connecting to the tunnel:

  • UDP ports 500 and 4500.

Cisco router (ISR-G2, ISR4K or CSR) devices do not require public static IPv4 address(es) configured on the interface that will connect to the public internet and Cisco Umbrella SIG service. They can be behind a NAT device. This is because we can specify a text as its IKE ID. This ID in combination with the PSK is used to successfully authenticate the Cisco router (ISR-G2, ISR4K or CSR) devices with the Cisco Umbrella SIG service.

Text as an IKE ID also allows for multiple tunnels to be established from the same Cisco router device with a single IP address. This provides an opportunity to increase bandwidth by increasing the number of tunnels.

Umbrella Configuration

  1. Navigate to Deployments > Core Identities > Network Tunnels, then click Add.
  2. Give your tunnel a meaningful Tunnel Name, from the Device Type drop-down list choose ISR, and then click Save.
  3. Select your Tunnel ID from the drop-down list. Enter the Pre-Shared-Key (PSK) Passphrase and click Save.

The new tunnel appears in the Umbrella dashboard with a status of Not Established. The tunnel status is updated once it is fully configured and connected with the ISR.

Configuration for ISR (G2, 4K) or CSR

Follow these steps to connect the Cisco router to the Cisco Umbrella Cloud-Delivered Firewall. Some of the configuration is preliminary and will not be required in the final product.

  1. Configure the IKEv2 keyring.
    ISR routers support a default proposal and policy for IKEv2, with a predefined encryption, integrity and DH group. These values change across different software versions. You can either use the default proposal or you can create your own proposal. Your proposal needs to be attached to the policy with matching parameters. Create an IKEv2 keyring profile and configure the peer address and pre-shared key, associate the keyring profile to the IKEv2 profile, set the local identity as email and configure the IKE ID (email) which you get from the Tunnel Configuration dashboard.

For example, the default IKE proposal of an ISR running 16.11.01a image:

ISR-4221#sh ver
Cisco IOS XE Software, Version 16.11.01a

ISR-4221#show crypto ikev2 proposal default
 IKEv2 proposal: default 
     Encryption : AES-CBC-256
     Integrity  : SHA512 SHA384
     PRF        : SHA512 SHA384
     DH Group   : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5

Define the IKEv2 proposal and policy with the following parameters. The address given to match address local is the router's tunnel source IP address (the address of its WAN interface).

crypto ikev2 proposal umbrella
 encryption aes-gcm-256
 prf sha256
 group 19 20
!
crypto ikev2 policy umbrella
 proposal umbrella
 match address local <x.x.x.x>
!

Define the IKEv2 Keyring and profile with the following parameters.

The Cisco Umbrella team shares the VPN headend IP address with customers; the local ID and pre-shared key are shown when you provision the network tunnel in the Cisco Umbrella dashboard. Substitute the IP address of the Umbrella data center closest to your location for [umbrella_dc_ip], and take the other bracketed values from the Umbrella dashboard.

crypto ikev2 keyring Umbrella-Key
  peer umbrella
  address [umbrella_dc_ip]
  pre-shared-key [Portal_Tunnel_Passphrase]
!
crypto ikev2 profile umbrella
  match identity remote address [umbrella_dc_ip]
  identity local email [Portal_Tunnel_ID]
  authentication remote pre-share
  authentication local pre-share
  keyring local Umbrella-Key
  dpd 10 2 periodic
!

In the above commands, replace [Portal_Tunnel_ID] and [Portal_Tunnel_Passphrase] with the Tunnel ID and Passphrase you configured in the Umbrella Configuration section above.

  2. Define the IPsec profile and transform-set.
    Create the transform-set and IPsec profile. Then associate the transform-set and IKEv2 profile with the IPsec profile. Refer to Supported IPsec Parameters for the recommended algorithms.

crypto ipsec transform-set Umb-Transform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile umbrella
 set transform-set Umb-Transform
 set ikev2-profile umbrella
!

  3. Create the tunnel interface.
    Define the static tunnel interface with the peer IP as the Umbrella VPN headend IP and associate the IPsec profile under the tunnel. Make sure the tunnel interface does not contain NAT related commands; traffic sent to Umbrella should not have NAT applied.

interface Tunnel1
 ip unnumbered GigabitEthernet <WAN Interface of the router >
 tunnel source GigabitEthernet <WAN Interface of the router >
 tunnel mode ipsec ipv4
 tunnel destination [umbrella_dc_ip]
 tunnel protection ipsec profile umbrella
!

  4. Configure routing rules.
    Define the traffic which needs to be tunneled to the CDFW. Based on the requirements, these ACL rules can be modified.

The route-map needs to be associated with the LAN interface of the router where the device receives the traffic.

In the following examples, 192.168.20.0/24 is the LAN subnet, and GigabitEthernet is the LAN interface.

ip access-list extended To_Umbrella
  permit ip 192.168.20.0 0.0.0.255 any
!
route-map Umbrella-PBR permit 10
  match ip address To_Umbrella
  set interface Tunnel1
!
interface GigabitEthernet           < LAN Interface >
 ip policy route-map Umbrella-PBR   <Associate the Route-map to the LAN Interface>

Test Your Configuration

Check Tunnel Status

Use the following command to verify the tunnel status on your ISR.

Run show crypto session detail; the output must show the session status as UP-ACTIVE.

Substitute the IP address of the Umbrella data center nearest your location for [umbrella_dc_ip].

ISR#show crypto session detail 
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update

Interface: Tunnel1
Profile: umbrella
Uptime: 14:53:47
Session status: UP-ACTIVE     
Peer: [umbrella_dc_ip] port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: [umbrella_dc_ip]
      Desc: (none)
  Session ID: 1  
  IKEv2 SA: local 10.10.10.201/4500 remote [umbrella_dc_ip]/4500 Active 
          Capabilities:DFNXU connid:4 lifetime:09:06:13
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/2499
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/2499

Manually Trigger the Tunnel

Should the tunnel not come up immediately, or should it need to be manually triggered for any reason, select the tunnel interface, and issue the shutdown and no shutdown commands.

ISR(config)#int T1
ISR(config-if)#shutdown
ISR(config-if)#no shutdown

Verify Tunnel Status

Verify the tunnel status with show crypto session remote <Headend IP> detail. See the example output.

ISR#show crypto session remote 146.112.66.2 detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel1
Profile: Umbrella
Uptime: 00:39:11
Session status: UP-ACTIVE     
Peer: 192.0.2.0 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.0.2.0
      Desc: (none)
  Session ID: 1  
  IKEv2 SA: local 192.0.2.0/4500 remote 146.112.66.2/4500 Active 
          Capabilities:DN connid:3 lifetime:23:20:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4607996/1248
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4607997/1248

Validate the Data Path Through the Tunnel Using a Client

Once the tunnel is up, validate the data path with a single host behind the router (in this case the host IP address is 192.168.50.1) by making the following changes on the router. After successful validation, widen the ACL to the entire subnet.

!
ip access-list extended testip
permit ip host 192.0.2.0 any
! 
route-map To_Umbrella permit 10
match ip address testip
set interface Tunnel1
!

Validate the Data Path Through the Tunnel Using a Router

If there is no client behind the router, validate the data path with router-generated traffic instead: apply local policy-based routing to the route-map so that locally generated packets are steered into the tunnel.

Once the local PBR is configured, run ping with an address from the local LAN subnet as the source IP address, then verify that the encryption and decryption counters in the show crypto session output have incremented.

ISR(config)#ip local policy route-map To_Umbrella

ISR#ping 8.8.8.8 source 192.168.10.1               
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.0 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 79/79/80 ms
ip-10-10-10-50#show crypto session remote 146.112.66.2 detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel1
Profile: Umbrella
Uptime: 00:39:21
Session status: UP-ACTIVE     
Peer: 192.0.2.0 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 146.112.66.2
      Desc: (none)
  Session ID: 1  
  IKEv2 SA: local 192.0.2.0/4500 remote 192.0.2.0/4500 Active 
          Capabilities:DN connid:3 lifetime:23:20:39
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4607995/1238
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4607997/1238
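The checks described in Check Tunnel Status (session UP-ACTIVE) and in the two data-path validation sections (encryption and decryption counters incrementing after the source ping) can be automated against saved show crypto session output. The following Python script is an added example, not part of this guide or of Cisco's tooling; the two captures are constructed from the sample output above and the helper names are the example's own.

```python
import re
# Constructed captures of "show crypto session remote <dc_ip> detail",
# modelled on this guide's sample output: before and after the 5-packet ping.
BEFORE = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 192.0.2.0 port 4500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 192.0.2.0/4500 remote 146.112.66.2/4500 Active
          Capabilities:DN connid:3 lifetime:23:20:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4607996/1248
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4607997/1248
"""
AFTER = BEFORE.replace("dec'ed 0", "dec'ed 5").replace("enc'ed 0", "enc'ed 5")

def parse_session(text):
    """Pull out the fields the guide says to check (hypothetical helper)."""
    status = re.search(r"Session status:\s*(\S+)", text)
    caps = re.search(r"Capabilities:(\S+)", text)
    sas = re.search(r"Active SAs:\s*(\d+)", text)
    inb = re.search(r"Inbound:\s*#pkts dec'ed (\d+) drop (\d+)", text)
    outb = re.search(r"Outbound:\s*#pkts enc'ed (\d+) drop (\d+)", text)
    if not all((status, caps, sas, inb, outb)):
        raise ValueError("unexpected show crypto session output")
    return {
        "status": status.group(1),
        "nat_t": "N" in caps.group(1),   # N: NAT-traversal (UDP 4500) in use
        "dpd": "D" in caps.group(1),     # D: dead peer detection, from the profile
        "active_sas": int(sas.group(1)),
        "dec": int(inb.group(1)), "dec_drop": int(inb.group(2)),
        "enc": int(outb.group(1)), "enc_drop": int(outb.group(2)),
    }

def tunnel_up(text):
    """Check Tunnel Status: UP-ACTIVE with the inbound/outbound SA pair."""
    s = parse_session(text)
    return s["status"] == "UP-ACTIVE" and s["active_sas"] >= 2

def data_path_ok(before, after, sent=5):
    """Data path: ping packets encrypted, echoes decrypted, no new drops."""
    b, a = parse_session(before), parse_session(after)
    return (tunnel_up(after)
            and a["enc"] - b["enc"] >= sent
            and a["dec"] - b["dec"] >= sent
            and a["enc_drop"] == b["enc_drop"]
            and a["dec_drop"] == b["dec_drop"])
```

A tunnel that reports UP-ACTIVE but whose counters stay at zero after the ping usually means the PBR route-map is not applied to the interface carrying the test traffic.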
