Interface and Hardware Component Configuration Guide for Cisco NCS 6000 Series Routers, IOS XR Release 7.4.x - Configuring Tunnel Interfaces [Cisco IOS XR Software Release 7.4] (2024)

Tunneling provides a way to encapsulate arbitrary packets inside of a transport protocol. This feature is implemented as a virtual interface to provide a simple interface for configuration. The tunnel interfaces are not tied to specific “passenger” or “transport” protocols, but, rather, they represent an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. Because supported tunnels are point-to-point links, you must configure a separate tunnel for each link.

There are three necessary steps in configuring a tunnel interface:

1. Specify the tunnel interface—interface tunnel-ipsec identifier
2. Configure the tunnel source—tunnel source {ip-address | interface-id }
3. Configure the tunnel destination—tunnel destination {ip-address | tunnel-id }

Virtual interface names never use the physical interface naming notation rack/slot/module/port for identifying an interface’s rack, slot, module, and port, because they are not tied to any physical interface or subinterface.

Virtual interfaces use a globally unique numerical identifier (per virtual interface type).

Examples of naming notation for virtual interfaces:

Interface IP-Address Status ProtocolLoopback0 10.9.0.0 Up UpLoopback10 10.7.0.0 Up UpTunnel-TE5000 172.18.189.38 Down DownNull10 10.8.0.0 Up Up

IPSec (IP security) is a framework of open standards for ensuring secure private communications over the Internet. It can be used to support Virtual Private Network (VPN), firewalls, and other applications that must transfer data across a public or insecure network. The router IPSec protocol suite provides a set of standards that are used to provide privacy, integrity, and authentication service at the IP layer. The IPSec protocol suite also includes cryptographic techniques to support the key management requirements of the network-layer security.

When IPSec is used, there is no need to use Secure Shell (SSH) or Secure Socket Layer (SSL). Their use causes the same data to be encrypted or decrypted twice, which creates unnecessary overhead. The IPSec daemon is running on both the RPs and the DRPs. IPSec is an optional feature on the router. IPSec is a good choice for a user who has multiple applications that require secure transport. On the client side, customers can use “Cisco VPN 3000 Client” or any other third-party IPSec client software to build IPSec VPN.

Note

IPSec tunnel exists in the control plane, so you do not have to bring up or bring down the tunnel. Entry into the IPSec tunnel is only for locally sourced traffic from the RP or DRP, and is dictated by the access control lists (ACL) configured as a part of the profile that is applied to the Tunnel-IPSec.

A profile is entered from interface configuration submode for interface tunnel-ipsec. For example:

interface tunnel-ipsec 30 profile <profile name>

Crypto profile sets must be configured and applied to tunnel interfaces (or to the crypto IPSec transport). For IPSec to succeed between two IPSec peers, the crypto profile entries of both peers must contain compatible configuration statements.

Two peers that try to establish a security association must each have at least one crypto profile entry that is compatible with one of the other peer's crypto profile entries. For two crypto profile entries to be compatible, they must at least meet the following criteria:

• They must contain compatible crypto access lists. In the case where the responding peer is using dynamic crypto profiles, the entries in the local crypto access list must be “permitted” by the peer's crypto access list.
• They must each identify the other peer (unless the responding peer is using dynamic crypto profiles).
• They must have at least one transform set in common.

Note	Crypto profiles cannot be shared; that is, the same profile cannot be attached to multiple interfaces.

SUMMARY STEPS

1. configure
2. interface tunnel-ipsec identifier
3. profile profile-name
4. tunnel source {ip-address | interface-id }
5. tunnel destination {ip-address | tunnel-id }
6. Do one of the following:

• end
• commit

DETAILED STEPS

RP/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# interface tunnel-ipsec 30

RP/0/RP0/CPU0:router(config-if)# profile user1

RP/0/RP0/CPU0:router(config-if)# tunnel source Ethernet0/1/1/2

RP/0/RP0/CPU0:router(config-if)# tunnel destination 192.168.164.19

RP/0/RP0/CPU0:router(config-if)# end

RP/0/RP0/CPU0:router(config-if)# commit

Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:

RP/0/RP0/CPU0:router# show ip route

This example shows the process of creating and applying a profile to an IPSec tunnel. The necessary preliminary steps are also shown. You must first define a transform set and then create a profile before configuring the IPSec tunnel.

RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto ipsec transform-set tset1RP/0/RP0/CPU0:router(configtransform-set tset1)# transform esp-sha-hmacRP/0/RP0/CPU0:router(config-transform-set tset1)# endUncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]: yes

RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto ipsec profile user1RP/0/RP0/CPU0:router(config-user1)# match sampleac1 transform-set tset1RP/0/RP0/CPU0:router(config-user1)# set pfs group5RP/0/RP0/CPU0:router(config-user1)# set type dynamicRP/0/RP0/CPU0:router(config-user1)# exit

RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# interface tunnel-ipsec 30RP/0/RP0/CPU0:router(config-if)# profile user1RP/0/RP0/CPU0:router(config-if)# tunnel source MgmtEth 0/RP0/CPU0/0RP/0/RP0/CPU0:router(config-if)# tunnel destination 192.168.164.19RP/0/RP0/CPU0:router(config-if)# endUncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]: yes