IPsec/IKEv2 between Cisco CSR 1000v and OpenIKED

Recently, as part of an important lab, I set up an IPsec site-to-site tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED. The latter not only terminates a GRE/IP tunnel, but also provides global internet connectivity through NAT/PAT. The intent is to secure the GRE traffic between the two devices, which are located at two different sites and are reachable across the internet. The Cisco CSR 1000v instance is also behind NAT, so the configuration is slightly more complex than what we may be used to and requires the use of IPsec tunnel mode and the NAT-T capability. To establish the secure IPsec sessions, I decided to use the latest iteration of the Internet Key Exchange protocol, namely IKEv2.


Did you know? IS-IS Minimum MTU

I recently came across the fact that my favorite IGP, the Intermediate System to Intermediate System (IS-IS) routing protocol, has strict requirements regarding the minimum MTU of a link. In fact, for your adjacency to come up, the IS-IS link's maximum transmission unit (MTU) must be at least 1492 bytes.


QoS: Differentiated Services Model

I cannot cover Diffserv without mentioning its predecessor, the Integrated Services model, or Intserv. The latter never saw global deployment because of scalability issues inherent in its architectural design. The idea behind Intserv was to provide end-to-end QoS guarantees to applications like voice, video and conferencing.
