IPsec/IKEv2 between Cisco CSR 1000v and OpenIKED

Recently, as part of an important lab, I set up an IPsec site-to-site tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED. The latter not only terminates a GRE/IP tunnel, but also provides global internet connectivity through NAT/PAT. The intent is to secure the GRE traffic between the two devices, which are located at two different sites and are reachable across the internet. The Cisco CSR 1000v instance is also behind NAT, so the configuration is slightly more complex than what we may be used to and requires the use of IPsec tunnel mode and the NAT-T capability. To establish the secure IPsec sessions, I decided to use the latest iteration of the Internet Key Exchange protocol, namely IKEv2.
