Product Documentation

Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device

Feb 03, 2016

You can configure a CloudBridge Connector tunnel between a NetScaler appliance and a Cisco device to connect two datacenters or extend your network to a Cloud provider. The NetScaler appliance and the Cisco IOS device form the end points of the CloudBridge Connector tunnel and are called peers.

Example of CloudBridge Connector Tunnel Configuration and Data Flow

As an illustration of the traffic flow in a CloudBridge Connector tunnel, consider an example in which a CloudBridge Connector tunnel is set up between the following devices:

  • NetScaler appliance NS_Appliance-1 in a datacenter designated as Datacenter-1
  • Cisco IOS device Cisco-IOS-Device-1 in a datacenter designated as Datacenter-2

NS_Appliance-1 and Cisco-IOS-Device-1 enable communication between private networks in Datacenter-1 and Datacenter-2 through the CloudBridge Connector tunnel. In the example, NS_Appliance-1 and Cisco-IOS-Device-1 enable communication between client CL1 in Datacenter-1 and server S1 in Datacenter-2 through the CloudBridge Connector tunnel. Client CL1 and server S1 are on different private networks.

On NS_Appliance-1, the CloudBridge Connector tunnel configuration includes IPSec profile entity NS_Cisco_IPSec_Profile, CloudBridge Connector tunnel entity NS_Cisco_Tunnel, and policy based routing (PBR) entity NS_Cisco_Pbr.

localized image

The following table lists the settings used in this example.

Entity

Name

Details

Main settings of the CloudBridge Connector tunnel setup

IP address of the CloudBridge Connector tunnel end point (NS_Appliance-1) in Datacenter-1

 198.51.100.100

IP address of the CloudBridge Connector tunnel end point (Cisco-IOS-Device-1) in Datacenter-2

 203.0.113.200

Datacenter–1’s subnet whose traffic is to be protected over the CloudBridge Connector tunnel

 10.102.147.0/24

Datacenter–2’s subnet whose traffic is to be protected over the CloudBridge Connector tunnel

 10.20.20.0/24

 

Settings on NetScaler appliance NS_Appliance-1 in Datacenter-1

 

SNIP1(for reference purposes only)

 198.51.100.100

IPSec profile

  • NS_Cisco_IPSec_Profile
  • IKE version: v1
  • Encryption algorithm = 3DES
  • Hash algorithm = HMAC_SHA256
  • psk = examplepresharedkey  (Note: This is an example of a pre-share key, for illustration. Do not use this string in your CloudBridge Connector configuration)

CloudBridge Connector tunnel

NS_Cisco_Tunnel

  • Remote IP = 203.0.113.200
  • Local IP= 198.51.100.100
  • Tunnel protocol = IPSec (IPSec in tunnel mode)
  • IPSec profile= NS_Cisco_IPSec_Profile

Policy based route

NS_Cisco_Pbr

  • Source IP range = Subnet in the Datacenter-1=10.102.147.0-10.102.147.255
  • Destination IP range = Subnet in Datacenter-2 = 10.20.20.0-10.20.20.255
  • IP Tunnel = NS_Cisco_Tunnel

 

Settings on Cisco IOS device Cisco-IOS-Device-1 in Datacenter-2

IKE policy

 

 

  • Priority: 1
  • Encryption algorithm: 3des
  • Hash algorithm: sha256
  • Authentication: pre-share
  • Diffie-Hellman group identifier: 2 (1024-bit Diffie-Hellman group) 

 

Pre-share key  

 

 

  • Key string: examplepresharedkey (Note: This is an example of a pre-share key, for illustration. Do not use this string in your CloudBridge Connector configuration)
  • Peer address: 198.51.100.100 (IP address of type SNIP configured on NS_Appliance-1)

 

Crypto IPSec Transform Set

 

NS-CISCO-TS

  • ESP Authentication: esp-sha256-hmac 
  • ESP Encryption Algorithm: esp-3des
  • Mode: tunnel

 

Crypto access list

 

 

111

 

  • Source: 10.20.20.0  (Subnet in the Datacenter-1)
  • Source wildcard: 0.0.0.255
  • Destination: 10.102.147.0 (Subnet in the Datacenter-2)
  • Destination Wildcard: 0.0.0.255

 

Crypto Map

 

 

NS-CISCO-CM

 

  • Peer address: 198.51.100.100 (IP address of type SNIP configured on NS_Appliance-1)
  • Crypto access list: 111
  • Crypto transform set: NS-CISCO-TS 

 

Associated Interface for the CloudBridge Connector tunnel

Gigabit Ethernet 0/1

 

  • IP address: 203.0.113.200
  • Crypto map: NS-CISCO-CM

 


Following is the traffic flow in the CloudBridge Connector tunnel:

  1. Client C1 sends a request to server S1.
  2. The request packet is received by NS_Appliance-1. The request packet matches the condition in PBR entity NS_Cisco_Pbr, because the source IP address and the destination IP address of the request packet are in the source IP range and destination IP range specified in NS_Cisco_Pbr.
  3. Because CloudBridge Connector tunnel entity NS_Cisco_Tunnel is bound to NS_Cisco_Pbr, the appliance prepares the packet to be sent across the NS_Cisco_Tunnel.
  4. IPSec’s Encapsulating Security Payload (ESP) protocol encrypts the request packet and then attaches an ESP header and an ESP trailer to the encrypted IP packet.  The IPSec protocol encapsulates the resulting packet by adding an IP header before the ESP header. The destination address in the IP header is the IP address of Cisco-IOS-Device-1, and the source address is the SNIP1 address of NS_Appliance-1.
  5. The resulting packet is sent to Cisco-IOS-Device-1.
  6. Cisco-IOS-Device-1, upon receiving the packet from NS_Appliance-1, decapsulates the packet by removing the IPSec IP header, decrypts the packet, and then removes the ESP header and ESP trailer. The resulting packet is the same packet as the one received by NS_Appliance-1 in step 2. This packet has the destination IP address set to the IP address of server S1.
  7. Cisco-IOS-Device-1 forwards this packet to server S1.
  8. S1 processes the request packet and sends a response packet. The destination IP address in the response packet is the IP address of client CL1, and the source IP address is the IP address of server S1.
  9. The response packet reaches Cisco-IOS-Device-1. The IPSec protocol in Cisco-IOS-Device-1 encrypts and encapsulates the response packet.
  10. Cisco-IOS-Device-1 sends the resulting packet to NS_Appliance-1.
  11. NS_Appliance-1, upon receiving the packet from Cisco-IOS-Device-1, decapsulates and decrypts the packet. The resulting packet is the same packet that was received by Cisco-IOS-Device-1 in step 9. This response packet has the destination IP address set to the IP address of server CL1.
  12. NS_Appliance-1 forwards the response packet to client CL1.

Points to Consider for a CloudBridge Connector Tunnel Configuration

Before configuring a CloudBridge Connector tunnel between a NetScaler appliance and a Cisco IOS device, consider the following points:

  • The following IPSec settings are supported for a CloudBridge Connector tunnel between a NetScaler appliance and a Cisco IOS device.                  

IPSec Properties

Setting

IPSec mode

 Tunnel mode

IKE version

 Version 1

IKE authentication method

 Pre-Shared Key

IKE encryption algorithm

  • AES
  • 3DES

IKE hash algorithm

  • HMAC SHA1
  • HMAC SHA256
  • HMAC SHA384
  • HMAC SHA512
  • HMAC MD5

ESP encryption algorithm

  • AES
  • 3DES

ESP hash algorithm

  • HMAC SHA1
  • HMAC SHA256
  • HMAC SHA256
  • HMAC SHA256
  • HMAC MD5

 

  • You must specify the same IPSec settings on the NetScaler appliance and the Cisco IOS device at the two ends of the CloudBridge Connector.
  • NetScaler provides a common parameter (in IPSec profiles) for specifying an IKE hash algorithm and an ESP hash algorithm. It also provides another, and a common parameter for specifying an IKE encryption algorithm and an ESP encryption algorithm.  Therefore on the Cisco device, you must specify the same hash algorithm and same encryption algorithm for IKE (while creating IKE policy) and ESP (while creating IPSec transform set).
  • You must configure the firewall at the NetScaler end and Cisco device end to allow the following.
    • Any UDP packets for port 500
    • Any UDP packets for port 4500
    • Any ESP (IP protocol number 50) packets

Configuring Cisco IOS device for the CloudBridge Connector Tunnel

To configure a CloudBridge Connector tunnel on a Cisco IOS device, use the Cisco IOS command line interface, which is the primary user interface for configuring, monitoring, and maintaining Cisco devices. 

Before you begin the CloudBridge Connector tunnel configuration on a Cisco IOS device, make sure that:

  • You have a user account with administrator credentials on the Cisco IOS device.
  • You are familiar with the Cisco IOS command line interface.
  • The Cisco IOS device is UP and running, is connected to the Internet, and is also connected to the private subnets whose traffic is to be protected over the CloudBridge Connector tunnel.

Note: The procedures for configuring CloudBridge Connector tunnel on a Cisco IOS device might change over time, depending on the Cisco release cycle. Citrix recommends that you follow the official Cisco product documention for Configuring IPSec VPN tunnels, at:

To configure a CloudBridge connector tunnel between a NetScaler appliance and a Cisco IOS device, perform the following tasks on the Cisco device’s IOS command line:

  • Create an IKE Policy. An IKE policy defines a combination of security parameters to be used during the IKE negotiation. For example, parameters such as hash algorithm, encryption algorithm, Diffie-Hellman group, and authentication method to be used in the IKE negotiation are set in this task.
  • Configure a Pre-shared key for IKE authentication. A pre-shared key is a text string, which the peers of a CloudBridge Connector tunnel use to mutually authenticate with each other.  The pre-shared keys are matched against each other for IKE authentication. Therefore, for the authentication to be successful, you must configure the same pre-shared key on the Cisco device and the NetScaler appliance.
  • Define a transform set and configure IPSec in tunnel mode. A transform set defines a combination of security parameters to be used in the exchange of data over the CloudBridge Connector tunnel after the IKE negotiation is successful.  Parameters such as hash algorithm and encryption algorithm are set in this task. This task also specifies that IPSec in tunnel mode be used for the CloudBridge tunnel.
  • Create a crypto access List. Crypto access lists are used to define the subnets whose IP traffic will be protected over the CloudBridge tunnel. The source and destination parameters in the access list specify the Cisco device side and NetScaler side subnets that are to be protected over the CloudBridge Connector Tunnel. The access list must be set to permit. Any request packet that originates from a device in the Cisco device side subnet and is destined to a device in the NetScaler side subnet, and that matches the source and destination parameters of the access list, is sent across the CloudBridge Connector tunnel.
  • Create a crypto map. Crypto maps define the IPSec parameters to be negotiated with peer. They include the following: Crypto access list to identify the subnets whose traffic is to be protected over the CloudBridge tunnel, peer (NetScaler) identification by IP address, and transform set to match the peer security settings.
  • Apply the crypto Map to an interface. In this task, you apply a crypto map to an interface through which CloudBridge Connector tunnel traffic will flow. Applying the crypto map to an interface instructs the Cisco IOS device to evaluate all the interface traffic against the crypto map set, and to use the specified policy during connection or SA negotiation on behalf of subnet’s traffic to be protected.
The examples in the following procedures create settings of Cisco IOS device Cisco-IOS-Device-1 used in "Example of CloudBridge Connector Configuration and Data Flow."
 

To create an IKE policy by using the Cisco IOS command line

At the Cisco IOS device’s command prompt, type the following commands, starting in global configuration mode, in the order shown:

Command

Example

Command Description

crypto isakmp policy priority

 

Cisco-ios-device-1(config)# crypto isakmp policy 1

Enter config-isakmp command mode and identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) This example configures policy 1.

 

encryption (3des| aes)

 

 

Cisco-ios-device-1 (config-isakmp)# encryption 3des

Specify the encryption algorithm. This example configures the 3DES algorithm.

hash (sha| sha256| sha384| md5)

 

Cisco-ios-device-1 (config-isakmp)# hash sha256

Specify the hash algorithm. This example configures SHA256.

authentication  pre-share

Cisco-ios-device-1 (config-isakmp)# authentication  pre-share

Specify the pre-share authentication method.

Note: RSA encrypted nonces (rsa-encr), RSA signatures (rsa-slg), and digital certificate authentication methods are not supported.

group 2

Cisco-ios-device-1 (config-isakmp)# group 1

Specify 1024-bit Diffie-Hellman group identifier (2).

lifetime seconds

Cisco-ios-device-1 (config-isakmp)# lifetime 86400

Specify the security association's lifetime in seconds. This example configures 86400 seconds (one day).

exit

Cisco-ios-device-1 (config-isakmp)# exit

Cisco-ios-device-1 (config)#

Exit back to global configuration mode.

 

To configure a pre-shared key by using the Cisco IOS command line

At the Cisco IOS device’s command prompt, type the following commands, starting in global configuration mode, in the order shown:

Command

Example

Command Description

crypto isakmp identity address

Cisco-ios-device-1(config)# crypto isakmp identity address

 

Specify the ISAKMP identity (address) for the Cisco IOS device to use when communicating with the peer (NetScaler appliance) during IKE negotiations.

This example specifies the address keyword, which uses IP address 203.0.113.200 (Gigabit Ethernet interface 0/1 of Cisco-IOS-Device-1) as the identity for the device.

 

crypto isakmp key keystring address peer-address

 

Cisco-ios-device-1 (config)# crypto isakmp key examplepresharedkey address 198.51.100.100

 

Specify a pre-shared key for the IKE authentication. This example configures shared key examplepresharedkey to be used with the NetScaler appliance NS_Appliance-1 (198.51.100.100).

The same pre-shared key must be configured on the NetScaler appliance for IKE authentication to be successful between the Cisco IOS device and the NetScaler appliance.

To create a crypto access list by using the Cisco IOS command line

At the Cisco IOS device’s command prompt, type the following command in global configuration mode, in the order shown:

Command

Example

Command Description

access-list access-list-number permit IP source source-wildcard destination destination-wildcard

 

Cisco-ios-device-1(config)# access-list 111 permit ip 10.20.20.0 0.0.0.255 10.102.147.0 0.0.0.255

 

Specify conditions to determine the subnets whose IP traffic is to be protected over the CloudBridge Connector tunnel.

This example configures access list 111 to protect traffic from subnets 10.20.20.0/24 (at the Cisco-IOS-Device-1 side) and 10.102.147.0/24 (at the NS_Appliance-1 side).

 

To define a transform and configure IPSec tunnel mode by using the Cisco IOS command line

At the Cisco IOS device’s command prompt, type the following commands, starting in global configuration mode, in the order shown:

Command

Example

Command Description

crypto ipsec transform-set name ESP_Authentication _Transform ESP_Encryption_Transform

Note: ESP_Authentication _Transform can take the following values:

  • esp-sha-hmac
  • esp-sha256-hmac
  • esp-sha384-hmac
  • esp-sha512-hmac
  • esp-md5-hmac

ESP_Encryption_Transform can take the following values:

  • esp-aes
  • esp-3des

 

Cisco-ios-device-1(config)# crypto ipsec transform-set NS-CISCO-TS esp-sha256-hmac  esp-3des

 

 

Define a transform set and specify the ESP hash algorithm (for authentication) and the ESP encryption algorithm to be used during exchange of data between the CloudBridge Connector tunnel peers.

This example defines transform set NS-CISCO-TS and specifies ESP authentication algorithm as esp-sha256-hmac, and ESP encryption algorithm as esp-3des.

 

mode tunnel

Cisco-ios-device-1 (config-crypto-trans)# mode tunnel

 

Set IPSec in tunnel mode.

exit

Cisco-ios-device-1 (config-crypto-trans)# exit

Cisco-ios-device-1 (config)#

Exit back to global configuration mode.

 

To create a crypto map by using the Cisco IOS command line

At the Cisco IOS device’s command prompt, type the following commands starting in global configuration mode, in the order shown:

Command

Example

Command Description

crypto map map-name seq-num ipsec-isakmp

Cisco-ios-device-1 (config)# crypto map NS-CISCO-CM 2  ipsec-isakmp

 

 

 

Enter crypto map configuration mode, specify a sequence number for the crypto map, and configure the crypto map to use IKE to establish security associations (SAs). This example configures sequence number 2 and IKE for crypto map NS-CISCO-CM.

 

set peer ip-address

 

Cisco-ios-device-1 (config-crypto-map)# set peer  172.23.2.7

 

 

Specify the peer (NetScaler appliance) by its IP address. This example specifies 198.51.100.100, which is the CloudBridge Connector endpoint IP address on the NetScaler appliance.

 

match address access-list-id

Cisco-ios-device-1 (config-crypto-map)# match address 111

 

Specify an extended access list. This access list specifies conditions to determine the subnets whose IP traffic is to be protected over the CloudBridge Connector tunnel. This example specifies access list 111.

 

set transform-set transform-set-name

 

Cisco-ios-device-1 (config-crypto-map)# set transform-set NS-CISCO-TS

 

Specify which transform sets are allowed for this crypto map entry. This example specifies transform set NS-CISCO-TS.

 

 

exit

Cisco-ios-device-1 (config-crypto-map)# exit

Cisco-ios-device-1 (config)#

Exit back to global configuration mode.

 

To apply a crypto map to an interface by using the Cisco IOS command line

At the Cisco IOS device’s command prompt, type the following commands starting in global configuration mode, in the order shown:

Command

Example

Command Description

interface interface-ID

Cisco-ios-device-1(config)# interface GigabitEthernet 0/1

 

 

Specify a physical interface to which to apply the crypto map and enter interface configuration mode.

This example specifies Gigabit Ethernet interface 0/1 of the Cisco device Cisco-IOS-Device-1. IP address 203.0.113.200 is already set to this interface.

 

crypto map map-name

Cisco-ios-device-1 (config-if)# crypto map NS-CISCO-CM

 

 

Apply the crypto map to the physical interface. This example applies crypto map NS-CISCO-CM.

exit

Cisco-ios-device-1 (config-if)# exit

Cisco-ios-device-1 (config)#

Exit back to global configuration mode.

 

Configuring the NetScaler Appliance for the CloudBridge Connector Tunnel

To configure a CloudBridge Connector tunnel between a NetScaler appliance and a Cisco IOS device, perform the following tasks on the NetScaler appliance. You can use either the NetScaler command line or the NetScaler graphical user interface (GUI):

  • Create an IPSec profile. An IPSec profile entity specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, hash algorithm, and authentication method (Pre-Shared key) to be used by the IPSec protocol in the CloudBridge Connector tunnel.
  • Create an IP tunnel that uses IPSec protocol, and associate the IPSec profile with it. An IP tunnel specifies the local IP address (CloudBridge Connector tunnel end point IP address (of type SNIP) configured on the NetScaler appliance), remote IP address (CloudBridge Connector tunnel endpoint IP address configured on the Cisco IOS device), protocol (IPSec) used to set up the CloudBridge Connector tunnel, and an IPSec profile entity. The created IP tunnel entity is also called the CloudBridge Connector tunnel entity.
  • Create a PBR rule and associate it with the IP tunnel. A PBR entity specifies a set of rules and an IP tunnel (CloudBridge Connector tunnel) entity. The source IP address range and the destination IP address range are the conditions for the PBR entity. Set the source IP address range to specify the NetScaler-side subnet whose traffic is to be protected over the tunnel, and set the destination IP address range to specify the Cisco IOS device side subnet whose traffic is to be protected over the tunnel. Any request packet that originates from a client in the subnet on the NetScaler side and is destined to a server in the Cisco IOS device side subnet, and matches the source and destination IP range of the PBR entity, is sent across the CloudBridge Connector tunnel associated with the PBR entity. Apply the PBR rule to make it functional.

To create an IPSEC profile by using the NetScaler command line

At the Command prompt, type:

  • add ipsec profile <name> -psk <string> -ikeVersion v1

To create an IPSEC tunnel and bind the IPSEC profile to it by using the NetScaler command line

At the Command prompt, type:

  • add ipTunnel <name> <remote> <remoteSubnetMask> <local> -protocol IPSEC –ipsecProfileName <string>

To create a PBR rule and bind the IPSEC tunnel to it by using the NetScaler command line

At the Command prompt, type:

  • add pbr <pbrName> ALLOW –srcIP <subnet-range> -destIP <subnet-range> -ipTunnel <tunnelName>
  • apply pbrs
Sample Configuration 複製

The following commands create settings of NetScaler appliance NS_Appliance-1 in "Example of CloudBridge Connector Configuration and Data Flow."

>  add ipsec profile NS_Cisco_IPSec_Profile -psk  examplepresharedkey -ikeVersion v1 –lifetime 315360 –encAlgo 3DES

Done 

>  add iptunnel NS_Cisco_Tunnel 203.0.113.200 255.255.255.255 198.51.100.100 –protocol IPSEC –ipsecProfileName NS_Cisco_IPSec_Profile  
Done 

> add pbr NS_Cisco_Pbr -srcIP 10.102.147.0-10.102.147.255 –destIP 10.20.0.0-10.20.255.255 –ipTunnel NS_Cisco_Tunnel  
Done 

> apply pbrs 
Done 

To create an IPSEC profile by using the configuration utility

  1. Navigate to System > CloudBridge Connector > IPSec Profile.
  2. In the details pane, click Add.
  3. In the Add IPSec Profile dialog box, set the following parameters:

    • Name
    • Encryption Algorithm
    • Hash Algorithm
    • IKE Protocol Version
  4. Configure the IPSec authentication method to be used by the two CloudBridge Connector tunnel peers to mutually authenticate: Select the Pre-shared key authentication method and set the Pre-Shared Key Exists parameter.
  5. Click Create, and then click Close.

To create an IP tunnel and bind the IPSEC profile to it by using the NetScaler GUI

  1. Navigate to System > CloudBridge Connector > IP Tunnels.
  2. On the IPv4 Tunnels tab, click Add.
  3. In the Add IP Tunnel dialog box, set the following parameters:

    • Name
    • Remote IP
    • Remote Mask
    • Local IP Type (In the Local IP Type drop down list, select Subnet IP).
    • Local IP (All the configured IPs of the selected IP type are in the Local IP drop down list. Select the desired IP from the list.)
    • Protocol
    • IPSec Profile
  4. Click Create, and then click Close.

To create a PBR rule and bind the IPSEC tunnel to it by using the NetScaler GUI

  1. Navigate to System > Network > PBR.
  2. On the PBR tab, click Add.
  3. In the Create PBR dialog box, set the following parameters:
    • Name
    • Action
    • Next Hop Type (Select IP Tunnel)
    • IP Tunnel Name
    • Source IP Low
    • Source IP High
    • Destination IP Low
    • Destination IP High

4.  Click Create, and then click Close.

To apply a PBR by using the NetScaler GUI

  1. Navigate to System > Network > PBRs.
  2. On the PBRs tab, select the PBR, in the Action list, select Apply.
The corresponding new CloudBridge Connector tunnel configuration on the NetScaler appliance appears in the configuration utility. The current status of the CloudBridge connector tunnel is shown in the Configured CloudBridge Connector pane. A green dot indicates that the tunnel is up. A red dot indicates that the tunnel is down.

 

Monitoring the CloudBridge Connector Tunnel

You can view statistics for monitoring the performance of a CloudBridge Connector tunnel between a NetScaler appliance and a Cisco IOS device. To view CloudBridge Connector tunnel statistics on the NetScaler appliance, use the NetScaler command line.

The following table lists the statistical counters available for monitoring CloudBridge Connector tunnels on a NetScaler appliance.

Statistical counter

Specifies

Bytes Received

Total number of bytes received by the NetScaler appliance through all the configured CloudBridge Connector tunnels since the appliance was last started.

Bytes Sent

Total number of bytes sent by the NetScaler appliance through all the configured CloudBridge Connector tunnels since the appliance was last started.

Packets Received

Total number of packets received by the NetScaler appliance through all the configured CloudBridge Connector tunnels since the appliance was last started.

Packets Sent

Total number of packets sent by the NetScaler appliance through all the configured CloudBridge Connector tunnels since the appliance was last started.

All these counters are reset to 0 when the NetScaler appliance is restarted. They do not increment during the following phases:

  • Internet Key Exchange (IKE) authentication (pre-shared key) phase on any configured CloudBridge Connector tunnel.
  • IKE Security Association (SA) establishment phase on any configured CloudBridge Connector tunnel.

To display CloudBridge Connector tunnel statistics by using the command line

At the command prompt, type:                                                                                      

  • stat ipsec counters