This article examines how to implement an IPSec VPN on the Cisco IOS XR platform. Implementing IPSec on IOS XR involves a different set of constructs and commands than traditional Cisco IOS, so the familiar crypto-map workflow does not carry over directly.

This article assumes that you have a basic working knowledge of the Cisco IOS XR platform (if not, you can use my previous posts on IOS XR as a reference). We will use the network topology in Fig. 1 to implement an IPSec site-to-site VPN.

Cisco IOS XR supports two types of IPSec deployments:

Software-based IPSec, which uses tunnel-ipsec interfaces or transport mode for locally sourced traffic (traffic that originates from or terminates on the router itself).

Hardware-based IPSec, which uses service-ipsec and service-gre interfaces for transit traffic and relies on IPSec hardware in the chassis. The site-to-site configuration in this article uses this model (interface service-ipsec).

Before starting the technical discussion on IPSec VPN implementations, let’s review some essential IPSec and ISAKMP protocols and algorithms.

Internet Key Exchange (IKE) is used with IPSec to authenticate the peers and to negotiate the security associations (SAs) and keys that protect traffic between them.

IP Security (IPSec) is an open-standard framework that provides layer 3 security services. It relies on IKE to negotiate protocols, algorithms and keys, and then provides data confidentiality and integrity for one or more data flows between the participating peers.

Internet Security Association and Key Management Protocol (ISAKMP) defines the framework (message formats, exchanges and phases) for authenticating peers, negotiating security associations and managing keys; IKE is the key-exchange protocol built on that framework, which is why Cisco configuration uses the two names almost interchangeably.

ISAKMP/IPSec Components

Data Encryption Standard (DES) is a packet data encryption algorithm. Cisco IOS XR supports DES as well as Triple DES (3DES, 168-bit) encryption (as shown in Fig. 2 below). 3DES is considerably stronger than single DES for protecting sensitive information over insecure networks, but single DES (56-bit key) is broken by exhaustive key search and 3DES has since been deprecated by NIST, so neither should be chosen for a new deployment when AES is available.

Advanced Encryption Standard (AES) is a standard for packet data encryption. Cisco IOS XR supports 128-bit, 192-bit, and 256-bit AES keys (as shown in Fig. 2 below); AES is the recommended cipher for both IKE and ESP.

Diffie-Hellman (DH) is a public-key key-agreement algorithm that lets two peers establish a shared secret over an untrusted network; IKE uses it to derive session keys. Cisco IOS XR supports the 768-bit (group 1), 1024-bit (group 2) and 1536-bit (group 5) Diffie-Hellman groups. Groups 1 and 2 are below current recommendations (2048 bits or more), so prefer group 5 where the platform limits you to these three.

Message Digest 5 (MD5) is a hash algorithm used, in its keyed form (HMAC-MD5), to authenticate packet data and verify its integrity. MD5 itself is broken for collisions; HMAC-MD5 is not directly affected by that, but it is deprecated and should not be selected when SHA is available.

Secure Hash Algorithm (SHA) is also a hash algorithm for packet data authentication; HMAC-SHA provides the integrity and authentication check for IPSec data and is the preferred choice.

RSA (Rivest, Shamir, Adleman) is a public-key algorithm. IKE can authenticate peers with RSA signatures (rsa-sig, normally with certificates) or RSA-encrypted nonces (rsa-encr) as alternatives to pre-shared keys.

As you can see in Fig. 3, Encapsulating Security Payload (ESP) supports both encryption and hash algorithms, while Authentication Header (AH) supports hash algorithms only: AH provides integrity and authentication but no confidentiality.

Steps to Implement IPSec VPN on IOS XR

Step 1. Enable ISAKMP and configure ISAKMP policy

Multiple IKE policies can be configured on an IOS XR device, each with a different combination of parameter values (a lower policy number has higher priority). For the phase-1 negotiation to succeed, the remote peer must have a policy whose encryption, hash, authentication and Diffie-Hellman group values match one of the local policies; the highest-priority matching pair is used.

ISAKMP activation and policy design on router XR1:

RP/0/0/CPU0:xr1(config)# crypto isakmp    /* Enables ISAKMP on the IOS XR device.
RP/0/0/CPU0:xr1(config)# crypto isakmp policy 12
RP/0/0/CPU0:xr1(config-isakmp)# authentication pre-share
RP/0/0/CPU0:xr1(config-isakmp)# group 2
RP/0/0/CPU0:xr1(config-isakmp)# encryption 3des
RP/0/0/CPU0:xr1(config-isakmp)# exit

On XR2:

RP/0/0/CPU0:xr2(config)# crypto isakmp
RP/0/0/CPU0:xr2(config)# crypto isakmp policy 12
RP/0/0/CPU0:xr2(config-isakmp)# authentication pre-share
RP/0/0/CPU0:xr2(config-isakmp)# group 2
RP/0/0/CPU0:xr2(config-isakmp)# encryption 3des
RP/0/0/CPU0:xr2(config-isakmp)# exit

To verify ISAKMP activation on an IOS XR device, use “show crypto isakmp”; you will get the output shown in Fig. 4:

Next, configure a keyring so that the remote site's IKE negotiation is authenticated with a pre-shared key. A short dictionary word like the sample key below is easy to guess; in production use a long random string and a distinct key per peer.

Key configuration on XR1:

RP/0/0/CPU0:xr1(config)#crypto keyring AB 
RP/0/0/CPU0:xr1(config-keyring)# pre-shared-key address key infosec
RP/0/0/CPU0:xr1(config-keyring)# exit

Key configuration on XR2:

RP/0/0/CPU0:xr2(config)#crypto keyring AB 
RP/0/0/CPU0:xr2(config-keyring)# pre-shared-key address key infosec
RP/0/0/CPU0:xr2(config-keyring)# exit

To verify ISAKMP pre shared key configuration on an IOS XR device, use “show crypto isakmp key”.

Step 2. Create IPSec Transform-set and profile

An IPSec transform-set defines the encryption and hash algorithms used to protect the data. In IOS XR, crypto profiles replace the legacy crypto maps of classic IOS.

IPSec transform-set on XR1:

RP/0/0/CPU0:xr1(config)# crypto ipsec transform-set myts1
RP/0/0/CPU0:xr1(config-transform-set myts1)# transform esp-aes esp-sha-hmac
RP/0/0/CPU0:xr1(config-transform-set myts1)# mode tunnel
RP/0/0/CPU0:xr1(config-transform-set myts1)# exit

IPSec transform-set on XR2:

RP/0/0/CPU0:xr2(config)# crypto ipsec transform-set myts1
RP/0/0/CPU0:xr2(config-transform-set myts1)# transform esp-aes esp-sha-hmac
RP/0/0/CPU0:xr2(config-transform-set myts1)# mode tunnel
RP/0/0/CPU0:xr2(config-transform-set myts1)# exit

Define an access control list (ACL) that selects the traffic to be encrypted by the IPSec VPN (the "interesting traffic"). Keep it as narrow as the design allows: a bare permit ipv4 any any would push all transit traffic into the tunnel.

ACL configuration on XR1:

RP/0/0/CPU0:xr1(config)#ipv4 access-list ipsec-s2s
RP/0/0/CPU0:xr1(config-ipv4-acl)# 10 permit ipv4

ACL configuration on XR2:

RP/0/0/CPU0:xr2(config)#ipv4 access-list ipsec-s2s
RP/0/0/CPU0:xr2(config-ipv4-acl)# 10 permit ipv4

Now create a crypto profile that ties the ACL and the transform-set together: the ACL selects the traffic and the transform-set defines how that traffic is protected. Since our transform-set uses “esp-aes esp-sha-hmac”, all matched traffic will be encrypted with AES and authenticated with HMAC-SHA. The optional “reverse-route” command (reverse route injection) installs a static route for the ACL's destination addresses pointing to the service virtual interface; if you configure that static route manually instead, it is not needed, which is why it is optional in site-to-site configurations.

IPSec profile on XR1:

RP/0/0/CPU0:xr1(config)# crypto ipsec profile SiteAB
RP/0/0/CPU0:xr1(config-SiteAB)# set pfs group2
RP/0/0/CPU0:xr1(config-SiteAB)# match ipsec-s2s transform-set myts1
RP/0/0/CPU0:xr1(config-SiteAB)# exit

IPSec profile on XR2:

RP/0/0/CPU0:xr2(config)# crypto ipsec profile SiteAB
RP/0/0/CPU0:xr2(config-SiteAB)# set pfs group2
RP/0/0/CPU0:xr2(config-SiteAB)# match ipsec-s2s transform-set myts1
RP/0/0/CPU0:xr2(config-SiteAB)# exit

Step 3. Configure IPSec service virtual interface (SVI)

The IPSec service virtual interface (SVI here means service virtual interface, not a switch virtual interface) can be configured as either “service-ipsec” or “service-gre”. If the mode in the IPSec transform-set is tunnel, use “interface service-ipsec”; if “transport” mode is configured (GRE over IPSec), use “interface service-gre”.

Interface service-ipsec configuration on router XR1:

RP/0/0/CPU0:xr1(config)# interface service-ipsec 12  /* Here “12” is the interface ID.
RP/0/0/CPU0:xr1(config-if)# ipv4 address
RP/0/0/CPU0:xr1(config-if)# profile SiteAB
RP/0/0/CPU0:xr1(config-if)# tunnel source
RP/0/0/CPU0:xr1(config-if)# tunnel destination
RP/0/0/CPU0:xr1(config-if)# service-location preferred-active 0/0/0  /* The physical location (rack/slot/module) of the IPSec hardware on which this SVI should run.
RP/0/0/CPU0:xr1(config-if)# exit

Interface service-ipsec configuration on router XR2:

RP/0/0/CPU0:xr2(config)# interface service-ipsec 12  /* Here “12” is the interface ID.
RP/0/0/CPU0:xr2(config-if)# ipv4 address
RP/0/0/CPU0:xr2(config-if)# profile SiteAB
RP/0/0/CPU0:xr2(config-if)# tunnel source
RP/0/0/CPU0:xr2(config-if)# tunnel destination
RP/0/0/CPU0:xr2(config-if)# service-location preferred-active 0/0/0  
RP/0/0/CPU0:xr2(config-if)# exit

Step 4. Configure crypto ISAKMP profile

The ISAKMP profile provides modularity for phase-1 negotiations: it maps a set of ISAKMP parameters (keyring and identity match) to a specific IPSec tunnel, and different tunnels can in turn be mapped to different VPN routing and forwarding (VRF) instances.

ISAKMP profile on XR1:

RP/0/0/CPU0:xr1(config)# crypto isakmp profile ikmp12  /* Here ikmp12 is the ISAKMP profile name.
RP/0/0/CPU0:xr1(config-isa-prof)# keyring AB  /* AB is the keyring defined in Step 1.
RP/0/0/CPU0:xr1(config-isa-prof)# match identity address vrf default
RP/0/0/CPU0:xr1(config-isa-prof)# set interface service-ipsec 12  /* The service-ipsec interface from Step 3.
RP/0/0/CPU0:xr1(config-isa-prof)# exit

ISAKMP profile on XR2:

RP/0/0/CPU0:xr2(config)# crypto isakmp profile ikmp12  /* Here ikmp12 is the ISAKMP profile name.
RP/0/0/CPU0:xr2(config-isa-prof)# keyring AB  /* AB is the keyring defined in Step 1.
RP/0/0/CPU0:xr2(config-isa-prof)# match identity address vrf default
RP/0/0/CPU0:xr2(config-isa-prof)# set interface service-ipsec 12  /* The service-ipsec interface from Step 3.
RP/0/0/CPU0:xr2(config-isa-prof)# exit
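The four steps above, assembled into one complete configuration for both routers, as an added worked example (this is not from the original article or from Cisco documentation). Everything the article left blank is filled with assumed values for illustration: WAN addresses 192.0.2.1 (XR1) and 198.51.100.1 (XR2), LANs 10.1.1.0/24 and 10.2.2.0/24, tunnel addresses 172.16.12.1/30 and 172.16.12.2/30, the key string, and the policy numbers. The command syntax follows the article's own snippets; the "show crypto isakmp sa" and "show crypto ipsec sa" verification commands are not on the page and are assumed to behave as in classic IOS. Where the article chose 3DES, MD5-capable defaults and group 2, this example uses AES-256, SHA and DH group 5, the strongest options the article lists for this platform, and XR2 carries a second, non-matching policy to illustrate the matching rule from Step 1.

```text
! ===== XR1 (site A). Assumed: WAN 192.0.2.1, LAN 10.1.1.0/24; peer XR2 WAN 198.51.100.1, LAN 10.2.2.0/24 =====
RP/0/0/CPU0:xr1(config)# crypto isakmp
RP/0/0/CPU0:xr1(config)# crypto isakmp policy 10
RP/0/0/CPU0:xr1(config-isakmp)# encryption aes 256       /* AES-256 instead of 3des
RP/0/0/CPU0:xr1(config-isakmp)# hash sha                  /* HMAC-SHA instead of md5
RP/0/0/CPU0:xr1(config-isakmp)# authentication pre-share
RP/0/0/CPU0:xr1(config-isakmp)# group 5                   /* 1536-bit DH, the strongest group the article lists
RP/0/0/CPU0:xr1(config-isakmp)# exit
RP/0/0/CPU0:xr1(config)# crypto keyring AB
RP/0/0/CPU0:xr1(config-keyring)# pre-shared-key address 198.51.100.1 key Xk9v2QpL7mW4zR8tN3bH6yJ1   /* assumed key: generate a long random one per peer
RP/0/0/CPU0:xr1(config-keyring)# exit
RP/0/0/CPU0:xr1(config)# crypto ipsec transform-set myts1
RP/0/0/CPU0:xr1(config-transform-set myts1)# transform esp-aes esp-sha-hmac
RP/0/0/CPU0:xr1(config-transform-set myts1)# mode tunnel
RP/0/0/CPU0:xr1(config-transform-set myts1)# exit
RP/0/0/CPU0:xr1(config)# ipv4 access-list ipsec-s2s
RP/0/0/CPU0:xr1(config-ipv4-acl)# 10 permit ipv4 10.1.1.0/24 10.2.2.0/24   /* only LAN-to-LAN traffic enters the tunnel
RP/0/0/CPU0:xr1(config-ipv4-acl)# exit
RP/0/0/CPU0:xr1(config)# crypto ipsec profile SiteAB
RP/0/0/CPU0:xr1(config-SiteAB)# set pfs group5            /* phase-2 PFS with the same group as phase 1
RP/0/0/CPU0:xr1(config-SiteAB)# match ipsec-s2s transform-set myts1
RP/0/0/CPU0:xr1(config-SiteAB)# reverse-route             /* installs 10.2.2.0/24 via service-ipsec 12; omit if you add that static route yourself
RP/0/0/CPU0:xr1(config-SiteAB)# exit
RP/0/0/CPU0:xr1(config)# interface service-ipsec 12
RP/0/0/CPU0:xr1(config-if)# ipv4 address 172.16.12.1 255.255.255.252
RP/0/0/CPU0:xr1(config-if)# profile SiteAB
RP/0/0/CPU0:xr1(config-if)# tunnel source 192.0.2.1
RP/0/0/CPU0:xr1(config-if)# tunnel destination 198.51.100.1
RP/0/0/CPU0:xr1(config-if)# service-location preferred-active 0/0/0
RP/0/0/CPU0:xr1(config-if)# exit
RP/0/0/CPU0:xr1(config)# crypto isakmp profile ikmp12
RP/0/0/CPU0:xr1(config-isa-prof)# keyring AB
RP/0/0/CPU0:xr1(config-isa-prof)# match identity address 198.51.100.1 255.255.255.255 vrf default   /* only this peer may use this profile
RP/0/0/CPU0:xr1(config-isa-prof)# set interface service-ipsec 12
RP/0/0/CPU0:xr1(config-isa-prof)# exit
RP/0/0/CPU0:xr1(config)# commit

! ===== XR2 (site B): identical to XR1 except for the mirrored values below =====
RP/0/0/CPU0:xr2(config)# crypto isakmp policy 10          /* same four values as XR1: this is the pair that gets negotiated
RP/0/0/CPU0:xr2(config-isakmp)# encryption aes 256
RP/0/0/CPU0:xr2(config-isakmp)# hash sha
RP/0/0/CPU0:xr2(config-isakmp)# authentication pre-share
RP/0/0/CPU0:xr2(config-isakmp)# group 5
RP/0/0/CPU0:xr2(config-isakmp)# exit
RP/0/0/CPU0:xr2(config)# crypto isakmp policy 20          /* lower priority; XR1 has no 3des/group 2 policy, so this one is never selected with XR1
RP/0/0/CPU0:xr2(config-isakmp)# encryption 3des
RP/0/0/CPU0:xr2(config-isakmp)# authentication pre-share
RP/0/0/CPU0:xr2(config-isakmp)# group 2
RP/0/0/CPU0:xr2(config-isakmp)# exit
RP/0/0/CPU0:xr2(config-keyring)# pre-shared-key address 192.0.2.1 key Xk9v2QpL7mW4zR8tN3bH6yJ1   /* same key, peer address is XR1
RP/0/0/CPU0:xr2(config-ipv4-acl)# 10 permit ipv4 10.2.2.0/24 10.1.1.0/24     /* mirror image of XR1's ACL
RP/0/0/CPU0:xr2(config-if)# ipv4 address 172.16.12.2 255.255.255.252
RP/0/0/CPU0:xr2(config-if)# tunnel source 198.51.100.1
RP/0/0/CPU0:xr2(config-if)# tunnel destination 192.0.2.1
RP/0/0/CPU0:xr2(config-isa-prof)# match identity address 192.0.2.1 255.255.255.255 vrf default
RP/0/0/CPU0:xr2(config)# commit

! ===== Verification from exec mode, after sending traffic between the two LANs =====
RP/0/0/CPU0:xr1# show crypto isakmp key       /* keyring AB with the peer address 198.51.100.1
RP/0/0/CPU0:xr1# show crypto isakmp sa        /* an established phase-1 SA to 198.51.100.1, negotiated from policy 10
RP/0/0/CPU0:xr1# show crypto ipsec sa         /* phase-2 SA for 10.1.1.0/24 <-> 10.2.2.0/24; encrypt/decrypt counters must rise on both routers
```

If the phase-1 SA never appears, check the four policy values and the pre-shared key first: with the article's 3DES/group 2 policy on one side and only the AES/group 5 policy on the other, the negotiation fails silently at phase 1 exactly as the matching rule in Step 1 predicts. If phase 1 is up but the phase-2 counters stay at zero, the two ACLs are not mirror images of each other or the remote LAN has no route towards service-ipsec 12.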

After completing the above steps, traffic matching the ACL flows between the two sites through the IPSec tunnel. Once you are able to implement an IPSec site-to-site VPN on the IOS XR platform, it should be quite easy for you to implement DMVPN and other VPNs in an IOS XR environment.

I hope this article brings you closer to the ocean of IOS XR implementations. I will continue to explore the edges of IOS XR technologies, but I also want to read your feedback and your experience in the comments section.



Apart from my work experience and knowledge, the following resource helped me a lot in writing this content:

Cisco IOS XR Fundamentals, by Mobeen Tahir, Mark Ghattas, Dawit Birhanu and Syed Natif Nawaz.