The Aviatrix solution takes care of networking, security and network segmentation for workloads deployed in public clouds by deploying a transit networking solution built on Aviatrix transit and spoke gateways. It is a standard, stamp-out (copy/paste and repeat) design that applies to any public cloud (e.g. AWS, GCP, Azure and OCI).

There are situations where you need to connect to 3rd-party devices or services to exchange routes or to provide additional connectivity. These services and devices could be in the public cloud or on-premise. In those situations the Aviatrix transit gateway can also connect to those devices and services in a secure and encrypted fashion (e.g. using L3 IPSec).

Customer Scenario

The following topology demonstrates a scenario where a business is using a Cisco CSR (it could be any service or instance from any vendor that supports IPSec) in the cloud to terminate LISP. By virtue of using LISP, the business is forced into a sub-optimal design where an additional hop is necessary.

Aviatrix Setup

For this setup we assume that you have already deployed a Cisco CSR from the AWS Marketplace and have:

  • Created the Transit VPC and Spoke VPC directly from the Aviatrix Controller UI (no need to log in to the AWS console)
  • Deployed the AVX Transit GW and AVX Spoke GW in their respective VPCs using the Aviatrix Controller UI
  • Followed the Aviatrix Transit Networking workflow to connect to the external 3rd-party device (e.g. Cisco CSR)
    • For external connectivity eBGP is the preferred option, and it is what we are using here
    • If you want to connect to the external device via a static route, that is also possible, but then you have to enable “ActiveMesh” on the Aviatrix Transit and Spoke Gateways first
  • Attached the Spoke VPC to the Transit VPC

Build the IPSec Tunnel From Aviatrix Transit Gateway to Cisco CSR

Configure Aviatrix Controller as shown below

Notice that we are using the default IPSec algorithms. My recommendation is to start with the defaults and change them afterwards if needed.

After you have completed the setup above, an entry appears automatically in the Site2Cloud (S2C) section of the AVX Controller. (The screenshot shows the tunnel UP, which is not correct; the tunnel will be in the down state at this point.)

Click on the name above and download the IPSec config, using Generic as the vendor.
Aviatrix Site2Cloud configuration. 
 This connection has a single IPsec tunnel between customer  gateway and Aviatrix gateway in the cloud.
 Tunnel #1
1: Internet Key Exchange Configuration
 Configure the IKE SA as follows
 Version                  : 1
 Authentication Method    : Pre-Shared Key 
 Pre-Shared Key           : Aviatrix1!
 Encryption Algorithm     : AES-256-CBC
 Authentication Algorithm : SHA-1
 Lifetime                 : 28800 seconds
 Phase 1 Negotiation Mode : main
 Perfect Forward Secrecy  : Diffie-Hellman Group 2
 DPD threshold            : 10 seconds
 DPD retry interval       : 3 seconds
 DPD retry count          : 3 
2: IPSec Configuration
 Configure the IPSec SA as follows:
 Protocol                 : esp
 Authentication Algorithm : hmac-sha1
 Encryption Algorithm     : AES-256-CBC
 Authentication Algorithm : HMAC-SHA-1
 Lifetime                 : 28800 seconds
 Mode                     : tunnel
 Perfect Forward Secrecy  : Diffie-Hellman Group 2 
IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:

 TCP MSS Adjustment       : 1387 bytes
 Clear Don't Fragment Bit : enabled
 Fragmentation            : Before encryption 
3: Tunnel Interface Configuration
 Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. Traffic that should go through the tunnel should be specified by following your gateway's configuration guide, using the information below.
Gateway IP addresses:
 Customer Gateway                :
 Aviatrix Gateway Public IP      :
 Aviatrix Gateway Private IP     : 
 Customer Network(s)             : N/A for transit network
 Cloud Networks(s)               : N/A for transit network 
Tunnel Inside IP addresses:
 Customer Gateway                :
 Aviatrix Gateway                : 
Configure your tunnel to fragment at the optimal size:
 Tunnel interface MTU     : 1436 bytes 
4: Border Gateway Protocol (BGP) Configuration
 The Border Gateway Protocol (BGPv4) is used to exchange routes from the VPC to on-prem network. Each BGP router has an Autonomous System Number (ASN).
BGP Configuration:
 BGP Mode                        : true
 Customer Gateway ASN            : 65002
 Aviatrix Gateway ASN            : 65003 
Configure BGP to receive routes from the on-prem network. The Aviatrix Transit gateway will announce prefixes to your on-prem gateway based upon the spokes you have attached. For vendor specific instructions, please go to the following URL:

Cisco CSR Configuration

This is how the template above translates into a Cisco CSR configuration. The IP addresses have been removed from the output below; fill in your own.

ip-10-60-0-89#sh run 
Building configuration...

Current configuration : 7936 bytes
! Last configuration change at 16:30:21 UTC Fri Oct 4 2019 by ec2-user
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
hostname ip-10-60-0-89
vrf definition GS
 rd 100:100
 address-family ipv4
logging persistent size 1000000 filesize 8192 immediate
no aaa new-model
login on-success log
subscriber templating
multilink bundle-name authenticated
license udi pid CSR1000V sn 91V3AHTVAJ1
diagnostic bootup level minimal
memory free low-watermark processor 72406
spanning-tree extend system-id
username ec2-user privilege 15
crypto keyring mykey
! local-address is the private IP address of this CSR
  pre-shared-key address key Aviatrix1!
! is the public IP address of Aviatrix
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile myprofile
   keyring mykey
   self-identity address
   match identity address 
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec df-bit clear
crypto ipsec profile ipsec_profile
 set security-association lifetime seconds 28800
 set transform-set myset 
 set pfs group2
interface Loopback0
 ip address
interface Tunnel0
 ip address
 ip tcp adjust-mss 1387
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile ipsec_profile
interface VirtualPortGroup0
 vrf forwarding GS
 ip address
 ip nat inside
 no mop enabled
 no mop sysid
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
router bgp 65002
 bgp log-neighbor-changes
 network mask
 neighbor remote-as 65003
 neighbor timers 10 30 30
 address-family vpnv4
  neighbor activate
  neighbor send-community extended
ip forward-protocol nd
ip tcp mss 1387
ip tcp window-size 8192
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route vrf GS GigabitEthernet1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username ec2-user
   key-hash ssh-rsa BF29B2896E9286C9B44DD472EF3397DA ec2-user
ip scp server enable
ip access-list standard GS_NAT_ACL
 10 permit
 20 permit
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 20
 login local
 transport input ssh
app-hosting appid guestshell
 app-vnic gateway1 virtualportgroup 0 guest-interface 0
  guest-ipaddress netmask
 app-default-gateway guest-interface 0
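To make the template-to-CSR mapping explicit, here is an added Python helper (hypothetical, not Aviatrix or Cisco tooling) that parses the Site2Cloud "Generic" fields shown above, emits the matching crypto isakmp/ipsec lines, and lists the default settings a reviewer would flag as dated (IKEv1, SHA-1, DH group 2). The template text embedded in it is constructed from the values on this page; only the algorithms the page uses are mapped.

```python
# Added example (not Aviatrix or Cisco tooling): map Site2Cloud 'Generic' fields to
# the equivalent Cisco CSR crypto lines and flag dated defaults for review.
import re

# Constructed sample: the phase-1/phase-2 fields of the template shown above.
TEMPLATE = """\
 Version                  : 1
 Encryption Algorithm     : AES-256-CBC
 Authentication Algorithm : SHA-1
 Lifetime                 : 28800 seconds
 Perfect Forward Secrecy  : Diffie-Hellman Group 2
 DPD threshold            : 10 seconds
 DPD retry interval       : 3 seconds
 DPD retry count          : 3
"""
# Only the page's defaults are mapped; an unmapped value raises KeyError on purpose.
ENC = {"AES-256-CBC": ("encryption aes 256", "esp-aes 256")}   # (phase 1, phase 2)
AUTH = {"SHA-1": "esp-sha-hmac"}   # ISAKMP 'hash sha' is the IOS default, so not emitted
DH = {"Diffie-Hellman Group 2": "2"}
LEGACY = {"SHA-1": "SHA-1 integrity", "Diffie-Hellman Group 2": "1024-bit MODP (DH group 2)"}


def parse_template(text):
    """Return {field: value} from 'Field : value' lines, stripping the units."""
    fields = {}
    for m in re.finditer(r"^\s*([A-Za-z0-9 -]+?)\s*:\s*(.+?)\s*$", text, re.M):
        fields[m.group(1)] = re.sub(r"\s*(seconds|bytes)$", "", m.group(2))
    return fields


def to_csr(f):
    """Render the ISAKMP policy, DPD keepalive, transform-set and IPsec profile lines."""
    enc_p1, enc_p2 = ENC[f["Encryption Algorithm"]]
    life, grp = f["Lifetime"], DH[f["Perfect Forward Secrecy"]]
    return [
        "crypto isakmp policy 10", f" {enc_p1}", " authentication pre-share",
        f" group {grp}", f" lifetime {life}",
        f"crypto isakmp keepalive {f['DPD threshold']} {f['DPD retry interval']} periodic",
        f"crypto ipsec transform-set myset {enc_p2} {AUTH[f['Authentication Algorithm']]}",
        " mode tunnel", "crypto ipsec profile ipsec_profile",
        f" set security-association lifetime seconds {life}", " set transform-set myset",
        f" set pfs group{grp}",
    ]


def legacy_findings(f):
    """Defaults that interoperate but are dated; review them before leaving them in place."""
    found = ["IKEv1"] if f.get("Version") == "1" else []
    found += [LEGACY[f[k]] for k in ("Authentication Algorithm", "Perfect Forward Secrecy") if f[k] in LEGACY]
    return found
```

Running `to_csr(parse_template(TEMPLATE))` reproduces the crypto section of the CSR config above, minus the keyring and profile lines that carry peer addresses.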


BGP Working Config with address-family ipv4

The configuration above uses vpnv4 as the address family. You can also make it work with the ipv4 address family:

router bgp 65002
 bgp log-neighbor-changes
 neighbor remote-as 65003
 neighbor timers 10 30 30
 neighbor remote-as 65001
 neighbor timers 10 30 30
 address-family ipv4
  ! is being advertised by Cisco CSR
  redistribute connected
  neighbor activate
  neighbor activate
Aviatrix Transit GW receives advertised by Cisco CSR


The Aviatrix Transit Gateway workflow allows direct connectivity from the Transit Gateway to 3rd-party devices. Standard IPSec allows the Aviatrix Transit Gateway to connect to any device that supports IPSec, whether it sits in the same public cloud, a different public cloud or on-prem.

The workflow-based implementation is easy to use and reduces time to market.
