
V18 - Route based VPN with Cisco CSR behind NAT router

Hello all,

Hope all are doing well and safe.


I'm trying this virtual Tunnel Interface feature on V18 SFOS (BO Side) and a Cisco CSR (HO side), Cisco CSR being behind a NAT router.


I've tried a similar setup with both sides running V18 SFOS XG and was able to achieve dynamic routing.


The issue with using a Cisco CSR instead of SFOS on the HO side is that the tunnel is established, however no traffic is passing, i.e. I'm not able to ping the xfrm interface IP of SFOS from the Cisco or vice versa. With SFOS XG v18 on both ends I am able to ping the xfrm interface IPs.


CSR2#ping 15.15.19.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.19.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


SFVUNL_KV01_SFOS 18.0.0 GA-Build354# ping 15.15.19.1
PING 15.15.19.1 (15.15.19.1): 56 data bytes

^C
--- 15.15.19.1 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

Below is the ipsec status for SFOS BO to SFOS HO behind the NAT router:


BO SFOS public IP : 192.3.10.2

HO SFOS NAT IP : 11.10.0.2 (public facing router IP 192.168.30.2)


Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.14.38, x86_64):
uptime: 5 hours, since Apr 22 11:46:06 2020
malloc: sbrk 2498560, mmap 0, used 547296, free 1951264
worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity
Listening IP addresses:
169.254.234.5
172.16.16.16
11.10.0.2
10.255.0.1
15.15.20.1
Connections:
HO_BO-1: 11.10.0.2...192.3.10.2 IKEv1, dpddelay=30s
HO_BO-1: local: [11.10.0.2] uses pre-shared key authentication
HO_BO-1: remote: [192.3.10.2] uses pre-shared key authentication
HO_BO-1: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
HO_BO-1[9]: ESTABLISHED 53 minutes ago, 11.10.0.2[11.10.0.2]...192.3.10.2[192.3.10.2]
HO_BO-1[9]: IKEv1 SPIs: d272df8da421f198_i 86161f41982a933f_r*, rekeying in 116 minutes
HO_BO-1[9]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
HO_BO-1{11}: REKEYED, TUNNEL, reqid 2, expires in 6 minutes
HO_BO-1{11}: 0.0.0.0/0 === 0.0.0.0/0
HO_BO-1{12}: REKEYED, TUNNEL, reqid 2, expires in 7 minutes
HO_BO-1{12}: 0.0.0.0/0 === 0.0.0.0/0
HO_BO-1{13}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1688b37_i c907acf6_o
HO_BO-1{13}: AES_CBC_128/HMAC_SHA1_96, 796 bytes_i (10 pkts, 359s ago), 8064 bytes_o (98 pkts, 303s ago), rekeying in 37 minutes
HO_BO-1{13}: 0.0.0.0/0 === 0.0.0.0/0

-----------------------------------------------------------------------------------------------------------------------------


Below is the ipsec status for SFOS to Cisco CSR:

BO SFOS public IP : 192.3.10.2

HO Cisco CSR NAT IP : 10.11.0.2 (public facing router IP 192.168.30.2)

SFVUNL_KV01_SFOS 18.0.0 GA-Build354# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.14.38, x86_64):
uptime: 38 minutes, since Apr 23 06:26:55 2020
malloc: sbrk 2605056, mmap 0, used 511968, free 2093088
worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity
Listening IP addresses:
169.254.234.5
172.19.19.19
192.3.10.2
10.255.0.1
15.15.19.2
Connections:
Sophos_CSR-1: 192.3.10.2...192.168.30.2 IKEv1, dpddelay=30s
Sophos_CSR-1: local: [192.3.10.2] uses pre-shared key authentication
Sophos_CSR-1: remote: [10.11.0.2] uses pre-shared key authentication
Sophos_CSR-1: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
Sophos_CSR-1[5]: ESTABLISHED 55 seconds ago, 192.3.10.2[192.3.10.2]...192.168.30.2[10.11.0.2]
Sophos_CSR-1[5]: IKEv1 SPIs: 7bdefaae83d57f02_i 2307a27ef4b37115_r*, rekeying in 55 minutes
Sophos_CSR-1[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sophos_CSR-1{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5a24902_i 39dc28c9_o
Sophos_CSR-1{2}: AES_CBC_128/HMAC_SHA1_96, 476 bytes_i, 0 bytes_o, rekeying in 55 minutes
Sophos_CSR-1{2}: 192.3.10.2/32[47] === 10.11.0.2/32[47]
SFVUNL_KV01_SFOS 18.0.0 GA-Build354#


Please can anyone help with what changes I need to make on my Cisco end? This is the tunnel interface config on the Cisco:

!
interface Tunnel2
ip address 15.15.19.1 255.255.255.0
tunnel source GigabitEthernet1
tunnel destination 192.3.10.2
tunnel protection ipsec profile IPSECPROF
end


Cisco IPsec SA:

CSR2#sh cry ip sa peer 192.3.10.2

interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 10.11.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.11.0.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.3.10.2/255.255.255.255/47/0)
current_peer 192.3.10.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 425, #pkts encrypt: 425, #pkts digest: 425
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.11.0.2, remote crypto endpt.: 192.3.10.2
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xC1917531(3247535409)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x947736D4(2490840788)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3379)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC1917531(3247535409)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4607998/3379)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
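As an added diagnostic (not from the original post, nor Sophos or Cisco code), this Python script parses the CHILD_SA lines of strongSwan `ipsec statusall` output and flags the two things in which the outputs above differ: the SFOS-to-CSR SA carries traffic selectors `192.3.10.2/32[47] === 10.11.0.2/32[47]` (protocol 47 is GRE, host to host) instead of the `0.0.0.0/0 === 0.0.0.0/0` an xfrm tunnel rides on, and its counters show bytes in but 0 bytes out. The sample input is a constructed excerpt of those two outputs.

```python
import re

# Constructed excerpt modelled on the two `ipsec statusall` outputs in the post above.
SAMPLE = """\
HO_BO-1{13}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1688b37_i c907acf6_o
HO_BO-1{13}: AES_CBC_128/HMAC_SHA1_96, 796 bytes_i (10 pkts, 359s ago), 8064 bytes_o (98 pkts, 303s ago), rekeying in 37 minutes
HO_BO-1{13}: 0.0.0.0/0 === 0.0.0.0/0
Sophos_CSR-1{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5a24902_i 39dc28c9_o
Sophos_CSR-1{2}: AES_CBC_128/HMAC_SHA1_96, 476 bytes_i, 0 bytes_o, rekeying in 55 minutes
Sophos_CSR-1{2}: 192.3.10.2/32[47] === 10.11.0.2/32[47]
"""

LINE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}: (?P<rest>.*)$")  # "conn{id}: ..." CHILD_SA lines
COUNTERS = re.compile(r"(?P<i>\d+) bytes_i.*?(?P<o>\d+) bytes_o")
PROTO = re.compile(r"\[(?P<proto>\d+)(?:/\d+)?\]")  # strongSwan appends [proto] or [proto/port] to a selector

def parse_child_sas(text):
    """Collect state, byte counters and traffic selectors per CHILD_SA, keyed by (conn, id)."""
    sas = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        sa, rest = sas.setdefault((m["name"], int(m["id"])), {}), m["rest"]
        if rest.startswith("INSTALLED"):
            sa["state"] = "INSTALLED"
        elif " bytes_i" in rest:
            c = COUNTERS.search(rest)
            sa["bytes_in"], sa["bytes_out"] = int(c["i"]), int(c["o"])
        elif " === " in rest:
            sa["local"], sa["remote"] = rest.split(" === ")
    return sas

def selector_proto(selector):
    """IP protocol number a selector is restricted to, or None when it covers any protocol."""
    m = PROTO.search(selector)
    return int(m["proto"]) if m else None

def diagnose(sas):
    """Return (conn, id, finding) for INSTALLED CHILD_SAs that cannot carry an xfrm tunnel's traffic."""
    findings = []
    for (name, cid), sa in sas.items():
        if sa.get("state") != "INSTALLED":
            continue
        # An xfrm (route-based) tunnel needs any/any selectors; 47 is GRE, so a
        # /32[47] === /32[47] pair only admits GRE between the two endpoints into the SA.
        protos = {selector_proto(sa.get("local", "")), selector_proto(sa.get("remote", ""))} - {None}
        if protos:
            findings.append((name, cid, f"selectors limited to protocol {sorted(protos)}, not 0.0.0.0/0 === 0.0.0.0/0"))
        if sa.get("bytes_in", 0) and not sa.get("bytes_out", 0):
            findings.append((name, cid, "one-way: the peer's packets decrypt here but nothing is sent back"))
    return findings
```

Running `diagnose(parse_child_sas(SAMPLE))` reports nothing for HO_BO-1{13} and both findings for Sophos_CSR-1{2}.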
