FlexVPN is being called "the one to rule them all", and there is no exaggeration in that statement. It is a VPN framework that provides site-to-site connectivity alongside the other VPN types such as VTI and DMVPN, and, by the way, remote access as well. Let's break FlexVPN down based on a site-to-site configuration.
IKEv2 builds two tunnels: the "IKEv2 tunnel", the counterpart of the Phase 1 ISAKMP tunnel from IKEv1, and the "IPsec (child) tunnel", the counterpart of the Phase 2 IPsec tunnel from IKEv1.
Steps to configure FlexVPN IKEv2:
Configuring the IKEv2 tunnel:
1. Configuring the keyring: we specify the remote peers; the keys don't have to be symmetric, and we may also identify the remote router by its fully qualified domain name.
2. Configuring the IKEv2 proposal: proposals are the counterpart of the HAGLE process from IKEv1, but in IKEv2 we configure only the hash algorithm for integrity, the encryption algorithm and the DH group.
3. Configuring the IKEv2 policy: it includes the proposals; we may also specify restrictions with regard to the ivrf (inside traffic) and the fvrf, the front-door VRF (outside traffic, already encrypted).
4. Configuring the IKEv2 profile: it is similar to the IKEv1 ISAKMP profile; here we specify how we are going to authenticate each other and which keyring to use.
Configuring the IPsec child tunnel:
5. Configuring the IPsec transform set: we configure the tunnel protection, that is, encryption and integrity.
6. Configuring the IPsec profile: it includes the IKEv2 profile and the transform set.
Smart Defaults: these consist of a default policy and proposal; thanks to them we don't have to configure those two ourselves!
Configuration:
R1
crypto ikev2 keyring KEY-RING
 peer R2-Router
  address 2.2.2.2
  identity fqdn R2.itbundle.net
  pre-shared-key local ITBUNDLE-ABC
  pre-shared-key remote ITBUNDLE-XYZ
!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
!
crypto ikev2 profile IKEV2-PROFILE
 identity local fqdn R1.itbundle.net
 match identity remote fqdn R2.itbundle.net
 authentication local pre-share
 authentication remote pre-share
 keyring local KEY-RING
!
crypto ipsec transform-set IPSEC-TRANS esp-aes esp-sha512-hmac
!
crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKEV2-PROFILE
 set transform-set IPSEC-TRANS
!
interface loopback 0
 ip address 10.0.0.1 255.255.255.0
!
interface tunnel0
 ip unnumbered loopback 0
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC-PROFILE
!
ip route 192.168.2.0 255.255.255.0 tunnel0
R2
crypto ikev2 keyring KEY-RING
 peer R1-Router
  address 1.1.1.1
  identity fqdn R1.itbundle.net
  pre-shared-key local ITBUNDLE-XYZ
  pre-shared-key remote ITBUNDLE-ABC
!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
!
crypto ikev2 profile IKEV2-PROFILE
 identity local fqdn R2.itbundle.net
 match identity remote fqdn R1.itbundle.net
 authentication local pre-share
 authentication remote pre-share
 keyring local KEY-RING
!
crypto ipsec transform-set IPSEC-TRANS esp-aes esp-sha512-hmac
!
crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKEV2-PROFILE
 set transform-set IPSEC-TRANS
!
interface loopback 0
 ip address 10.0.0.2 255.255.255.0
!
interface tunnel0
 ip unnumbered loopback 0
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC-PROFILE
!
ip route 192.168.1.0 255.255.255.0 tunnel0
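As an added example that is not part of the original post, here is a small Python check a practitioner can run over the two configurations before bringing the tunnel up: it pulls the mirrored fields (pre-shared keys, FQDN identities, tunnel source/destination, proposal algorithms) out of the R1 and R2 excerpts and reports anything that does not line up between the peers, which is the usual reason an IKEv2 session never appears in "show crypto ikev2 session". The MIRROR table and the function names are my own; the config lines are the ones from the post.

```python
# Each pair: a command on this router and the peer command whose value it must equal.
MIRROR = [
    ("pre-shared-key local", "pre-shared-key remote"),
    ("pre-shared-key remote", "pre-shared-key local"),
    ("identity local fqdn", "match identity remote fqdn"),
    ("match identity remote fqdn", "identity local fqdn"),
    ("tunnel source", "tunnel destination"),
    ("tunnel destination", "tunnel source"),
    ("encryption", "encryption"),
    ("integrity", "integrity"),
]

def extract(config):
    """Map each MIRROR command to its first value found in an IOS config text."""
    found = {}
    for line in config.splitlines():
        line = line.strip()
        for key, _ in MIRROR:
            if key not in found and line.startswith(key + " "):
                found[key] = line[len(key):].strip()
    return found

def mirror_mismatches(cfg_a, cfg_b):
    """Return the list of peer mismatches between two configs (empty means consistent)."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = []
    for key_a, key_b in MIRROR:
        if key_a not in a or key_b not in b:
            problems.append(f"missing '{key_a}' or peer '{key_b}'")
        elif a[key_a] != b[key_b]:
            problems.append(f"'{key_a} {a[key_a]}' != peer '{key_b} {b[key_b]}'")
    return problems

# The mirrored lines of R1 and R2 from the post (sub-mode context omitted).
R1 = """pre-shared-key local ITBUNDLE-ABC
pre-shared-key remote ITBUNDLE-XYZ
encryption aes-cbc-256
integrity sha512
identity local fqdn R1.itbundle.net
match identity remote fqdn R2.itbundle.net
tunnel source 1.1.1.1
tunnel destination 2.2.2.2"""
R2 = """pre-shared-key local ITBUNDLE-XYZ
pre-shared-key remote ITBUNDLE-ABC
encryption aes-cbc-256
integrity sha512
identity local fqdn R2.itbundle.net
match identity remote fqdn R1.itbundle.net
tunnel source 2.2.2.2
tunnel destination 1.1.1.1"""
```

Calling mirror_mismatches(R1, R2) on the post's configs returns an empty list; a typo in one pre-shared key or a swapped FQDN shows up as a single line naming both sides.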
That's all; try to ping 192.168.2.2 from 192.168.2.1.
Now, let's check whether our tunnel works properly:
show crypto ikev2 session
Final Conclusions
1. We may use GRE tunnels; then the tunnel encapsulation is set to "gre ip" and we don't use the "ip unnumbered" option.
2. We may also apply the above configuration as a crypto map and attach it to the outside interface.