Showing posts with label IPsec VPN. Show all posts

What is IKEv2? How to configure IKEv2?

Internetworks
 

Internet Key Exchange (IKE) is used by IPsec to negotiate the security parameters between two peers. IKE lets the peers agree on the keys used for encryption and integrity protection across an untrusted network such as the internet. In the previous blog we discussed IKE; click here.

What IKEv1 called phase 2 corresponds in IKEv2 to the creation of a Child SA. The first Child SA is set up as part of the IKE_AUTH exchange; additional Child SAs, and rekeys of existing ones, are negotiated with the CREATE_CHILD_SA exchange, in which the initiator sends a list of acceptable proposals for the Child SA and the responder picks one. The "IKE count:1, CHILD count:1" in the session output later in this post shows exactly one IKE SA and one Child SA.

The attributes that can be negotiated include the following:

Protocol (AH or ESP): AH and ESP are the two protocols used to protect user data. AH provides integrity and authentication only; ESP provides confidentiality and, with an integrity algorithm, authentication as well. Both can be used in transport or tunnel mode.

Encapsulation mode (tunnel or transport): transport mode keeps the original IP header and inserts the AH or ESP header directly after it, so only the payload (for example a TCP segment) is protected. Tunnel mode encapsulates the whole original packet, header included, inside a new IP packet, which is what a site-to-site VPN between two routers uses.

Encryption algorithm (for example DES, 3DES, or AES): DES and 3DES are legacy; AES is the current choice.

Integrity algorithm (for example HMAC-MD5 or HMAC-SHA): the keyed hash that lets the receiver detect modified or forged packets. This is separate from peer authentication, in which each peer proves its identity with a pre-shared key or a digital certificate.

Diffie-Hellman group (for example group 1, group 2, group 5, or group 14): the DH group sets the size of the modulus used to derive the shared key (768, 1024, 1536 and 2048 bits respectively). A higher group number gives a stronger key but takes longer to compute; groups 1 and 2 are considered too weak for new deployments.








In GNS3, IKEv2 is supported from IOS 15.1(1)T onwards.

 


Configuring IKEv2 with a crypto map takes eight steps:
  1. Interesting traffic (ACL)
  2. IKEv2 Proposal
  3. IKEv2 Policy 
  4. IKEv2 Keyring
  5. IKEv2 Profile
  6. IPsec Transform set
  7. Crypto map
  8. Apply Map on an interface



Let's see the configuration:-

Topology:-




Goal: 

  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Configure an ACL that permits the traffic between the two Fa0/0 LANs
  • Configure the IKEv2 proposal
  • Configure the IKEv2 policy
  • Configure the IKEv2 keyring
  • Configure the IKEv2 profile
  • Configure the transform set
  • Configure the crypto map
  • Apply the crypto map on an interface
  • Verify with show commands and ping



R1(config)#interface serial 3/0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 3/0


R2(config)#interface serial 3/0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/1
R2(config-if)#ip address 192.168.31.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#ip route 192.168.10.0 255.255.255.0 serial 3/0
R2(config)#ip route 192.168.30.0 255.255.255.0 serial 3/1



R3(config)#interface serial 3/1
R3(config-if)#ip address 192.168.31.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#ip route 0.0.0.0 0.0.0.0 serial 3/1


R1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/59/72 ms

 

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.123.1   YES manual up                    up

R3(config)#do ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/76 ms


 
R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES manual up                    up
Serial3/1              192.168.31.1    YES manual up                    up





R3#show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
 
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 
S*    0.0.0.0/0 is directly connected, Serial3/1
 


Interesting traffic (ACL)



R1(config)#ip access-list extended ACL-TRAFFIC
R1(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config-ext-nacl)#exit
 
R1#show access-lists
Extended IP access list ACL-TRAFFIC
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (6 matches)

 

R3(config)#ip access-list extended ACL-TRAFFIC
R3(config-ext-nacl)# permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config-ext-nacl)#exit

R3#show access-list
Extended IP access list ACL-TRAFFIC
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (9 matches)
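The two ACLs above are mirror images of each other, and they have to be: the crypto map uses them to decide which packets are encrypted, and the IKEv2 traffic selectors derived from them must agree on both peers. The Python below is an added example, not part of the original post or of Cisco IOS: it parses the `show access-lists` output from R1 and R3, checks the mirror property, classifies packets the way `match address` does, and renders the selector in the form `show crypto ikev2 session` prints later. The widened R3_BAD_ACL is a constructed misconfiguration for illustration, and only the `permit/deny <proto> <net> <wildcard> <net> <wildcard>` form used on this page is handled.

```python
# Added example, not IOS code: parse the crypto ACLs shown above from both
# peers, check that they mirror each other, and classify packets the way the
# crypto map's 'match address' does.  Only the "permit/deny <proto> <net>
# <wildcard> <net> <wildcard>" form used on this page is handled; 'host',
# 'any' and port keywords are deliberately out of scope.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self):
        """The entry the other peer must have: source and destination swapped."""
        return AclEntry(self.action, self.proto, self.dst, self.src)

    def matches(self, src_ip, dst_ip, proto="ip"):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

    def selector(self):
        """Render the source the way 'show crypto ikev2 session' prints a
        traffic selector, e.g. '192.168.10.0/0 - 192.168.10.255/65535'."""
        return f"{self.src[0]}/0 - {self.src[-1]}/65535"


def parse_acl(text):
    """Parse 'show access-lists' style output into AclEntry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():          # leading sequence number, e.g. "10"
            tokens = tokens[1:]
        if len(tokens) < 6 or tokens[0] not in ("permit", "deny"):
            continue                                # header line or unsupported form
        action, proto, src, swc, dst, dwc = tokens[:6]
        # ipaddress accepts an IOS wildcard as a hostmask: 0.0.0.255 -> /24
        entries.append(AclEntry(action, proto,
                                ipaddress.ip_network(f"{src}/{swc}"),
                                ipaddress.ip_network(f"{dst}/{dwc}")))
    return entries


def mirror_problems(local, remote):
    """Entries with no mirror image on the other peer.  Anything returned means
    the traffic selectors will not agree and the Child SA will not come up."""
    local_set, remote_set = set(local), set(remote)
    return ([e for e in local if e.mirror() not in remote_set]
            + [e for e in remote if e.mirror() not in local_set])


def is_interesting(acl, src_ip, dst_ip, proto="ip"):
    """First matching entry wins; the implicit deny at the end means 'send in clear'."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip, proto):
            return entry.action == "permit"
    return False


# Copied from the 'show access-lists' output on R1 and R3 above.
R1_ACL = """
Extended IP access list ACL-TRAFFIC
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
R3_ACL = """
Extended IP access list ACL-TRAFFIC
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
# Constructed misconfiguration: R3's destination widened to the whole /16.
R3_BAD_ACL = "10 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255"

if __name__ == "__main__":
    r1, r3 = parse_acl(R1_ACL), parse_acl(R3_ACL)
    print("mirror problems     :", mirror_problems(r1, r3))
    print("local selector      :", r1[0].selector())
    print("LAN to LAN encrypted:", is_interesting(r1, "192.168.10.1", "192.168.30.1"))
    print("ping to R2 encrypted:", is_interesting(r1, "192.168.10.1", "192.168.123.2"))
    print("with widened R3 ACL :", mirror_problems(r1, parse_acl(R3_BAD_ACL)))
```

Two things worth noticing when you run it: a ping from 192.168.10.1 to R2's serial address 192.168.123.2 is not interesting traffic, so it crosses R2 in clear text even with the tunnel up; and widening only one side's ACL produces two unmatched entries, which on the router shows up as a Child SA that never comes up rather than as an ACL error.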



IKEv2 Proposal



R1(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R1(config-ikev2-proposal)# encryption 3des aes-cbc-128 aes-cbc-256
R1(config-ikev2-proposal)# integrity sha1 sha256 sha384 sha512
R1(config-ikev2-proposal)# group 5 2 14 15
R1(config-ikev2-proposal)#exit
R1(config)#exit
 
R1#show crypto ikev2 proposal
 IKEv2 proposal: IKEV2-PROPOSAL
     Encryption : 3DES AES-CBC-128 AES-CBC-256
     Integrity  : SHA96 SHA256 SHA384 SHA512
     PRF        : SHA1 SHA256 SHA384 SHA512
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2 DH_GROUP_2048_MODP/Group 14 DH_GROUP_3072_MODP/Group 15
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2



R3(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R3(config-ikev2-proposal)# encryption 3des aes-cbc-128 aes-cbc-256
R3(config-ikev2-proposal)# integrity sha1 sha256 sha384 sha512
R3(config-ikev2-proposal)# group 5 2 14 15
R3(config-ikev2-proposal)#exit
 
 
R3#show crypto ikev2 proposal
 IKEv2 proposal: IKEV2-PROPOSAL
     Encryption : 3DES AES-CBC-128 AES-CBC-256
     Integrity  : SHA96 SHA256 SHA384 SHA512
     PRF        : SHA1 SHA256 SHA384 SHA512
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2 DH_GROUP_2048_MODP/Group 14 DH_GROUP_3072_MODP/Group 15

 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
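Note the order in the proposal above: 3DES is listed before AES and group 5 before groups 14 and 15, and the session output later in this post shows the SA came up with exactly those first-listed, weakest options (Encr: 3DES, DH Grp:5). The Python model below is an added example, not part of the original post or of Cisco IOS. It mimics per-transform selection from two proposals and flags the legacy entries; the "first common entry in the chooser's list" rule, the HARDENED proposal and the key-size tables are assumptions for illustration, since RFC 7296 leaves the responder's actual choice to local policy.

```python
# Added example, not IOS code: model how one transform per type is selected
# from two IKEv2 proposals, and why configured order matters.
from dataclasses import dataclass

# Key sizes in bits for the transforms used on this page.  DH entries are the
# MODP modulus size (RFC 3526); 3DES has 168 key bits but ~112 bits of strength.
ENCR_BITS = {"3des": 112, "aes-cbc-128": 128, "aes-cbc-192": 192, "aes-cbc-256": 256}
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
LEGACY_INTEGRITY = ("md5", "sha1")   # shown as MD596 / SHA96 in the 'show' output


@dataclass
class Proposal:
    """Mirror of 'crypto ikev2 proposal': each list is kept in configured order."""
    name: str
    encryption: list
    integrity: list
    group: list

    def transforms(self):
        return {"encr": self.encryption, "integ": self.integrity, "dh": self.group}


class NoProposalChosen(Exception):
    """Stands in for the NO_PROPOSAL_CHOSEN notify a responder returns when
    the two sides share no acceptable transform."""


def negotiate(initiator, responder, prefer="responder"):
    """Pick one transform per type.

    Assumed rule (RFC 7296 leaves this to responder policy): walk the
    preferring side's list in configured order and take the first entry the
    other side also offers.
    """
    chooser, other = (responder, initiator) if prefer == "responder" else (initiator, responder)
    chosen = {}
    for ttype, mine in chooser.transforms().items():
        theirs = set(other.transforms()[ttype])
        match = next((t for t in mine if t in theirs), None)
        if match is None:
            raise NoProposalChosen(f"no common {ttype} transform")
        chosen[ttype] = match
    return chosen


def weak_transforms(p, min_encr_bits=128, min_dh_bits=2048):
    """Return the entries a reviewer would flag, in configured order."""
    weak = [e for e in p.encryption if ENCR_BITS[e] < min_encr_bits]
    weak += [i for i in p.integrity if i in LEGACY_INTEGRITY]
    weak += [f"group {g}" for g in p.group if DH_MODULUS_BITS[g] < min_dh_bits]
    return weak


# The proposal exactly as typed on R1 and R3 above.
LAB = Proposal("IKEV2-PROPOSAL",
               encryption=["3des", "aes-cbc-128", "aes-cbc-256"],
               integrity=["sha1", "sha256", "sha384", "sha512"],
               group=[5, 2, 14, 15])

# Hypothetical hardened proposal: strongest first, legacy entries removed.
HARDENED = Proposal("IKEV2-PROPOSAL-STRONG",
                    encryption=["aes-cbc-256", "aes-cbc-128"],
                    integrity=["sha512", "sha256"],
                    group=[15, 14])

if __name__ == "__main__":
    print("lab vs lab           :", negotiate(LAB, LAB))
    print("flagged in lab       :", weak_transforms(LAB))
    print("lab init, hard resp  :", negotiate(LAB, HARDENED, prefer="responder"))
    print("lab init, init prefs :", negotiate(LAB, HARDENED, prefer="initiator"))
    try:
        negotiate(Proposal("legacy", ["3des"], ["sha1"], [2]), HARDENED)
    except NoProposalChosen as err:
        print("legacy vs hardened   :", err)
```

With identical proposals on both routers the model lands on 3DES, SHA1 and group 5, which is what `show crypto ikev2 session` reports below. Hardening only one side helps only if that side's preference wins; if the other side's order is honoured the SA still falls back to the weakest entries it has in common. The practical fix is to list the strongest transforms first on both peers and drop 3DES and groups 2 and 5 altogether, so that a peer offering only legacy options fails with NO_PROPOSAL_CHOSEN instead of silently negotiating down.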




IKEv2 Policy 




R1(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy MUST have atleast one complete proposal attached
R1(config-ikev2-policy)# proposal IKEV2-PROPOSAL
R1(config-ikev2-policy)#exit
R1(config)#
 
 
R1#show crypto ikev2 policy
 
 IKEv2 policy : IKEV2-POLICY
      Match fvrf  : global
      Match address local : any
      Proposal    : IKEV2-PROPOSAL

 
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default




R3(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy MUST have atleast one complete proposal attached
R3(config-ikev2-policy)# proposal IKEV2-PROPOSAL
R3(config-ikev2-policy)#exit
 
 
R3#show crypto ikev2 policy
 
 IKEv2 policy : IKEV2-POLICY
      Match fvrf  : global
      Match address local : any
      Proposal    : IKEV2-PROPOSAL

 
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default



IKEv2 Keyring

The keyring holds the pre-shared key for each peer. The key "internet" used in this lab is deliberately short; outside the lab use a long random key. The local and remote keys may differ (asymmetric pre-shared keys) as long as each router's local key equals the other router's remote key.





R1(config)#crypto ikev2 keyring IKEV2-KEYRING
R1(config-ikev2-keyring)# peer R3
R1(config-ikev2-keyring-peer)#  address 192.168.31.1
R1(config-ikev2-keyring-peer)#  pre-shared-key local internet
R1(config-ikev2-keyring-peer)#  pre-shared-key remote internet
R1(config-ikev2-keyring-peer)# exit
R1(config-ikev2-keyring)#exit



R3(config)#crypto ikev2 keyring IKEV2-KEYRING
R3(config-ikev2-keyring)# peer R1
R3(config-ikev2-keyring-peer)#  address 192.168.123.1
R3(config-ikev2-keyring-peer)#  pre-shared-key local internet
R3(config-ikev2-keyring-peer)#  pre-shared-key remote internet
R3(config-ikev2-keyring-peer)# exit
R3(config-ikev2-keyring)#exit



IKEv2 Profile




R1(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.

R1(config-ikev2-profile)#match identity remote address 192.168.31.1 255.255.255.255
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# keyring local IKEV2-KEYRING
R1(config-ikev2-profile)#exit
 
R1#show crypto ikev2 profile IKEV2-PROFILE
 
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 2
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.31.1 255.255.255.255

  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share

 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none




R3(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.

R3(config-ikev2-profile)#match identity remote address 192.168.123.1 255.255.255.255
R3(config-ikev2-profile)# authentication remote pre-share
R3(config-ikev2-profile)# authentication local pre-share
R3(config-ikev2-profile)# keyring local IKEV2-KEYRING
R3(config-ikev2-profile)#exit
 
R3#show crypto ikev2 profile IKEV2-PROFILE
 
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 2
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.123.1 255.255.255.255

  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share

 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none


Transform-set

The transform set defines how the Child SA protects data. This lab uses esp-3des esp-md5-hmac to match the older examples on this blog; note that the default transform set in the output below (esp-aes esp-sha-hmac) is already stronger than the one configured, and AES with SHA should be preferred outside the lab.




R1(config)#crypto ipsec transform-set TRANS-set esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
 
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

 
Transform set TRANS-set: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },



R3(config)#crypto ipsec transform-set TRANS-set esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
 
 
R3#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

 
Transform set TRANS-set: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },



Crypto Map


R1(config)#crypto map CRYPTO-MAP 11 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

R1(config-crypto-map)# set peer 192.168.31.1
R1(config-crypto-map)# set transform-set TRANS-set
R1(config-crypto-map)# set ikev2-profile IKEV2-PROFILE
R1(config-crypto-map)# match address ACL-TRAFFIC
R1(config-crypto-map)#exit


R1#show crypto map
Crypto Map IPv4 "CRYPTO-MAP" 11 ipsec-isakmp
        Peer = 192.168.31.1
        IKEv2 Profile: IKEV2-PROFILE
        Extended IP access list ACL-TRAFFIC
            access-list ACL-TRAFFIC permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
        Current peer: 192.168.31.1
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-set:  { esp-3des esp-md5-hmac  } ,
        }



 
 
R3(config)#crypto map CRYPTO-MAP 11 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# set peer 192.168.123.1
R3(config-crypto-map)# set transform-set TRANS-set
R3(config-crypto-map)# set ikev2-profile IKEV2-PROFILE
R3(config-crypto-map)# match address ACL-TRAFFIC
R3(config-crypto-map)#exit
 
 
R3#show crypto map
Crypto Map IPv4 "CRYPTO-MAP" 11 ipsec-isakmp
        Peer = 192.168.123.1
        IKEv2 Profile: IKEV2-PROFILE
        Extended IP access list ACL-TRAFFIC
            access-list ACL-TRAFFIC permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
        Current peer: 192.168.123.1
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-set:  { esp-3des esp-md5-hmac  } ,
        }

       



Applying the Crypto Map 



R1(config)#interface serial 3/0
R1(config-if)#crypto map CRYPTO-MAP
R1(config-if)#exit

*Apr  1 17:15:52.575: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


The first echo is dropped while IKEv2 negotiates the IKE SA and the Child SA; once the tunnel is up the remaining echoes succeed.

R1(config)#do ping 192.168.30.1 source fa 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/69/92 ms
R1(config)#end
 

 
R1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
 
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.123.1/500     192.168.31.1/500      none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2693 sec
 
 IPv6 Crypto IKEv2  SA

 
 
 
 
 R3(config)#interface serial 3/1
R3(config-if)#crypto map CRYPTO-MAP
R3(config-if)#exit
 
*Apr  1 17:14:39.975: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#show crypto map interface serial 3/1
        Interfaces using crypto map CRYPTO-MAP:
                Serial3/1

 
 
 


Verify the IKEv2 IPsec 



 R3#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session
 
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
 
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.31.1/500      192.168.123.1/500     none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2923 sec
Child sa: local selector  192.168.30.0/0 - 192.168.30.255/65535
          remote selector 192.168.10.0/0 - 192.168.10.255/65535
          ESP spi in/out: 0xCF0FA2FE/0x5AAC2F32
 
 IPv6 Crypto IKEv2 Session

 

 
 
R1#ping 192.168.30.1 source 192.168.10.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 52/63/112 ms



R1#show crypto ipsec sa
 
interface: Serial3/0
    Crypto map tag: CRYPTO-MAP, local addr 192.168.123.1

 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 192.168.31.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 192.168.123.1, remote crypto endpt.: 192.168.31.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xCF0FA2FE(3473908478)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0x5AAC2F32(1521233714)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4184586/795)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0xCF0FA2FE(3473908478)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4184586/795)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

 
     outbound ah sas:
 
     outbound pcp sas:
 
 
 

 

 

How to configure Encrypted GRE Tunnel with IPsec ESP security?

Internetworks



When do we use GRE?

GRE is used when packets must be carried from one site to another across an IP network that cannot route them natively, for example multicast, broadcast, routing-protocol traffic or non-IP protocols crossing the internet.

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point or point-to-multipoint links over an IP network. Because GRE carries unicast, multicast and broadcast traffic between routers, routing protocols such as EIGRP can run over the tunnel. The problem is that GRE provides no confidentiality, integrity or authentication: everything inside the tunnel travels in clear text, and anyone on the path can read or modify it. Wrapping the whole GRE tunnel in IPsec ESP adds those protections.


Let's see the configuration of the encrypted GRE tunnel.

Topology:- https://youtu.be/5_sfxQGPlg0?si=D4x3RWf8AoZHGvSY






(As the topology shows, we have three sites. To encrypt a tunnel you first need a working GRE tunnel, so we configure GRE from Site-A to Site-B and from Site-A to Site-C; once both tunnels are up we encrypt the entire Site-A to Site-B tunnel with IPsec ESP, leaving Site-C unencrypted for comparison.)


GOAL:

  • Configure the topology as per the diagram
  • Assign the IP addresses as per the topology
  • Configure a default route at Site-A, Site-B and Site-C
  • Configure static routing on router 2, which acts as the internet router
  • Configure the GRE tunnel between Site-A and Site-B; the tunnel subnet is 192.168.123.0/24
  • Configure EIGRP on Site-A and Site-B and advertise the LAN and tunnel networks
  • Verify the tunnel with show and traceroute commands to confirm that data travels inside the tunnel
  • Configure the GRE tunnel to Site-C the same way; remember that only the Site-A to Site-B tunnel is encrypted, not the Site-C one
  • After the GRE tunnels are established, configure IPsec and apply the IPsec profile to the tunnel interface with tunnel protection
  • Make sure the entire tunnel encrypts the data



  • Assign the IP addresses as per the topology



SITE-A-router(config)#interface serial 4/0
SITE-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

SITE-A-router(config)#interface fastethernet 0/0
SITE-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 3.3.3.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/2
R2(config-if)#ip address 4.4.4.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

SITE-B-router(config)#interface serial 4/1
SITE-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-B-router(config)#interface fastethernet 0/0
SITE-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
SITE-B-router(config-if)#no keepalive
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-C-router(config)#interface serial 4/2
SITE-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

SITE-C-router(config)#interface fastethernet 0/0
SITE-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
SITE-C-router(config-if)#no keepalive
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

  • Configure default route at Site-A, Site-B and Site-C


SITE-A-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

SITE-B-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

SITE-C-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

  • Configure static routing on router 2 which is acting as an internet router


internet(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
internet(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
internet(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2




SITE-A-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/0

SITE-B-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/1

SITE-C-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/2



  • Configure the GRE tunnel between Site-A to Site-B, the IP address of the tunnel will be 192.168.123.0/24


SITE-A-router(config)#interface tunnel 123
SITE-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 3.3.3.2
SITE-A-router(config-if)#exit

*Jan  5 14:54:33.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel123, changed state to up

SITE-B-router(config)#interface tunnel 123
SITE-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
SITE-B-router(config-if)#ip mtu 1400
SITE-B-router(config-if)#ip tcp adjust-mss 1360
SITE-B-router(config-if)#tunnel source 3.3.3.2
SITE-B-router(config-if)#tunnel destination 1.1.1.1
SITE-B-router(config-if)#exit

*Jan  5 14:44:06.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel123,changed state to up


SITE-A-router#show ip interface brief | ex unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual down                  up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up
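The tunnel interfaces above lower the IP MTU to 1400 and clamp the TCP MSS to 1360. The calculator below, added here as an example and not part of the original post or of IOS, shows where those numbers come from: GRE adds a 24-byte outer IP plus GRE header, and once the tunnel is protected with IPsec ESP the packet grows again by the ESP header, IV, padding, trailer, ICV and a second outer IP header. Header sizes are taken from RFC 2784 (GRE) and RFC 4303 (ESP); the two transform-set entries assume the esp-3des esp-md5-hmac set from the IKEv2 post and the IOS default esp-aes esp-sha-hmac, both applied in ESP tunnel mode, which is an assumption since the IPsec profile for this tunnel is not shown on the page.

```python
# Added example, not IOS code: compute the on-the-wire size of a packet sent
# through a GRE tunnel, with and without IPsec ESP, and derive the largest
# inner MTU and the matching 'ip tcp adjust-mss' value.
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # RFC 2784 base header: no checksum, key or sequence fields
ESP_HDR = 8            # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2        # pad length + next header

# Per transform set: (cipher block size, IV length, ICV length), all in bytes.
# Assumption: ESP tunnel mode wrapping the whole GRE/IP packet.
ESP_PARAMS = {
    "esp-3des esp-md5-hmac": (8, 8, 12),     # transform set used in the IKEv2 post
    "esp-aes esp-sha-hmac": (16, 16, 12),    # IOS default transform set
}


def gre_size(inner_len):
    """Outer IPv4 header + GRE header + the original packet."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_tunnel_size(plain_len, transform):
    """ESP tunnel-mode packet carrying plain_len bytes of plaintext."""
    block, iv_len, icv_len = ESP_PARAMS[transform]
    pad = (-(plain_len + ESP_TRAILER)) % block    # pad so ciphertext is block aligned
    return IPV4_HDR + ESP_HDR + iv_len + plain_len + pad + ESP_TRAILER + icv_len


def wire_size(inner_len, transform=None):
    """Bytes on the physical link for an inner IP packet of inner_len bytes."""
    size = gre_size(inner_len)
    return esp_tunnel_size(size, transform) if transform else size


def max_inner_mtu(link_mtu, transform=None):
    """Largest inner packet that crosses link_mtu without fragmentation."""
    inner = link_mtu
    while wire_size(inner, transform) > link_mtu:
        inner -= 1
    return inner


def mss_for_ip_mtu(ip_mtu):
    """Value for 'ip tcp adjust-mss': the IP MTU minus IPv4 and TCP headers."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("GRE only, max inner MTU on a 1500-byte link:", max_inner_mtu(1500))
    for ts in ESP_PARAMS:
        print(f"GRE over {ts}: max inner MTU {max_inner_mtu(1500, ts)}, "
              f"a 1400-byte packet leaves as {wire_size(1400, ts)} bytes")
    print("MSS for ip mtu 1400:", mss_for_ip_mtu(1400))
```

Running it shows that a plain GRE tunnel on a 1500-byte link could carry 1476-byte packets (the IOS default tunnel MTU), that with 3DES/MD5 in tunnel mode the limit drops to 1422 and a 1400-byte packet leaves the router as 1480 bytes, and that 1400 minus the 40 bytes of IPv4 and TCP headers gives the 1360 MSS. Padding depends on the packet length, which is why `ip mtu` is rounded down to a comfortable value rather than set to the exact maximum.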


  • Configure EIGRP on Site-A and Site-B and advertise LAN network and tunnel IP


SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 10.0.0.0
SITE-A-router(config-router)#network 192.168.123.0
SITE-A-router(config-router)#no auto-summary
SITE-A-router(config-router)#exit

*Jan  5 14:45:42.327: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is up: new adjacency

*Jan  5 14:45:54.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is resync: peer graceful-restart


SITE-B-router(config)#router eigrp 123
SITE-B-router(config-router)#network 30.0.0.0
SITE-B-router(config-router)#network 192.168.123.0
SITE-B-router(config-router)#no auto-summary
SITE-B-router(config-router)#exit

*Jan  5 14:45:53.559: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is resync: summary configured

*Jan  5 14:45:41.811: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is up: new adjacency

SITE-A-router#ping 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/64 ms


  • Verify the tunnel with show commands and trace commands to make sure data will travel in the tunnel created. 

SITE-A-router#traceroute 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 56 msec 64 msec 56 msec



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1

  1 1.1.1.2 52 msec 32 msec 36 msec
  2 4.4.4.2 56 msec 64 msec 68 msec


Same way configure the GRE tunnel for Site-C and remember we encrypt the entire tunnel only for Site-A to Site-B not for Site-C.


SITE-A-router(config)#interface tunnel 124
SITE-A-router(config-if)#ip address 192.168.124.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 4.4.4.2
SITE-A-router(config-if)#exit

*Jan  5 19:52:36.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up


SITE-C-router(config)#interface tunnel 124
SITE-C-router(config-if)#ip address 192.168.124.2 255.255.255.0
SITE-C-router(config-if)#ip mtu 1400
SITE-C-router(config-if)#ip tcp adjust-mss 1360
SITE-C-router(config-if)#tunnel source 4.4.4.2
SITE-C-router(config-if)#tunnel destination 1.1.1.1
SITE-C-router(config-if)#exit

*Jan  5 19:53:48.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up

SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 192.168.124.0
SITE-A-router(config-router)#exit

SITE-C-router(config)#router eigrp 123
SITE-C-router(config-router)#network 192.168.124.0
SITE-C-router(config-router)#network 40.0.0.0
SITE-C-router(config-router)#no auto-summary
SITE-C-router(config-router)#exit



SITE-A-router#show ip interface brief | exclude unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up
Tunnel124                  192.168.124.1   YES manual up                    up



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1
  1 192.168.124.2 72 msec 48 msec 56 msec

SITE-A-router#traceroute 30.1.1.1
Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 52 msec 56 msec 64 msec




How to configure IPsec VPN on Cisco ASA Firewall?

Internetworks

 

IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that protects IP traffic at the network layer. Why is it needed? Because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session. We already discussed this in an earlier post; click here.




Previously we configured an IPsec VPN between routers; in this lab we configure it on an ASA firewall. I'm using Cisco Adaptive Security Appliance Software Version 8.4(2). If you are using an older version some of the commands differ, for example the ikev1 keywords were isakmp before 8.4. I'm assuming you follow our blogs and are familiar with IKE; if not, click here.

IKE (Internet Key Exchange) Phase 1 

The main purpose of IKE phase 1 is to establish a secure, authenticated channel that protects the IKE phase 2 (IPsec) negotiation. Let's understand phase 1 in steps.

Step 1: Negotiation

The peer that has traffic to protect initiates the IKE phase 1 negotiation. The peers negotiate the following:

  • Hashing: the peers use a hash algorithm, MD5 or SHA, to verify the integrity of the IKE messages.
  • Authentication: the peers have to prove their identity, using pre-shared keys or digital certificates.
  • DH (Diffie-Hellman) group: the DH group determines the size of the modulus, and therefore the strength of the key derived in the exchange. A higher group number is more secure but takes longer to compute.
  • Lifetime: how long the IKE phase 1 SA stays up. A shorter lifetime is more secure, because rebuilding the SA also generates new keying material. Each vendor uses a different default; on Cisco it is 86400 seconds (1 day).
  • Encryption: the algorithm used to encrypt the IKE messages, DES, 3DES, or AES.



An extended access list can evaluate many fields in the layer 3 and layer 4 headers of an IP packet: source IP, destination IP, protocol, source port and destination port, and it can permit or deny on any of them. This lets an extended ACL make much more granular decisions when controlling traffic. Numbered extended ACLs use the ranges 100-199 and 2000-2699. (It is important to use an extended ACL for IPsec VPNs: the access list tells the router or firewall which traffic to encrypt, and the ACLs on the two peers must be mirror images of each other.)

crypto isakmp enable: this command enables IKE for IPsec. IKE is enabled by default, but if it has been disabled you must enable it with this command. On Cisco devices IKE and ISAKMP are used as synonyms (strictly, ISAKMP is the framework and IKE the key exchange protocol built on it). It is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. IKE separates the negotiation into two phases: phase 1 builds the first, management tunnel; phase 2 builds the tunnel that protects the data.

crypto isakmp policy: Internet Security Association and Key Management Protocol (ISAKMP) policy. We need to create an ISAKMP policy for the IKE phase 1 negotiation, defining the authentication, encryption, hash function, DH group and lifetime that protect the negotiation between the VPN endpoints.


ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults


crypto isakmp key sets the pre-shared key used by the IKE policy's pre-share authentication method. A key must be configured on each site's router, and the same key must be configured on the other endpoint of the VPN; the pre-shared keys must match for authentication to succeed.

crypto ipsec transform-set: a transform set is the combination of protocol and algorithms that forms the security policy for the IPsec (phase 2) SA. Here you choose the encapsulation protocol, ESP or AH, the encryption algorithm (DES, 3DES, AES) and the hash algorithm (MD5, SHA-1, SHA-2).

R1(config)#crypto ipsec transform-set INTERNETWORKS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS comp-lzs ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

A crypto map ties together the ACL configured earlier, the peer, and the other IKE and IPsec settings. You set the peer, and the map is applied to the interface that faces the IPsec peer. For more information click here.

Topology: we need to encrypt the traffic from 10.0.0.0/8 going to 20.0.0.0/8 and vice versa.





Goal: -

  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Configure gig0 as outside on ASA 1 and gig1 as outside on ASA 2
  • Configure Fa0/0 as inside on both ASAs
  • Configure the default route on both ASA firewalls
  • Verify connectivity with ping
  • Define the traffic to encrypt, 10.0.0.0/8 to 20.0.0.0/8 and vice versa, on both ASAs using an extended ACL named IP-TRAFFIC
  • Configure IKEv1 phase 1 on both ASAs
  • Configure phase 2 on both ASAs
  • Make sure the traffic is encrypted by the IPsec VPN