This is more of a point of reference for myself and my peers.
I'm not going to go into a long-winded explanation of the templates posted here, as there is already an overwhelming amount of information out there.
I highly recommend Kat Mac's VPN blog series. It lays this out in plain English. Well crafted and beautifully done: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview
Now for the templates. We will use the topology below as a basic topology: two routers directly connected (via a switch), each with a loopback. We want traffic sourced from one loopback and destined for the other loopback to be encrypted via IPSEC tunnels. All other traffic will route without encryption.
CAVEAT: These templates are an example of VRF Aware IPSEC. Each router is using a VRF routing table, NOT THE GLOBAL ROUTING TABLE (GRT)!!!
Basic Initial Configs:
R1:
vrf definition client
 !
 address-family ipv4
 exit-address-family
interface Loopback1
 vrf forwarding client
 ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
 vrf forwarding client
 ip address 10.1.1.1 255.255.255.252
ip route vrf client 100.1.1.1 255.255.255.255 10.1.1.2
R2:
vrf definition server
 !
 address-family ipv4
 exit-address-family
interface Loopback100
 vrf forwarding server
 ip address 100.1.1.1 255.255.255.255
interface FastEthernet1/0
 vrf forwarding server
 ip address 10.1.1.2 255.255.255.252
ip route vrf server 1.1.1.1 255.255.255.255 10.1.1.1
IPSEC (IKEv1) configs:
R1:
! crypto ACL: only loopback-to-loopback traffic is encrypted
access-list 100 permit ip host 1.1.1.1 host 100.1.1.1
! keyring is tied to the VRF the peer is reached through
crypto keyring MY_KEYRING vrf client
 pre-shared-key address 10.1.1.2 255.255.255.255 key cisco
crypto isakmp policy 10
 authentication pre-share
! ISAKMP profile binds the VRF, keyring and peer identity together
crypto isakmp profile MY_PROFILE
 vrf client
 keyring MY_KEYRING
 match identity address 10.1.1.2 255.255.255.255 client
 local-address FastEthernet0/0
crypto ipsec transform-set MYSET ah-md5-hmac esp-aes esp-sha-hmac
 mode tunnel
crypto map MYMAP local-address FastEthernet0/0
crypto map MYMAP 1 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set MYSET
 set isakmp-profile MY_PROFILE
 match address 100
! apply the crypto map to the VRF-facing interface
int FastEthernet0/0
 crypto map MYMAP
 exit
R2:
! crypto ACL: mirror image of R1's
access-list 100 permit ip host 100.1.1.1 host 1.1.1.1
! keyring is tied to the VRF the peer is reached through
crypto keyring MY_KEYRING_2 vrf server
 pre-shared-key address 10.1.1.1 255.255.255.255 key cisco
crypto isakmp policy 10
 authentication pre-share
! ISAKMP profile binds the VRF, keyring and peer identity together
crypto isakmp profile MY_PROFILE_2
 vrf server
 keyring MY_KEYRING_2
 match identity address 10.1.1.1 255.255.255.255 server
 local-address FastEthernet1/0
crypto ipsec transform-set MYSET ah-md5-hmac esp-aes esp-sha-hmac
 mode tunnel
crypto map MYMAP_2 local-address FastEthernet1/0
crypto map MYMAP_2 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set MYSET
 set isakmp-profile MY_PROFILE_2
 match address 100
! apply the crypto map to the VRF-facing interface
int FastEthernet1/0
 crypto map MYMAP_2
 exit
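Most of what goes wrong with a pair of templates like these is a copy-and-paste slip: a crypto ACL that was not mirrored, a peer address typed differently in one of the three places that name it, a keyring in a different VRF than the profile, or a crypto map that never got applied to the interface. The Python 3.8+ script below is an added example (not from the original post and not an IOS feature): it renders the two templates above from their variable parts and cross-checks them before anything is pasted into a router. The render() helper, the sections/find/section parsing and the check() rules are assumptions of this example; the addresses, names and VRFs are the ones in the post, and the ISAKMP policy is left out because the checker does not read it.

```python
import re

def render(vrf, intf, local_ip, peer_ip, local_host, remote_host, tag=""):
    """One end of the post's VRF-aware IKEv1 template (only the lines the checker reads), indented like 'show run'."""
    return f"""\
interface {intf}
 vrf forwarding {vrf}
 ip address {local_ip} 255.255.255.252
 crypto map MYMAP{tag}
access-list 100 permit ip host {local_host} host {remote_host}
crypto keyring MY_KEYRING{tag} vrf {vrf}
 pre-shared-key address {peer_ip} 255.255.255.255 key cisco
crypto isakmp profile MY_PROFILE{tag}
 vrf {vrf}
 keyring MY_KEYRING{tag}
 match identity address {peer_ip} 255.255.255.255 {vrf}
 local-address {intf}
crypto ipsec transform-set MYSET ah-md5-hmac esp-aes esp-sha-hmac
crypto map MYMAP{tag} local-address {intf}
crypto map MYMAP{tag} 1 ipsec-isakmp
 set peer {peer_ip}
 set transform-set MYSET
 set isakmp-profile MY_PROFILE{tag}
 match address 100
"""

# Constructed inputs built from the post's R1 and R2 values.
R1 = render("client", "FastEthernet0/0", "10.1.1.1", "10.1.1.2", "1.1.1.1", "100.1.1.1")
R2 = render("server", "FastEthernet1/0", "10.1.1.2", "10.1.1.1", "100.1.1.1", "1.1.1.1", "_2")

def sections(text):
    """{top-level line: [sub-lines]}; an indented line belongs to the unindented line before it."""
    out, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            out[cur].append(raw.strip())
        else:
            cur = raw.strip()
            out[cur] = []
    return out

def find(pattern, lines):
    """Capture group (a tuple if several) of the first line matching pattern, else None."""
    for line in lines:
        if m := re.match(pattern, line):
            return m.groups() if len(m.groups()) > 1 else m[1]
    return None

def section(sec, pattern):
    """(header match, sub-lines) of the first section whose header matches, else (None, [])."""
    for hdr, body in sec.items():
        if m := re.match(pattern, hdr):
            return m, body
    return None, []

def summarize(text):
    """Collect the fields that must agree across the two ends of the tunnel."""
    sec = sections(text)
    cm_hdr, cm = section(sec, r"crypto map (\S+) \d+ ipsec-isakmp")
    cmap = cm_hdr[1]
    local_if = find(rf"crypto map {cmap} local-address (\S+)", sec)
    _, intf = section(sec, rf"interface {re.escape(local_if)}$")
    _, prof = section(sec, rf"crypto isakmp profile {find(r'set isakmp-profile (.+)', cm)}$")
    kr_hdr, kr = section(sec, rf"crypto keyring {find(r'keyring (.+)', prof)} vrf (\S+)")
    ts_hdr, _ = section(sec, rf"crypto ipsec transform-set {find(r'set transform-set (.+)', cm)} (.+)")
    acl = find(r"match address (\S+)", cm)
    ident = find(r"match identity address (\S+) \S+ (\S+)", prof) or (None, None)
    return {
        "cmap": cmap,
        "local_ip": find(r"ip address (\S+) ", intf),
        "applied": find(r"crypto map (\S+)", intf) == cmap,
        # every VRF reference that must name the same routing table
        "vrfs": {find(r"vrf forwarding (\S+)", intf), find(r"vrf (\S+)$", prof),
                 kr_hdr[1] if kr_hdr else None, ident[1]},
        # every place the remote peer's address is spelled out
        "peers": {"set peer": find(r"set peer (\S+)", cm),
                  "pre-shared-key": find(r"pre-shared-key address (\S+)", kr),
                  "match identity": ident[0]},
        "acl": find(rf"access-list {acl} permit ip host (\S+) host (\S+)", sec),
        "tset": set(ts_hdr[1].split()) if ts_hdr else set(),
    }

def check(local, remote):
    """Findings for one end checked against the other; an empty list means consistent."""
    f, name = [], local["cmap"]
    if not local["applied"]:
        f.append(f"{name}: not applied to its local-address interface")
    if len(local["vrfs"]) != 1 or None in local["vrfs"]:
        f.append(f"{name}: VRF differs across interface/profile/keyring/identity: {local['vrfs']}")
    for where, addr in local["peers"].items():
        if addr != remote["local_ip"]:
            f.append(f"{name}: {where} {addr} is not the remote crypto interface {remote['local_ip']}")
    if local["acl"] != tuple(reversed(remote["acl"] or ())):
        f.append(f"{name}: crypto ACL {local['acl']} is not the mirror of {remote['acl']}")
    if local["tset"] != remote["tset"]:
        f.append(f"{name}: transform-set proposals differ from the remote side")
    return f

if __name__ == "__main__":
    print("R1:", check(summarize(R1), summarize(R2)) or "OK")
    print("R2:", check(summarize(R2), summarize(R1)) or "OK")
```

Run as-is it reports OK for both routers. Re-render R2 with R1's ACL hosts in the same order and check() flags the ACL as not being a mirror; mistype one router's interface address and every line on the other side that names the peer (set peer, the keyring's pre-shared-key address and match identity) is reported, which is exactly the set of places a fix has to touch.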
Verify:
R1:
ping vrf client 100.1.1.1 source 1.1.1.1
show crypto isakmp sa vrf client
show crypto ipsec sa vrf client
R2:
ping vrf server 1.1.1.1 source 100.1.1.1
show crypto isakmp sa vrf server
show crypto ipsec sa vrf server
Great write-up Tony, let's get a few more blogs on the VPN. I have been following up Katie McNamara for a long time now.