I highly recommend Kat Mac's VPN blog series. This lays it out in plain English. Well crafted and beautifully done: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview
For the "configlet" we will use the topology below (same as the previous blog post): two routers directly connected (via a switch), each with a loopback. We want traffic sourced from one loopback and destined for the other loopback to be encrypted in an IPsec tunnel. All other traffic will route without encryption.
The topology and initial configs below are the same as in the previous blog post, VRF Aware IPSEC: IKEv1.
CAVEAT: These templates are an example of VRF-aware IPsec. Each router is using a VRF routing table, NOT THE GLOBAL ROUTING TABLE (GRT)!!!
Basic Initial Configs:
R1:
vrf definition client
!
address-family ipv4
exit-address-family
interface Loopback1
vrf forwarding client
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
vrf forwarding client
ip address 10.1.1.1 255.255.255.252
ip route vrf client 100.1.1.1 255.255.255.255 10.1.1.2
R2:
vrf definition server
!
address-family ipv4
exit-address-family
interface Loopback100
vrf forwarding server
ip address 100.1.1.1 255.255.255.255
interface FastEthernet1/0
vrf forwarding server
ip address 10.1.1.2 255.255.255.252
ip route vrf server 1.1.1.1 255.255.255.255 10.1.1.1
IPSEC (IKEv2) Configs:
R1:
access-list 100 permit ip host 1.1.1.1 host 100.1.1.1
crypto ikev2 proposal client
encryption aes-cbc-256
integrity sha256
group 21
exit
crypto ikev2 policy client
match fvrf client
proposal client
exit
crypto ikev2 keyring KEYRING
peer server
address 10.1.1.2
pre-shared-key local cisco
pre-shared-key remote cisco
exit
exit
crypto ikev2 profile client
match fvrf client
match address local interface FastEthernet0/0
match identity remote address 10.1.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
lifetime 28800
exit
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
exit
crypto map MYMAP 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set MYSET
set ikev2-profile client
match address 100
exit
interface FastEthernet0/0
crypto map MYMAP
exit
R2:
access-list 100 permit ip host 100.1.1.1 host 1.1.1.1
crypto ikev2 proposal server
encryption aes-cbc-256
integrity sha256
group 21
exit
crypto ikev2 policy server
match fvrf server
proposal server
exit
crypto ikev2 keyring SERVER_KEYRING
peer client
address 10.1.1.1
pre-shared-key local cisco
pre-shared-key remote cisco
exit
exit
crypto ikev2 profile server
match fvrf server
match address local interface FastEthernet1/0
match identity remote address 10.1.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local SERVER_KEYRING
lifetime 28800
exit
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
exit
crypto map MYMAP_SERVER 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set MYSET
set ikev2-profile server
match address 100
exit
interface FastEthernet1/0
crypto map MYMAP_SERVER
exit
Verify (the ping must be sourced from the loopback inside the VRF so that it matches the crypto ACL and brings the tunnel up):
R1:
ping vrf client 100.1.1.1 source 1.1.1.1
show crypto ikev2 sa fvrf client [detailed]
show crypto ipsec sa vrf client
R2:
ping vrf server 1.1.1.1 source 100.1.1.1
show crypto ikev2 sa fvrf server [detailed]
show crypto ipsec sa vrf server
Show Output:
R1#show crypto ikev2 sa fvrf client
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.1.1.1/500 10.1.1.2/500 client/client READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/41 sec
IPv6 Crypto IKEv2 SA
R1#show crypto ikev2 sa fvrf client detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.1.1.1/500 10.1.1.2/500 client/client READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/54 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: 21E078A4CC7C3612 Remote spi: 42905DBF44368F78
Local id: 10.1.1.1
Remote id: 10.1.1.2
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
R1#show crypto ipsec sa vrf client
interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 10.1.1.1
[ ... OUTPUT REMOVED TO SAVE SPACE ... ]
protected vrf: client
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/0/0)
current_peer 10.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x52F8B750(1392031568)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x522A72A4(1378513572)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4179797/3586)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x52F8B750(1392031568)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4179797/3586)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
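Reading the two show commands by eye works for one tunnel; for a fleet of VRF-aware tunnels it helps to parse the output and compare it with the policy you configured. The following is an added example (not part of the original post and not Cisco code): it parses abridged copies of R1's `show crypto ikev2 sa fvrf client detailed` and `show crypto ipsec sa vrf client` output above, confirms the SA is READY in the expected fvrf/ivrf with the configured proposal (AES-CBC-256, SHA-256, DH group 21), checks that packets are actually being encrypted and decrypted, and flags the points visible in the page's own output that a reviewer would raise: DPD is off, PFS is N (there is no `set pfs` in the crypto map), and the IPsec transform set `esp-aes esp-sha-hmac` is AES-128 with HMAC-SHA-1, weaker than the IKEv2 proposal. The `EXPECTED` policy dictionary and the `WEAK_TRANSFORMS` table are assumptions made for this example.

```python
"""Check a Cisco IOS VRF-aware IKEv2/IPsec tunnel against an expected policy.
Added example: parses 'show crypto ikev2 sa fvrf <vrf> detailed' and
'show crypto ipsec sa vrf <vrf>' text and returns a list of findings."""
import re

# Constructed sample: abridged copy of R1's 'show crypto ikev2 sa fvrf client detailed'.
IKEV2_SA_OUTPUT = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.1.1.1/500 10.1.1.2/500 client/client READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/54 sec
Status Description: Negotiation done
Local id: 10.1.1.1
Remote id: 10.1.1.2
DPD configured for 0 seconds, retry 0
NAT-T is not detected
"""

# Constructed sample: abridged copy of R1's 'show crypto ipsec sa vrf client'.
IPSEC_SA_OUTPUT = """\
protected vrf: client
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/0/0)
current_peer 10.1.1.2 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 0, #recv errors 0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x522A72A4(1378513572)
transform: esp-aes esp-sha-hmac ,
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x52F8B750(1392031568)
transform: esp-aes esp-sha-hmac ,
Status: ACTIVE(ACTIVE)
"""

# Assumed policy: what R1's configuration on this page should have negotiated.
EXPECTED = {"fvrf": "client", "ivrf": "client", "peer": "10.1.1.2",
            "encr": "AES-CBC", "keysize": 256, "hash": "SHA256", "dh_group": 21}
# Assumed table of ESP transform keywords considered weak (DES/3DES, MD5, SHA-1).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

SA_LINE = re.compile(r"^\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)/(\S+)\s+(\S+)\s*$", re.M)
ALGS = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+)")
PKTS = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_ikev2_sa(text):
    """Return the first IKEv2 SA (endpoints, VRFs, status, algorithms, DPD) or None."""
    sa, algs = SA_LINE.search(text), ALGS.search(text)
    if not sa or not algs:
        return None
    dpd = re.search(r"DPD configured for (\d+) seconds", text)
    return {"local": sa.group(1), "remote": sa.group(2), "fvrf": sa.group(3),
            "ivrf": sa.group(4), "status": sa.group(5),
            "encr": algs.group(1), "keysize": int(algs.group(2)),
            "hash": algs.group(3), "dh_group": int(algs.group(4)),
            "dpd_seconds": int(dpd.group(1)) if dpd else None}


def parse_ipsec_sa(text):
    """Return protected VRF, encrypt/decrypt counters, PFS flag, transforms and ACTIVE state."""
    vrf = re.search(r"protected vrf:\s*(\S+)", text)
    pfs = re.search(r"PFS \(Y/N\):\s*(\w)", text)
    return {"vrf": vrf.group(1) if vrf else None,
            "pkts": {k: int(v) for k, v in PKTS.findall(text)},
            "pfs": pfs.group(1) if pfs else None,
            "transforms": {t.strip() for t in re.findall(r"transform:\s*(.+?),", text)},
            "active": "Status: ACTIVE" in text}


def check_tunnel(ikev2_text, ipsec_text, expected=EXPECTED):
    """Compare parsed state with the expected policy; an empty list means the tunnel is clean."""
    findings = []
    ike = parse_ikev2_sa(ikev2_text)
    if ike is None:
        return ["no IKEv2 SA present: check 'match fvrf', keyring and peer reachability"]
    if ike["status"] != "READY":
        findings.append(f"IKEv2 SA status is {ike['status']}, not READY")
    if ike["remote"] != expected["peer"]:
        findings.append(f"IKEv2 peer is {ike['remote']}, expected {expected['peer']}")
    for key in ("fvrf", "ivrf", "encr", "keysize", "hash", "dh_group"):
        if ike[key] != expected[key]:
            findings.append(f"IKEv2 {key} is {ike[key]}, expected {expected[key]}")
    if not ike["dpd_seconds"]:
        findings.append("DPD is off (0 seconds): a dead peer is not noticed until the SA rekeys")
    ipsec = parse_ipsec_sa(ipsec_text)
    if ipsec["vrf"] != expected["ivrf"]:
        findings.append(f"IPsec protected vrf is {ipsec['vrf']}, expected {expected['ivrf']}")
    if not ipsec["active"]:
        findings.append("no ACTIVE IPsec SA")
    if not (ipsec["pkts"].get("encrypt") and ipsec["pkts"].get("decrypt")):
        findings.append("no packets encrypted/decrypted: traffic is not matching the crypto ACL")
    if ipsec["pfs"] != "Y":
        findings.append("PFS is N: child SA keys derive from the IKE SA only (no 'set pfs' on the crypto map)")
    for t in sorted(ipsec["transforms"]):
        toks = t.split()
        weak = [tok for tok in toks if tok in WEAK_TRANSFORMS]
        if "esp-aes" in toks and not ({"192", "256"} & set(toks)):
            weak.append("esp-aes (128-bit)")  # IOS 'esp-aes' without a keysize is AES-128
        if weak:
            findings.append(f"IPsec transform '{t}' uses {', '.join(weak)}, weaker than the IKEv2 proposal")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(IKEV2_SA_OUTPUT, IPSEC_SA_OUTPUT):
        print(" -", finding)
```

Run against the page's output the checker reports three findings (DPD off, PFS N, and the AES-128/SHA-1 transform set); the IKEv2 SA itself passes every policy check. To use it on a live box, capture the two show commands per VRF and feed them in as the two strings.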