This document discusses an IPv6 IPsec site-to-site VPN using a Virtual Tunnel Interface (VTI), with a configuration example.
Cisco IOS IPsec functionality provides network data encryption at the IP packet level, offering a robust, standards-based security solution. IPsec provides data authentication and anti-replay services in addition to data confidentiality. With IPsec, data can be sent across a public network without observation, modification, or spoofing. General usage scenarios for IPv6 IPsec are:
1) Site-to-site VPN: protect all IPv6 traffic between two trusted networks.
2) Configured secure tunnel: protect IPv6 traffic being tunneled over an untrusted IPv4 network.
3) Control-plane protection: IPsec can also protect control-plane functions, for example OSPFv3.
In the following example an IPsec-protected tunnel is set up between CE1 and CE2 so that they can communicate over the public network. The routers ISP_IR1 and ISP_IR2 have global IPv6 addresses and have no knowledge of the private subnets behind CE1 and CE2.
The site-to-site VPN is configured on the routers as follows:
Step 1: Configure IKE Policy and Pre-shared Key:
Configure the same ISAKMP policy on the routers CE1 and CE2:
CE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CE1(config)#crypto isakmp policy 10
CE1(config-isakmp)#encryption 3des
CE1(config-isakmp)#group 2
CE1(config-isakmp)#authentication pre-share
CE1(config-isakmp)#exit
Each router must be configured with the same key, but the configuration statement should designate the address of the appropriate interface on the peer router.
Step 2: Configure an IPsec Transform Set and IPsec Profile:
Configure the same IPsec transform set and IPsec profile on the routers CE1 and CE2:
CE1(config)#crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
CE1(cfg-crypto-trans)#mode tunnel
CE1(cfg-crypto-trans)#exit
CE1(config)#crypto ipsec profile ipv6_ipsec_pro      (this profile, which carries the transform set, is bound to the VTI in step 4)
CE1(ipsec-profile)#set transform-set ipv6_tran
CE1(ipsec-profile)#exit
CE1(config)#
Step 3: Configure an ISAKMP Profile in IPv6:
The ISAKMP profile is configured on the routers CE1 and CE2; its match identity statement must designate the identity address of the appropriate interface on the peer router.
CE1(config)#crypto isakmp profile 3des
% A profile is deemed incomplete until it has match identity statements
CE1(conf-isa-prof)#self-identity address ipv6
CE1(conf-isa-prof)#match identity address ipv6 2002::1/128
CE1(conf-isa-prof)#keyring default
CE1(conf-isa-prof)#exit
CE1(config)#
Step 4: Configure the IPsec IPv6 VTI:
Configuring an IPv6 IPsec VTI on the router is straightforward.
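The following is an added example, not configuration from the original article, showing the pieces the text refers to but does not print: the pre-shared key that step 1 relies on, the Tunnel1 VTI to which the ipv6_ipsec_pro profile from step 2 is bound, the mirrored configuration on CE2, and the static routes that steer LAN traffic into the tunnel. The peer addresses 2001::1 (CE1) and 2002::1 (CE2), the profile names and the LAN hosts fc00::1 / fc01::1 come from the article; the key string cisco123, the WAN interface GigabitEthernet0/0, the tunnel prefix 2001:db8:ff::/64 and the /64 length of the LAN prefixes are assumptions.

```text
! ===== CE1 =====
! IPv6 forwarding must be enabled before the VTI can route traffic
ipv6 unicast-routing
!
! Pre-shared key for the peer CE2 (placeholder key; use a long random secret).
! The same string is configured on CE2, pointing at CE1's address.
crypto isakmp key cisco123 address ipv6 2002::1/128
!
! The VTI: traffic routed into Tunnel1 is encrypted with the profile from step 2.
! GigabitEthernet0/0 is assumed to hold CE1's public address 2001::1.
! 2001:db8:ff::/64 is an assumed point-to-point prefix for the tunnel itself.
interface Tunnel1
 no ip address
 ipv6 address 2001:db8:ff::1/64
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel destination 2002::1
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipv6_ipsec_pro
!
! Send the remote LAN (fc01::/64, assumed length) through the tunnel
ipv6 route fc01::/64 Tunnel1
!
! ===== CE2 (mirror image; steps 1 and 2 are identical to CE1) =====
ipv6 unicast-routing
!
crypto isakmp key cisco123 address ipv6 2001::1/128
!
! Step 3 on CE2 matches CE1's address instead of its own
crypto isakmp profile 3des
 self-identity address ipv6
 match identity address ipv6 2001::1/128
 keyring default
!
interface Tunnel1
 no ip address
 ipv6 address 2001:db8:ff::2/64
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel destination 2001::1
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipv6_ipsec_pro
!
ipv6 route fc00::/64 Tunnel1
```

Once both sides are configured, the first packet routed into Tunnel1 triggers IKE; show crypto isakmp sa and show crypto ipsec sa confirm the phase 1 and phase 2 SAs, and show crypto engine connection active gives the per-SA counters shown below. The 3DES / SHA-1 / DH group 2 suite is kept here only to match the article; on current IOS releases AES, SHA-2 and DH group 14 or higher are the appropriate choice for new deployments.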
To display a summary of the configuration information for the crypto engines:
CE1#show crypto engine connection active
Crypto Engine Connections

   ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
    1  Tu1        IPsec  3DES+SHA         0       95  2001::1
    2  Tu1        IPsec  3DES+SHA       128        0  2001::1
 1007  Tu1        IKE    SHA+3DES         0        0  2001::1
CE1#ping fc01::1 source fc00::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC01::1, timeout is 2 seconds:
Packet sent with a source address of FC00::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/187/388 ms

CE1#traceroute
Protocol [ip]: ipv6
Target IPv6 address: fc01::1
Source address: fc00::1
Insert source routing header? [no]:
Numeric display? [no]:
Timeout in seconds :
Probe count :
Minimum Time to Live :
Maximum Time to Live :
Priority :
Port Number :
Type escape sequence to abort.
Tracing the route to FC01::1