05-04-2020 04:13 PM - edited 05-04-2020 04:27 PM
Hi all.
I have an ISR1111 behind the ISP's NAT with a dynamic external address (from the RFC1918 address space) and a VPS with a static routable address. For now I am trying to create a route-based site-to-site IPsec tunnel between these 2 boxes, but from the Cisco side I have some issues.
Cisco config:
crypto ikev2 proposal IKEv2-PROPOSAL-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy IKEv2-POLICY-1
 proposal IKEv2-PROPOSAL-1
!
crypto ikev2 keyring IKEv2-KEYRING-1
 peer HETZNER
  address VPS_IP_ADDRESS
  pre-shared-key local VERYGOODSUPERPASSWORD
  pre-shared-key remote VERYGOODSUPERPASSWORD
 !
!
crypto ikev2 profile IKEv2-PROFILE-1
 match identity remote address VPS_IP_ADDRESS 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2-KEYRING-1
!
crypto ikev2 nat keepalive 120
crypto ikev2 dpd 30 10 periodic
!
crypto ipsec transform-set IPSEC-TRANSFORM-SET-1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CRYPTO-MAP-1 1 ipsec-isakmp
 set peer VPS_IP_ADDRESS
 set security-association lifetime seconds 28800
 set transform-set IPSEC-TRANSFORM-SET-1
 set ikev2-profile IKEv2-PROFILE-1
 match address CLOUD-SRV-1
!
! outside interface: DHCP address from the ISP (behind the ISP's NAT), crypto map applied here
interface GigabitEthernet0/0/0
 description "ISP 1"
 ip address dhcp
 ip nat outside
 ip access-group EXTERNAL-LINK in
 crypto map CRYPTO-MAP-1
On the VPS I tried to dump traffic on udp/500 and udp/4500, but no packets were captured.
Before the Cisco router I used an EdgeRouter with almost the same configuration and it worked perfectly. No changes were made on the VPS side.
Could you please tell me where I'm wrong?
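Why the poster had to watch both udp/500 and udp/4500 comes down to IKEv2 NAT detection (RFC 7296, section 2.23): both peers hash their own view of the packet's address and port into the IKE_SA_INIT exchange, and a mismatch on the receiving side tells it a NAT rewrote the address, after which IKE_AUTH and ESP move to udp/4500. The following is an added worked example written for this thread, not code from any poster or from Cisco; the SPIs, the public NAT address 203.0.113.7 with port 40123, and the EdgeRouter address 198.51.100.5 are constructed values, while 10.159.21.33 is the ISP-assigned ISR address given later in the thread.

```python
# Added example (not from the thread): IKEv2 NAT detection per RFC 7296 s.2.23,
# which decides whether peers stay on udp/500 or move to udp/4500 after IKE_SA_INIT.
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE_SA_INIT always starts here
NAT_T_PORT = 4500   # IKE_AUTH, UDP-encapsulated ESP and NAT keepalives move here once NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payload data:
    SHA-1 over SPIi | SPIr | IP address | UDP port, all in network byte order.
    Works for IPv4 (4-byte) and IPv6 (16-byte) addresses."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def responder_detects_nat(spi_i: bytes, spi_r: bytes, sent_hash: bytes,
                          observed_ip: str, observed_port: int) -> bool:
    """Responder side (the VPS): recompute the hash over the source address and
    port actually seen on the wire and compare it with the NAT_DETECTION_SOURCE_IP
    value the initiator sent. A mismatch means something rewrote the address or
    port in transit, i.e. the initiator sits behind a NAT."""
    observed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent_hash != observed


def port_after_init(nat_detected: bool) -> int:
    """UDP port on which the rest of the IKE exchange and ESP should be expected."""
    return NAT_T_PORT if nat_detected else IKE_PORT


def scenario(initiator_ip: str, initiator_port: int, wire_ip: str, wire_port: int) -> dict:
    """Simulate one IKE_SA_INIT request: the initiator hashes the address it believes
    it has, the responder hashes what it observed on the packet. Returns the verdict."""
    # Constructed SPIs. In the first IKE_SA_INIT request the responder SPI is zero;
    # the hash is taken over the SPIs exactly as they appear in that packet's header.
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes.fromhex("0000000000000000")
    sent = nat_detection_hash(spi_i, spi_r, initiator_ip, initiator_port)
    nat = responder_detects_nat(spi_i, spi_r, sent, wire_ip, wire_port)
    return {"nat_detected": nat, "expect_port": port_after_init(nat)}


if __name__ == "__main__":
    # Case 1: ISR with the ISP-assigned address from the thread (10.159.21.33),
    # reaching the VPS from a constructed public NAT address and source port.
    print(scenario("10.159.21.33", IKE_PORT, "203.0.113.7", 40123))
    # Case 2: EdgeRouter with a directly routable (constructed) address: no rewrite, no NAT.
    print(scenario("198.51.100.5", IKE_PORT, "198.51.100.5", IKE_PORT))
```

In the first case the responder sees a hash mismatch, so everything after IKE_SA_INIT (including the keepalives configured with `crypto ikev2 nat keepalive 120`) is expected on udp/4500; in the second case the peers stay on udp/500. A capture on the VPS that filters only one of the two ports therefore tells only half the story, and seeing nothing on either port means the IKE_SA_INIT request never left the router, which is the situation the thread describes.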
05-05-2020 12:21 AM
Hello,
I would suggest configuring a (dynamic) VTI instead of using crypto maps. Is that an option?
05-04-2020 04:42 PM
On the EdgeRouter I used this config and it works:
interfaces {
    vti vti0 {
        address 172.16.1.1/30
        description "Hetzner IPsec"
        mtu 1436
    }
}
vpn {
    ipsec {
        allow-access-to-local-interface enable
        auto-firewall-nat-exclude enable
        esp-group GROUP-ESP-1 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group GROUP-IKE-1 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha256
            }
        }
        site-to-site {
            peer VPS_IP_ADDRESS {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret VERYGOODSUPERPASSWORD
                }
                connection-type initiate
                description "Hetzner VPN"
                ike-group GROUP-IKE-1
                ikev2-reauth inherit
                local-address EXTERNAL_IP_ADDRESS
                vti {
                    bind vti0
                    esp-group GROUP-ESP-1
                }
            }
        }
    }
}
05-05-2020 02:49 AM
Thank you Georg. I changed to VTI mode and the tunnel finally works.
For future visitors, my final config is below, where 1.1.1.1 is my VPS external address and 10.159.21.33 is the address on the Cisco ISR provided by the ISP.
interface Tunnel0
 description "Hetzner IPsec"
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC-PROFILE-1
end
!
crypto ikev2 proposal IKEv2-PROPOSAL-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy IKEv2-POLICY-1
 proposal IKEv2-PROPOSAL-1
!
crypto ikev2 keyring IKEv2-KEYRING-1
 peer CLOUD-SRV-1
  address 1.1.1.1
  pre-shared-key local VERYGOODSUPERPASSWORD
  pre-shared-key remote VERYGOODSUPERPASSWORD
 !
!
crypto ikev2 profile IKEv2-PROFILE-1
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 10.159.21.33
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2-KEYRING-1
 dpd 30 5 periodic
!
crypto ipsec transform-set IPSEC-TRANSFORM-SET-1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE-1
 set transform-set IPSEC-TRANSFORM-SET-1
 set ikev2-profile IKEv2-PROFILE-1