vpn configuration depends on the provided parameters from head office

amralrazzaz
Level 5

Dears,

I need help checking the below parameters, which I received from H.O. (they are using a firewall), to deploy on my local router (remote location, using an ISR 2911 router). I need help checking whether my configuration is fine and I didn't miss anything. Also, if I made any mistake, please help me correct it.

parameters:

IKE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AES256
Authentication algorithm SHA256
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled


configurations :

CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 keyring KR-1
CISCO2911-EGCAI01(config-ikev2-keyring)#peer NLAMS02E
CISCO2911-EGCAI01(config-ikev2-keyring-peer)#address x.x.x.x
CISCO2911-EGCAI01(config-ikev2-keyring-peer)#pre-shared-key .......
CISCO2911-EGCAI01(config-ikev2-keyring-peer)#exit
CISCO2911-EGCAI01(config-ikev2-keyring)#exit
CISCO2911-EGCAI01(config)#exit
----------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 proposal PROP-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-proposal)#encryption aes-cbc-256
CISCO2911-EGCAI01(config-ikev2-proposal)#integrity sha256
CISCO2911-EGCAI01(config-ikev2-proposal)#group 14
CISCO2911-EGCAI01(config-ikev2-proposal)#exit
CISCO2911-EGCAI01(config)#exit
CISCO2911-EGCAI01#exit
---------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 policy POL-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-policy)#proposal PROP-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-policy)#exit
CISCO2911-EGCAI01(config)#exit
--------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#ip access-list extended VPN-ACL
CISCO2911-EGCAI01(config-ext-nacl)#remark Link from to the EGCAI01-NLAMS02E-Fortigate3951
CISCO2911-EGCAI01(config-ext-nacl)#permit ip object-group EGCAI01_remote object-group FC-EGCAI01_local
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group DNS-Servers eq 53
CISCO2911-EGCAI01(config-ext-nacl)#permit udp object-group EGCAI01_remote object-group DNS-Servers eq 53
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3200 3399
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 8000 8099
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 50000 59900
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3600 3699
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group AD-Services object-group EGCAI01_remote object-group Wipro-DC
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group SCCM-Services object-group EGCAI01_remote object-group Wipro-DC
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group FC-EGCAI01_local eq 389
CISCO2911-EGCAI01(config-ext-nacl)#permit ldap object-group EGCAI01_remote object-group FC-EGCAI01_local eq 389
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group FC-DC-SERVICES object-group EGCAI01_remote object-group FC-Domain-Controller
CISCO2911-EGCAI01(config-ext-nacl)#permit ip object-group EGCAI01_remote object-group Other-APPS
CISCO2911-EGCAI01(config-ext-nacl)#exit
CISCO2911-EGCAI01(config)#exit
----------------------------------

CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
CISCO2911-EGCAI01(cfg-crypto-trans)#exit
CISCO2911-EGCAI01(config)#exit
--------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 profile NLAMS02E-PROFILE
CISCO2911-EGCAI01(config-ikev2-profile)#match identity remote address x.x.x.x 255.255.255.255
CISCO2911-EGCAI01(config-ikev2-profile)#authentication local pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#authentication remote pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#keyring local KR-1
CISCO2911-EGCAI01(config-ikev2-profile)#lifetime 86400
CISCO2911-EGCAI01(config-ikev2-profile)#exit
CISCO2911-EGCAI01(config)#exit
--------------------------------------------

CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto map CMAP-NLAMS02E 10 ipsec-isakmp
CISCO2911-EGCAI01(config-crypto-map)#set peer x.x.x.x
CISCO2911-EGCAI01(config-crypto-map)#set pfs group5
CISCO2911-EGCAI01(config-crypto-map)#set security-association lifetime seconds 28800
CISCO2911-EGCAI01(config-crypto-map)#set transform-set NLAMS02E-TS
CISCO2911-EGCAI01(config-crypto-map)#set ikev2-profile NLAMS02E-PROFILE
CISCO2911-EGCAI01(config-crypto-map)#match address VPN-ACL
CISCO2911-EGCAI01(config-crypto-map)#exit
CISCO2911-EGCAI01(config)#exit

---------------------------------

CISCO2911-EGCAI01(config)#interface GigabitEthernet0/1.328
CISCO2911-EGCAI01(config-subif)# description connected to PRIMARY_ISP
CISCO2911-EGCAI01(config-subif)# encapsulation dot1Q 328
CISCO2911-EGCAI01(config-subif)# ip address 172.19.x.x 255.255.255.252 secondary
CISCO2911-EGCAI01(config-subif)# ip address 196.2x.x.x 255.255.255.248 (this is public ip)
CISCO2911-EGCAI01(config-subif)# crypto map CMAP-NLAMS02E
CISCO2911-EGCAI01(config-subif)# ip flow ingress
CISCO2911-EGCAI01(config-subif)# ip flow egress
CISCO2911-EGCAI01(config-subif)# ip nat outside
CISCO2911-EGCAI01(config-subif)# ip virtual-reassembly in
CISCO2911-EGCAI01(config-subif)#exit
CISCO2911-EGCAI01(config)#exit

amr alrazzaz
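One way to check a pasted IOS transcript like the one above against the head-office parameter sheet, as an added example that is not part of the original post: each parameter is mapped to the IOS command it should produce, the prompt prefix is stripped, and every parameter is reported as present or missing. The transcript excerpt is constructed from the posted lines (peer address left as the poster's x.x.x.x placeholder); the `dpd` pattern assumes the IKEv2 profile's `dpd interval retry {on-demand|periodic}` syntax.

```python
import re

# Constructed excerpt of the posted CLI transcript (same commands as the post);
# the 'hostname(mode)#' prompt is stripped before matching.
TRANSCRIPT = """
CISCO2911-EGCAI01(config-ikev2-proposal)#encryption aes-cbc-256
CISCO2911-EGCAI01(config-ikev2-proposal)#integrity sha256
CISCO2911-EGCAI01(config-ikev2-proposal)#group 14
CISCO2911-EGCAI01(config-ikev2-profile)#authentication local pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#authentication remote pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#keyring local KR-1
CISCO2911-EGCAI01(config-ikev2-profile)#lifetime 86400
CISCO2911-EGCAI01(config)#crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
CISCO2911-EGCAI01(config-crypto-map)#set pfs group5
CISCO2911-EGCAI01(config-crypto-map)#set security-association lifetime seconds 28800
CISCO2911-EGCAI01(config-crypto-map)#set ikev2-profile NLAMS02E-PROFILE
"""

# Head-office parameter sheet from the post, each expressed as the IOS command
# line it should produce (regex anchored to a whole command).
EXPECTED = {
    "IKE encryption AES256":       r"^encryption aes-cbc-256$",
    "IKE integrity SHA256":        r"^integrity sha256$",
    "IKE DH group 14":             r"^group 14$",
    "IKE SA lifetime 86400":       r"^lifetime 86400$",
    "Dead peer detection enabled": r"^dpd \d+ \d+ (on-demand|periodic)$",
    "ESP AES256 / SHA256":         r"^crypto ipsec transform-set \S+ esp-aes 256 esp-sha256-hmac$",
    # group 5 is 1536-bit MODP: it matches the sheet, but is below current guidance (group 14+)
    "PFS DH group 5":              r"^set pfs group5$",
    "IPsec SA lifetime 28800":     r"^set security-association lifetime seconds 28800$",
}

def commands(transcript):
    """Strip the 'hostname(mode)#' prompt and return the bare command lines."""
    return [re.sub(r"^\S+?#", "", ln).strip() for ln in transcript.splitlines() if "#" in ln]

def audit(transcript, expected=EXPECTED):
    """Map each required parameter to True/False: is a matching command present?"""
    cmds = commands(transcript)
    return {name: any(re.match(pat, c) for c in cmds) for name, pat in expected.items()}

def missing(transcript):
    """Sorted list of parameters from the sheet with no matching command."""
    return sorted(name for name, ok in audit(transcript).items() if not ok)

if __name__ == "__main__":
    for name, ok in audit(TRANSCRIPT).items():
        print(f"{'OK     ' if ok else 'MISSING'} {name}")
```

Run against the posted transcript, every line of the sheet is matched except the DPD entry, which has no corresponding command in the IKEv2 profile.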