Cisco VTI and IPSec (IKE Phase2) SA proposal configuration.

muutttu
Level 1

Hi there,

I have a question about the configuration options for the Virtual Tunnel Interface (VTI) feature. I have a Cisco IOS router which terminates customers on individual tunnel interfaces. The issue I now have is how I can specify the 'interesting' traffic in the IPsec SA (IKE Phase 2) security association proposal. The configuration on the router uses crypto profiles like this:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile ISAKMP_PHASE1_PARAMETERS
 keyring PRESHARED_KEYS
 match identity address 1.2.3.4 255.255.255.255
!
crypto keyring PRESHARED_KEYS
 pre-shared-key address 1.2.3.4 key xyz
!
crypto ipsec transform-set VPN-TRANSFORMSET esp-3des esp-sha-hmac
!
crypto ipsec profile ISAKMP_PHASE2_TUNNEL
 set transform-set VPN-TRANSFORMSET
 set pfs group2
 set isakmp-profile ISAKMP_PHASE1_PARAMETERS
!
interface Tunnel1
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1450
 tunnel source Loopback1
 tunnel destination 1.2.3.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ISAKMP_PHASE2_TUNNEL
!

Now, when I look at the output of the command "show crypto ipsec sa int tu1", I get the following:

....
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.2.3.4 port 500
     PERMIT, flags={origin_is_acl,}
....

However, the peer on the other side doesn't accept the proposal, since it wants specific IP subnets in the IPsec SA proposal parameters. It would accept the policy if the local and remote identity proxies were, for example, 192.168.10.0/255.255.255.0/0/0 (local) and 192.168.200.0/255.255.255.0/0/0 (remote).

Is there any IOS configuration option for configuring the 'interesting' traffic on the crypto profile? With the crypto map-based configuration we can specify the interesting traffic with an ACL under the crypto map configuration section.

I'm running IOS version 15.1(4)M with the Advanced IP Services feature set.

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Hi,

SVTI will always want to negotiate any/any as traffic selectors.

What you MIGHT be looking for is the multi-SA DVTI configuration, in which the remote end can say which proxy identities it would like to encrypt. (Supported as of 15.2M/T.)

The caveat of such a configuration is, unfortunately, that the remote end needs to initiate the negotiation.

M.
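As an added example (not part of the original thread and not Marcin's or the poster's configuration), this is the hub-side shape of the multi-SA DVTI setup the accepted answer points to, built from the poster's own Phase 1 objects. Assumptions: IOS 15.2(1)T or later, Loopback1 is the hub's tunnel source as in the post, and the virtual-template number, the profile name IPSEC_MULTI_SA and the SA limit value are illustrative. The hub still cannot dictate proxies: the remote end must initiate from a crypto map whose ACL names, for example, 192.168.200.0/24 to 192.168.10.0/24, and the hub then accepts those proxies as separate IPsec SAs on the virtual-access interface cloned from the template. Reverse-route injection is what installs routes back to the remote's proxy subnets.

```cisco
! Added example, not from the thread: hub-side multi-SA DVTI for IKEv1.
! Phase 1 objects are the poster's own. 3DES and DH group 2 are kept for
! continuity with the post; both are legacy choices today.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto keyring PRESHARED_KEYS
 pre-shared-key address 1.2.3.4 key xyz
!
! The ISAKMP profile now hands matching peers to a virtual template
! instead of a static tunnel; the peer is identified exactly as before.
crypto isakmp profile ISAKMP_PHASE1_PARAMETERS
 keyring PRESHARED_KEYS
 match identity address 1.2.3.4 255.255.255.255
 virtual-template 1
!
crypto ipsec transform-set VPN-TRANSFORMSET esp-3des esp-sha-hmac
!
! Profile name, SA limit and RRI are assumptions for this example.
! set reverse-route: install routes for whatever proxies the remote proposes.
! set security-policy limit: cap the number of proxy pairs (SAs) one remote
! may negotiate on its virtual-access interface.
crypto ipsec profile IPSEC_MULTI_SA
 set transform-set VPN-TRANSFORMSET
 set pfs group2
 set isakmp-profile ISAKMP_PHASE1_PARAMETERS
 set reverse-route
 set security-policy limit 10
!
! Cloned per remote; there is no 'tunnel destination', since the
! remote is learned when it initiates IKE.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip mtu 1450
 tunnel source Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_MULTI_SA
!
```

Because the hub is purely a responder here, traffic originating at the hub will not bring the tunnel up; plan for the remote to initiate (or keep the SA alive with DPD/keepalives on the remote side). Check the negotiated proxies with "show crypto ipsec sa" on the virtual-access interface: each accepted proxy pair from the remote's ACL should appear as its own local/remote ident, in place of the 0.0.0.0/0.0.0.0 selectors the SVTI shows.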


Hi Marcin and thanks for the reply.

I was hoping for another solution, but I guess this could be a feature to look out for in the near future. Hopefully Cisco will create a better solution for this kind of issue.

The solution has existed forever; it's called crypto maps :-)

In the meantime, FlexVPN is taking the majority of our effort. I haven't seen a limitation in this regard there. However, it does use IKEv2.

Well, yeah... Initially I wanted to move away from legacy crypto map configurations by using VTI, but it turned out that it was the only way of dealing with the issue I had. So I went 360 degrees on crypto maps.

Anyways, thanks for the tips.
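Since the thread ends with the poster going back to crypto maps, here is the crypto-map form of the same tunnel as an added example (not the poster's or Marcin's configuration), showing where the 'interesting' traffic is actually pinned down: the ACL referenced by "match address" becomes the local/remote proxy identity in the IPsec SA proposal, which is exactly what the peer in the question demanded. It reuses the poster's Phase 1 and transform-set objects; the ACL name, crypto map name and the outside interface name are assumptions.

```cisco
! Added example, not from the thread: crypto-map equivalent of the
! poster's VTI, with the peer's required proxies carried in the ACL.
! Phase 1 objects (policy 10, keyring, ISAKMP profile, transform set)
! are the poster's own and are assumed to be configured as in the post.
!
! The ACL defines the IPsec SA proxy identities:
!   local  ident = 192.168.10.0/255.255.255.0/0/0
!   remote ident = 192.168.200.0/255.255.255.0/0/0
! The peer's ACL must be the exact mirror image, or Phase 2 fails.
ip access-list extended VPN-INTERESTING-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! Keep IKE sourced from Loopback1, as the tunnel source was in the post,
! so the peer still sees the same local identity.
crypto map VPN-MAP local-address Loopback1
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set VPN-TRANSFORMSET
 set pfs group2
 set isakmp-profile ISAKMP_PHASE1_PARAMETERS
 match address VPN-INTERESTING-TRAFFIC
!
! Crypto maps bind to the interface the protected traffic leaves through;
! GigabitEthernet0/0 is an assumed name for the Internet-facing interface.
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! Routing for 192.168.200.0/24 must point out GigabitEthernet0/0 for the
! crypto map to see (and protect) the traffic; a Tunnel interface is not
! used in this model.
```

Once the SA is up, "show crypto ipsec sa peer 1.2.3.4" should list the ACL's two subnets as the local and remote ident lines in place of the 0.0.0.0/0.0.0.0 selectors seen in the question; the tradeoff versus the VTI is that you lose the routable tunnel interface and must keep the ACLs on both ends in sync by hand.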
