Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1700
Views
0
Helpful
9
Replies

Assign remote IP via DHCP using IPSEC using virtual tunnel interface

amarshah
Level 1
Level 1

‎02-11-2022 10:04 AM

Hello,

 

I am wondering if it is possible to assign an remote IP to a device connecting via IPSEC using a virtual tunnel interface on an ASR1K. In the diagram below the ASR1K can be depicted as the PSeGW. Once the BTS has its temporary IP it will send a DHCP request to the BSC to get it's final IP address. This final IP will be used as the source IP of the BTS to be used in the encryption domain.

Screenshot 2022-02-11 175847.png

 
 
 
 

 

 

Thanks in advance

 

 

 

 

 

 

 

Labels:
0 Helpful
9 Replies 9

Rob Ingram
VIP
VIP

‎02-11-2022 10:08 AM

@amarshah if using FlexVPN on the ASR1K you can dynamically assign an IP address to the device connecting to it, whether it's another router or an AnyConnect user. The IP address can be issued from a VPN pool on the ASR1K or from DHCP, if authorised by RADIUS.

0 Helpful

Walker1
Level 1
Level 1

‎02-13-2022 09:19 PM - edited ‎02-14-2022 07:40 PM

A virtual tunnel interface is a Layer 3 logical interface where the encapsulation protocol is GRE and IPSec. The device can provide the IPSec service for the virtual tunnel interface. All the packets routed to the virtual tunnel interface are protected by IPSec. The virtual tunnel interface can simplify IPSec parameters

 

GMGlobalConnect

0 Helpful

amarshah
Level 1
Level 1

‎02-17-2022 08:22 AM

I have tried the following configuration

aaa new-model

aaa authorization network pico local

crypto ikev2 keyring Keyring_2G_Pico
peer Peer_2G_Pico
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key ******


crypto ikev2 authorization policy pico
pool pico
route set access-list pico

crypto ikev2 profile IKEv2_Profile_2G_Pico
match fvrf FVRF
match address local W.A.N.IP
match identity remote fqdn picogsmsegw10
identity local fqdn gsmgateway
authentication remote pre-share
authentication local pre-share
keyring local Keyring_2G_Pico
aaa authorization user psk list pico
virtual-template 2

crypto isakmp profile isakmp_prof_2G_Pico
keyring keyring_2G_Pico
match identity address 0.0.0.0 FVRF
virtual-template 2
local-address Loopback2

crypto ipsec transform-set TS_2G_Pico esp-3des esp-md5-hmac
mode tunnel

crypto ipsec profile IPsec_Profile_2G_Pico
set transform-set TS_2G_Pico
set ikev2-profile IKEv2_Profile_2G_Pico
reverse-route

interface Loopback2
description IPSEC Peer - External IPSec
vrf forwarding FVRF
ip address W.A.N.IP 255.255.255.255

interface Virtual-Template2 type tunnel
description IKEv2 IPSec 2G Pico
vrf forwarding trust
ip unnumbered Loopback2
zone-member security IPSEC
no logging event link-status
tunnel source Loopback2
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile IPsec_Profile_2G_Pico

ip local pool pico 172.7.1.1 172.7.1.254

ip access-list standard pico
10 permit 172.7.1.0 0.0.0.255

However I get the following error

Feb 17 16:17:01.299: IKEv2:Received Packet [From CLI.NT.IP.ADDR:500/To W.A.N.IP:500/VRF i0:f3]
Initiator SPI : CDE4C82491FD8E2E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

Feb 17 16:17:01.300: IKEv2:(SESSION ID = 52394,SA ID = 14):Verify SA init message
Feb 17 16:17:01.300: IKEv2:(SESSION ID = 52394,SA ID = 14):Insert SA
Feb 17 16:17:01.300: IKEv2:(SESSION ID = 52394,SA ID = 14):Processing IKE_SA_INIT message
Feb 17 16:17:01.302: IKEv2:(SESSION ID = 52394,SA ID = 14):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 1
Feb 17 16:17:01.302: IKEv2:(SESSION ID = 52394,SA ID = 14):(SA ID = 14):[Crypto Engine -> IKEv2] DH key Computation PASSED
Feb 17 16:17:01.302: IKEv2:(SESSION ID = 52394,SA ID = 14):Request queued for computation of DH key
Feb 17 16:17:01.302: IKEv2:(SESSION ID = 52394,SA ID = 14):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 1
Feb 17 16:17:01.302: IKEv2:(SESSION ID = 52394,SA ID = 14):Request queued for computation of DH secret
Feb 17 16:17:01.304: IKEv2:(SESSION ID = 52394,SA ID = 14):(SA ID = 14):[Crypto Engine -> IKEv2] DH key Computation PASSED
Feb 17 16:17:01.304: IKEv2:(SESSION ID = 52394,SA ID = 14):(SA ID = 14):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Feb 17 16:17:01.304: IKEv2:(SESSION ID = 52394,SA ID = 14):(SA ID = 14):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Feb 17 16:17:01.304: IKEv2:(SESSION ID = 52394,SA ID = 14):Generating IKE_SA_INIT message
Feb 17 16:17:01.305: IKEv2:(SESSION ID = 52394,SA ID = 14):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_768_MODP/Group 1

Feb 17 16:17:01.305: IKEv2:(SESSION ID = 52394,SA ID = 14):
ABCD_EF_PE_EDGE#Sending Packet [To CLI.NT.IP.ADDR:500/From W.A.N.IP:500/VRF i0:f3]
Initiator SPI : CDE4C82491FD8E2E - Responder SPI : FC24BC44D9D29BAC Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

Feb 17 16:17:01.306: IKEv2:(SESSION ID = 52394,SA ID = 14):Completed SA init exchange
Feb 17 16:17:01.306: IKEv2:(SESSION ID = 52394,SA ID = 14):Starting timer (30 sec) to wait for auth message
Feb 17 16:17:08.701: IKEv2:(SESSION ID = 52394,SA ID = 14):Retransmitting packet

Feb 17 16:17:08.701: IKEv2:(SESSION ID = 52394,SA ID = 14):Sending Packet [To CLI.NT.IP.ADDR:500/From W.A.N.IP:500/VRF i0:f3]
Initiator SPI : CDE4C82491FD8E2E - Responder SPI : FC24BC44D9D29BAC Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

Feb 17 16:17:08.702: IKEv2:(SESSION ID = 52394,SA ID = 14):Packet is a retransmission
Feb 17 16:17:31.307: IKEv2-ERROR:(SESSION ID = 52394,SA ID = 14):: Failed to receive the AUTH msg before the timer expired
Feb 17 16:17:31.307: IKEv2:(SESSION ID = 52394,SA ID = 14):Auth exchange failed
Feb 17 16:17:31.308: IKEv2-ERROR:(SESSION ID = 52394,SA ID = 14):: Auth exchange failed
Feb 17 16:17:31.310: IKEv2:(SESSION ID = 52394,SA ID = 14):Abort exchange
Feb 17 16:17:31.310: IKEv2:(SESSION ID = 52394,SA ID = 14):Deleting SA




0 Helpful

amarshah
Level 1
Level 1

‎08-24-2022 12:41 AM

We have modified the configuration to the below

 

aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization network pico-author-list none
!
!
aaa attribute list pico_attribute_list
attribute type addr-pool "pool_pico"
!
!
aaa session-id common

crypto ikev2 authorization policy ikev2_author_policy_pico
pool pool_pico
aaa attribute list pico_attribute_list
route set access-list acl_pico

crypto ikev2 keyring Keyring_2G_Pico
peer Peer_2G_Pico
address 0.0.0.0 0.0.0.0
identity fqdn picogsmsegw10
pre-shared-key password

crypto ikev2 profile IKEv2_Profile_2G_Pico
match fvrf FVRF
match address local WA.N.i.P
match identity remote fqdn picogsmsegw10
authentication remote pre-share key password
authentication local pre-share
keyring local Keyring_2G_Pico
aaa authorization user psk list pico-author-list picogsmsegw10 local
virtual-template 2

crypto keyring keyring_2G_Pico vrf FVRF
local-address Loopback2
pre-shared-key address 0.0.0.0 0.0.0.0 key huawei

crypto isakmp profile isakmp_prof_2G_Pico
keyring keyring_2G_Pico
match identity address 0.0.0.0 FVRF
virtual-template 2
local-address Loopback2

crypto ipsec transform-set TS_2G_Pico esp-3des esp-md5-hmac
mode tunnel

crypto ipsec profile IPsec_Profile_2G_Pico
set transform-set TS_2G_Pico
set ikev2-profile IKEv2_Profile_2G_Pico

interface Loopback2
description IPSEC Peer - External IPSec
vrf forwarding FVRF
ip address W.AN.I.P 255.255.255.255

interface Virtual-Template2 type tunnel
description IKEv2 IPSec 2G Pico
vrf forwarding trust
ip unnumbered Loopback2
zone-member security IPSEC
no logging event link-status
tunnel source Loopback2
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile IPsec_Profile_2G_Pico

ip local pool pool_pico 172.7.1.1 172.7.1.254

ip access-list standard acl_pico
10 permit 172.7.1.0 0.0.0.255

END


0 Helpful

amarshah
Level 1
Level 1

‎08-24-2022 12:42 AM

However it still seems to fail assigning the IP address, here is some except from the log. I have also attached the full debug

Aug 17 14:55:35.777: INFO: AAA/ATTR(00000000): next attr: sublist(0x7F650AAD0988) index(3): 7F650AAD0998 0 00000081 username(450) 13 picogsmsegw10
INFO: AAA/ATTR(00000000): username skip
Aug 17 14:55:35.777: INFO: AAA/ATTR(00000000): next attr: sublist(0x7F650AAD0988) index(3): 7F650AAD09D8 0 00000081 password(320) 5 <opaque value>
INFO: AAA/ATTR(00000000): password skip
Aug 17 14:55:35.777: INFO: AAA/ATTR(00000000): next attr: sublist(0x7F650AAD0988) index(3): 7F650AAD0A18 0 00000082 formatted-clid(37) 11 51.6.59.111
INFO: AAA/ATTR(00000000): formatted-clid skip
Aug 17 14:55:35.777: INFO: AAA/ATTR(00000000): next attr: sublist(0x7F650AAD0988) index(3): 7F650AAD0A58 0 0000008A audit-session-id(819) 43 L2L43E06A365ZO2L433063B6FZH11941194H3H3Z912
INFO: AAA/ATTR(00000000): audit-session-id skip
Aug 17 14:55:35.777: INFO: AAA/ATTR(00000000): not foundnone

Payload contents:
VID Next payload: IDr, reserved: 0x0, length: 20
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
AUTH Next payload: NOTIFY, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
NOTIFY(INTERNAL_ADDRESS_FAILURE) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: INTERNAL_ADDRESS_FAIL

Preview file
716 KB
0 Helpful

MHM Cisco World
VIP
VIP

‎08-24-2022 02:34 AM

BTS config IP Helper address point to BSC <DHCP Server>
you must sure that the BSC have route for User Subnet 

0 Helpful

amarshah
Level 1
Level 1

‎08-24-2022 06:10 AM

I think we are failing at the first stage, the BTS is not able to obtain an IP using DHCP.

0 Helpful

MHM Cisco World
VIP
VIP
In response to amarshah

‎08-24-2022 06:16 AM

BTS-PSeGW-SSeGW-BSC
Now PSeGW-SSeGW there is IPSec VPN ? If Yes 
then 
BTS-PSeGW the BTS interface config with IP address DHCP ? If yes 
then 
PSeGW interface connect to BTS must config with IP helper
also 
BSC must have static route for this DHCP Pool return to PSeGW 

anyway I will make small lab and share result.

0 Helpful

MHM Cisco World
VIP
VIP

‎08-24-2022 06:47 AM

nbvbnvbnvbnvbnv.png
and success 
the IPsec between the R2 and R3 
and R4 success get IP from R5 (DHCP Server)

0 Helpful
Customers Also Viewed These Support Documents