Cisco IOS Headend with IKEv2/IPSec Remote Access for Strongswan

chris-lawrence
Level 1

Team,

I have attempted to create an IKEv2/IPSec between Cisco IOS and a StrongSwan VPN client. Is this even possible to do IKEv2/IPSec remote access with a Cisco IOS headend? Right now I am using PSK but will flip over to rsa-sig once I get the preliminary settings down.

Consider the attached diagram… I am able to create an SA between the VPN client and the IOS Headend but the traffic doesn't appear to go through the IPSec tunnel we have. My "show crypto ipsec sa" counters show that the IOS Headend is only decrypting traffic. It doesn't appear to be encrypting.

FLEXHEAD#show crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 192.168.6.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   current_peer 192.168.6.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.6.10, remote crypto endpt.: 192.168.6.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x5E744D59(1584680281)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4D128576(1293059446)
        transform: esp-gcm ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2029, flow_id: CSR:29, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2739)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:
          
     outbound esp sas:
      spi: 0x5E744D59(1584680281)
        transform: esp-gcm ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2030, flow_id: CSR:30, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2739)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

I also don't appear to be using any pool ip addresses:

FLEXHEAD#show ip local pool flexpool
 Pool                     Begin           End             Free  In use
 flexpool                 192.168.10.5    192.168.10.10      6       0
Available addresses:
   192.168.10.5                                   
   192.168.10.6                                   
   192.168.10.7                                   
   192.168.10.8                                   
   192.168.10.9                                   
   192.168.10.10                                  
Inuse addresses:
     None
FLEXHEAD#

Here is my IKEv2 SA:

FLEXHEAD#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.168.6.10/4500     192.168.6.2/4500      none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3083 sec

 IPv6 Crypto IKEv2  SA 

FLEXHEAD#

Here is my configuration:

aaa new-model
!
!
aaa authentication login AUTH local
aaa authorization network NET local
!
aaa session-id common
!
username cisco password 0 cisco
!
!
crypto ikev2 authorization policy flex_dtu
 pool flexpool
 netmask 255.255.255.0
 include-local-lan
 route set interface
!
crypto ikev2 proposal flex_dtu
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy flex_policy
 proposal flex_dtu
!
crypto ikev2 keyring flexdtu
 peer dtu
  address 192.168.6.0 255.255.255.0
  pre-shared-key cisco
 !
!
!
crypto ikev2 profile flex_dtu
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local flexdtu
 virtual-template 1
!
crypto ipsec transform-set FLEXDTU esp-gcm
 mode tunnel
!
crypto ipsec profile DTUIPSEC
 set transform-set FLEXDTU
 set ikev2-profile flex_dtu
!
interface GigabitEthernet1
 description WAN access for StrongSwan VPN
 ip address 192.168.6.10 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description LAN access to Server
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DTUIPSEC
!
!
ip local pool flexpool 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
end

Thanks

Chris


Graham Bartlett
Cisco Employee

Hi

Have you a route to the client?

I suspect not..

enable aaa under your IKEv2 profile.

cheers
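The symptom in Chris's counters can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed copy of the posted "show crypto ipsec sa" output and flags one-way traffic (decrypt > 0, encrypt == 0) together with a remote traffic selector that overlaps a directly connected subnet, which is exactly the case where the headend routes return traffic out the physical interface instead of Virtual-Access1. The connected-subnet table is assumed from the posted interface config.

```python
import re
import ipaddress

# Constructed sample: abbreviated from the "show crypto ipsec sa" output posted above.
SAMPLE_SA = """\
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 192.168.6.10
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   current_peer 192.168.6.2 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
"""

# Assumed from the posted config: subnets directly connected to the headend's physical interfaces.
CONNECTED = {"GigabitEthernet1": "192.168.6.0/24", "GigabitEthernet2": "192.168.10.0/24"}

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
COUNT_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_sa(text):
    """Return the traffic selectors (as ip_network objects) and the encrypt/decrypt counters."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # IOS prints dotted netmasks; ipaddress accepts "addr/netmask" directly.
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, value in COUNT_RE.findall(text):
        sa[name] = int(value)
    return sa


def diagnose(text, connected=CONNECTED):
    """Flag the two symptoms seen in the thread; an empty list means nothing suspicious."""
    sa = parse_sa(text)
    findings = []
    if sa.get("decrypt", 0) > 0 and sa.get("encrypt", 0) == 0:
        findings.append("one-way: headend decrypts but never encrypts (no return route via the tunnel)")
    remote = sa.get("remote")
    for ifname, net in connected.items():
        # A remote selector inside a connected subnet means the connected route wins
        # over any tunnel route, so reply traffic never enters Virtual-Access1.
        if remote is not None and remote.overlaps(ipaddress.ip_network(net)):
            findings.append(f"remote selector {remote} overlaps connected subnet {net} on {ifname}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SA):
        print(finding)
```

With the client holding a pool address from 192.168.10.5-10 instead of proposing its own LAN, the second finding disappears and the tunnel route installed by "route set interface" carries the return traffic.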