12-04-2014 01:48 PM - edited 02-21-2020 07:58 PM
Hello all,
Just a quick question. I was always told that one needs a router to terminate VPNs. I just installed a 3560C, and was documenting port descriptions. As I was poking around, I ran:
sh crypto ?
call Show crypto call admission info
datapath Data Path
debug-condition Debug Condition filters
dynamic-map Crypto map templates
eli Encryption Layer Interface
engine Show crypto engine info
entropy Entropy sources
identity Show crypto identity list
ikev2 Shows ikev2 info
ipsec Show IPSEC policy
isakmp Show ISAKMP
........
Then:
sh crypto ikev2 ?
authorization Author policy
certificate-cache Show certificates in ikev2 certificate-cache
diagnose Shows ikev2 diagnostic
policy Show policies
profile Shows ikev2 profiles
proposal Show proposals
sa Shows ikev2 SAs
session Shows ikev2 active session
stats Shows ikev2 sa stats
Finally:
sh cry ikev2 prop
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
So.... when did layer 3 switches get IKEv2? What is the purpose? Since there is not any firewall functionality, I could only see this being useful in a Metro-E application. Is anyone currently using this?
Thanks!
12-04-2014 04:31 PM
Limited ISAKMP/IKEv2/IPSec functionality is present on the 3560 in order to provide full support for IPv6, which uses this for embedded encryption. You're not going to be using it to generate traditional policy-based IPSec VPNs though. That still needs a router.
12-06-2014 03:48 PM
Thank you for the answer!
12-06-2014 04:31 PM
I'm happy to help.
If you found my response useful, please rate it and/or mark it as correct.
12-15-2014 06:33 AM
Just for grins... I had a spare 3560C to play with... I was able to configure FlexVPN on it, and I am passing traffic (IPv4)... Part of me is debating whether to throw the WAN into a separate VRF, and then use it as a VPN endpoint (only for testing). Would be interesting to see what the throughput would be.
12-15-2014 06:35 AM
12-15-2014 10:48 AM
Sure thing. It's labbed up, so no need to sanitize the config....
3560 first, then 881 config below that.
3560C:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Flex_A
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
vtp mode transparent
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
crypto ikev2 keyring MyKeys
peer Flex_A.cisco.com
address 44.33.22.12
pre-shared-key local k3yA
pre-shared-key remote k3yB
!
!
!
crypto ikev2 profile default
match identity remote fqdn Flex_B.cisco.com
identity local fqdn Flex_A.cisco.com
authentication remote pre-share
authentication local pre-share
keyring local MyKeys
!
!
vlan internal allocation policy ascending
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
tunnel source FastEthernet0/12
tunnel destination 44.33.22.12
tunnel protection ipsec profile default
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
no switchport
ip address 44.33.22.11 255.255.255.0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 44.33.22.12
ip route 192.168.2.1 255.255.255.255 10.0.0.1
!
!
!
line con 0
line vty 5 15
!
end
!
881 Router:
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Flex_B
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
!
!
vtp mode transparent
!
!
!
crypto ikev2 keyring MyKeys
peer Flex_A.cisco.com
address 44.33.22.11
pre-shared-key local k3yB
pre-shared-key remote k3yA
!
!
!
crypto ikev2 profile default
match identity remote fqdn Flex_A.cisco.com
identity local fqdn Flex_B.cisco.com
authentication remote pre-share
authentication local pre-share
keyring local MyKeys
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
tunnel source FastEthernet4
tunnel destination 44.33.22.11
tunnel protection ipsec profile default
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 44.33.22.12 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 44.33.22.11
ip route 192.168.1.1 255.255.255.255 10.0.0.2
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
!
end
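The two configs above only come up if four things line up between Flex_A and Flex_B: the pre-shared keys are mirrored (A's "local" is B's "remote"), each side's "identity local fqdn" is what the other side's "match identity remote fqdn" expects, each "tunnel destination" and keyring "address" points at the IP sitting behind the peer's "tunnel source" interface, and the Tunnel0 addresses share a subnet. The "sh cry ikev2 prop" output in the first post also shows that the built-in "default" proposal still offers MD5, SHA-1 (MD596/SHA96 are the HMAC-96 variants) and the 1024/1536-bit MODP groups. The script below is an added example, not code from this thread or from Cisco; it cross-checks a pair of flat IOS configs for those four mismatches, flags the cleartext-management lines visible in the posted configs, and grades the proposal dump. The FLEX_A, FLEX_B and SHOW_PROPOSAL strings are constructed from the excerpts posted above, trimmed to the relevant lines with IOS-style indentation restored; the field names and findings are this example's own.

```python
"""Cross-check a FlexVPN IKEv2 pair and grade its default IKEv2 proposal.
Added example (not the poster's or Cisco's code). The inputs below are
constructed from the Flex_A / Flex_B excerpts in the thread, trimmed."""
import ipaddress

FLEX_A = """\
hostname Flex_A
no service password-encryption
crypto ikev2 keyring MyKeys
 peer Flex_A.cisco.com
  address 44.33.22.12
  pre-shared-key local k3yA
  pre-shared-key remote k3yB
crypto ikev2 profile default
 match identity remote fqdn Flex_B.cisco.com
 identity local fqdn Flex_A.cisco.com
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/12
 tunnel destination 44.33.22.12
interface FastEthernet0/12
 ip address 44.33.22.11 255.255.255.0
ip http server
"""
FLEX_B = """\
hostname Flex_B
no service password-encryption
crypto ikev2 keyring MyKeys
 peer Flex_A.cisco.com
  address 44.33.22.11
  pre-shared-key local k3yB
  pre-shared-key remote k3yA
crypto ikev2 profile default
 match identity remote fqdn Flex_A.cisco.com
 identity local fqdn Flex_B.cisco.com
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet4
 tunnel destination 44.33.22.11
interface FastEthernet4
 ip address 44.33.22.12 255.255.255.0
line vty 0 4
 transport input all
"""
SHOW_PROPOSAL = """\
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""
FLAG_LINES = {  # exact config line -> hardening finding (this example's wording)
    "no service password-encryption": "pre-shared keys stored in cleartext",
    "ip http server": "cleartext HTTP management enabled",
    "transport input all": "vty accepts telnet as well as ssh"}
SIMPLE = {  # config-line prefix -> field name; the value is the line's last token
    "hostname ": "hostname", "tunnel source ": "tun_src", "tunnel destination ": "tun_dst",
    "address ": "peer_addr", "pre-shared-key local ": "psk_local", "pre-shared-key remote ": "psk_remote",
    "identity local fqdn ": "id_local", "match identity remote fqdn ": "id_remote"}
WEAK_HASHES = {"MD5", "MD596", "SHA1", "SHA96"}  # MD596/SHA96 are HMAC-MD5-96 / HMAC-SHA1-96

def parse_ios(text):
    """Extract the fields the pair check needs from a flat IOS running-config."""
    cfg, iface = {"ifaces": {}, "flags": set()}, None
    for raw in text.splitlines():
        s = raw.strip()
        if s in FLAG_LINES:
            cfg["flags"].add(FLAG_LINES[s])
        elif s.startswith("interface "):
            iface = s.split()[1]
        elif s.startswith("ip address ") and iface:  # "ip address A.B.C.D MASK"
            cfg["ifaces"][iface] = ipaddress.ip_interface("{}/{}".format(*s.split()[2:4]))
        else:
            for prefix, key in SIMPLE.items():
                if s.startswith(prefix):
                    cfg[key] = s.split()[-1]
    return cfg

def check_pair(a, b):
    """Mismatches that keep IKEv2 from coming up between a and b (empty = consistent)."""
    out = []
    if (a["psk_local"], a["psk_remote"]) != (b["psk_remote"], b["psk_local"]):
        out.append("pre-shared keys are not mirrored between the keyrings")
    if (a["id_local"], a["id_remote"]) != (b["id_remote"], b["id_local"]):
        out.append("identity local fqdn does not match the peer's match identity remote")
    for me, peer in ((a, b), (b, a)):  # peer must aim at the IP behind my tunnel source
        src = str(me["ifaces"][me["tun_src"]].ip)
        if peer["tun_dst"] != src or peer["peer_addr"] != src:
            out.append(f"{peer['hostname']} tunnel destination/keyring address is not {src}")
    if a["ifaces"]["Tunnel0"].network != b["ifaces"]["Tunnel0"].network:
        out.append("Tunnel0 addresses are not in one subnet")
    return out

def weak_algorithms(show_output):
    """MD5/SHA-1 hashes and sub-2048-bit MODP groups in 'show crypto ikev2 proposal' output."""
    weak = []
    for line in show_output.splitlines():
        label, sep, rest = line.partition(":")
        if sep and label.strip() in ("Integrity", "PRF"):
            weak += [f"{label.strip()}:{t}" for t in rest.split() if t in WEAK_HASHES]
        elif sep and label.strip() == "DH Group":  # tokens look like DH_GROUP_1024_MODP/Group
            weak += [f"DH:MODP-{t.split('_')[2]}" for t in rest.split()
                     if t.startswith("DH_GROUP_") and int(t.split("_")[2]) < 2048]
    return weak
```

Run against the posted pair, check_pair returns an empty list (the keyring peer label "Flex_A.cisco.com" on Flex_A is cosmetic; only the address matters), while weak_algorithms lists SHA96, MD596, SHA1, MD5 and the 1536/1024-bit groups from the default proposal. A practitioner would replace the implicit default with an explicit `crypto ikev2 proposal` limited to SHA-256 or better and group 14 or better, bind it through a `crypto ikev2 policy`, and keep the PSKs out of cleartext with type 6 encryption (`key config-key password-encrypt` plus `password encryption aes`) rather than relying on `service password-encryption`.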