Crypto on 3560C / IKEV2 / IPSEC

keith_gajeski
Level 1

Hello all,

Just a quick question. I was always told that one needs a router to terminate VPNs. I just installed a 3560C, and was documenting port descriptions. As I was poking around, I ran:

sh crypto ?
  call             Show crypto call admission info
  datapath         Data Path
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  entropy          Entropy sources
  identity         Show crypto identity list
  ikev2            Shows ikev2 info
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
........

Then:

sh crypto ikev2 ?
  authorization      Author policy
  certificate-cache  Show certificates in ikev2 certificate-cache
  diagnose           Shows ikev2 diagnostic
  policy             Show policies
  profile            Shows ikev2 profiles
  proposal           Show proposals
  sa                 Shows ikev2 SAs
  session            Shows ikev2 active session
  stats              Shows ikev2 sa stats

Finally:

sh cry ikev2 prop
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
So.... when did layer 3 switches get IKEV2? What is the purpose? Since there is not any firewall functionality, I could only see this being useful in a Metro-E application. Is anyone currently using this?
Thanks!
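An added check that is not part of the original post: the `sh cry ikev2 prop` output above is what the peer will negotiate if no named proposal is attached to the IKEv2 policy, and it still lists MD5, SHA-1 and 1024/1536-bit MODP groups. The script below parses that listing (embedded as a constructed copy of the posted output) and reports which algorithms fall below an assumed hardening baseline (AES only, SHA-2 only for integrity and PRF, DH groups of 2048 bits or larger); the baseline is the example's own assumption, not a Cisco default.

```python
"""Audit an IOS 'show crypto ikev2 proposal' listing against a minimum-strength policy.

Added example; SAMPLE_PROPOSAL is a constructed copy of the default proposal output
posted in the thread, and ALLOWED is an assumed hardening baseline, not a Cisco default.
"""
import re

SAMPLE_PROPOSAL = """\
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

# Assumed baseline: what a hardened proposal should be limited to.
ALLOWED = {
    "Encryption": {"AES-CBC-256", "AES-CBC-192", "AES-CBC-128", "AES-GCM-256", "AES-GCM-128"},
    "Integrity": {"SHA512", "SHA384", "SHA256"},
    "PRF": {"SHA512", "SHA384", "SHA256"},
    "DH Group": {"14", "15", "16", "19", "20", "21"},  # 2048-bit MODP and up, or ECP groups
}


def parse_proposals(text):
    """Return {proposal_name: {field: [algorithms]}} from 'show crypto ikev2 proposal' text."""
    proposals = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*IKEv2 proposal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = {}
            continue
        m = re.match(r"\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*)", line)
        if m and current is not None:
            field, values = m.group(1), m.group(2)
            if field == "DH Group":
                # Entries look like DH_GROUP_1536_MODP/Group 5; keep only the group number.
                algs = re.findall(r"/Group\s+(\d+)", values)
            else:
                algs = values.split()
            proposals[current][field] = algs
    return proposals


def weak_algorithms(proposal):
    """Return {field: [algorithms outside the allowed set]} for one parsed proposal."""
    return {f: [a for a in algs if a not in ALLOWED[f]] for f, algs in proposal.items()}


def audit(text):
    """Run weak_algorithms() over every proposal found in the show output."""
    return {name: weak_algorithms(p) for name, p in parse_proposals(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROPOSAL).items():
        print(f"IKEv2 proposal {name}")
        for field, algs in findings.items():
            print(f"  {field:10s} flagged: {' '.join(algs) or 'none'}")
```

Anything the audit flags is a candidate to leave out of a named `crypto ikev2 proposal` attached to the IKEv2 policy, so that the built-in default is not what ends up being negotiated with the peer.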
6 Replies

ghostinthenet
Level 7

Limited ISAKMP/IKEv2/IPSec functionality is present on the 3560 in order to provide full support for IPv6, which uses this for embedded encryption. You're not going to be using it to generate traditional policy-based IPSec VPNs though. That still needs a router.

Thank you for the answer!

I'm happy to help.

If you found my response useful, please rate it and/or mark it as correct.

Just for grins... I had a spare 3560C to play with... I was able to configure flex vpn on it, and I am passing traffic (IPV4)... Part of me is debating to throw the WAN into a separate VRF, and then use it as a VPN endpoint (only for testing). Would be interesting to see what the throughput would be.

Wow! It's not supposed to be able to do that... so now you've got me intrigued. Care to post a working configuration so I can play with it too?

Sure thing. It's lab'ed up, so no need to sanitize the config....

3560 first, then 881 config below that.
3560C:

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Flex_A
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
vtp mode transparent
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
crypto ikev2 keyring MyKeys
 peer Flex_A.cisco.com
  address 44.33.22.12
  pre-shared-key local k3yA
  pre-shared-key remote k3yB
 !
!
!
crypto ikev2 profile default
 match identity remote fqdn Flex_B.cisco.com
 identity local fqdn Flex_A.cisco.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MyKeys
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/12
 tunnel destination 44.33.22.12
 tunnel protection ipsec profile default
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
 no switchport
 ip address 44.33.22.11 255.255.255.0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 44.33.22.12
ip route 192.168.2.1 255.255.255.255 10.0.0.1
!
!
!
line con 0
line vty 5 15
!
end
881 Router:

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Flex_B
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
!
!
vtp mode transparent
!
!
!
crypto ikev2 keyring MyKeys
 peer Flex_A.cisco.com
  address 44.33.22.11
  pre-shared-key local k3yB
  pre-shared-key remote k3yA
 !
!
!
crypto ikev2 profile default
 match identity remote fqdn Flex_A.cisco.com
 identity local fqdn Flex_B.cisco.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MyKeys
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
crypto ipsec profile default
 set ikev2-profile default
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet4
 tunnel destination 44.33.22.11
 tunnel protection ipsec profile default
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 44.33.22.12 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 44.33.22.11
ip route 192.168.1.1 255.255.255.255 10.0.0.2
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 login
 transport input all
!
!
end
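An added example, not from the thread or either device: with a FlexVPN pair like the one above, most "tunnel never comes up" problems are a value that was typed on one side and not mirrored on the other (PSK local/remote swapped the wrong way, the keyring `address` not matching the peer's WAN interface, the `match identity remote fqdn` not matching the peer's `identity local fqdn`). The script below embeds trimmed, constructed copies of the Flex_A (3560C) and Flex_B (881) configs posted above and cross-checks every value that must agree between the two sides before you start debugging on the boxes. It checks only the IKEv2 keyring, profile and tunnel interfaces; the IPsec profile is not examined.

```python
"""Cross-check two FlexVPN peer configs for the mirrored values that must agree.

Added example, not from the thread. CONFIG_A and CONFIG_B are trimmed, constructed
copies of the Flex_A (3560C) and Flex_B (881) configs posted above.
"""
import ipaddress

CONFIG_A = """\
hostname Flex_A
crypto ikev2 keyring MyKeys
 peer Flex_A.cisco.com
  address 44.33.22.12
  pre-shared-key local k3yA
  pre-shared-key remote k3yB
crypto ikev2 profile default
 match identity remote fqdn Flex_B.cisco.com
 identity local fqdn Flex_A.cisco.com
 keyring local MyKeys
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/12
 tunnel destination 44.33.22.12
interface FastEthernet0/12
 ip address 44.33.22.11 255.255.255.0
"""

CONFIG_B = """\
hostname Flex_B
crypto ikev2 keyring MyKeys
 peer Flex_A.cisco.com
  address 44.33.22.11
  pre-shared-key local k3yB
  pre-shared-key remote k3yA
crypto ikev2 profile default
 match identity remote fqdn Flex_A.cisco.com
 identity local fqdn Flex_B.cisco.com
 keyring local MyKeys
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet4
 tunnel destination 44.33.22.11
interface FastEthernet4
 ip address 44.33.22.12 255.255.255.0
"""


def parse_ios(text):
    """Split IOS config into (top-level line, [indented sub-lines]) blocks; depth is flattened."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0] == " ":
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def section(cfg, prefix, exact=False):
    """Return (head, body) of the first block whose head matches prefix."""
    for head, body in cfg:
        if head == prefix or (not exact and head.startswith(prefix)):
            return head, body
    raise KeyError(prefix)


def value(body, prefix):
    """Return what follows 'prefix ' on the first matching sub-line."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    raise KeyError(prefix)


def extract(text):
    """Pull the peer-facing parameters out of one side's config."""
    cfg = parse_ios(text)
    keyring = section(cfg, "crypto ikev2 keyring")[1]
    profile = section(cfg, "crypto ikev2 profile")[1]
    tunnel = section(cfg, "interface Tunnel")[1]
    # The tunnel source names the WAN interface; look it up exactly so 0/1 does not match 0/12.
    wan = section(cfg, "interface " + value(tunnel, "tunnel source"), exact=True)[1]
    return {
        "hostname": section(cfg, "hostname")[0].split()[1],
        "peer_address": value(keyring, "address"),
        "psk_local": value(keyring, "pre-shared-key local"),
        "psk_remote": value(keyring, "pre-shared-key remote"),
        "id_local": value(profile, "identity local fqdn"),
        "id_remote": value(profile, "match identity remote fqdn"),
        "tunnel_dest": value(tunnel, "tunnel destination"),
        "wan_ip": value(wan, "ip address").split()[0],
        "tunnel_net": ipaddress.IPv4Interface(value(tunnel, "ip address").replace(" ", "/")).network,
    }


def cross_check(text_a, text_b):
    """Return mismatch descriptions for the two peers; an empty list means they agree."""
    a, b = extract(text_a), extract(text_b)
    problems = []
    for side, peer in ((a, b), (b, a)):
        checks = (
            ("keyring peer address vs peer's WAN address", side["peer_address"], peer["wan_ip"]),
            ("tunnel destination vs peer's WAN address", side["tunnel_dest"], peer["wan_ip"]),
            ("local PSK vs peer's remote PSK", side["psk_local"], peer["psk_remote"]),
            ("match identity remote fqdn vs peer's local identity", side["id_remote"], peer["id_local"]),
        )
        for name, mine, theirs in checks:
            if mine != theirs:
                problems.append(f"{side['hostname']}: {name}: {mine!r} vs {theirs!r} on {peer['hostname']}")
    if a["tunnel_net"] != b["tunnel_net"]:
        problems.append(f"tunnel subnets differ: {a['tunnel_net']} vs {b['tunnel_net']}")
    return problems


if __name__ == "__main__":
    print(cross_check(CONFIG_A, CONFIG_B) or "peer configs are consistent")
```

Run against the two posted configs it reports nothing, which is what you would expect given the tunnel is passing traffic; change one side's PSK or FQDN and the mismatched value is named together with the peer it disagrees with.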