8240 Views | 5 Helpful | 2 Replies

IPSEC VPN Configuration Best Practice

Mokhalil82
Level 4

Hi

I have created a VPN configuration template and would just like someone to check it over and advise whether any changes/additions may be required, or just give general viewpoints.

I understand the configuration will now and again need to be tweaked depending on who the other end is and what they support.

NAT EXEMPTION
object-group network LOCAL
network-object <LOCAL> 255.255.255.0
object-group network REMOTE
network-object <REMOTE> 255.255.255.0
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

ENCRYPTION DOMAIN
access-list CUSTOMER_VPN extended permit ip object-group LOCAL object-group REMOTE

PHASE 1 PROPOSAL
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 21
prf sha256
lifetime seconds 28800

PHASE 2 PROPOSAL
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha256

TUNNEL GROUP
tunnel-group <ENDPOINT> type ipsec-l2l
tunnel-group <ENDPOINT> ipsec-attributes
ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
ikev2 local-authentication pre-shared-key <PRESHARED KEY>

CRYPTOMAP
crypto map outside_map <100> match address CUSTOMER_VPN
crypto map outside_map <100> set peer <ENDPOINT>
crypto map outside_map <100> set pfs group5
crypto map outside_map <100> set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map <100> set nat-t disable

Accepted Solution

Hi,

Good job, looks good to me. BTW, you don't have the group policy to define ikev2

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2

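As an added example that is not part of the post or the accepted reply, and not a Cisco tool, the following Python script reads an ASA IKEv2 site-to-site template as plain text and flags the points a reviewer would raise: DH groups that RFC 8247 deprecates (1, 2 and 5), a PFS group weaker than the phase 1 group (the template above negotiates group 21, which is the 521-bit ECP group, for IKE but falls back to group5, 1536-bit MODP, for PFS), NAT-T disabled, leftover placeholders, and the missing vpn-tunnel-protocol ikev2 that the accepted reply points out. The checker is hypothetical, only understands the commands used in this thread, and the per-group strength numbers are approximations.

```python
"""Lint a Cisco ASA IKEv2 site-to-site template for weak or inconsistent choices.

Hypothetical checker written for this thread; it is not an ASA feature.
It treats the CLI as text and only knows the commands used in the template.
"""

# Constructed sample: the posted template plus the group-policy line from
# the accepted reply. Angle-bracket placeholders are kept as in the post.
SAMPLE_TEMPLATE = """
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 21
prf sha256
lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha256
tunnel-group <ENDPOINT> type ipsec-l2l
tunnel-group <ENDPOINT> ipsec-attributes
ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
ikev2 local-authentication pre-shared-key <PRESHARED KEY>
crypto map outside_map <100> match address CUSTOMER_VPN
crypto map outside_map <100> set peer <ENDPOINT>
crypto map outside_map <100> set pfs group5
crypto map outside_map <100> set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map <100> set nat-t disable
"""

# DH groups that RFC 8247 says MUST NOT (1) or SHOULD NOT (2, 5) be used.
WEAK_DH_GROUPS = {1, 2, 5}
# Approximate security strength in bits, only used to rank groups against each other.
DH_STRENGTH = {1: 56, 2: 80, 5: 90, 14: 112, 15: 128, 16: 150,
               19: 128, 20: 192, 21: 256, 24: 112}
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha"}  # on ASA "sha" means SHA-1
# Keywords that start a new top-level command and therefore leave any sub-mode.
TOP_LEVEL = {"crypto", "tunnel-group", "group-policy", "access-list", "object-group", "nat"}


def parse_template(text):
    """Walk the CLI lines and collect the pieces the checks need."""
    cfg = {"policies": {}, "proposals": {}, "maps": {}, "group_policies": {}}
    ctx = None  # dict for the sub-mode (policy, proposal, group-policy) we are inside
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] in TOP_LEVEL:
            ctx = None
        if tokens[:3] == ["crypto", "ikev2", "policy"]:
            ctx = cfg["policies"].setdefault(tokens[3], {})
        elif tokens[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            ctx = cfg["proposals"].setdefault(tokens[4], {})
        elif tokens[0] == "group-policy" and tokens[-1] == "attributes":
            ctx = cfg["group_policies"].setdefault(tokens[1], {})
        elif tokens[:2] == ["crypto", "map"]:
            entry = cfg["maps"].setdefault((tokens[2], tokens[3]), {})
            if tokens[4] == "match":
                entry["acl"] = tokens[6]          # crypto map X N match address ACL
            elif tokens[4] == "set":
                entry[tokens[5]] = tokens[6:]     # crypto map X N set <attr> <values>
        elif ctx is not None:
            if tokens[0] == "protocol":           # protocol esp encryption aes-256
                ctx[tokens[2]] = tokens[3:]
            elif tokens[0] == "lifetime":         # lifetime seconds 28800
                ctx["lifetime"] = int(tokens[2])
            else:                                 # encryption / integrity / group / prf / vpn-tunnel-protocol
                ctx[tokens[0]] = tokens[1:]
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    strongest_p1 = 0  # strength of the best DH group offered in any IKEv2 policy
    for num, pol in cfg["policies"].items():
        for alg in pol.get("encryption", []):
            if alg in WEAK_ENCRYPTION:
                findings.append(f"ikev2 policy {num}: weak encryption {alg}")
        for alg in pol.get("integrity", []):
            if alg in WEAK_INTEGRITY:
                findings.append(f"ikev2 policy {num}: weak integrity {alg}")
        for g in pol.get("group", []):
            if int(g) in WEAK_DH_GROUPS:
                findings.append(f"ikev2 policy {num}: weak DH group {g}")
            strongest_p1 = max(strongest_p1, DH_STRENGTH.get(int(g), 0))
    for name, prop in cfg["proposals"].items():
        for alg in prop.get("encryption", []):
            if alg in WEAK_ENCRYPTION:
                findings.append(f"ipsec-proposal {name}: weak encryption {alg}")
        for alg in prop.get("integrity", []):
            if alg in WEAK_INTEGRITY:
                findings.append(f"ipsec-proposal {name}: weak integrity {alg}")
    for (name, seq), entry in cfg["maps"].items():
        where = f"crypto map {name} {seq}"
        pfs = entry.get("pfs")
        if pfs is None:
            findings.append(f"{where}: PFS not set")
        elif pfs and pfs[0].startswith("group"):
            g = int(pfs[0][len("group"):])
            if g in WEAK_DH_GROUPS:
                findings.append(f"{where}: weak PFS group {g}")
            if DH_STRENGTH.get(g, 0) < strongest_p1:
                findings.append(f"{where}: PFS group {g} is weaker than the phase 1 group")
        if entry.get("nat-t") == ["disable"]:
            findings.append(f"{where}: NAT-T disabled; the tunnel fails if either peer sits behind NAT")
        if any(t.startswith("<") for t in entry.get("peer", [])):
            findings.append(f"{where}: peer is still a placeholder")
    if not any("ikev2" in gp.get("vpn-tunnel-protocol", []) for gp in cfg["group_policies"].values()):
        findings.append("no group-policy permits ikev2 (vpn-tunnel-protocol ikev2)")
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint."""
    return lint(parse_template(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_TEMPLATE):
        print(finding)
```

Run as-is it reports four items for the posted template: the weak PFS group, the mismatch between PFS group5 and phase 1 group 21, NAT-T being disabled, and the unfilled peer placeholder; once the group-policy line is removed it also reports the missing ikev2 permission. Paste a real running config in place of the sample to check other peers' templates against the same rules.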
2 Replies

Thanks for checking. I already have ikev2 tunnels, so the group policy is already there to define ikev2. I was just creating a template with updated encryption/integrity methods.