Site-to-Site & DMVPN

Introduction:

  • IPsec = IETF protocol suite that provides confidentiality, peer authentication, data integrity, replay protection and access control.
    Sub-protocols: ESP and AH
  • ESP (Encapsulating Security Payload) = provides encryption; the transform-sets below pair it with an HMAC (esp-md5-hmac / esp-sha-hmac) for integrity
  • AH (Authentication Header) = provides integrity only, no encryption
  • ISAKMP (Internet Security Association and Key Management Protocol) = framework for creating Security Associations
  • SA (Security Association) = session parameters for AH and ESP
  • IKE (Internet Key Exchange) = used to set up Security Associations (SAs). Uses UDP port 500, and UDP port 4500 when NAT-T is in use.
    IKE is a two-phase process:
    Phase 1 = ISAKMP SA = management (one SA, bidirectional)
    Phase 2 = IPsec SA = data (two SAs, one per direction)
    There are two versions: IKEv1 and IKEv2.

Advantages of IKEv2 over IKEv1

  • Uses less bandwidth and fewer messages
  • DPD (Dead Peer Detection), NAT-T and ISAKMP are built in
  • Supports EAP
  • Supports PFS (Perfect Forward Secrecy)

IKE Modes:

  • Main mode (Phase 1)
  • Aggressive mode (Phase 1)
  • Quick mode (Phase 2, IPsec SA)

GRE (Generic Routing Encapsulation) = simple, non-negotiated tunneling protocol

NHRP = Next Hop Resolution Protocol

VPN tunnel types:

  1. Site-to-site IPsec tunnel
  2. DMVPN tunnel

 

LAB 1: Site-to-Site VPN with IKEv1
Configuration example: Site-to-Site IPsec tunnel with IKEv1

Steps to create an IKEv1 site-to-site VPN tunnel:

  1. Create the pre-shared key
  2. Create the crypto isakmp policy (authentication, encryption, hash and DH group)
  3. Create the IPsec transform-set
  4. Create an ACL to define the interesting traffic
  5. Create the crypto map (set peer, transform-set, interesting-traffic ACL)
  6. Create the tunnel interface (source, destination, tunnel mode gre ip)
  7. Apply the crypto map to the WAN interface

R1 Config
!
! Step 1: pre-shared key for the peer 192.168.2.2
crypto isakmp key cisco123 address 192.168.2.2
!
! Step 2: ISAKMP (IKE Phase 1) policy
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Step 3: IPsec (IKE Phase 2) transform-set
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
! Step 4: interesting traffic
ip access-list extended GRE
 permit ip any any
!
! Step 5: crypto map ties peer, transform-set and ACL together
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TS
 match address GRE
!
! Step 6: GRE tunnel carried over the IPsec-protected WAN link
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel destination 192.168.2.2
!
! Step 7: apply the crypto map to the WAN interface
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map CRYPTOMAP

R1# sh crypto isakmp key
R1# sh crypto isakmp policy
R1# sh crypto isakmp sa
R1# sh crypto isakmp peers
R1# sh crypto ipsec transform-set
R1# sh crypto ipsec sa

 

 

LAB 2: Site-to-Site VPN with IKEv2

Steps to create an IKEv2 site-to-site VPN:
Step 1: Create the IKEv2 proposal (encryption, integrity and DH group)
Step 2: Create the IKEv2 policy (references the proposal)
Step 3: Create the IKEv2 keyring (peer name, address, local and remote pre-shared keys)
Step 4: Create the IKEv2 profile (match local and remote identity, local and remote authentication method, reference the keyring)
Step 5: Create the IPsec transform-set
Step 6: Create the ACL for interesting traffic
Step 7: Create the crypto map (transform-set, profile, peer, PFS DH group, ACL)
Step 8: Apply the crypto map to the WAN interface
Step 9: Create the tunnel interface

R1 Config
!
! Step 1: IKEv2 proposal (encryption, integrity, DH group)
crypto ikev2 proposal Pro1
 encryption aes-cbc-128
 integrity md5
 group 2
!
! Step 2: IKEv2 policy referencing the proposal
crypto ikev2 policy Policy1
 proposal Pro1
!
! Step 3: keyring with the peer's address and the local/remote pre-shared keys
crypto ikev2 keyring K-Ring
 peer R3
  address 192.168.2.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
!
! Step 4: IKEv2 profile (identities, authentication methods, keyring)
crypto ikev2 profile Profile1
 match identity remote address 192.168.2.2 255.255.255.255
 identity local address 192.168.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
!
! Step 5: IPsec transform-set
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
! Step 6: interesting traffic
ip access-list extended GRE
 permit ip any any
!
! Step 7: crypto map (peer, transform-set, PFS group, IKEv2 profile, ACL)
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TSET
 set pfs group2
 set ikev2-profile Profile1
 match address GRE
!
! Step 9: GRE tunnel
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source Ethernet1/1
 tunnel destination 192.168.2.2
 tunnel mode gre ip
!
! Step 8: apply the crypto map to the WAN interface
interface Ethernet1/1
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex full
 crypto map CMAP
end
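Both labs negotiate with 3DES, MD5 and DH group 2 (the IKEv2 lab also uses MD5 integrity); IOS accepts these for lab work, but they are deprecated for anything production-facing. The script below is an added example, not part of the original post and not a Cisco tool: it walks an IOS running-config, tracks which `crypto isakmp policy`, `crypto ikev2 proposal` or `crypto ipsec transform-set` section each line belongs to, and reports weak algorithm keywords and DH groups with the line number. The sample config inside it is constructed from the Lab 1 and Lab 2 lines plus an assumed hardened proposal (`STRONG`, `STRONG-TS`); the weak-algorithm list is the example's own choice, not an IOS setting.

```python
"""Audit IOS IKE/IPsec crypto settings for deprecated algorithms (added example)."""
import re
from typing import Dict, List

# Constructed sample: the Lab 1 ISAKMP policy, the Lab 2 IKEv2 proposal, both
# labs' transform-sets, and an assumed hardened proposal/transform-set for contrast.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ikev2 proposal Pro1
 encryption aes-cbc-128
 integrity md5
 group 2
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto ikev2 proposal STRONG
 encryption aes-gcm-256
 group 19
crypto ipsec transform-set STRONG-TS esp-gcm 256
"""

# Algorithm keywords (as IOS spells them) that should not be used for new tunnels.
WEAK: Dict[str, str] = {
    "des": "single DES", "esp-des": "ESP single DES",
    "3des": "3DES", "esp-3des": "ESP 3DES",
    "md5": "MD5", "esp-md5-hmac": "ESP HMAC-MD5",
    "sha": "SHA-1 (prefer SHA-2)", "sha1": "SHA-1 (prefer SHA-2)",
    "esp-sha-hmac": "ESP HMAC-SHA-1 (prefer SHA-2)",
}
# MODP groups of 1536 bits or less; group 14+ or an ECP group (19/20/21) is the usual floor.
WEAK_DH_GROUPS = {"1", "2", "5"}

SECTION_RE = re.compile(r"^crypto (isakmp policy|ikev2 proposal|ipsec transform-set) (\S+)")


def audit_config(text: str) -> List[dict]:
    """Return one finding per weak algorithm/DH group: {'line', 'section', 'issue'}."""
    findings: List[dict] = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}"
            # A transform-set names its algorithms on the definition line itself.
            tokens = line.split()[4:] if m.group(1) == "ipsec transform-set" else []
        elif raw[:1] == " " and section:
            tokens = line.split()          # indented sub-command of the open section
        else:
            section = None                 # any other top-level command closes the section
            continue
        for tok in tokens:
            if tok.lower() in WEAK:
                findings.append({"line": lineno, "section": section, "issue": WEAK[tok.lower()]})
        if len(tokens) >= 2 and tokens[0] == "group" and tokens[1] in WEAK_DH_GROUPS:
            findings.append({"line": lineno, "section": section,
                             "issue": f"DH group {tokens[1]} (use 14 or higher, or an ECP group)"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['section']:<30} {f['issue']}")
```

Run against the sample it reports nine findings, all in the Lab 1/Lab 2 sections and none in `STRONG`; feed it the output of `show running-config` to audit a real device. Findings are keyed by section name, so a weak transform-set that no crypto map or IPsec profile references still shows up and can be cleaned out.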

 

debug crypto ikev2 packet
debug crypto ikev2 internal
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session

R1# sh crypto ikev2 sa

R1# sh crypto ikev2 session

 

 

 

LAB 3: DMVPN with IKEv1


R1 Configuration for Hub
!
! wildcard key: any spoke that knows the PSK can bring up IKE with the hub
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
 set transform-set TSET
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile MY_PROFILE
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 ! the tunnel subnet must be in EIGRP as well, otherwise no adjacency forms over the mGRE tunnel
 network 172.16.1.0 0.0.0.255
 no auto-summary

 

Configuration on spoke R2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
 set transform-set TSET
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ! static map: <hub tunnel IP> <hub NBMA/WAN IP>
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp nhs 172.16.1.1
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 ! apply the same IPsec profile as on the hub; without it the spoke sends plain GRE
 tunnel protection ipsec profile MY_PROFILE
!
router eigrp 1
 network 20.20.20.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 no auto-summary

Note: R3 has the same configuration as R1, with its own tunnel IP.

R1# show ip nhrp detail

R1# show crypto ipsec sa

 

LAB 4: DMVPN with IKEv2


 

Steps for IKEv2 DMVPN:

  1. IKEv2 proposal (define encryption, integrity and DH group)
  2. IKEv2 policy (attach the proposal to the policy)
  3. IKEv2 keyring (peer, local and remote key)
  4. IKEv2 profile (attach the keyring)
  5. IPsec profile (references the IKEv2 profile)
  6. Create the tunnel and apply the IPsec profile with the tunnel protection ipsec profile command

R1 Hub Config
!
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
!
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
!
crypto ipsec profile ipsec-profile
 set ikev2-profile ikev2-profile
!
interface Ethernet1/1
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex full
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile ipsec-profile
end

 

R2 Spoke Config
!
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
!
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
!
crypto ipsec profile ipsec-profile
 set ikev2-profile ikev2-profile
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast 192.168.1.1
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile ipsec-profile
!
interface Ethernet1/1
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex full
end
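Most DMVPN spoke problems in Labs 3 and 4 come down to the NHRP and tunnel lines: `ip nhrp map` takes the hub's tunnel (overlay) address first and its NBMA/WAN address second, the `ip nhrp nhs` address has to be one of the mapped tunnel addresses, the multicast map has to point at the hub's NBMA address, and `tunnel protection` has to actually be applied or the spoke sends GRE in the clear. The checker below is an added example, not part of the original post and not a Cisco tool: it parses a spoke `interface Tunnel` block and reports each of those inconsistencies. The two sample blocks are constructed from the Lab 3 spoke, one with the map arguments swapped and no tunnel protection, one in the corrected form, using the lab's hub addresses 172.16.1.1 (tunnel) and 192.168.1.1 (NBMA); it handles IP literals only, not hostnames.

```python
"""Consistency checks for a DMVPN spoke tunnel interface (added example)."""
import ipaddress
from typing import List

# Constructed samples based on the Lab 3 spoke: the first has the two "ip nhrp map"
# arguments swapped and no tunnel protection; the second is the corrected form.
BROKEN_SPOKE = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp map multicast 192.168.1.1
 ip nhrp nhs 172.16.1.1
 ip nhrp map 192.168.1.1 172.16.1.1
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
"""

FIXED_SPOKE = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp nhs 172.16.1.1
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile MY_PROFILE
"""


def parse_tunnel(text: str) -> dict:
    """Collect the tunnel settings the checks need (IP literals only, no hostnames)."""
    t = {"address": None, "nhs": [], "maps": {}, "multicast": [], "mode": None, "protection": None}
    for raw in text.splitlines():
        parts = raw.split()
        line = " ".join(parts)
        if line.startswith("ip address ") and len(parts) == 4:
            t["address"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif line.startswith("ip nhrp nhs "):
            t["nhs"].append(parts[3])
        elif line.startswith("ip nhrp map multicast "):
            t["multicast"].append(parts[4])
        elif line.startswith("ip nhrp map ") and len(parts) == 5:
            t["maps"][parts[3]] = parts[4]     # hub tunnel (overlay) IP -> hub NBMA (WAN) IP
        elif line.startswith("tunnel mode "):
            t["mode"] = " ".join(parts[2:])
        elif line.startswith("tunnel protection ipsec profile ") and len(parts) >= 5:
            t["protection"] = parts[4]
    return t


def check_spoke(text: str) -> List[str]:
    """Return the problems found in a spoke tunnel block; an empty list means it passes."""
    t = parse_tunnel(text)
    problems: List[str] = []
    net = t["address"].network if t["address"] else None
    if t["mode"] != "gre multipoint":
        problems.append("tunnel mode must be 'gre multipoint' on a DMVPN spoke")
    if not t["protection"]:
        problems.append("no 'tunnel protection ipsec profile': GRE would leave the spoke unencrypted")
    if not t["nhs"]:
        problems.append("no 'ip nhrp nhs' (hub) configured")
    for nhs in t["nhs"]:
        if nhs not in t["maps"]:
            problems.append(f"NHS {nhs} has no static 'ip nhrp map {nhs} <hub NBMA IP>' entry")
        if net and ipaddress.ip_address(nhs) not in net:
            problems.append(f"NHS {nhs} is outside the tunnel subnet {net}")
    for overlay, nbma in t["maps"].items():
        if net and ipaddress.ip_address(overlay) not in net:
            problems.append(f"'ip nhrp map {overlay} {nbma}': first argument must be the hub "
                            f"tunnel IP in {net}; the arguments look reversed")
    for mc in t["multicast"]:
        if mc not in t["maps"].values():
            problems.append(f"multicast is mapped to {mc} but no unicast map uses that NBMA address")
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken spoke", BROKEN_SPOKE), ("fixed spoke", FIXED_SPOKE)):
        print(name, "->", check_spoke(cfg) or "OK")
```

The broken sample yields four problems (missing tunnel protection, NHS without a map, reversed map arguments, multicast pointing at an address no unicast map uses) and the corrected one passes. The same checks apply to the Lab 4 spoke, whose IPsec profile is IKEv2-based but whose NHRP lines are identical in shape.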
 

R2# sh crypto ikev2 session

R2# sh crypto ikev2 sa

 
