10-11-2022 03:34 AM - edited 10-11-2022 03:41 AM
Introduction:
Advantages of IKEv2 over IKEv1
IKE Modes:
GRE (Generic Routing Encapsulation) = simple non-negotiated tunneling protocol
NHRP = Next Hop Resolution Protocol
VPN Tunnel:
LAB 1: Site-to-Site VPN with IKEv1
Configuration example: site-to-site IPsec tunnel with IKEv1
Steps to create an IKEv1 site-to-site VPN tunnel:
R1 Config
!
crypto isakmp key cisco123 address 192.168.2.2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
ip access-list extended GRE
permit ip any any
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set TS
match address GRE
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
tunnel source Ethernet1/0
tunnel destination 192.168.2.2
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
crypto map CRYPTOMAP
R1# sh cry isakmp key
R1# sh crypto isakmp policy
R1# sh crypto is sa
R1#sh cry isakmp peers
R1#sh crypto ipsec transform-set
R1#sh cry ipsec sa
LAB 2: Site-to-Site VPN with IKEv2
Steps to create an IKEv2 site-to-site VPN:
Step 1: Create the IKEv2 proposal (encryption, integrity and DH group)
Step 2: Create the IKEv2 policy (references the proposal)
Step 3: Create the IKEv2 keyring (peer name, address, local and remote pre-shared key)
Step 4: Create the IKEv2 profile (match local and remote identity, local and remote authentication method, reference the keyring)
Step 5: Create the IPsec transform-set
Step 6: ACL for interesting traffic
Step 7: Create the crypto map (transform-set, profile, peer, DH group, ACL)
Step 8: Apply the crypto map to the WAN interface
Step 9: Create the tunnel interface
R1#
!
crypto ikev2 proposal Pro1
encryption aes-cbc-128
integrity md5
group 2
crypto ikev2 policy Policy1
proposal Pro1
crypto ikev2 keyring K-Ring
peer R3
address 192.168.2.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
crypto ikev2 profile Profile1
match identity remote address 192.168.2.2 255.255.255.255
identity local address 192.168.1.1
authentication remote pre-share
authentication local pre-share
keyring local K-Ring
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode tunnel
!
ip access-list extended GRE
permit ip any any
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.2.2
set transform-set TSET
set pfs group2
set ikev2-profile Profile1
match address GRE
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Ethernet1/1
tunnel destination 192.168.2.2
tunnel mode gre ip
interface Ethernet1/1
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
duplex full
crypto map CMAP
end
debug crypto ikev2 packet
debug crypto ikev2 internal
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session
R1#sh cry ikev2 sa
R1#sh crypto ikev2 session
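Both site-to-site labs above negotiate with 3DES, MD5 and DH group 2, and the DMVPN labs accept a pre-shared key from any peer address (0.0.0.0 0.0.0.0). The following checker is an added example, not Cisco code and not part of the original post: it scans IOS configuration text for the IKEv1 policy, IKEv2 proposal, transform-set and PFS lines shown in LAB 1 and LAB 2 and reports the weak choices, plus wildcard pre-shared-key peers. The weak-algorithm sets and the sample config are this example's own assumptions and constructed input.

```python
from typing import List

# Assumed weak-algorithm sets for this checker (not from the original post):
# DES/3DES, MD5/SHA-1 and DH groups 1/2/5 are flagged.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_INTEGRITY = {"md5", "sha", "sha1", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def audit_crypto(config: str) -> List[str]:
    """Return one finding per weak setting, each prefixed with its line number.

    Recognised lines: 'encr'/'encryption', 'hash'/'integrity' and 'group'
    inside an isakmp policy or ikev2 proposal, 'set pfs groupN' in a crypto
    map, 'crypto ipsec transform-set NAME ...', and any pre-shared-key peer
    configured as 'address 0.0.0.0 0.0.0.0'.
    """
    findings: List[str] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        words = raw.strip().lower().split()
        if not words:
            continue
        head, args = words[0], words[1:]
        label, weak = head, []
        if head in ("encr", "encryption"):
            weak = [a for a in args if a in WEAK_ENCRYPTION]
        elif head in ("hash", "integrity"):
            weak = [a for a in args if a in WEAK_INTEGRITY]
        elif head == "group":
            weak = [a for a in args if a in WEAK_DH_GROUPS]
        elif head == "set" and args[:1] == ["pfs"]:
            label = "pfs"
            weak = [a for a in args[1:] if a.removeprefix("group") in WEAK_DH_GROUPS]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            label = "transform-set"
            weak = [a for a in words[4:] if a in WEAK_ENCRYPTION | WEAK_INTEGRITY]
        if weak:
            findings.append(f"line {lineno}: weak {label} {' '.join(weak)}")
        # A 0.0.0.0/0 peer lets any host that knows the key negotiate; this
        # covers both 'crypto isakmp key ... address 0.0.0.0 0.0.0.0' and an
        # IKEv2 keyring peer's 'address 0.0.0.0 0.0.0.0'.
        if "address" in words and words[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"line {lineno}: wildcard pre-shared-key peer 0.0.0.0/0")
    return findings


# Constructed sample mixing the IKEv1 and IKEv2 site-to-site settings from the labs.
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 192.168.2.2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ikev2 proposal Pro1
 encryption aes-cbc-128
 integrity md5
 group 2
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto map CMAP 1 ipsec-isakmp
 set pfs group2
"""

if __name__ == "__main__":
    for finding in audit_crypto(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file; every line it prints is a setting to move to AES, SHA-2 and DH group 14 or higher, or a keyring/ISAKMP key whose peer should be pinned to a specific address.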
LAB 3: DMVPN with IKEv1
R1-Configuration for Hub
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile MY_PROFILE
set transform-set TSET
!
interface Tunnel0
bandwidth 1000
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 5
tunnel source Ethernet1/1
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile MY_PROFILE
router eigrp 1
network 10.10.10.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
exit
Configuration on spoke R2
!
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
set transform-set TSET
!
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication cisco123
ip nhrp map multicast 192.168.1.1
ip nhrp nhs 172.16.1.1
ip nhrp map 172.16.1.1 192.168.1.1
ip nhrp network-id 5
tunnel source Ethernet1/1
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile MY_PROFILE
router eigrp 1
network 20.20.20.0 0.0.0.255
network 172.16.1.0 0.0.0.255
Note: R3 will have the same configuration as R1, with an updated tunnel IP.
# show ip nhrp detail
# show crypto ipsec sa
LAB 4: DMVPN with IKEv2
Steps for IKEv2 DMVPN:
R1 Hub Config
!
crypto ikev2 proposal ikev2-proposal
encryption aes-cbc-256
integrity sha512
group 15
!
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
crypto ikev2 keyring K-Ring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 profile ikev2-profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local K-Ring
!
crypto ipsec profile ipsec-profile
set ikev2-profile ikev2-profile
interface Ethernet1/1
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
duplex full
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Ethernet1/1
tunnel mode gre multipoint
tunnel protection ipsec profile ipsec-profile
end
R2 Spoke Config
!
crypto ikev2 proposal ikev2-proposal
encryption aes-cbc-256
integrity sha512
group 15
!
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
!
crypto ikev2 keyring K-Ring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 profile ikev2-profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local K-Ring
!
crypto ipsec profile ipsec-profile
set ikev2-profile ikev2-profile
!
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip nhrp authentication cisco123
ip nhrp map multicast 192.168.1.1
ip nhrp map 172.16.1.1 192.168.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
tunnel source Ethernet1/1
tunnel mode gre multipoint
tunnel protection ipsec profile ipsec-profile
end
interface Ethernet1/1
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
duplex full
R2#sh crypto ikev2 session
R2#sh crypto ikev2 sa
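Most DMVPN failures in LAB 3 and LAB 4 come from hub and spoke disagreeing on a value that has to match (NHRP network-id, NHRP authentication string, tunnel key, tunnel mode), from a spoke whose static `ip nhrp map` has the tunnel and NBMA addresses in the wrong order, or from `tunnel protection` applied on one side only. The checker below is an added example, not Cisco code and not part of the original post: it parses the flat interface sections of a hub and a spoke config and reports those mismatches. The two sample configs are constructed to mirror the LAB 3 layout, with the spoke deliberately carrying a swapped NHRP map and no `tunnel protection` so the checker has something to find.

```python
from typing import Dict, List, Optional

Section = List[str]


def _norm_if(name: str) -> str:
    """Normalise 'eth 1/1', 'Ethernet1/1' and 'tunnel 0' to one spelling."""
    name = name.lower().replace(" ", "")
    if name.startswith("eth") and not name.startswith("ethernet"):
        name = "ethernet" + name[3:]
    return name


def parse_interfaces(config: str) -> Dict[str, Section]:
    """Map each interface name to its sub-command lines (flat, unindented IOS text)."""
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("interface "):
            current = _norm_if(line[len("interface "):])
            sections[current] = []
        elif low.startswith(("!", "end", "crypto ", "router ", "ip access-list")):
            current = None  # any other top-level block ends the interface
        elif current is not None:
            sections[current].append(line)
    return sections


def _find(section: Section, prefix: str) -> Optional[str]:
    """Remainder of the first line in section that starts with prefix, else None."""
    for line in section:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def _iface_ip(sections: Dict[str, Section], name: str) -> Optional[str]:
    sec = sections.get(_norm_if(name))
    addr = _find(sec, "ip address ") if sec is not None else None
    return addr.split()[0] if addr else None


def check_dmvpn(hub_cfg: str, spoke_cfg: str) -> List[str]:
    """Return the mismatches between a DMVPN hub and one spoke (empty = consistent)."""
    hub, spoke = parse_interfaces(hub_cfg), parse_interfaces(spoke_cfg)
    hub_tun, spoke_tun = hub["tunnel0"], spoke["tunnel0"]
    hub_tun_ip = (_find(hub_tun, "ip address ") or "").split()[0]
    hub_nbma = _iface_ip(hub, _find(hub_tun, "tunnel source ") or "")
    problems: List[str] = []
    # 1. Values that must be identical on every member of the cloud.
    for key in ("ip nhrp network-id ", "ip nhrp authentication ", "tunnel key ", "tunnel mode "):
        h, s = _find(hub_tun, key), _find(spoke_tun, key)
        if h != s:
            problems.append(f"{key.strip()} differs: hub={h} spoke={s}")
    # 2. Both ends must bind the IPsec profile, or one side sends GRE in the clear.
    for role, sec in (("hub", hub_tun), ("spoke", spoke_tun)):
        if _find(sec, "tunnel protection ipsec profile ") is None:
            problems.append(f"{role}: no 'tunnel protection ipsec profile' on Tunnel0")
    # 3. Spoke static NHRP entries: 'nhs' is the hub tunnel IP and the map is
    #    '<hub tunnel IP> <hub NBMA IP>' in that order.
    if _find(spoke_tun, "ip nhrp nhs ") != hub_tun_ip:
        problems.append(f"spoke: 'ip nhrp nhs' should be {hub_tun_ip}")
    maps = [l.split()[3:5] for l in spoke_tun
            if l.lower().startswith("ip nhrp map ") and "multicast" not in l.lower()]
    if [hub_tun_ip, hub_nbma] not in maps:
        problems.append(f"spoke: expected 'ip nhrp map {hub_tun_ip} {hub_nbma}', found {maps}")
    mcast = [l.split()[4] for l in spoke_tun if l.lower().startswith("ip nhrp map multicast ")]
    if hub_nbma not in mcast:
        problems.append(f"spoke: 'ip nhrp map multicast {hub_nbma}' missing")
    return problems


# Constructed samples mirroring the LAB 3 addressing (hub NBMA 192.168.1.1, tunnel 172.16.1.1).
HUB_CFG = """\
interface tunnel 0
ip address 172.16.1.1 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 5
tunnel source eth 1/1
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile MY_PROFILE
!
interface Ethernet1/1
ip address 192.168.1.1 255.255.255.0
"""
# Spoke with two deliberate mistakes: swapped NHRP map and no tunnel protection.
SPOKE_CFG = """\
interface tunnel 0
ip address 172.16.1.2 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map multicast 192.168.1.1
ip nhrp nhs 172.16.1.1
ip nhrp map 192.168.1.1 172.16.1.1
ip nhrp network-id 5
tunnel source eth 1/1
tunnel mode gre multipoint
tunnel key 6
!
interface Ethernet1/1
ip address 192.168.1.2 255.255.255.0
"""
SPOKE_FIXED = (SPOKE_CFG
               .replace("ip nhrp map 192.168.1.1 172.16.1.1", "ip nhrp map 172.16.1.1 192.168.1.1")
               .replace("tunnel key 6\n", "tunnel key 6\ntunnel protection ipsec profile MY_PROFILE\n"))

if __name__ == "__main__":
    print(check_dmvpn(HUB_CFG, SPOKE_CFG))   # two findings
    print(check_dmvpn(HUB_CFG, SPOKE_FIXED)) # []
```

Feed it the running configs of the hub and each spoke before looking at `show ip nhrp detail`; an empty list means the static NHRP and tunnel parameters agree, so a registration that still fails points at IKE/IPsec (check `show crypto ipsec sa`) rather than at the tunnel definition.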