VPN and ACLs

Mark Mattix
Level 2

I have configured a VPN using IKEv2 and IPSEC over a GRE tunnel. The link connects and operates correctly but I was wondering if someone could offer some advice for the ACLs on this edge router. Here is the current config:

crypto ikev2 keyring LAB123
 peer LABRouter2
  address 192.168.1.2
  pre-shared-key labtest12345
!
crypto ikev2 profile LABRouter1ikev2
 match identity remote address 192.168.1.2 255.255.255.252
 authentication remote pre-share
 authentication local pre-share
 keyring local LABRouter1
 ! note: this references keyring LABRouter1, while the keyring defined above is named LAB123
 dpd 60 2 on-demand
!
crypto ipsec profile LABRouter1ipsec
 set ikev2-profile LABRouter1ikev2
!
interface Tunnel0
 ip address 172.30.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile LABRouter1ipsec
!
interface GigabitEthernet0/0
 description Link to Outside
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.0.0
 duplex auto
 speed auto
!
router eigrp 10
 network 10.1.0.0 0.0.255.255
 network 172.30.1.0 0.0.0.3
 redistribute static
!
! LAN on remote site
ip route 10.150.0.0 255.255.0.0 172.30.1.1

_______________________________________________________

I was thinking about adding a standard ACL going in on the interface connecting to the ISP. I would configure only my networks that I want to come into my VPN. Which makes me wonder: would I apply that ACL to the physical Gi0/0 interface or the Tunnel0 interface? Also, in past VPN configurations I specified with an ACL in the crypto map what to send through the VPN. In this configuration with IKEv2 and IPsec I am not specifying what to encrypt; does this mean anything going out interface Gi0/0 will be encrypted? If not, is there a way to do this? Also, what would you call my VPN configuration, just IKEv2 and IPsec, or is this considered FlexVPN? I read a document on FlexVPN and I believe the only thing different is that it used an elliptic curve algorithm; is that required for a FlexVPN configuration?

Thanks for any help!

12 Replies

Lei Tian
Cisco Employee

Hi Mark,

All traffic going through your tunnel interface will be encrypted. The routing protocol, EIGRP in your case, controls what traffic will be encrypted. There is no need for an interesting-traffic ACL like you used before in IPsec VPN. You will not see the real source/destination IPs on the outside interface, because the packets are encapsulated with the tunnel endpoint IPs and encrypted. You can call it FlexVPN, since it is based on IKEv2.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Thank you for your reply Lei Tian! I am just confused about one other thing: should I have an ACL on Gi0/0 blocking any traffic that isn't from a tunnel endpoint IP? This link is a leased layer 2 link (not going over the internet), but I want to make sure I'm stopping any traffic that shouldn't be allowed. If the tunnel is applied to both interfaces, does that mean the interface will only allow traffic from the opposite tunnel endpoint?

Thanks again for your help!

Lei Tian
Cisco Employee

Hi Mark,

Thanks for the great rating. If the other end of the p2p leased line is considered a trusted site, I don't think it is needed to apply an ACL on the interfaces. If you really want to secure the box, you can apply an inbound ACL and only permit encrypted traffic.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Thank you Lei Tian, I'll look into this. I'm curious to see what will happen to the EIGRP messages, I'm not certain that they're being encrypted but I'll test it out. Thanks for your help!

Lei Tian, I created this ACL and applied it to the interface while the tunnel was operational:

ip access-list extended ONLYENCRYPTED
 permit esp host 192.168.1.1 host 192.168.1.2
!
interface GigabitEthernet0/0
 ip access-group ONLYENCRYPTED in

When I applied this the link continued to operate normally, but when restarting a router the link did not come up again; an ACL debug showed that it was blocking the data.

My question is, on my permit statement what protocol should I allow: all of IP, or can I get more specific like I tried to here with only ESP? What protocols need to be used to get the link up, and should my ACL have to reference the tunnel IPs at all, or are just the physical IPs OK? I'm not sure what part is being blocked... Thanks for your help!

Hi Mark,

You almost got it. Besides ESP, you also need to allow ISAKMP packets, which are needed for the phase 1 SA. In addition, you may want to consider permitting some control traffic (SNMP/SSH/Telnet/NetFlow), so that if something happens to the IPsec tunnel you can still manage the device.

HTH,

Lei Tian
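As an added example (not from the thread, and not Cisco code), here is a small Python model of how an inbound ACL on Gi0/0 treats the outer headers of the flows a tunnel like this produces. Both ACLs and all packets are constructed; the addresses follow the thread's 192.168.1.0/30 link seen from Router1 (192.168.1.1), so the peer 192.168.1.2 is the source of everything inbound. The first ACL mirrors the ESP-only ONLYENCRYPTED list; the second adds IKE (the IOS keyword `isakmp` is UDP 500, the port IKEv2 uses as well) and SSH from the peer's outside address as the management fallback Lei describes.

```python
"""Evaluate an IOS extended ACL against the outer headers of the flows that
actually appear on the outside interface of an IKEv2/IPsec-protected tunnel.
Added example for this thread, not from the original post; the ACLs and
packets below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Subset of IOS protocol/port keywords used in the ACLs below.
PROTO_NUMBERS = {"ip": None, "esp": 50, "gre": 47, "udp": 17, "tcp": 6, "eigrp": 88}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22, "snmp": 161}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]   # None means any IP protocol
    src: Optional[str]     # None means 'any'
    dst: Optional[str]
    dport: Optional[int]

def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D'; returns (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")

def parse_acl(text):
    """Parse 'permit/deny <proto> <src> <dst> [eq <port>]' lines into ACEs."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                       # 'ip access-list' header, '!' or blank
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[0], PROTO_NUMBERS[t[1]], src, dst, dport))
    return aces

def evaluate(aces, pkt):
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for a in aces:
        if a.proto is not None and a.proto != pkt.proto:
            continue
        if a.src is not None and a.src != pkt.src:
            continue
        if a.dst is not None and a.dst != pkt.dst:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action
    return "deny"

# Inbound on Router1's Gi0/0 (192.168.1.1): the peer 192.168.1.2 is the source.
ESP_ONLY = """\
ip access-list extended ONLYENCRYPTED
 permit esp host 192.168.1.2 host 192.168.1.1
"""
WITH_IKE = """\
ip access-list extended ONLYENCRYPTED
 permit udp host 192.168.1.2 host 192.168.1.1 eq isakmp
 permit esp host 192.168.1.2 host 192.168.1.1
 permit tcp host 192.168.1.2 host 192.168.1.1 eq ssh
"""
# Constructed outer-header flows as they would arrive on Gi0/0.
FLOWS = {
    "ikev2 from peer (UDP/500)":       Packet("192.168.1.2", "192.168.1.1", 17, 500),
    "esp from peer":                   Packet("192.168.1.2", "192.168.1.1", 50),
    "ssh from peer outside address":   Packet("192.168.1.2", "192.168.1.1", 6, 22),
    "eigrp hello not inside a tunnel": Packet("192.168.1.2", "224.0.0.10", 88),
    "gre not inside esp":              Packet("192.168.1.2", "192.168.1.1", 47),
}

def classify(acl_text):
    """Verdict of the ACL for every constructed flow."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, p) for name, p in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("ESP only", ESP_ONLY), ("ESP + IKE + SSH", WITH_IKE)):
        print(label)
        for name, verdict in classify(acl).items():
            print(f"  {verdict:6} {name}")
```

Running it reproduces what the thread observed: while the IKE and IPsec SAs already existed, ESP matched and the link stayed up; after a reboot the IKE_SA_INIT exchange arrived on UDP 500, matched nothing and hit the implicit deny, so no SA could be rebuilt. The same happens without a reboot at the next rekey or DPD liveness check, since those also ride IKE. EIGRP and GRE never show up on Gi0/0 in the clear, so the outside ACL need not permit them; the decrypted inner packets are seen on Tunnel0, which is where an ACL meant for the inner traffic belongs. `non500-isakmp` (UDP 4500) is only needed when NAT traversal is in play, which a leased point-to-point link normally is not.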

Thank you Lei Tian, that's a good idea for allowing control protocols, but I thought they too would be encrypted in the tunnel's ESP protocol, thus allowing them through? Do they travel outside of the tunnel? I'm going to try a few changes in the ACL shortly, thanks again for your help! -Mark

Oh never mind, you said to allow those protocols as well in case the tunnel goes down, that makes sense! Thanks!

Lei Tian, I was wondering if you could answer another question I've been overlooking. Two remote sites are going to connect to this Router1. If I want another router to connect to it over the same type of IPsec configuration, will I have to have another IKEv2 keyring, profile and IPsec profile statement for the second remote site and apply it to a second virtual tunnel?

Thanks for your help!

Hi Mark,

You don't have to create new profiles if the remotes can share the same policy. Here is a configuration example for a hub-and-spoke FlexVPN config:

HTH,

Lei Tian

Hub Configuration

  1. Configure an IKEv2 keyring
    crypto ikev2 keyring All-SPOKES
     peer all
      address 0.0.0.0 0.0.0.0
      pre-shared-key Cisco123
  2. Configure an IKEv2 profile:
    • Match the ISAKMP identities of any IPv4 address to this profile
    • Set the authentication method for local and remote peers to pre-shared keys
    • Reference the keyring defined above
    • Reference the virtual-template that will be used to spawn the virtual-access interface for the incoming connection
    crypto ikev2 profile All-SPOKES
     match identity remote address 0.0.0.0
     authentication remote pre-share
     authentication local pre-share
     keyring local All-SPOKES
     virtual-template 1
  3. Configure the default IPsec profile to use the IKEv2 profile.
    crypto ipsec profile default
     set ikev2-profile All-SPOKES
  4. Configure the Virtual-Template to:
    • Enable IP on the virtual-access interfaces but borrow the LAN interface IP (Ethernet0/0 here is the inside interface)
    • Enable IPsec/IKEv2 protection of the tunnel
    interface Virtual-Template1 type tunnel
     ip unnumbered Ethernet0/0
     tunnel protection ipsec profile default
  5. Configure EIGRP routing to advertise out the inside interface and the spawned virtual-access interfaces (since the Virtual-Template borrows its address from Ethernet0/0)
    router eigrp 100
     no auto-summary
     network 172.16.0.1 0.0.0.0

Spoke Configuration

  1. Configure an IKEv2 keyring on Spoke-1
    crypto ikev2 keyring All-SPOKES
     peer all
      address 0.0.0.0 0.0.0.0
      pre-shared-key Cisco123
  2. Configure an IKEv2 profile:
    • Match the ISAKMP identities of any IPv4 address to this profile
    • Set the authentication method for local and remote peers to pre-shared keys
    • Reference the keyring defined above
    • Reference the virtual-template (will be used in the spoke-to-spoke section)
    crypto ikev2 profile All-SPOKES
     match identity remote address 0.0.0.0
     authentication remote pre-share
     authentication local pre-share
     keyring local All-SPOKES
     virtual-template 1
  3. Configure the default IPsec profile to use the IKEv2 profile.
    crypto ipsec profile default
     set ikev2-profile All-SPOKES
  4. Configure a Tunnel interface:
    • To enable IP on the interface but borrow the LAN interface IP
    • To specify the source interface
    • To specify the destination IP address
    • To enable IPsec/IKEv2 protection of the tunnel
    interface Tunnel1
     ip unnumbered Ethernet0/1
     tunnel source Ethernet0/0
     tunnel destination 200.1.1.2
     tunnel protection ipsec profile default
  5. Configure EIGRP to exchange information across the link
    router eigrp 100
     no auto-summary
     network 172.16.1.1 0.0.0.0
  6. Repeat the steps for Spoke-2
    crypto ikev2 keyring All-SPOKES
     peer all
      address 0.0.0.0 0.0.0.0
      pre-shared-key Cisco123
    !
    crypto ikev2 profile All-SPOKES
     match identity remote address 0.0.0.0
     authentication remote pre-share
     authentication local pre-share
     keyring local All-SPOKES
     virtual-template 1
    !
    crypto ipsec profile default
     set ikev2-profile All-SPOKES
    !
    interface Tunnel1
     ip unnumbered Ethernet0/1
     tunnel source Ethernet0/0
     tunnel destination 200.1.1.2
     tunnel protection ipsec profile default
    !
    router eigrp 100
     no auto-summary
     network 172.16.2.1 0.0.0.0

Thank you for that configuration Lei, it helped a lot! Thanks again for all your help!!!

Lei Tian, I was wondering, do you know why it's best to configure the unnumbered virtual interface? The physical fiber link connecting the locations will be a 192 subnet, why do I want to use my local LAN gateway address instead of the outside 192 address?

Also, where in the configuration is data told to be encrypted when traversing the outside 192 link? Thanks for all your help!
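The last question above has a mechanical answer: the `tunnel protection ipsec profile` line on the tunnel (or Virtual-Template) interface is what binds it to IPsec, and from there the config is a chain of named references. The following added Python example (not from the thread, and not Cisco code) parses an IOS running-config into blocks and walks that chain for one interface, reporting where it breaks. The three configs are constructed copies: the first keeps the original post's `keyring local LABRouter1` line, which points at a keyring that post defines as LAB123; the second corrects the name; the third is the hub from the hub-and-spoke example. Pre-shared keys are placeholders. It goes slightly beyond the thread by also flagging wildcard identity and keyring entries.

```python
"""Resolve which IPsec/IKEv2 objects protect traffic leaving an IOS tunnel
interface, and flag dangling or wildcard references.
Added example for this thread; every config below is a constructed copy,
not device output, and the pre-shared keys are placeholders."""

def parse_blocks(text):
    """Map each top-level IOS config line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None                  # '!' or a blank line ends a block
        elif line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def _child(prefix, lines):
    """First word after `prefix` in the first child line that starts with it."""
    for l in lines:
        if l.startswith(prefix):
            rest = l[len(prefix):].split()
            return rest[0] if rest else None
    return None

# (kind, block header, child line that names the next object in the chain)
STEPS = (("ipsec profile", "crypto ipsec profile", "set ikev2-profile"),
         ("ikev2 profile", "crypto ikev2 profile", "keyring local"),
         ("keyring", "crypto ikev2 keyring", None))

def resolve_protection(config, tunnel="interface Tunnel0"):
    """Return (chain, findings): chain is [(kind, name), ...] in reference
    order; findings are 'error:' strings when the chain is broken and
    'info:' strings for wildcard identity/peer settings."""
    blocks = parse_blocks(config)
    chain, lines = [], blocks.get(tunnel)
    if lines is None:
        return chain, [f"error: {tunnel} not found"]
    name = _child("tunnel protection ipsec profile", lines)
    if name is None:
        return chain, [f"error: {tunnel} has no 'tunnel protection'; GRE leaves in cleartext"]
    seen = {}
    for kind, header, next_ref in STEPS:
        chain.append((kind, name))
        lines = blocks.get(f"{header} {name}")
        if lines is None:
            defined = [h.split()[-1] for h in blocks if h.startswith(header + " ")]
            return chain, [f"error: {header} {name} not defined (defined: {defined})"]
        seen[kind] = lines
        if next_ref:
            name = _child(next_ref, lines)
            if name is None:
                return chain, [f"error: {header} {chain[-1][1]} has no '{next_ref}'"]
    findings = []
    if any(l.startswith("match identity remote address 0.0.0.0") for l in seen["ikev2 profile"]):
        findings.append("info: ikev2 profile matches any remote identity")
    if any(l.startswith("address 0.0.0.0 0.0.0.0") for l in seen["keyring"]):
        findings.append("info: keyring uses one pre-shared key for all peers")
    return chain, findings

# Constructed copy of the first post's config (keyring name mismatch kept).
AS_POSTED = """\
crypto ikev2 keyring LAB123
 peer LABRouter2
  address 192.168.1.2
  pre-shared-key PLACEHOLDER-PSK
!
crypto ikev2 profile LABRouter1ikev2
 match identity remote address 192.168.1.2 255.255.255.252
 keyring local LABRouter1
!
crypto ipsec profile LABRouter1ipsec
 set ikev2-profile LABRouter1ikev2
!
interface Tunnel0
 ip address 172.30.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile LABRouter1ipsec
"""
FIXED = AS_POSTED.replace("keyring local LABRouter1", "keyring local LAB123")
CLEARTEXT = AS_POSTED.replace(" tunnel protection ipsec profile LABRouter1ipsec\n", "")

# Constructed copy of the hub side of the hub-and-spoke example.
HUB = """\
crypto ikev2 keyring All-SPOKES
 peer all
  address 0.0.0.0 0.0.0.0
  pre-shared-key PLACEHOLDER-PSK
!
crypto ikev2 profile All-SPOKES
 match identity remote address 0.0.0.0
 keyring local All-SPOKES
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile All-SPOKES
!
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel protection ipsec profile default
"""

if __name__ == "__main__":
    for label, cfg, tun in (("as posted", AS_POSTED, "interface Tunnel0"),
                            ("fixed", FIXED, "interface Tunnel0"),
                            ("no protection", CLEARTEXT, "interface Tunnel0"),
                            ("hub", HUB, "interface Virtual-Template1 type tunnel")):
        chain, findings = resolve_protection(cfg, tun)
        print(label, "->", " -> ".join(f"{k} {n}" for k, n in chain), findings)
```

Without `tunnel protection` the resolver reports that GRE leaves in cleartext, which is the whole answer to "where is data told to be encrypted": nothing on Gi0/0 itself encrypts anything; only packets routed into a protected tunnel interface are. In the hub config the two `info:` findings describe what `match identity remote address 0.0.0.0` and `address 0.0.0.0 0.0.0.0` mean together: any peer presenting the shared key is accepted, so per-peer keyring entries or certificates are the way to narrow that when the spokes are not all equally trusted.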