Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2624
Views
50
Helpful
19
Replies

vpn configuration depends on the provided parameters from head office

amralrazzaz
Level 5
Level 5

‎05-05-2020 04:45 PM - edited ‎05-31-2020 03:54 AM

dears 

i need help to check from the below parameters which i were received from H.O ( they are using firewall) to deploy it on my local router ( remote location - using isr 2911 router) - need help to check if my configurations are fine and i didnt miss any . also if i did any mistake please help to correct this 

parameters:

KE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AE
Authentication algorithm S
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

 

 

 

thanks

 

amr alrazzaz
0 Helpful
19 Replies 19

Rob Ingram
VIP
VIP
In response to amralrazzaz

‎05-10-2020 12:02 PM

Here is the full configuration for the VPN. You should be able to test this and establish a VPN tunnel.

 

## VPN Configuration ##

# IKEv2 Keyring #
crypto ikev2 keyring KR-1
peer NLAMS02E
address 19x.2x7.1xx.1xx
pre-shared-key xxxxxxxx

# IKEv2 Proposal #
crypto ikev2 proposal PROP-NLAMS02E
encryption aes-cbc-256
integrity sha256
group 14

# IKEv2 Policy #
crypto ikev2 policy POL-NLAMS02E
 proposal PROP-NLAMS02E

# IPSec Transform Set #
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

# IKEv2 Profile #
crypto ikev2 profile NLAMS02E-PROFILE
 match identity remote address 19x.2x7.1xx.1xx 255.255.255.255
 match address local interface GigabitEthernet0/1.328
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 lifetime 86400

# Crypto ACL (to represent the traffic to be encrypted over the VPN tunnel to HQ) #
 ip access-list extended VPN_ACL
 remark VPN from to the EGCAI01-NLAMS02E-Fortigate3951
 permit ip 192.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.15.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.255.255

# Crypto Map #
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
 set peer 19x.2x7.1xx.1xx
 set pfs group5
 set security-association lifetime seconds 28800
 set transform-set NLAMS02E-TS
 set ikev2-profile NLAMS02E-PROFILE
 match address VPN_ACL

# Enable crypto map on the outside interface #
interface GigabitEthernet0/1.328
 description connected to PRIMARY_ISP
 crypto map CMAP-NLAMS02E

Don't use an object-group for the crypto ACL - there is a bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsq33560/?reffering_site=dumpcr

 

I'll look at writing something in regard to an ACL to filter the traffic over the VPN, but you should be able to test the VPN with what I have already provided.

 

HTH

amralrazzaz
Level 5
Level 5
In response to Rob Ingram

‎05-10-2020 04:39 PM

ill install the demo license and configure it until getting the permanent license 

 

So, now with this acl u modified and provided to me i can access all ?!

- sap server hosts - dns server host - wipro networks and others which i shared to u in excel sheet  ?

so no need to added them one by one like :

 

permit ip 192.168.0.0 0.0.15.255 host 10.xx.0.xx1
permit ip 192.168.0.0 0.0.15.255 10.xx.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.15.255 host 10.x30.x2.1xx

and so on .... shall i add all hosts and networks which is too much or just enough with the
networks I.D thay u were added on ACL >?
ALSO NO NEED TO ADD PORT NUMBERS ON ACL LIKE BELOW EXAMPLE :

permit TCp 192.168.0.0 0.0.15.255 host 10.x30.x2.1xx eq 53
and so on

amr alrazzaz
0 Helpful

Rob Ingram
VIP
VIP
In response to amralrazzaz

‎05-11-2020 12:53 AM

The ACL in configuration I provided above does not need to be modified, it must mirror the configuration on the HQ firewall. If you modify this ACL you may have issues establishing the VPN.

I will look at writing the Zone Based Firewall configuration using the information you provided, this will be used to restrict what can be accessed over the VPN tunnel.

amralrazzaz
Level 5
Level 5
In response to Rob Ingram

‎05-11-2020 04:32 AM

hello dear 

 

i do configured the ikev2 as per what u provided ?

 

now how can i check ?

show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session

amr alrazzaz
0 Helpful

Rob Ingram
VIP
VIP
In response to amralrazzaz

‎05-11-2020 04:41 AM

Those commands are correct, do you see any output from either?
You will need to generate some traffic for the VPN to establish. Can you ping from a computer behind the router to a server at the HQ.

If the VPN has not established, if you enable debugs "debug crypto ikev2 protocol" and "debug crypto ikev2 platform".

I assume the configuration has been applied on the HQ firewall?
Customers Also Viewed These Support Documents