05-05-2020 04:45 PM - edited 05-31-2020 03:54 AM
Dears,
I need help to check the below parameters, which I received from H.O. (they are using a firewall), to deploy on my local router (remote location, using an ISR 2911 router). I need help to check if my configuration is fine and I didn't miss anything. Also, if I made any mistake, please help to correct it.
Parameters:
IKE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled
IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AE
Authentication algorithm S
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled
Thanks
05-10-2020 12:02 PM
Here is the full configuration for the VPN. You should be able to test this and establish a VPN tunnel.
## VPN Configuration ##
# IKEv2 Keyring #
crypto ikev2 keyring KR-1
 peer NLAMS02E
  address 19x.2x7.1xx.1xx
  pre-shared-key xxxxxxxx
# IKEv2 Proposal #
crypto ikev2 proposal PROP-NLAMS02E
 encryption aes-cbc-256
 integrity sha256
 group 14
# IKEv2 Policy #
crypto ikev2 policy POL-NLAMS02E
 proposal PROP-NLAMS02E
# IPSec Transform Set #
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
# IKEv2 Profile #
crypto ikev2 profile NLAMS02E-PROFILE
 match identity remote address 19x.2x7.1xx.1xx 255.255.255.255
 match address local interface GigabitEthernet0/1.328
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 lifetime 86400
# Crypto ACL (to represent the traffic to be encrypted over the VPN tunnel to HQ) #
ip access-list extended VPN_ACL
 remark VPN from to the EGCAI01-NLAMS02E-Fortigate3951
 permit ip 192.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.15.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.255.255
# Crypto Map #
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
 set peer 19x.2x7.1xx.1xx
 set pfs group5
 set security-association lifetime seconds 28800
 set transform-set NLAMS02E-TS
 set ikev2-profile NLAMS02E-PROFILE
 match address VPN_ACL
# Enable crypto map on the outside interface #
interface GigabitEthernet0/1.328
 description connected to PRIMARY_ISP
 crypto map CMAP-NLAMS02E
Don't use an object-group for the crypto ACL - there is a bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsq33560/?reffering_site=dumpcr
I'll look at writing something in regard to an ACL to filter the traffic over the VPN, but you should be able to test the VPN with what I have already provided.
HTH
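As an added example (not part of the original thread or any Cisco tooling), a small Python checker that compares an IOS configuration excerpt against the H.O. parameter list from the first post and flags any mismatch, plus any object-group use in the crypto ACL given the bug referenced above. It assumes AES-256 / SHA-256 for the Phase 2 values, because the page's own Phase 2 parameter lines are truncated and the posted transform set uses those.

```python
import re

# Constructed excerpt of the IOS config posted in this thread (peer address masked as on the page).
IOS_CONFIG = """
crypto ikev2 proposal PROP-NLAMS02E
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ikev2 profile NLAMS02E-PROFILE
 lifetime 86400
ip access-list extended VPN_ACL
 permit ip 192.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
 set pfs group5
 set security-association lifetime seconds 28800
 set transform-set NLAMS02E-TS
"""

# H.O. parameters from the first post, expressed as regexes over individual config lines.
# Phase 2 AES-256 / SHA-256 is an assumption taken from the posted transform set.
HQ_REQUIREMENTS = {
    "IKEv2 encryption AES256":         r"^\s*encryption aes-cbc-256$",
    "IKEv2 integrity SHA256":          r"^\s*integrity sha256$",
    "IKEv2 DH group 14":               r"^\s*group 14$",
    "IKEv2 lifetime 86400":            r"^\s*lifetime 86400$",
    "ESP AES256 + SHA256 HMAC":        r"^crypto ipsec transform-set \S+ esp-aes 256 esp-sha256-hmac$",
    "ESP tunnel mode":                 r"^\s*mode tunnel$",
    "PFS DH group 5":                  r"^\s*set pfs group5$",  # 1536-bit MODP, weaker than group 14, but what H.O. asked for
    "IPsec SA lifetime 28800":         r"^\s*set security-association lifetime seconds 28800$",
    "Crypto ACL without object-group": r"^ip access-list extended \S+$",
}


def check_config(config: str) -> dict:
    """Return {requirement name: True/False} for each H.O. parameter."""
    lines = config.splitlines()
    result = {name: any(re.match(pat, ln) for ln in lines)
              for name, pat in HQ_REQUIREMENTS.items()}
    # The referenced bug concerns object-groups in crypto ACLs: any use anywhere in the excerpt fails that check.
    if any(re.search(r"\bobject-group\b", ln) for ln in lines):
        result["Crypto ACL without object-group"] = False
    return result


def missing(config: str) -> list:
    """Names of H.O. requirements the excerpt does not satisfy (empty list means it matches)."""
    return [name for name, ok in check_config(config).items() if not ok]
```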
05-10-2020 04:39 PM
I'll install the demo license and configure it until getting the permanent license.
So, now with this ACL you modified and provided to me, I can access all?!
- SAP server hosts - DNS server host - Wipro networks and others which I shared with you in the Excel sheet?
So no need to add them one by one like:
permit ip 192.168.0.0 0.0.15.255 host 10.xx.0.xx1
permit ip 192.168.0.0 0.0.15.255 10.xx.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.15.255 host 10.x30.x2.1xx
and so on .... Shall I add all hosts and networks, which is too much, or is it enough with the
network IDs that you added on the ACL?
Also, no need to add port numbers on the ACL like the below example:
permit tcp 192.168.0.0 0.0.15.255 host 10.x30.x2.1xx eq 53
and so on
05-11-2020 12:53 AM
05-11-2020 04:32 AM
Hello dear,
I configured IKEv2 as per what you provided.
Now how can I check?
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session
05-11-2020 04:41 AM