VPN configuration depends on the provided parameters from head office

Dears,

I need help to check the parameters below, which I received from H.O. (they are using a firewall), to deploy them on my local router (remote location, using an ISR 2911 router). I need help to check whether my configuration is fine and I didn't miss anything. Also, if I made any mistake, please help to correct it.

parameters:

IKE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AE
Authentication algorithm S
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

thanks

amr alrazzaz

Here is the full configuration for the VPN. You should be able to test this and establish a VPN tunnel.

## VPN Configuration ##

# IKEv2 Keyring #
crypto ikev2 keyring KR-1
 peer NLAMS02E
  address 19x.2x7.1xx.1xx
  pre-shared-key xxxxxxxx

# IKEv2 Proposal #
crypto ikev2 proposal PROP-NLAMS02E
 encryption aes-cbc-256
 integrity sha256
 group 14

# IKEv2 Policy #
crypto ikev2 policy POL-NLAMS02E
 proposal PROP-NLAMS02E

# IPSec Transform Set #
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

# IKEv2 Profile #
crypto ikev2 profile NLAMS02E-PROFILE
 match identity remote address 19x.2x7.1xx.1xx 255.255.255.255
 match address local interface GigabitEthernet0/1.328
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 lifetime 86400

# Crypto ACL (to represent the traffic to be encrypted over the VPN tunnel to HQ) #
ip access-list extended VPN_ACL
 remark VPN from to the EGCAI01-NLAMS02E-Fortigate3951
 permit ip 192.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.15.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.255.255

# Crypto Map #
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
 set peer 19x.2x7.1xx.1xx
 set pfs group5
 set security-association lifetime seconds 28800
 set transform-set NLAMS02E-TS
 set ikev2-profile NLAMS02E-PROFILE
 match address VPN_ACL

# Enable crypto map on the outside interface #
interface GigabitEthernet0/1.328
 description connected to PRIMARY_ISP
 crypto map CMAP-NLAMS02E

Don't use an object-group for the crypto ACL - there is a bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsq33560/?reffering_site=dumpcr

I'll look at writing something with regard to an ACL to filter the traffic over the VPN, but you should be able to test the VPN with what I have already provided.

HTH
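As an added check (example code, not part of the reply above and not router output), the following Python script compares a running-config against the head-office parameter sheet from the first post and lists every setting that differs. It assumes the keyword mapping written into the script (AES256 to aes-cbc-256, SHA256 to sha256, PFS Diffie-Hellman group 5 to group5), uses a constructed copy of the posted configuration with the documentation address 192.0.2.1 in place of the masked peer, and treats the sheet's "Dead peer detection Enabled" as requiring a dpd line in the IKEv2 profile, which the configuration above does not carry. The `dpd 10 2 on-demand` interval and retry values are an assumption of the example, chosen only to show the check passing.

```python
"""Compare the router's IKEv2/IPsec settings with the head-office sheet."""

# Sheet transcribed into IOS keywords; the mapping (AES256 -> aes-cbc-256,
# SHA256 -> sha256, PFS DH group 5 -> group5) is this example's assumption.
HO_PARAMETERS = {
    "ike.encryption": "aes-cbc-256",
    "ike.integrity": "sha256",
    "ike.group": "14",
    "ike.lifetime": "86400",
    "ike.dpd": "on",
    "ipsec.transform": "esp-aes 256 esp-sha256-hmac",
    "ipsec.mode": "tunnel",
    "ipsec.lifetime": "28800",
    "ipsec.pfs": "group5",
}

# Constructed sample in 'show running-config' layout, copied from the posted
# configuration with a placeholder peer address; keyring/policy omitted since
# the sheet says nothing about them.
SAMPLE_CONFIG = """\
crypto ikev2 proposal PROP-NLAMS02E
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ikev2 profile NLAMS02E-PROFILE
 match identity remote address 192.0.2.1 255.255.255.255
 match address local interface GigabitEthernet0/1.328
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 lifetime 86400
!
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
 set peer 192.0.2.1
 set pfs group5
 set security-association lifetime seconds 28800
 set transform-set NLAMS02E-TS
 set ikev2-profile NLAMS02E-PROFILE
 match address VPN_ACL
"""

# The same configuration with dead peer detection added to the profile
# (interval/retry values are an assumed choice for this example).
SAMPLE_CONFIG_WITH_DPD = SAMPLE_CONFIG.replace(
    " lifetime 86400\n", " lifetime 86400\n dpd 10 2 on-demand\n")


def parse_blocks(config):
    """Split config text into (command, [sub-commands]); indented lines
    belong to the preceding top-level command, '!' separators are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def extract_settings(config):
    """Collect the settings the sheet specifies; exact keyword match only."""
    found = {"ike.dpd": "off"}  # off unless the profile carries a 'dpd' line
    for cmd, subs in parse_blocks(config):
        if cmd.startswith("crypto ikev2 proposal "):
            for s in subs:
                key, _, val = s.partition(" ")
                if key in ("encryption", "integrity", "group"):
                    found["ike." + key] = val
        elif cmd.startswith("crypto ikev2 profile "):
            for s in subs:
                if s.startswith("lifetime "):
                    found["ike.lifetime"] = s.split()[1]
                elif s.startswith("dpd "):
                    found["ike.dpd"] = "on"
        elif cmd.startswith("crypto ipsec transform-set "):
            found["ipsec.transform"] = " ".join(cmd.split()[4:])
            # IOS defaults a transform set to tunnel mode when 'mode' is absent
            found["ipsec.mode"] = next(
                (s.split()[1] for s in subs if s.startswith("mode ")), "tunnel")
        elif cmd.startswith("crypto map ") and cmd.endswith(" ipsec-isakmp"):
            for s in subs:
                if s.startswith("set pfs "):
                    found["ipsec.pfs"] = s.split()[2]
                elif s.startswith("set security-association lifetime seconds "):
                    found["ipsec.lifetime"] = s.split()[-1]
    return found


def check_against_sheet(config, sheet=HO_PARAMETERS):
    """Return {parameter: (required, configured)} for every mismatch."""
    found = extract_settings(config)
    return {k: (v, found.get(k)) for k, v in sheet.items() if found.get(k) != v}
```

Feed it the text of `show running-config | section crypto` from the ISR; on the constructed copy of the posted configuration the only mismatch it reports is `ike.dpd`, and adding a dpd line to the profile clears it.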


I'll install the demo license and configure it until I get the permanent license.

So, now with this ACL you modified and provided to me, can I access all of them?

- SAP server hosts - DNS server host - Wipro networks and the others which I shared with you in the Excel sheet?

So there is no need to add them one by one like:

permit ip 192.168.0.0 0.0.15.255 host 10.xx.0.xx1
permit ip 192.168.0.0 0.0.15.255 10.xx.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.15.255 host 10.x30.x2.1xx

and so on... Shall I add all the hosts and networks, which is too much, or is it enough with the
network IDs that you added to the ACL?
Also, is there no need to add port numbers to the ACL, like the example below:

permit tcp 192.168.0.0 0.0.15.255 host 10.x30.x2.1xx eq 53
and so on

amr alrazzaz

The ACL in the configuration I provided above does not need to be modified; it must mirror the configuration on the HQ firewall. If you modify this ACL you may have issues establishing the VPN.

I will look at writing the Zone Based Firewall configuration using the information you provided; this will be used to restrict what can be accessed over the VPN tunnel.
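To make the host-by-host question concrete, here is an added example (not code from the thread or from either participant) that applies the posted crypto ACL's wildcard masks the way IOS does and reports which entry, if any, selects a given source/destination pair for the tunnel. The sample pairs are constructed: 192.168.5.10 stands in for a local host and 10.130.12.100 and 172.20.1.7 for head-office servers in the style of the masked addresses above.

```python
"""Which source/destination pairs does the posted crypto ACL select?
IOS wildcard-mask semantics, implemented on integers (added example)."""
import ipaddress

# Crypto ACL exactly as posted above (wildcard masks, not netmasks).
VPN_ACL = """\
permit ip 192.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
permit ip 192.168.0.0 0.0.15.255 172.16.0.0 0.15.255.255
permit ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.255.255
"""

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume one ACL address term: 'any', 'host A', or 'A WILDCARD'.
    Returns ((address, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'permit <proto> <src> <dst> [ports]'; returns None for remarks,
    blank lines and deny entries (deny lines never select traffic)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "permit":
        return None
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    return {"proto": tokens[1], "src": src, "dst": dst, "rest": rest}


def wildcard_match(term, ip_text):
    """IOS semantics: bits set in the wildcard are 'don't care'. Works for
    non-contiguous wildcards too, which ipaddress cannot represent."""
    addr, wildcard = term
    care = ~wildcard & ALL_ONES
    return (_ip(ip_text) & care) == (addr & care)


def selecting_entry(acl_text, src_ip, dst_ip):
    """Return the first ACE that would send src->dst through the tunnel,
    or None if the pair is not 'interesting traffic' for this crypto map."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace and wildcard_match(ace["src"], src_ip) \
                and wildcard_match(ace["dst"], dst_ip):
            return line.strip()
    return None


def to_cidr(term):
    """Render an 'address wildcard' term as CIDR (contiguous wildcards only)."""
    addr, wildcard = term
    netmask = str(ipaddress.IPv4Address(~wildcard & ALL_ONES))
    return str(ipaddress.IPv4Network((addr, netmask), strict=False))


if __name__ == "__main__":
    # Constructed sample pairs in the style of the hosts asked about above.
    for src, dst in (("192.168.5.10", "10.130.12.100"),
                     ("192.168.5.10", "172.20.1.7"),
                     ("192.168.5.10", "8.8.8.8"),
                     ("192.168.20.5", "10.1.1.1")):
        print(f"{src} -> {dst}: {selecting_entry(VPN_ACL, src, dst)}")
```

Any pair for which `selecting_entry` returns a line is already covered by the posted network entries and needs no host line of its own; a pair returning None (a source outside 192.168.0.0/20, or a destination outside 10/8, 172.16/12 and 192.168/16) is routed in the clear. The crypto ACL only matches addresses here, so port-level restrictions such as `eq 53` belong in a separate filter (the zone-based firewall the reply mentions), not in the crypto ACL, where the peer's selectors would no longer mirror yours. The check applies to packets leaving the interface that carries the crypto map; traffic between two hosts on the local LAN never reaches that interface, so the overlap between the local /20 and the 192.168.0.0/16 destination in the third entry does not pull local-to-local traffic into the tunnel.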

Hello dear,

I have configured IKEv2 as per what you provided.

Now how can I check?

show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session

amr alrazzaz

Those commands are correct; do you see any output from either?
You will need to generate some traffic for the VPN to establish. Can you ping from a computer behind the router to a server at the HQ?

If the VPN has not established, enable the debugs "debug crypto ikev2 protocol" and "debug crypto ikev2 platform".

I assume the configuration has been applied on the HQ firewall?