Here's a very easy example for site-to-site tunnel using IKEv2 and crypto maps.
In fact it's very easy to "upgrade" your existing L2L tunnel to use IKEv2. You'll notice that the trick is to apply ike version 2 profile to existing crypto map.
Topology:
192.168.1.0/24 - Site1 router --(L2 connection)--- Site2 router - 192.168.2.0/24
Both site1 and site2 routers use 15.1(2)T IOS.
So how does the configuration work.
First of all you define IKEv2 proposals.
----------
crypto ikev2 proposal PROPOSAL_1
encryption aes-cbc-128 3des
integrity sha256 md5
group 5 2
----------
You apply this(or those) proposals to a policy.
-----------
crypto ikev2 policy POLICY_1
proposal PROPOSAL_1
-----------
Define a keyring (this comes from site2 router, site_1's public IP is 10.0.0.1)
-----------
crypto ikev2 keyring KEYRING_1
peer SITE_1
address 10.0.0.1
pre-shared-key cisco
-----------
Following this you define a profile:
-----------
crypto ikev2 profile PROFILE_1
match identity remote address 10.0.0.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring KEYRING_1
-----------
Last thing to do is to apply the profile to you crypto map.
-----------
crypto map MAP 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set TRANSFORM_1
set ikev2-profile PROFILE_1
match address VPN
-------------
Result?
########################################
Site2#deb cry ikev2 event
IKEV2 event debugging is on
Site2#ping 192.168.1.1 sou e0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
*Jul 26 10:46:07.931: IKEv2:% Getting preshared key from profile keyring KEYRING_1
*Jul 26 10:46:07.931: IKEv2:% Matched peer block 'SITE_1'
*Jul 26 10:46:07.931: IKEv2:Found Policy POLICY_1
*Jul 26 10:46:07.931: IKEv2:(1): Getting configured policies
*Jul 26 10:46:07.931: IKEv2:(1): Setting configured policies
*Jul 26 10:46:07.931: IKEv2:(1): Computing DH public key
*Jul 26 10:46:07.931: IKEv2:(1):
*Jul 26 10:46:07.931: IKEv2:(1): Sending initial message
*Jul 26 10:46:07.931: IKEv2: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 8
AES-CBC 3DES SHA256 MD5 SHA256 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
*Jul 26 10:46:07.931:
*Jul 26 10:46:07.931: IKEv2:(1): Checking if request will fit in peer window
*Jul 26 10:46:07.931: IKEv2:Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x0
*Jul 26 10:46:07.931: IKEv2:HDR[i:8984BC53859B1136 - r: 0000000000000000]
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jul 26 10:46:07.931:
*Jul 26 10:46:07.931: IKEv2:(1): Insert SA
*Jul 26 10:46:08.007: IKEv2:Rx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x0
*Jul 26 10:46:08.007: IKEv2:HDR[i:8984BC53859B1136 - r: 153FE7D81F5F453A]
*Jul 26 10:46:08.007: SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jul 26 10:46:08.007:
*Jul 26 10:46:08.007: IKEv2:(1): Processing initial message
*Jul 26 10:46:08.007: IKEv2:(1): Verify SA init message
*Jul 26 10:46:08.007: IKEv2:(1): Processing initial message
*Jul 26 10:46:08.007: IKEv2:(1): Process NAT discovery notify
*Jul 26 10:46:08.007: IKEv2:(1): Check NAT discovery
*Jul 26 10:46:08.007: IKEv2:(1): Computing DH secret key
*Jul 26 10:46:08.019: IKEv2:(1):
*Jul 26 10:46:08.019: IKEv2:(1): Generate skeyid
*Jul 26 10:46:08.019: IKEv2:(1): Complete SA init exchange
*Jul 26 10:46:08.019: IKEv2:(1): Check for EAP exchange
*Jul 26 10:46:08.019: IKEv2:(1): Generate my authentication data
*Jul 26 10:46:08.019: IKEv2:(1): Use preshared key for id 10.0.0.2, key len 5
*Jul 26 10:46:08.019: IKEv2:(1): Get my authentication method
*Jul 26 10:46:08.019: IKEv2:(1): Check for EAP exchange
*Jul 26 10:46:08.019: IKEv2:(1): Sending auth message
*Jul 26 10:46:08.019: IKEv2: ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
*Jul 26 10:46:08.019:
*Jul 26 10:46:08.019: IKEv2:(1): Building packet for encryption; contents are: VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jul 26 10:46:08.019:
*Jul 26 10:46:08.019: IKEv2:(1): Checking if request will fit in peer window
*Jul 26 10:46:08.019: IKEv2:Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
*Jul 26 10:46:08.019: IKEv2:HDR[i:8984BC53859B1136 - r: 153FE7D81F5F453A]
ENCR
*Jul 26 10:46:08.019:
*Jul 26 10:46:08.071: IKEv2:Rx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
*Jul 26 10:46:08.071: IKEv2:HDR[i:8984BC53859B1136 - r: 153FE7D81F5F453A]
*Jul 26 10:46:08.071: VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jul 26 10:46:08.071:
*Jul 26 10:46:08.071: IKEv2:(1): Process auth response notify
*Jul 26 10:46:08.071: IKEv2:(1): Peer is a Cisco device Platform:IOS Capabilities: Granite
*Jul 26 10:46:08.071: IKEv2:(1): Getting configured policies
*Jul 26 10:46:08.071: IKEv2:Found Policy POLICY_1
*Jul 26 10:46:08.071: IKEv2:(1): Verify peer's policy
*Jul 26 10:46:08.071: IKEv2:(1): Get peer authentication method
*Jul 26 10:46:08.071: IKEv2:(1): Get peer's preshared key for 10.0.0.1
*Jul 26 10:46:08.071: IKEv2:(1): Verify authentication data
*Jul 26 10:46:08.071: IKEv2:(1): Use preshared key for id 10.0.0.1, key len 5
*Jul 26 10:46:08.071: IKEv2:(1): Check for EAP exchange
*Jul 26 10:46:08.071: IKEv2:(1): Processing auth message
*Jul 26 10:46:08.071: IKEv2:(1): Closing the PKI session
*Jul 26 10:46:08.071: IKEv2:(1): SA created; inserting SA into database
*Jul 26 10:46:08.071: IKEv2:(1): Load IPSEC key material
*Jul 26 10:46:08.071: IKEv2:(1): Checking for duplicate SA.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/12/20 ms
Site2#sh cry ikev2 sa det
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.2/500 10.0.0.1/500 (none)/(none) READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/163 sec
CE id: 1004, Session-id: 4
Status Description: Negotiation done
Local spi: 8984BC53859B1136 Remote spi: 153FE7D81F5F453A
Local id: 10.0.0.2
Remote id: 10.0.0.1
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
########################################
While on the responder:
########################################
Site1#
*Jul 26 10:46:07.839: IKEv2:Rx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0
*Jul 26 10:46:07.839: IKEv2:HDR[i:8984BC53859B1136 - r: 0000000000000000]
*Jul 26 10:46:07.839: SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jul 26 10:46:07.839:
*Jul 26 10:46:07.839: IKEv2:Verify SA init message
*Jul 26 10:46:07.839: IKEv2:Insert SA
*Jul 26 10:46:07.839: IKEv2:(1): Getting configured policies
*Jul 26 10:46:07.839: IKEv2:Found Policy POLICY_1
*Jul 26 10:46:07.839: IKEv2:(1): Processing initial message
*Jul 26 10:46:07.839: IKEv2:(1): Process NAT discovery notify
*Jul 26 10:46:07.839: IKEv2:(1): Setting configured policies
*Jul 26 10:46:07.839: IKEv2:Failed to retrieve Certificate Issuer list
*Jul 26 10:46:07.839: IKEv2:(1): Computing DH public key
*Jul 26 10:46:07.839: IKEv2:(1):
*Jul 26 10:46:07.839: IKEv2:(1): Computing DH secret key
*Jul 26 10:46:07.907: IKEv2:(1):
*Jul 26 10:46:07.907: IKEv2:(1): Generate skeyid
*Jul 26 10:46:07.907: IKEv2:(1): Sending initial message
*Jul 26 10:46:07.907: IKEv2: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_1536_MODP/Group 5
*Jul 26 10:46:07.907:
*Jul 26 10:46:07.907: IKEv2:Failed to retrieve Certificate Issuer list
*Jul 26 10:46:07.907: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0
*Jul 26 10:46:07.907: IKEv2:HDR[i:8984BC53859B1136 - r: 153FE7D81F5F453A]
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jul 26 10:46:07.907:
*Jul 26 10:46:07.907: IKEv2:(1): Complete SA init exchange
*Jul 26 10:46:07.907: IKEv2:(1): Starting timer to wait for auth message
*Jul 26 10:46:07.975: IKEv2:Rx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x1
*Jul 26 10:46:07.975: IKEv2:HDR[i:8984BC53859B1136 - r: 153FE7D81F5F453A]
*Jul 26 10:46:07.975: VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jul 26 10:46:07.975:
*Jul 26 10:46:07.975: IKEv2:(1): Stopping timer to wait for auth message
*Jul 26 10:46:07.975: IKEv2:(1): Check NAT discovery
*Jul 26 10:46:07.975: IKEv2:(1): Recieved valid parameteres in process id
*Jul 26 10:46:07.975: IKEv2:(1): Peer is a Cisco device Platform:IOS Capabilities: Granite
*Jul 26 10:46:07.975: IKEv2:(1): Getting configured policies
*Jul 26 10:46:07.975: IKEv2:found matching IKEv2 profile 'PROFILE_1'
*Jul 26 10:46:07.975: ISAKMP:(0):: peer matches PROFILE_1 profile
*Jul 26 10:46:07.975: IKEv2:% Getting preshared key from profile keyring KEYRING_1
*Jul 26 10:46:07.975: IKEv2:% Matched peer block 'SITE_2'
*Jul 26 10:46:07.975: IKEv2:Found Policy POLICY_1
*Jul 26 10:46:07.975: IKEv2:(1): Setting configured policies
*Jul 26 10:46:07.975: IKEv2:(1): Verify peer's policy
*Jul 26 10:46:07.975: IKEv2:(1): Get peer authentication method
*Jul 26 10:46:07.975: IKEv2:(1): Get peer's preshared key for 10.0.0.2
*Jul 26 10:46:07.975: IKEv2:(1): Verify authentication data
*Jul 26 10:46:07.975: IKEv2:(1): Use preshared key for id 10.0.0.2, key len 5
*Jul 26 10:46:07.975: IKEv2:(1): Processing initial contact
*Jul 26 10:46:07.975: IKEv2:(1): Processing auth message
*Jul 26 10:46:07.975: IKEv2:(1): Get my authentication method
*Jul 26 10:46:07.975: IKEv2:(1): Get peer's preshared key for 10.0.0.2
*Jul 26 10:46:07.975: IKEv2:(1): Generate my authentication data
*Jul 26 10:46:07.975: IKEv2:(1): Use preshared key for id 10.0.0.1, key len 5
*Jul 26 10:46:07.975: IKEv2:(1): Get my authentication method
*Jul 26 10:46:07.975: IKEv2:(1): Sending auth message
*Jul 26 10:46:07.975: IKEv2: ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
*Jul 26 10:46:07.975:
*Jul 26 10:46:07.975: IKEv2:(1): Building packet for encryption; contents are: VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jul 26 10:46:07.975:
*Jul 26 10:46:07.975: IKEv2:
Site1#Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x1
*Jul 26 10:46:07.975: IKEv2:HDR[i:8984BC53859B1136 - r: 153FE7D81F5F453A]
ENCR
*Jul 26 10:46:07.975:
*Jul 26 10:46:07.975: IKEv2:(1): Closing the PKI session
*Jul 26 10:46:07.975: IKEv2:(1): SA created; inserting SA into database
*Jul 26 10:46:07.975: IKEv2:(1): Load IPSEC key material
*Jul 26 10:46:07.975: IKEv2:(1): Checking for duplicate SA
*Jul 26 10:46:07.975: IKEv2:(1): Starting timer to delete negotiation context
Site1#sh cry ikev2 sa det
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 (none)/(none) READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/132 sec
CE id: 1004, Session-id: 4
Status Description: Negotiation done
Local spi: 153FE7D81F5F453A Remote spi: 8984BC53859B1136
Local id: 10.0.0.1
Remote id: 10.0.0.2
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
########################################
Configuration guide is located here.
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_ikev2_ps10592_TSD_Products_Configuration_Guide_Chapter.html
Related RFC:
http://www.ietf.org/rfc/rfc4306.txt
Subscribe to:
Post Comments (Atom)
2 comments:
Very helpful... thanks so much.
very straight forward explanation, thanks
Post a Comment