A couple of years ago I wrote a post about route-based IPSec VPNs involving NAT-T on Cisco routers. Today, however, I had to set up a lab environment using policy-based VPNs. This was a real blast from the past, as I hadn’t done a policy-based VPN on a Cisco router since the late 1990s :-O
VPN Parameters:
- Local side, private IP of external interface of router: 192.0.2.2
- Local side, private IP subnet 192.168.100.0/24
- Local side, public IP address: 198.18.51.78
- Remote side, public IP address: 203.0.113.161
- Remote side, private IP subnet: 10.13.0.0/16
- Pre-shared key: MySecretKey1234
- Phase 1 encryption and lifetime: AES-256, SHA-384, Group 14, 1 day
- Phase 2 encryption and lifetime: AES-128, SHA-1, Group 2, 1 hour
With both IKEv1 and IKEv2, you’ll want to start by verifying that NAT-T is enabled, which is the default. This lets the router detect that it is behind NAT and tunnel traffic over udp/4500 rather than as plain ESP (IP protocol 50):
crypto ipsec nat-transparency udp-encapsulation
If the other side is expecting or requiring NAT-T and it’s been disabled, Cisco IOS will log this warning:
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: NAT-T disabled via cli
IKEv1
As with route-based VPN, I start by setting some global ISAKMP parameters:
crypto isakmp disconnect-revoked-peers
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 2 on-demand
crypto isakmp nat keepalive 900
The ISAKMP policy defines global encryption and authentication settings.
! 256-bit AES + SHA2-384 + PFS Group14 (2048-bit key)
crypto isakmp policy 100
encr aes 256
hash sha384
authentication pre-share
group 14
lifetime 86400 ! 1 day, which is the default
!
Configure authentication for the peer by defining a keyring that specifies the public IP of the remote side. Then create an ISAKMP profile, again specifying the remote’s public IP and the local external interface:
crypto keyring CRYPTO_KEYRING
local-address GigabitEthernet0/0
pre-shared-key address 203.0.113.161 key MySecretKey1234
!
crypto isakmp profile ISAKMP_PROFILE
keyring CRYPTO_KEYRING
match identity address 203.0.113.161 255.255.255.255
local-address GigabitEthernet0/0
!
Now the crypto map, which replaces the crypto ipsec profile of route-based VPNs. I’m just using the typical encryption settings of 128-bit AES/SHA-1/Group 2 PFS. The access-list must be defined to match the “interesting” traffic to send across the VPN.
! LOCAL = 192.168.100.0/24. REMOTE = 10.13.0.0/16
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.13.0.0 0.0.255.255
!
crypto ipsec security-association replay window-size 1024
crypto ipsec df-bit clear
!
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto map CRYPTO_MAP 1 ipsec-isakmp
set peer 203.0.113.161
set security-association lifetime seconds 3600 ! 1 hour, which is the default
set transform-set ESP_AES128_SHA
set pfs group2
match address 101
reverse-route
!
Finish by applying the crypto map to the external interface:
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
interface GigabitEthernet0/0
ip address 192.0.2.2 255.255.255.0
crypto map CRYPTO_MAP
!
interface GigabitEthernet0/1
ip address 192.168.100.100 255.255.255.0
!
Send a ping that matches the interesting traffic. Make sure to source it from an interface whose IP falls within the source range specified in the ACL referenced by the crypto map.
Router# ping 10.13.113.11 source Gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.13.113.11, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.100
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/71/72 ms
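As an added example (not from the original post), here is a small Python model of how the crypto map decides which packets are “interesting”: it parses access-list 101 with Cisco wildcard-mask semantics and checks the ping above (sourced from Gi0/1) against a ping sourced from the external interface, which the ACL would not match and which would therefore leave the router unencrypted.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns ((network, wildcard) as ints, remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net, wc = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (net, wc), tokens[2:]

def wildcard_match(addr, spec):
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def parse_acl(config_text):
    """Return [(action, src_spec, dst_spec)] for 'access-list N permit|deny ip ...' lines."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # '!' comments and non-'ip' ACEs are skipped
        src, rest = parse_addr(t[4:])
        dst, _ = parse_addr(rest)
        entries.append((t[2], src, dst))
    return entries

def is_interesting(src_ip, dst_ip, entries):
    """First matching ACE wins; the implicit deny at the end means 'not encrypted'."""
    for action, src, dst in entries:
        if wildcard_match(src_ip, src) and wildcard_match(dst_ip, dst):
            return action == "permit"
    return False

# The crypto ACL from the post (a '!' comment line is included to show it is skipped).
ACL_101 = """
! LOCAL = 192.168.100.0/24. REMOTE = 10.13.0.0/16
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.13.0.0 0.0.255.255
"""
ENTRIES = parse_acl(ACL_101)

if __name__ == "__main__":
    # The post's ping is sourced from Gi0/1 (192.168.100.100): matched, hence encrypted.
    print(is_interesting("192.168.100.100", "10.13.113.11", ENTRIES))
    # Sourced from the external interface it misses the ACL and is forwarded unencrypted.
    print(is_interesting("192.0.2.2", "10.13.113.11", ENTRIES))
```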
Verify IPSEC SAs are up:
Router# show crypto ipsec sa peer 203.0.113.161
interface: GigabitEthernet0/0
Crypto map tag: CRYPTO_MAP, local addr 192.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
current_peer 203.0.113.161 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
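The peer port and the packet counters in that output are what tell you the tunnel is really working. As an added example, not from the post, this Python snippet parses the SA block above and flags the usual failure modes (no NAT-T although the router is behind NAT, selectors that do not match the crypto ACL, one-way traffic); the same check applies to the IKEv2 tunnel at the end of the post.

```python
import re

# Sample 'show crypto ipsec sa' block, copied from the output quoted in the post.
SAMPLE_SA = """\
interface: GigabitEthernet0/0
Crypto map tag: CRYPTO_MAP, local addr 192.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
current_peer 203.0.113.161 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

def parse_ipsec_sa(text):
    """Extract peer/port, traffic selectors and packet counters from one SA block."""
    sa = {}
    m = re.search(r"current_peer (\S+) port (\d+)", text)
    sa["peer"], sa["port"] = m.group(1), int(m.group(2))
    for side in ("local", "remote"):
        m = re.search(rf"{side} ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
        sa[side + "_ident"] = m.group(1) + "/" + m.group(2)
    for counter in ("encaps", "decaps"):
        sa[counter] = int(re.search(rf"#pkts {counter}: (\d+)", text).group(1))
    return sa

def assess(sa, expected_local, expected_remote, behind_nat=True):
    """Return a list of problems; an empty list means the SA looks healthy."""
    problems = []
    # Peer port 4500 shows NAT-T was negotiated; 500 means plain ESP, which a NAT may drop.
    if behind_nat and sa["port"] != 4500:
        problems.append(f"peer port {sa['port']}: NAT-T not in use although router is behind NAT")
    # The SA selectors must be exactly the networks from the crypto ACL.
    if (sa["local_ident"], sa["remote_ident"]) != (expected_local, expected_remote):
        problems.append("SA selectors do not match the crypto ACL")
    # encaps counts what we sent, decaps what arrived: both should move after a ping.
    if sa["encaps"] and not sa["decaps"]:
        problems.append("one-way: encrypting but nothing received from the peer")
    if sa["decaps"] and not sa["encaps"]:
        problems.append("one-way: receiving but nothing sent to the peer")
    return problems

def check_sample():
    """Run the checks against the post's output with the post's ACL 101 networks."""
    sa = parse_ipsec_sa(SAMPLE_SA)
    return assess(sa, "192.168.100.0/255.255.255.0", "10.13.0.0/255.255.0.0")
```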
IKEv2
I always start IKEv2 configuration with some global settings:
crypto ikev2 nat keepalive 900
crypto ikev2 dpd 30 2 on-demand
crypto logging ikev2
As with route-based VPN, configure an IKEv2 proposal and policy. Here’s a broad one that should match anything reasonable:
crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha512 sha384 sha256 sha1
group 21 20 19 16 14 2
!
crypto ikev2 policy IKEV2_POLICY
match fvrf any
proposal IKEV2_PROPOSAL
!
Create a keyring entry for the other side specifying their public IP, then an IKEv2 profile. If the other side expects to see your public IP address, configure it with the identity local address option. The match identity remote address must match their IKEv2 remote ID. This will usually be their public IP, but may need to be their private IP if they are also behind NAT and not overriding their local identity.
crypto ikev2 keyring IKEV2_KEYRING
peer TEST1
address 203.0.113.161
pre-shared-key MySecretKey1234
!
crypto ikev2 profile IKEV2_PROFILE
match address local interface GigabitEthernet0/0
match identity remote address 203.0.113.161 ! Other side's remote ID
identity local address 198.51.100.78 ! My public IP
authentication local pre-share
authentication remote pre-share
keyring local IKEV2_KEYRING
dpd 60 5 on-demand ! override global DPD setting, if desired
!
The crypto map is the same as for IKEv1 (see above), just with the IKEv2 profile specified:
crypto map CRYPTO_MAP 1 ipsec-isakmp
set ikev2-profile IKEV2_PROFILE
!
Finally, apply the crypto map to the external interface. The IKEv2 SA should pop up within a few seconds.
*Feb 26 22:07:41 PST: %IKEV2-5-SA_UP: SA UP
Verify details of the IKEv2 SA:
Router# show crypto ikev2 sa remote 203.0.113.161 detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 192.0.2.2/4500 203.0.113.161/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/115 sec
CE id: 1007, Session-id: 4
Status Description: Negotiation done
Local spi: 55543FD20BD46FA2 Remote spi: 03B6B07E9090FCF2
Local id: 192.0.2.2
Remote id: 10.113.13.2
Local req msg id: 0 Remote req msg id: 14
Local next msg id: 0 Remote next msg id: 14
Local req queued: 0 Remote req queued: 14
Local window: 5 Remote window: 1
DPD configured for 10 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPv6 Crypto IKEv2 SA
As with IKEv1, the final step is to verify the IPSEC SA.