Friday, January 2, 2015

FlexVPN - client and server

It’s time to test IKEv2. Cisco introduced the new IKE version 2 together with new configuration “standard” - FlexVPN. The idea was to have one unified way of configuration for all VPN types like site-to-site, client server, DMVPN (GET VPN is still in development phase).

You should remember the IKEv1 and IKEv2 are not compatible and devices with different IKE versions can’t establish a secure connection. More information about IKEv2 and the FlexiVPN you can find here:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book.html

In today’s lab I would like to configure client-server VPN. Let’s start from parts which are common for the client and the server:

1) ikev2 proposal

Like with IKEv1 you need to specify parameters for the phase 1. You can use default ones or you can define your own:
 
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha512
 group 5

2) ikev2 policy

You can’t create the policy directly. First you need to specify the proposal and then your proposal is matched with your policy:
 
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3) keyring

For pre-share key authentication you have to define the keyring. There is a new functionality and you can define different keys for local and remote peer:
 
crypto ikev2 keyring KEYRING
 peer R2
  identity address 0.0.0.0
  pre-shared-key local cisco123
  pre-shared-key remote cisco123

4) aaa
 
aaa authorization network AUTH-LIST local

next the phase 2 part:

5) ipsec transform set and profile
 
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile IKEV2-PROFILE

Now it’s time to finish the client configuration:

6) authorization policy (client)

Under the authorization policy you have to define how the peer will send or learn its peer route. In below example the client will accept any route and it will send its interface IP to the server. The new routes will be reachable over the tunnel interface:
 
crypto ikev2 authorization policy default
 route set interface
 route accept any

7) ikev2 profile (client)
 
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING123
 aaa authorization group psk list AUTH-LIST default

8) crypto ikev2 client (client)

In the ikev2 client configuration you can specify more peers (server in my case) but in tunnel interface configuration your ‘tunnel destination’ should be 'dynamic’. You need to also specify which tunnel interface should be used for this particular connection:
 
crypto ikev2 client flexvpn FLEXVPN-CLIENT
  peer 1 8.8.8.2
  client connect Tunnel0
  connect auto

There are different methods of enabling the VPN. In my case I chose 'auto’:
 
r6(config-ikev2-flexvpn)#connect ?
  auto    Enable FlexVPN in Automatic mode
  manual  Enable FlexVPN in Manual mode
  track   connect track object

r6(config-ikev2-flexvpn)#

9) interface (client)

If you want to learn an IP for the client tunnel interface from your server (pool) your 'ip address’ should be 'negotiated’:
 
interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile IPSEC-PROFILE

Now I finish the server side:

6) authorization policy + acl + pool (server)

On the server side, under the authorization policy, you need to specify two things: local pool (if your client needs to receive IP from the server), access-list with subnet you want to send to your client.
 
ip access-list standard ACL
 permit 22.22.22.0 0.0.0.255
!
ip local pool MY-POOL 3.3.3.1 3.3.3.10
!
crypto ikev2 authorization policy default
 pool MY-POOL
 route set access-list ACL
!

7) ikev2 profile (server)

On the server side you need to add a virtual template (one difference between client and server):
 
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING123
 aaa authorization group psk list AUTH-LIST default
 virtual-template 1

8) interface (server)
 
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE

Once the configuration is completed I can check if everything works fine. On the client I check the
connection status:
 
r6#sh crypto ikev2 client flexvpn

  Profile : FLEXVPN-CLIENT
  Current state:ACTIVE
  Peer : 8.8.8.2
  Source : FastEthernet0/0
  ivrf : IP DEFAULT
  fvrf : IP DEFAULT
  Backup group: Default
  Tunnel interface : Tunnel0
r6#

The phase one on the client:
 
r6#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         7.7.7.2/500           8.8.8.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4 sec

 IPv6 Crypto IKEv2  SA

r6#
r6#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         7.7.7.2/500           8.8.8.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/31 sec
      CE id: 1029, Session-id: 25
      Status Description: Negotiation done
      Local spi: E0341D22812D9F47       Remote spi: 0B1273E12470126E
      Local id: 7.7.7.2
      Remote id: 8.8.8.2
      Local req msg id:  3              Remote req msg id:  0
      Local next msg id: 3              Remote next msg id: 0
      Local req queued:  3              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 3.3.3.9
      Remote subnets:
      22.22.22.0 255.255.255.0

 IPv6 Crypto IKEv2  SA

r6#

Then the phase two:
 
r6#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 7.7.7.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 8.8.8.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 7.7.7.2, remote crypto endpt.: 8.8.8.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCFF2C04F(3488792655)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6E4689A8(1850116520)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 64, flow_id: 64, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4274446/3483)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCFF2C04F(3488792655)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 63, flow_id: 63, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4274446/3483)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
r6#

and then 'detailed’ version:
 
r6#sh crypto ipsec sa detail

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 7.7.7.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 8.8.8.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 7.7.7.2, remote crypto endpt.: 8.8.8.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCFF2C04F(3488792655)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6E4689A8(1850116520)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 64, flow_id: 64, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4274446/3450)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCFF2C04F(3488792655)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 63, flow_id: 63, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4274446/3450)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
r6#
I check also the crypto session:
r6#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:03:30
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 8.8.8.2
      Desc: (none)
  IKEv2 SA: local 7.7.7.2/500 remote 8.8.8.2/500 Active
          Capabilities:(none) connid:1 lifetime:23:56:30
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4274446/3390
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4274446/3390

r6#
And the same on the server:
r5#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         8.8.8.2/500           7.7.7.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/378 sec

 IPv6 Crypto IKEv2  SA

r5#
r5#
r5#
r5#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         8.8.8.2/500           7.7.7.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/383 sec
      CE id: 1028, Session-id: 28
      Status Description: Negotiation done
      Local spi: 0B1273E12470126E       Remote spi: E0341D22812D9F47
      Local id: 8.8.8.2
      Remote id: 7.7.7.2
      Local req msg id:  0              Remote req msg id:  3
      Local next msg id: 0              Remote next msg id: 3
      Local req queued:  0              Remote req queued:  3
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Assigned host addr: 3.3.3.9
      Initiator of SA : No
      Remote subnets:
      3.3.3.9 255.255.255.255

 IPv6 Crypto IKEv2  SA

r5#
r5#sh crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 8.8.8.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 7.7.7.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 8.8.8.2, remote crypto endpt.: 7.7.7.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6E4689A8(1850116520)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCFF2C04F(3488792655)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 65, flow_id: 65, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4330399/3210)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E4689A8(1850116520)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 66, flow_id: 66, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4330399/3210)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
r5#
r5#
r5#sh crypto ipsec sa detail

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 8.8.8.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 7.7.7.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 8.8.8.2, remote crypto endpt.: 7.7.7.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6E4689A8(1850116520)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCFF2C04F(3488792655)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 65, flow_id: 65, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4330399/3205)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E4689A8(1850116520)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 66, flow_id: 66, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4330399/3205)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
r5#
r5#sh crypto session
Crypto session current status

Interface: Virtual-Access1
Session status: UP-ACTIVE
Peer: 7.7.7.2 port 500
  IKEv2 SA: local 8.8.8.2/500 remote 7.7.7.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

r5#sh crypto session  d
r5#sh crypto session  detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access1
Uptime: 00:06:47
Session status: UP-ACTIVE
Peer: 7.7.7.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 7.7.7.2
      Desc: (none)
  IKEv2 SA: local 8.8.8.2/500 remote 7.7.7.2/500 Active
          Capabilities:(none) connid:1 lifetime:23:53:13
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4330399/3193
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4330399/3193

r5#

I check now if peers learned their peer IP:
 
r6#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.11 is directly connected, Loopback0
      22.0.0.0/24 is subnetted, 1 subnets
S        22.22.22.0 is directly connected, Tunnel0
r6#

As you see on the client we see static route of the server loopback interface (22.22.22.22).
 
r5#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
S        3.3.3.9 is directly connected, Virtual-Access1
      7.0.0.0/24 is subnetted, 1 subnets
S        7.7.7.0 [1/0] via 8.8.8.1
      8.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        8.8.8.0/24 is directly connected, FastEthernet0/0
L        8.8.8.2/32 is directly connected, FastEthernet0/0
      22.0.0.0/32 is subnetted, 1 subnets
C        22.22.22.22 is directly connected, Loopback0
r5#

On the server side we see the client tunnel interface IP assigned by the server (3.3.3.9).
Let’s test the connectivity between the client and the server:
 
r6#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/92 ms
r6#


r6#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:04:29
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 8.8.8.2
      Desc: (none)
  IKEv2 SA: local 7.7.7.2/500 remote 8.8.8.2/500 Active
          Capabilities:(none) connid:1 lifetime:23:55:31
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4304981/3330
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4304981/3330

r6#

No comments:

Post a Comment