Today I would like to test a new version of s-2-s VPN - ikev2. This
is improved and more secure version of ikev1. I will configure the
tunnel working on the below case scenario:
Let’s start to define an ACL to match interesting traffic:
Now I configure ikev2 proposals on R1:
and then policy:
On ASA I configure the policy:
and enable it on the outside interface:
Now on R1 I add key for ISAKMP:
and ikev2 profile:
and on ASA1 tunnel group:
Ok, the first part is completed. Let’s start with transform set on asa1:
and r1:
Last step is to add crypto map and then apply on the interface:
Ok, we are ready to test the tunnel. Let’s ping R2 (20.0.0.1) from R1 (from loopback interface):
Let’s check the ASA tunnel:
and then r1:
Ok, the tunnel is working fine, the traffic is passing through as we see by checking packets encapsulated and decapsulated:
In case we need to troubleshoot on the router we have new commands:
and depends on the problem we can set different level of debug.
On the ASA the command for ikev2 is different:
In one of my next posts, instead of pre-share-key, I will configure the tunnel using certificates.
Full configurations:
I found one missing parameter on ASA1:
crypto ikev2 policy 10
prf md5
The default one doesn’t work. More details in my next post.
|<-VPN->|
/----\ ----- /----\
Loop0 ---- | R1 |-------| ASA1 |------Gig0/0-| R2 |
11.11.11.11 \----/ ----- 20.0.0.1 \----/
Let’s start to define an ACL to match interesting traffic:
R1(config)#access-list 101 permit ip host 11.11.11.11 host 20.0.0.1
asa1(config)# access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
Now I configure ikev2 proposals on R1:
R1(config)#crypto ikev2 proposal IKEV2-PROPOSAL
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#group 5
R1(config-ikev2-proposal)#integrity md5
R1(config-ikev2-proposal)#exit
and then policy:
R1(config)#crypto ikev2 policy IKEV2-POLICY
R1(config-ikev2-policy)#proposal IKEV2-PROPOSAL
R1(config-ikev2-policy)#exit
On ASA I configure the policy:
asa1(config)# crypto ikev2 policy 10
asa1(config-ikev2-policy)# group 5
asa1(config-ikev2-policy)# integrity md5
asa1(config-ikev2-policy)# encryption 3des
asa1(config-ikev2-policy)# exit
and enable it on the outside interface:
asa1(config)# crypto ikev2 enable outside
Now on R1 I add key for ISAKMP:
R1(config)#crypto ikev2 keyring KEYRING
R1(config-ikev2-keyring)#peer 10.0.0.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco123
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco123
R1(config-ikev2-keyring-peer)#address 10.0.0.2
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#
and ikev2 profile:
R1(config)#crypto ikev2 profile IKEV2-PROFILE
R1(config-ikev2-profile)#match identity remote address 10.0.0.2
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#keyring local KEYRING
or (depends on your IOS version)
R1(config-ikev2-profile)#keyring KEYRING
and on ASA1 tunnel group:
asa1(config)# tunnel-group 10.0.0.1 type ipsec-l2l
asa1(config)# tunnel-group 10.0.0.1 ipsec-attributes
asa1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 0 cisco123
INFO: You must configure ikev2 remote-authentication pre-shared-key
and/or certificate to complete authentication.
asa1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 0 cisco123
asa1(config-tunnel-ipsec)# exit
asa1(config)#
Ok, the first part is completed. Let’s start with transform set on asa1:
asa1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
asa1(config-ipsec-proposal)# protocol esp integrity md5
asa1(config-ipsec-proposal)# protocol esp encryption 3des
asa1(config-ipsec-proposal)# exit
asa1(config)#
and r1:
R1(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
Last step is to add crypto map and then apply on the interface:
R1(config)#crypto map MAPA 10 ipsec-isakmp
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 10.0.0.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
R1(config-crypto-map)#exit
R1(config)#
R1(config)#int gig0/0
R1(config-if)#crypto map MAPA
R1(config-if)#
*May 3 16:08:12.759: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
asa1(config)# crypto map MAPA 10 match address VPN
asa1(config)# crypto map MAPA 10 set peer 10.0.0.1
asa1(config)# crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
asa1(config)# crypto map MAPA interface outside
asa1(config)#
Ok, we are ready to test the tunnel. Let’s ping R2 (20.0.0.1) from R1 (from loopback interface):
R1#ping 20.0.0.1 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#
Let’s check the ASA tunnel:
asa1# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
418992871 10.0.0.2/500 10.0.0.1/500 READY RESPONDER
Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/795 sec
Child sa: local selector 20.0.0.1/0 - 20.0.0.1/65535
remote selector 11.11.11.11/0 - 11.11.11.11/65535
ESP spi in/out: 0xefc2b8b/0x4098633c
asa1#
asa1#
asa1#
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
current_peer: 10.0.0.1
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4098633C
current inbound spi : 0EFC2B8B
inbound esp sas:
spi: 0x0EFC2B8B (251407243)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200704, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4101119/27991)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0x4098633C (1083728700)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200704, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4331519/27991)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
and then r1:
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 none/none READY
Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/946 sec
IPv6 Crypto IKEv2 SA
R1#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MAPA, local addr 10.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xEFC2B8B(251407243)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4098633C(1083728700)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: MAPA
sa timing: remaining key lifetime (k/sec): (4325061/2483)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEFC2B8B(251407243)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: MAPA
sa timing: remaining key lifetime (k/sec): (4325061/2483)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
Ok, the tunnel is working fine, the traffic is passing through as we see by checking packets encapsulated and decapsulated:
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
In case we need to troubleshoot on the router we have new commands:
R1#debug crypto ikev2 ?
client Client
detail debug level 5 - all other details, including state transition
error debug level 1 - debug messages signalling an error
event debug level 3 - description of packet, contents and policy matching
packet debug level 4 - packet dump debugging
terse debug level 2 - message exchange debugs
<cr>
R1#debug crypto ikev2
and depends on the problem we can set different level of debug.
On the ASA the command for ikev2 is different:
asa1# debug crypto ikev2 ?
ha debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers debug the ikev2 timers
asa1# debug crypto ikev2 pr
asa1# debug crypto ikev2 protocol ?
<1-255> Specify an optional debug level (default is 1)
<cr>
asa1# debug crypto ikev2 protocol 127
In one of my next posts, instead of pre-share-key, I will configure the tunnel using certificates.
Full configurations:
--
ASA1:
--
hostname asa1
!
interface Eth0/0
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
no sh
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 20.0.0.2 255.255.255.0
no sh
!
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
!
route outside 11.11.11.11 255.255.255.255 10.0.0.1 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
protocol esp integrity md5
protocol esp encryption 3des
!
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 10.0.0.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA interface outside
!
crypto ikev2 policy 10
encryption 3des
integrity md5
group 5
!
crypto ikev2 enable outside
!
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco123
ikev2 local-authentication pre-shared-key cisco123
!
--
R1:
--
hostname R1
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring KEYRING
peer 10.0.0.2
address 10.0.0.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 10.0.0.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map MAPA 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set TS
set ikev2-profile IKEV2-PROFILE
match address 101
!
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
crypto map MAPA
no sh
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 101 permit ip host 11.11.11.11 host 20.0.0.1
!
--
!!!! ATTENTION !!!!I found one missing parameter on ASA1:
crypto ikev2 policy 10
prf md5
The default one doesn’t work. More details in my next post.
Comments
Post a Comment