How to configure Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication (2024)

If you are new to the basic concepts of VPN (Virtual Private Network) and IPSec, please go through the following lessons before continuing.

What is VPN (Virtual Private Network)

What is IPSec and Why we need IPSec

Important Technical Terms Related with IPSec

What are the terms Encryption, Decryption, Clear-Text and Cipher-Text

What are the terms Symmetric Encryption and Asymmetric Encryption

Important Symmetric and Asymmetric Encryption Algorithms

What are Hash values? Important Hash value Algorithms

How Hash Values can be used to determine Integrity of Data

What is HMAC (Hashed Message Authentication Code)

What is Diffie-Hellman Key Exchange

What is Diffie-Hellman Group

Main Components of IPSec - IKE, ESP and AH

IPSec VPN Modes - Tunnel Mode and Transport Mode

Security Association and Security Parameter Index

IKEv1 Main Mode, Aggressive Mode and Quick mode Message Exchanges

What is Perfect Forward Secrecy (PFS)

IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges

What is NAT-Traversal (Network Address Translation - Traversal)

Site-to-Site IKEv2 IPSec VPN Configuration - Lab Topology


Before proceeding, make sure that the IP addresses of all your network devices are configured correctly, that routing is configured correctly, and that you can reach every device by pinging its IP address.

Step 1: Configure Host name and Domain name in IPSec peer Routers

• To configure Hostname on OmniSecuR1 use the following commands.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname OmniSecuR1
OmniSecuR1(config)#exit
OmniSecuR1#

• To configure Domain name on OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OmniSecuR1(config)#ip domain-name omnisecu.com
OmniSecuR1(config)#exit
OmniSecuR1#

• To configure Hostname on OmniSecuR2 use the following commands.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname OmniSecuR2
OmniSecuR2(config)#exit
OmniSecuR2#

• To configure Domain name on OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OmniSecuR2(config)#ip domain-name omnisecu.com
OmniSecuR2(config)#exit

The following are the main components used to build a Site-to-Site IKEv2 IPSec VPN.

• IKEv2 Proposal
• IKEv2 Policy
• IKEv2 Profile
• IKEv2 Keyring
• Crypto Map

Step 2: Define IKEv2 Keyring

An IKEv2 keyring holds the pre-shared keys that an IKEv2 profile references. Authentication is performed with the pre-shared key defined for the peer inside the keyring, so the same key must be configured on both routers.

• To define an IKEv2 Keyring in OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 keyring KR-1
OmniSecuR1(config-ikev2-keyring)#peer SITE-2
OmniSecuR1(config-ikev2-keyring-peer)#address 192.168.0.2
OmniSecuR1(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom
OmniSecuR1(config-ikev2-keyring-peer)#exit
OmniSecuR1(config-ikev2-keyring)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To define an IKEv2 Keyring in OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 keyring KR-1
OmniSecuR2(config-ikev2-keyring)#peer SITE-1
OmniSecuR2(config-ikev2-keyring-peer)#address 192.168.0.1
OmniSecuR2(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom
OmniSecuR2(config-ikev2-keyring-peer)#exit
OmniSecuR2(config-ikev2-keyring)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 3: Define IKEv2 Proposal

An IKEv2 proposal consists of the transforms used to negotiate the IKE SA in the IKE_SA_INIT exchange. The following parameters are defined:

• Encryption Algorithm
• Integrity Algorithm
• Pseudo-Random Function (PRF) algorithm
• Diffie-Hellman (DH) Group

The commands below do not set the PRF explicitly; on Cisco IOS, when no prf is configured the integrity algorithm (here SHA-512) is used as the PRF.

• To define an IKEv2 Proposal in OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 proposal PROP-SITE2
OmniSecuR1(config-ikev2-proposal)#encryption aes-cbc-256
OmniSecuR1(config-ikev2-proposal)#integrity sha512
OmniSecuR1(config-ikev2-proposal)#group 24
OmniSecuR1(config-ikev2-proposal)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To define an IKEv2 Proposal in OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 proposal PROP-SITE1
OmniSecuR2(config-ikev2-proposal)#encryption aes-cbc-256
OmniSecuR2(config-ikev2-proposal)#integrity sha512
OmniSecuR2(config-ikev2-proposal)#group 24
OmniSecuR2(config-ikev2-proposal)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 4: Define IKEv2 Policies

An IKEv2 Policy references one or more IKEv2 Proposals (defined in the step above), which are used to negotiate the Encryption Algorithm, Integrity Algorithm, PRF Algorithm and Diffie-Hellman (DH) Group in the IKE_SA_INIT exchange.

• To define an IKEv2 Policy in OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 policy POL-SITE2
OmniSecuR1(config-ikev2-policy)#proposal PROP-SITE2
OmniSecuR1(config-ikev2-policy)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To define an IKEv2 Policy in OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 policy POL-SITE1
OmniSecuR2(config-ikev2-policy)#proposal PROP-SITE1
OmniSecuR2(config-ikev2-policy)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 5: Define Crypto ACL to identify IPSec secured traffic

A Crypto ACL is an ordinary ACL written with the normal ACL syntax, using permit and deny statements. Unlike a normal ACL, a Crypto ACL does not permit or deny traffic: a permit statement identifies the traffic that is to be protected by IPSec, and a deny statement identifies the traffic that does not need protection. Here we are using "named extended access lists".

New to Access Control Lists (ACLs)? Refer to the lessons below if needed.

Introduction to Access Control Lists (ACL)

Standard Access Control Lists (ACLs)

Where should a Standard Access Control List (ACL) be placed

Access Control List (ACL) - Wildcard Masks

How to create and configure Standard Access Control Lists (ACLs)

Extended Access Control Lists (ACLs)

Where should an Extended Access Control List (ACL) be placed

Extended Access Control List (ACL) - Operators

Extended Access Control List (ACL) - TCP and UDP port numbers and names

Extended Access Control List (ACL)- established Keyword

How to create and configure Extended Access Control Lists (ACLs)

How to create and configure Access Control Lists (ACLs) for vty lines (telnet and ssh)

Named Access Control Lists (ACLs)

How to create and configure Standard Named Access Control Lists (ACLs)

How to create and configure Extended Named Access Control List (ACL)

How to edit a Named Access Control List (ACL) on router

• To configure a Crypto ACL in OmniSecuR1 (to identify the traffic to OmniSecuR2), use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ip access-list extended SITE1-SITE2-CACL
OmniSecuR1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
OmniSecuR1(config-ext-nacl)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To configure a Crypto ACL in OmniSecuR2 (to identify the traffic to OmniSecuR1), use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#ip access-list extended SITE2-SITE1-CACL
OmniSecuR2(config-ext-nacl)#permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
OmniSecuR2(config-ext-nacl)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 6: Define Transform Sets

A Transform Set defines how the data traffic between the IPSec peers is protected in the Child SA (the IPSec tunnel). Note that esp-aes without a key size selects 128-bit AES for the data channel; use esp-aes 256 if you want it to match the 256-bit key negotiated for the IKE SA in Step 3.

• To configure a Transform Set in OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ipsec transform-set SITE2-TS esp-aes esp-sha512-hmac
OmniSecuR1(cfg-crypto-trans)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To configure a Transform Set in OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ipsec transform-set SITE1-TS esp-aes esp-sha512-hmac
OmniSecuR2(cfg-crypto-trans)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 7: Define IKEv2 Profiles

IKEv2 Profiles are similar to IKEv1 ISAKMP Profiles. A profile specifies how the remote peer is identified (here by its WAN address), how each side authenticates (here pre-shared keys in both directions) and which keyring supplies those keys.

• To configure an IKEv2 Profile in OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 profile SITE2-PROFILE
OmniSecuR1(config-ikev2-profile)#match identity remote address 192.168.0.2 255.255.255.255
OmniSecuR1(config-ikev2-profile)#authentication local pre-share
OmniSecuR1(config-ikev2-profile)#authentication remote pre-share
OmniSecuR1(config-ikev2-profile)#keyring local KR-1
OmniSecuR1(config-ikev2-profile)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To configure an IKEv2 Profile in OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 profile SITE1-PROFILE
OmniSecuR2(config-ikev2-profile)#match identity remote address 192.168.0.1 255.255.255.255
OmniSecuR2(config-ikev2-profile)#authentication local pre-share
OmniSecuR2(config-ikev2-profile)#authentication remote pre-share
OmniSecuR2(config-ikev2-profile)#keyring local KR-1
OmniSecuR2(config-ikev2-profile)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 8: Define Crypto Maps

Crypto Maps connect all the pieces of the IPSec configuration together. A Crypto Map consists of one or more entries, each of which ties together the Crypto ACL, the Transform Set, the remote peer, the IKEv2 profile, the lifetime of the data connections, and so on.

• To define a Crypto Map in OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto map CMAP-SITE2 10 ipsec-isakmp
OmniSecuR1(config-crypto-map)#set peer 192.168.0.2
OmniSecuR1(config-crypto-map)#set pfs group24
OmniSecuR1(config-crypto-map)#set security-association lifetime seconds 3600
OmniSecuR1(config-crypto-map)#set transform-set SITE2-TS
OmniSecuR1(config-crypto-map)#set ikev2-profile SITE2-PROFILE
OmniSecuR1(config-crypto-map)#match address SITE1-SITE2-CACL
OmniSecuR1(config-crypto-map)#exit
OmniSecuR1(config)#exit

• To define a Crypto Map in OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto map CMAP-SITE1 10 ipsec-isakmp
OmniSecuR2(config-crypto-map)#set peer 192.168.0.1
OmniSecuR2(config-crypto-map)#set pfs group24
OmniSecuR2(config-crypto-map)#set security-association lifetime seconds 3600
OmniSecuR2(config-crypto-map)#set transform-set SITE1-TS
OmniSecuR2(config-crypto-map)#set ikev2-profile SITE1-PROFILE
OmniSecuR2(config-crypto-map)#match address SITE2-SITE1-CACL
OmniSecuR2(config-crypto-map)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 9: Activate Crypto Maps by applying the Crypto Map to Router's Interface

• To apply the Crypto Map to the WAN interface of OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface gi0/0
OmniSecuR1(config-if)#crypto map CMAP-SITE2
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

• To apply the Crypto Map to the WAN interface of OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#interface gi0/0
OmniSecuR2(config-if)#crypto map CMAP-SITE1
OmniSecuR2(config-if)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

After configuring, send IP traffic from a device inside the Site-1 network to a device in the Site-2 network. The IKEv2 SA and the IPSec (Child SA) tunnel are built as soon as either router sees interesting traffic, that is, traffic matched by a permit statement in its Crypto ACL.
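Most site-to-site failures come from the two routers disagreeing on something that must match: the IKEv2 proposal transforms, the pre-shared key, the keyring peer address, or the Crypto ACLs not being mirror images of each other. The following added example (not part of the original lesson) parses constructed running-config excerpts built from the commands above and reports such mismatches before the tunnel is brought up; the config strings and the check_pair helper are assumptions of this example, not Cisco IOS features.

```python
import re

# Constructed running-config excerpts built from the lesson's commands
# (not captured from a real device); WAN addresses are the lab's 192.168.0.x.
R1_CFG = """crypto ikev2 proposal PROP-SITE2
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 keyring KR-1
 peer SITE-2
  address 192.168.0.2
  pre-shared-key OmniSecuDotCom
ip access-list extended SITE1-SITE2-CACL
 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255"""

R2_CFG = """crypto ikev2 proposal PROP-SITE1
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 keyring KR-1
 peer SITE-1
  address 192.168.0.1
  pre-shared-key OmniSecuDotCom
ip access-list extended SITE2-SITE1-CACL
 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255"""

def parse(cfg):
    """Extract the fields of one router that must agree with its peer."""
    first = lambda pat: re.search(pat, cfg, re.M).group(1)
    return {
        "ike": (first(r"^ encryption (\S+)"), first(r"^ integrity (\S+)"), first(r"^ group (\S+)")),
        "peer": first(r"^  address (\S+)"),
        "psk": first(r"^  pre-shared-key (\S+)"),
        # crypto ACL as (source, destination) "network wildcard" pairs
        "acl": re.search(r"^ permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M).groups(),
    }

def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    """Return the mismatches between two peers; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["ike"] != b["ike"]:
        problems.append("IKEv2 proposal transforms differ (IKE_SA_INIT will fail)")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ (IKE_AUTH will fail)")
    if a["peer"] != wan_b or b["peer"] != wan_a:
        problems.append("keyring peer address is not the other router's WAN address")
    if a["acl"] != (b["acl"][1], b["acl"][0]):  # source/destination must be swapped
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

Running check_pair(R1_CFG, "192.168.0.1", R2_CFG, "192.168.0.2") on the lesson's configuration returns an empty list; a typo in one pre-shared key or a non-mirrored ACL shows up as a named problem.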
