Setup Site-to-site IKEv2 IPsec VPN

Today I am going to set up a site-to-site IKEv2 IPsec VPN between Cisco routers. If you are looking for the ASA route-based VPN configuration, check out my other post 🙂

What is site-to-site VPN?

It is a VPN connection that securely connects two LANs over the internet. A site-to-site VPN extends a company’s network, making resources at one location available from another.

Diagram

Here is a diagram that I am going to use for this post.

IKEv2 configuration

Let’s start with the IKEv2 proposal. An IKEv2 proposal is a collection of parameters used in the negotiation of IKE SAs. The parameter types negotiated are:

  • Encryption algorithm
  • Integrity algorithm
  • Pseudo-Random Function algorithm (Optional)
  • Diffie-Hellman (DH) group

You must configure at least one encryption algorithm, one integrity algorithm, and one DH group. Here is an example configuration for the proposal.

R1(config)#crypto ikev2 proposal site1_to_site2
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity sha256
R1(config-ikev2-proposal)#group 14

Next up is the IKEv2 policy. An IKEv2 policy contains the proposals used to negotiate the encryption, integrity and PRF algorithms and the DH group. Specify your local WAN interface IP address with the match statement and reference the proposal created in the previous step.

R1(config)#crypto ikev2 policy site1_to_site2-policy
R1(config-ikev2-policy)#match address local 42.1.1.1
R1(config-ikev2-policy)#proposal site1_to_site2

An IKEv2 keyring is a repository of pre-shared keys. The keyring is attached to an IKEv2 profile, which is created in the next step. The peer and the address here identify the router on the other side (Site 2).

R1(config)#crypto ikev2 keyring site1_to_site2-keyring
R1(config-ikev2-keyring)#peer 52.1.1.1
R1(config-ikev2-keyring-peer)#address 52.1.1.1
R1(config-ikev2-keyring-peer)#pre-shared-key tayams2skey

An IKEv2 profile is a repository of the non-negotiable parameters of the IKE SA. An IKEv2 profile must be attached to either a crypto map or an IPsec profile on both the IKEv2 initiator and the responder.

R1(config)#crypto ikev2 profile site1_to_site2-profile
R1(config-ikev2-profile)#match address local 42.1.1.1
R1(config-ikev2-profile)#match identity remote address 52.1.1.1 255.255.255.255
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#keyring local site1_to_site2-keyring
R1(config-ikev2-profile)#lifetime 3600
R1(config-ikev2-profile)#dpd 10 5 on-demand

And this completes the IKEv2 configuration. The next step is the IPsec configuration.

IPsec configuration

Create a transform set. A transform set is the set of protocols and algorithms used to protect data in the IPsec tunnel.

R1(config)#crypto ipsec transform-set site1_to_site2-transformset esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)#mode tunnel

Create a crypto ACL that specifies which traffic is sent over the IPsec tunnel. This crypto ACL will be attached to the crypto map created in the next step.

R1(config)#ip access-list extended site1-site2-cacl
R1(config-ext-nacl)#permit ip 10.10.1.0 0.0.0.255 10.20.1.0 0.0.0.255

Create a crypto map. A crypto map binds together all the information configured in the previous steps.

R1(config)#crypto map cmap-site1 10 ipsec-isakmp
R1(config-crypto-map)#set peer 52.1.1.1
R1(config-crypto-map)#set transform-set site1_to_site2-transformset
R1(config-crypto-map)#set ikev2-profile site1_to_site2-profile
R1(config-crypto-map)#match address site1-site2-cacl
R1(config-crypto-map)#set security-association lifetime seconds 3600
R1(config-crypto-map)#set pfs group14

Apply the crypto map created in the previous step to the WAN interface.

R1(config)#interface GigabitEthernet0/0
R1(config-if)#crypto map cmap-site1

Configure a NAT exemption by adding a deny statement for the traffic that traverses the IPsec tunnel, so that it is not translated before the crypto map sees it.

R1(config)#access-list 100 deny ip 10.10.1.0 0.0.0.255 10.20.1.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.1.0 0.0.0.255 any
R1(config)#ip nat inside source list 100 interface GigabitEthernet0/0 overload
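The crypto ACL and the NAT exemption interact: on IOS, inside-to-outside NAT runs before the crypto map's ACL is checked, so without the deny statement a packet would reach the crypto map with the WAN address as its source and miss the crypto ACL. The following Python script is an added example, not code from the original post. It parses the Site 1 ACLs with IOS wildcard-mask semantics and evaluates sample flows against them; the flow addresses and the "broken" NAT ACL without the exemption are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    src_net: int
    src_wild: int  # IOS wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int

def _addr_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, wild, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines, with or without a leading 'access-list N'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src_net, src_wild, i = _addr_spec(tokens, 2)
        dst_net, dst_wild, _ = _addr_spec(tokens, i)
        entries.append(AclEntry(action, src_net, src_wild, dst_net, dst_wild))
    return entries

def _wild_match(addr, net, wild):
    """Only the bits where the wildcard is 0 must agree."""
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if _wild_match(s, e.src_net, e.src_wild) and _wild_match(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"

def outbound_on_wire(crypto_acl, nat_acl, src, dst, wan_ip):
    """Model the IOS inside-to-outside order for this design: NAT is applied before the
    crypto map ACL is checked, so a translated source is what the crypto ACL sees.
    Returns (source address on the wire, whether the packet goes through the tunnel)."""
    wire_src = wan_ip if evaluate(nat_acl, src, dst) == "permit" else src
    return wire_src, evaluate(crypto_acl, wire_src, dst) == "permit"

# Constructed inputs taken from the post's Site 1 ACLs; NAT_ACL_BROKEN omits the exemption.
CRYPTO_ACL = parse_acl("permit ip 10.10.1.0 0.0.0.255 10.20.1.0 0.0.0.255")
NAT_ACL = parse_acl("""
access-list 100 deny ip 10.10.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
""")
NAT_ACL_BROKEN = parse_acl("access-list 100 permit ip 10.10.1.0 0.0.0.255 any")
WAN_IP = "42.1.1.1"   # Site 1 WAN address from the post

if __name__ == "__main__":
    for nat in (NAT_ACL, NAT_ACL_BROKEN):
        for dst in ("10.20.1.2", "8.8.8.8"):
            print(outbound_on_wire(CRYPTO_ACL, nat, "10.10.1.5", dst, WAN_IP))
```

With the exemption in place a 10.10.1.x to 10.20.1.x packet keeps its source address and matches the crypto ACL; with the broken NAT ACL the same packet is translated to 42.1.1.1 and leaves the router in the clear. A source outside 10.10.1.0/24 matches neither ACL and is simply routed unencrypted, which is the usual symptom when a new LAN subnet is added without updating the crypto ACL.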

You might also want to adjust the MTU and MSS values on the WAN interface to avoid packet fragmentation.

! this is set on the WAN interface
R1(config)#interface GigabitEthernet0/0
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#mtu 1400
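The 1400/1360 values can be checked against the ESP overhead of the transform set used above. The Python script below is an added example, not part of the original post: it models tunnel-mode ESP with esp-aes 256 (CBC, 16-byte IV and block) and esp-sha256-hmac (16-byte ICV) as laid out in RFC 4303, and computes the largest inner packet that still fits a 1500-byte path MTU, with and without NAT-T UDP encapsulation. The header sizes are the standard ones; the 1500-byte path MTU is an assumption.

```python
OUTER_IPV4 = 20      # new outer IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
NAT_T_UDP = 8        # UDP/4500 header, present only when NAT traversal is detected

def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=16, nat_t=False):
    """Wire size of a tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes.
    Defaults model esp-aes 256 in CBC mode (16-byte IV, 16-byte block) with esp-sha256-hmac
    (HMAC-SHA-256-128, 16-byte ICV). RFC 4303 pads the inner packet plus the 2-byte trailer
    (pad length, next header) up to a multiple of the cipher block size."""
    unpadded = inner_len + 2
    padding = (-unpadded) % block
    size = OUTER_IPV4 + ESP_HEADER + iv_len + unpadded + padding + icv_len
    return size + NAT_T_UDP if nat_t else size

def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet whose ESP encapsulation still fits the path MTU."""
    n = path_mtu
    while esp_packet_size(n, **kw) > path_mtu:
        n -= 1
    return n

def tcp_mss_for_inner_mtu(inner_mtu, ip_hdr=20, tcp_hdr=20):
    """MSS to advertise so that a full TCP segment fits the inner MTU (ip tcp adjust-mss)."""
    return inner_mtu - ip_hdr - tcp_hdr

if __name__ == "__main__":
    print("1400-byte inner packet on the wire:", esp_packet_size(1400))   # 1468
    print("largest inner packet for a 1500 path:", max_inner_mtu())       # 1438
    print("same with NAT-T:", max_inner_mtu(nat_t=True))                  # 1422
    print("MSS for inner MTU 1400:", tcp_mss_for_inner_mtu(1400))         # 1360
```

A 1400-byte inner packet becomes 1468 bytes on the wire, so the post's values leave some headroom below 1500 even if NAT-T is negotiated, and MSS 1360 is exactly 1400 minus the 20-byte IP and 20-byte TCP headers. An AES-GCM transform set has a different IV and padding profile, so rerun the calculation with its parameters before reusing these numbers.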

Now put the mirror-image configuration on the router at the other site. Here is a sample configuration for Site 2.

crypto ikev2 proposal site2_to_site1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy site2_to_site1-policy
match address local 52.1.1.1
proposal site2_to_site1
!
crypto ikev2 keyring site2_to_site1-keyring
peer 42.1.1.1
address 42.1.1.1
pre-shared-key tayams2skey
!
!
!
crypto ikev2 profile site2_to_site1-profile
match address local 52.1.1.1
match identity remote address 42.1.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local site2_to_site1-keyring
lifetime 3600
dpd 10 5 on-demand
!
!
!
crypto ipsec transform-set site2_to_site1-transformset esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map cmap-site2 10 ipsec-isakmp
set peer 42.1.1.1
set transform-set site2_to_site1-transformset
set pfs group14
set ikev2-profile site2_to_site1-profile
match address site2-site1-cacl

interface GigabitEthernet0/0
ip tcp adjust-mss 1360
mtu 1400
crypto map cmap-site2

ip access-list extended site2-site1-cacl
permit ip 10.20.1.0 0.0.0.255 10.10.1.0 0.0.0.255

access-list 100 deny ip 10.20.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 10.20.1.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
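Because the two sides must be exact mirror images, a mistyped object name or an address that does not line up with the other side's peer is the most common reason such a tunnel never comes up. The Python script below is an added example, not code from the original post. It parses a reduced IOS-style config for each site, reports references to objects that were never defined (IOS matches these names exactly, case included), derives the Site 2 config from Site 1 by swapping addresses and names, and cross-checks the pair. The sample configs are constructed from the post's values; the reduced object subset and the capitalisation defect are assumptions for illustration.

```python
import re

# Section openers for the objects checked here (a constructed subset of IOS syntax).
SECTIONS = [
    ("proposal",      re.compile(r"^crypto ikev2 proposal (\S+)$")),
    ("keyring",       re.compile(r"^crypto ikev2 keyring (\S+)$")),
    ("profile",       re.compile(r"^crypto ikev2 profile (\S+)$")),
    ("transform-set", re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")),
    ("crypto-map",    re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp$")),
]
# (kind of the referring object, sub-command prefix, kind of the object it names)
REFERENCES = [
    ("profile",    "keyring local ",     "keyring"),
    ("crypto-map", "set transform-set ", "transform-set"),
    ("crypto-map", "set ikev2-profile ", "profile"),
]

def parse_config(text):
    """Return {kind: {name: [sub-command lines]}}; a transform-set's algorithms are its first line."""
    objs = {kind: {} for kind, _ in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        for kind, pat in SECTIONS:
            m = pat.match(line)
            if m:
                current = objs[kind].setdefault(m.group(1), [])
                if kind == "transform-set":
                    current.append(m.group(2))
                break
        else:
            if line.startswith(("access-list ", "ip nat ", "interface ")):
                current = None          # global lines and other sections close the open object
            elif current is not None:
                current.append(line)
    return objs

def _arg(lines, prefix, n=0):
    """n-th word after `prefix` in the first sub-line that starts with it, else None."""
    for line in lines:
        if line.startswith(prefix):
            words = line[len(prefix):].split()
            return words[n] if n < len(words) else None
    return None

def dangling_references(objs):
    """Objects naming something never defined; IOS matches these names exactly, case included."""
    out = []
    for kind, prefix, target in REFERENCES:
        for name, lines in objs[kind].items():
            ref = _arg(lines, prefix)
            if ref is not None and ref not in objs[target]:
                out.append(f"{kind} {name} references undefined {target} {ref}")
    return out

def mirror_problems(a, b):
    """Cross-check two sites: each side's local address must be the other side's keyring peer
    and profile remote identity; PSKs, IKEv2 proposals and transform sets must agree."""
    out = []
    for here, there, label in ((a, b, "site A"), (b, a, "site B")):
        local = {_arg(ls, "match address local ") for ls in here["profile"].values()}
        peers = {_arg(ls, "peer ") for ls in there["keyring"].values()}
        ident = {_arg(ls, "match identity remote address ") for ls in there["profile"].values()}
        if not (local == peers == ident):
            out.append(f"{label}: local {local} but remote peers with {peers} / identity {ident}")
    psk = lambda s: {_arg(ls, "pre-shared-key ") for ls in s["keyring"].values()}
    if psk(a) != psk(b):
        out.append("pre-shared keys differ")
    for kind in ("proposal", "transform-set"):
        if {tuple(sorted(ls)) for ls in a[kind].values()} != {tuple(sorted(ls)) for ls in b[kind].values()}:
            out.append(f"{kind} parameters differ")
    return out

def mirror(text, swaps):
    """Derive the other side's config by swapping each pair of tokens (constructed helper)."""
    for x, y in swaps:
        text = text.replace(x, "\0").replace(y, x).replace("\0", y)
    return text

# Constructed Site 1 config, reduced to the objects the checks look at.
SITE1 = """\
crypto ikev2 proposal site1_to_site2
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring site1_to_site2-keyring
 peer 52.1.1.1
  address 52.1.1.1
  pre-shared-key tayams2skey
crypto ikev2 profile site1_to_site2-profile
 match address local 42.1.1.1
 match identity remote address 52.1.1.1 255.255.255.255
 keyring local site1_to_site2-keyring
crypto ipsec transform-set site1_to_site2-transformset esp-aes 256 esp-sha256-hmac
crypto map cmap-site1 10 ipsec-isakmp
 set transform-set site1_to_site2-transformset
 set ikev2-profile site1_to_site2-profile
"""
SITE2 = mirror(SITE1, [("42.1.1.1", "52.1.1.1"), ("site1_to_site2", "site2_to_site1"),
                       ("cmap-site1", "cmap-site2")])
# Constructed defect: the transform set is referenced with different capitalisation.
SITE1_TYPO = SITE1.replace("set transform-set site1_to_site2-transformset",
                           "set transform-set site1_to_site2-transformSet")
```

Running `dangling_references(parse_config(SITE1_TYPO))` flags the crypto map's reference to the mis-capitalised transform set, while `mirror_problems(parse_config(SITE1), parse_config(SITE2))` returns an empty list for a correct pair and two entries if the same config is accidentally pasted on both routers. Feeding the real `show running-config` output of both routers through the same checks is a quick first step before reaching for `debug crypto ikev2`.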

At this point the networks 10.10.1.0/24 and 10.20.1.0/24 should be able to communicate with each other. Let’s send ICMP packets to 10.20.1.2.

As you can see, these ICMP packets are successfully encapsulated and reach the other side of the network.