How to configure Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication
If you are new to the basic concepts of VPN (Virtual Private Network) and IPSec, please learn following lessons before continuing.
What is VPN (Virtual Private Network)
What is IPSec and Why we need IPSec
Important Technical Terms Related with IPSec
What are the terms Encryption, Decryption, Clear-Text and Cipher-Text
What are the terms Symmetric Encryption and Assymetric Encryption
Important Symmetric and Assymmetric Encryption Algorithms
What are Hash values? Important Hash value Algorithms
How Hash Values can be used to determine Integrity of Data
What is HMAC (Hashed Message Authentication Code)
What is Diffie-Hellman Key Exchange
Main Components of IPSec - IKE, ESP and AH
IPSec VPN Modes - Tunnel Mode and Transport Mode
Security Association and Security Parameter Index
IKEv1 Main Mode, Aggressive Mode and Quick mode Message Exchanges
What is Perfect Forward Secrecy (PFS)
IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges
What is NAT-Traversal (Network Address Translation - Traversal)
Site-to-Site IKEv2 IPSec VPN Configuration - Lab Topology
Before proceeding, make sure that all the IP Addresses of your network devices are configured correctly. Make sure that routing is configured correctly. Make sure you can reach all the devices by pinging all IP Addresses.
Step 1: Configure Host name and Domain name in IPSec peer Routers
• To configure Hostname on OmniSecuR1 use the following commands.
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#hostname OmniSecuR1 OmniSecuR1(config)#exit OmniSecuR1#
• To configure Domain name on OmniSecuR1, use the following commands.
OmniSecuR1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. OmniSecuR1(config)#ip domain-name omnisecu.com OmniSecuR1(config)#exit OmniSecuR1#
• To configure Hostname on OmniSecuR2 use the following commands.
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#hostname OmniSecuR2 OmniSecuR2(config)#exit OmniSecuR2#
• To configure Domain name on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. OmniSecuR2(config)#ip domain-name omnisecu.com OmniSecuR2(config)#exit
Following are the main components which are used to construct Site-to-Site IKEv2 IPSec VPN.
• IKEv2 Proposal
• IKEv2 Policy
• IKEv2 Profile
• IKEv2 Keyring
• Crypto Map
Step 2: Define IKEv2 Keyring
An IKEv2 keyring consists of preshared keys associated with an IKEv2 profile. Authentication is performed by Pre-Shared Keys defined inside an IKEv2 keyring.
• To define a IKEv2 Keyring in OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#crypto ikev2 keyring KR-1 OmniSecuR1(config-ikev2-keyring)#peer SITE-2 OmniSecuR1(config-ikev2-keyring-peer)#address 192.168.0.2 OmniSecuR1(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom OmniSecuR1(config-ikev2-keyring-peer)#exit OmniSecuR1(config-ikev2-keyring)#exit OmniSecuR1(config)#exit OmniSecuR1#
• To define a IKEv2 Keyring in OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#crypto ikev2 keyring KR-1 OmniSecuR2(config-ikev2-keyring)#peer SITE-1 OmniSecuR2(config-ikev2-keyring-peer)#address 192.168.0.1 OmniSecuR2(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom OmniSecuR2(config-ikev2-keyring-peer)#exit OmniSecuR2(config-ikev2-keyring)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 3: Define IKEv2 Proposal
An IKEv2 proposal consists of transforms which are used in the negotiation of IKE SAs, in IKE_SA_INIT exchange. Following parameters are defined.
• Encryption Algorithm
• Integrity Algorithm
• Pseudo-Random Function (PRF) algorithm
• Diffie-Hellman (DH) Group
• To define a IKEv2 Proposal in OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#crypto ikev2 proposal PROP-SITE2 OmniSecuR1(config-ikev2-proposal)#encryption aes-cbc-256 OmniSecuR1(config-ikev2-proposal)#integrity sha512 OmniSecuR1(config-ikev2-proposal)#group 24 OmniSecuR1(config-ikev2-proposal)#exit OmniSecuR1(config)#exit OmniSecuR1#
• To define a IKEv2 Proposal in OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#crypto ikev2 proposal PROP-SITE1 OmniSecuR2(config-ikev2-proposal)#encryption aes-cbc-256 OmniSecuR2(config-ikev2-proposal)#integrity sha512 OmniSecuR2(config-ikev2-proposal)#group 24 OmniSecuR2(config-ikev2-proposal)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 4: Define IKEv2 Policies
An IKEv2 Policy contains IKEv2 Proposals (defined in above step) which are used to negotiate the Encryption Algorithm, Integrity Algorithm, PRF Algorithms, and Diffie-Hellman (DH) Group in IKE_SA_INIT exchange.
• To define IKEv2 Policy in OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#crypto ikev2 policy POL-SITE2 OmniSecuR1(config-ikev2-policy)#proposal PROP-SITE2 OmniSecuR1(config-ikev2-policy)#exit OmniSecuR1(config)#exit OmniSecuR1#
• To define IKEv2 Policy in OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#crypto ikev2 policy POL-SITE1 OmniSecuR2(config-ikev2-policy)#proposal PROP-SITE1 OmniSecuR2(config-ikev2-policy)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 5: Define Crypto ACL to identify IPSec secured traffic
Crypto ACL is just an ACL created using normal ACL syntax, with permit or deny statements. Crypto ACLs are not used to permit or deny traffic similar to normal ACLs. In Crypto ACL, a permit statement is used to identify the traffic which is to be secured using IPSec and a deny statement is used to identify the traffic whish doesn't need to be secured. Here we are using "named extended access lists".
New to Access Control Lists (ACLs)? Please refer below lessons if you wish.
Introduction to Access Control Lists (ACL)
Standard Access Control Lists (ACLs)
Where should a Standard Access Control List (ACL) be placed
Access Control List (ACL) - Wildcard Masks
How to create and configure Standard Access Control Lists (ACLs)
Extended Access Control Lists (ACLs)
Where should an Extended Access Control List (ACL) be placed
Extended Access Control List (ACL) - Operators
Extended Access Control List (ACL) - TCP and UDP port numbers and names
Extended Access Control List (ACL)- established Keyword
How to create and configure Extended Access Control Lists (ACLs)
How to create and configure Access Control Lists (ACLs) for vty lines (telnet and ssh)
Named Access Control Lists (ACLs)
How to create and configure Standard Named Access Control Lists (ACLs)
How to create and configure Extended Named Access Control List (ACL)
How to edit a Named Access Control List (ACL) on router
• To configure a Crypto ACL in OmniSecuR1 (to identify the traffic to OmniSecuR2), use the following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#ip access-list extended SITE1-SITE2-CACL OmniSecuR1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255 OmniSecuR1(config-ext-nacl)#exit OmniSecuR1(config)#exit OmniSecuR1#
• To configure a Crypto ACL in OmniSecuR2 (to identify the traffic to OmniSecuR1), use the following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#ip access-list extended SITE2-SITE1-CACL OmniSecuR2(config-ext-nacl)#permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255 OmniSecuR2(config-ext-nacl)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 6: Define Transform Sets
A Transform Set is used to define how the data traffic between IPSec peers is going to be protected in Child Tunnel (IPSec Tunnel).
• To configure Transform Set in OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#crypto ipsec transform-set SITE2-TS esp-aes esp-sha512-hmac OmniSecuR1(cfg-crypto-trans)#exit OmniSecuR1(config)#exit OmniSecuR1#f
• To configure Transform Set in OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#crypto ipsec transform-set SITE1-TS esp-aes esp-sha512-hmac OmniSecuR2(cfg-crypto-trans)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 7: Define IKEv2 Profiles
IKEv2 Profiles are similar to IKEv1 ISAKMP Profile.
• To configure IKEv2 Profiles in OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#crypto ikev2 profile SITE2-PROFILE OmniSecuR1(config-ikev2-profile)#match identity remote address 192.168.0.2 255.255.255.255 OmniSecuR1(config-ikev2-profile)#authentication local pre-share OmniSecuR1(config-ikev2-profile)#authentication remote pre-share OmniSecuR1(config-ikev2-profile)#keyring local KR-1 OmniSecuR1(config-ikev2-profile)#exit OmniSecuR1(config)#exit OmniSecuR1#
• To configure IKEv2 Profiles in OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#crypto ikev2 profile SITE1-PROFILE OmniSecuR2(config-ikev2-profile)#match identity remote address 192.168.0.1 255.255.255.255 OmniSecuR2(config-ikev2-profile)#authentication local pre-share OmniSecuR2(config-ikev2-profile)#authentication remote pre-share OmniSecuR2(config-ikev2-profile)#keyring local KR-1 OmniSecuR2(config-ikev2-profile)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 8: Define Crypto Maps
Crypto Maps are used to connect all the pieces of IPSec configuration together. A Crypto Map consists of one or more entries. A Crypto Map is made up of Crypto ACL, Transform Set, Remote Peer, the lifetime of the data connections etc.
• To define Crypto Map in OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#crypto map CMAP-SITE2 10 ipsec-isakmp OmniSecuR1(config-crypto-map)#set peer 192.168.0.2 OmniSecuR1(config-crypto-map)#set pfs group24 OmniSecuR1(config-crypto-map)#set security-association lifetime seconds 3600 OmniSecuR1(config-crypto-map)#set transform-set SITE2-TS OmniSecuR1(config-crypto-map)#set ikev2-profile SITE2-PROFILE OmniSecuR1(config-crypto-map)#match address SITE1-SITE2-CACL OmniSecuR1(config-crypto-map)#exit OmniSecuR1(config)#exit
• To define Crypto Map in OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#crypto map CMAP-SITE1 10 ipsec-isakmp OmniSecuR2(config-crypto-map)#set peer 192.168.0.1 OmniSecuR2(config-crypto-map)#set pfs group24 OmniSecuR2(config-crypto-map)#set security-association lifetime seconds 3600 OmniSecuR2(config-crypto-map)#set transform-set SITE1-TS OmniSecuR2(config-crypto-map)#set ikev2-profile SITE1-PROFILE OmniSecuR2(config-crypto-map)#match address SITE2-SITE1-CACL OmniSecuR2(config-crypto-map)#exit OmniSecuR2(config)#exit OmniSecuR2#
Step 9: Activate Crypto Maps by applying the Crypto Map to Router's Interface
• To apply Crypto Map to the WAN Interface on OmniSecuR1, use following commands.
OmniSecuR1#configure terminal OmniSecuR1(config)#interface gi0/0 OmniSecuR1(config-if)#crypto map CMAP-SITE2 OmniSecuR1(config-if)#exit OmniSecuR1(config)#exit OmniSecuR1#
• To apply Crypto Map to the WAN Interface on OmniSecuR2, use following commands.
OmniSecuR2#configure terminal OmniSecuR2(config)#interface gi0/0 OmniSecuR2(config-if)#crypto map CMAP-SITE1 OmniSecuR2(config-if)#exit OmniSecuR2(config)#exit OmniSecuR2#
After configuring, initiate an IP traffic from device inside at Site-1 network to reach a device at Site-2 network. Your IPSec VPN Main mode IPSec tunnel will be built when any router find interesting traffic.
