FlexVPN - client and server
It’s time to test IKEv2. Cisco introduced IKE version 2 together with a new configuration “standard”, FlexVPN. The idea is to have one unified way of configuring all VPN types, such as site-to-site, client-server and DMVPN (GET VPN support is still in development).
Remember that IKEv1 and IKEv2 are not compatible: devices running different IKE versions can’t establish a secure connection with each other. More information about IKEv2 and FlexVPN can be found here:
In today’s lab I would like to configure a client-server VPN. Let’s start with the parts that are common to the client and the server:
1) ikev2 proposal
As with IKEv1, you need to specify the phase 1 parameters. You can use the defaults or define your own:
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha512
group 5
2) ikev2 policy
The policy can’t be used on its own. First you define the proposal, and then you attach that proposal to the policy:
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
3) keyring
For pre-shared key authentication you have to define a keyring. A new feature here is that you can define different keys for the local and the remote peer:
crypto ikev2 keyring KEYRING
peer R2
identity address 0.0.0.0
pre-shared-key local cisco123
pre-shared-key remote cisco123
4) aaa
aaa authorization network AUTH-LIST local
Next, the phase 2 part:
5) ipsec transform set and profile
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TS
set ikev2-profile IKEV2-PROFILE
Now it’s time to finish the client configuration:
6) authorization policy (client)
Under the authorization policy you define how the peer advertises its own routes and learns its peer’s routes. In the example below the client accepts any route from the server and advertises its interface IP to the server. The learned routes are installed as reachable over the tunnel interface:
crypto ikev2 authorization policy default
route set interface
route accept any
7) ikev2 profile (client)
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
aaa authorization group psk list AUTH-LIST default
8) crypto ikev2 client (client)
In the ikev2 client configuration you can specify more than one peer (the server in my case), but then the ‘tunnel destination’ in the tunnel interface configuration has to be ‘dynamic’. You also need to specify which tunnel interface is used for this particular connection:
crypto ikev2 client flexvpn FLEXVPN-CLIENT
peer 1 8.8.8.2
client connect Tunnel0
connect auto
There are different methods of enabling the VPN. In my case I chose ‘auto’:
r6(config-ikev2-flexvpn)#connect ?
auto Enable FlexVPN in Automatic mode
manual Enable FlexVPN in Manual mode
track connect track object
r6(config-ikev2-flexvpn)#
9) interface (client)
If the client tunnel interface should learn its IP from the server’s pool, its ‘ip address’ has to be ‘negotiated’:
interface Tunnel0
ip address negotiated
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile IPSEC-PROFILE
Now let’s finish the server side:
6) authorization policy + acl + pool (server)
On the server side, under the authorization policy, you need to specify two things: a local pool (if your client needs to receive an IP from the server) and an access-list with the subnet you want to push to your client:
ip access-list standard ACL
permit 22.22.22.0 0.0.0.255
!
ip local pool MY-POOL 3.3.3.1 3.3.3.10
!
crypto ikev2 authorization policy default
pool MY-POOL
route set access-list ACL
!
7) ikev2 profile (server)
On the server side you also need to reference a virtual template (one of the differences between the client and the server):
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
aaa authorization group psk list AUTH-LIST default
virtual-template 1
8) interface (server)
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
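The client and server listings above hang together through names (proposal, keyring, profiles, aaa list, tunnel interface), and a mistyped name fails silently until the SA does not come up. The following is an added example, not part of this post: a small Python linter over a constructed FlexVPN client config that reports references without a matching definition and tunnels used by a flexvpn client that lack ‘tunnel destination dynamic’. The sample config and the defect in it (keyring KEYRING defined, KEYRING123 referenced) are constructed for the demonstration.

```python
import re

# Constructed sample (not the post's listing): the cross-referenced parts of a FlexVPN client
# config, with one deliberate defect: keyring KEYRING is defined but KEYRING123 is referenced.
CLIENT_CONFIG = """\
crypto ikev2 proposal IKEV2-PROPOSAL
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
crypto ikev2 keyring KEYRING
aaa authorization network AUTH-LIST local
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile IKEV2-PROFILE
crypto ikev2 profile IKEV2-PROFILE
 keyring local KEYRING123
 aaa authorization group psk list AUTH-LIST default
crypto ikev2 client flexvpn FLEXVPN-CLIENT
 client connect Tunnel0
interface Tunnel0
 tunnel destination dynamic
 tunnel protection ipsec profile IPSEC-PROFILE
"""

# (definition pattern, reference pattern, label): every referenced name must be defined.
CHECKS = [
    (r"^crypto ikev2 proposal (\S+)", r"^[ \t]+proposal (\S+)", "ikev2 proposal"),
    (r"^crypto ikev2 keyring (\S+)", r"^[ \t]+keyring local (\S+)", "ikev2 keyring"),
    (r"^crypto ikev2 profile (\S+)", r"^[ \t]+set ikev2-profile (\S+)", "ikev2 profile"),
    (r"^crypto ipsec transform-set (\S+)", r"^[ \t]+set transform-set (\S+)", "transform-set"),
    (r"^crypto ipsec profile (\S+)", r"^[ \t]+tunnel protection ipsec profile (\S+)", "ipsec profile"),
    (r"^aaa authorization network (\S+)", r"^[ \t]+aaa authorization group psk list (\S+)", "aaa list"),
    (r"^interface (Tunnel\d+)", r"^[ \t]+client connect (Tunnel\d+)", "tunnel interface"),
]

def dangling_references(config: str) -> list[str]:
    """Return 'label: NAME' for each reference whose definition is missing from config."""
    problems = []
    for def_re, ref_re, label in CHECKS:
        defined = set(re.findall(def_re, config, re.M))
        for name in re.findall(ref_re, config, re.M):
            if name not in defined:
                problems.append(f"{label}: {name}")
    return problems

def missing_dynamic_destination(config: str) -> list[str]:
    """Tunnels named by 'client connect' must carry 'tunnel destination dynamic'."""
    bad = []
    for name in re.findall(r"^[ \t]+client connect (Tunnel\d+)", config, re.M):
        block = re.search(rf"^interface {name}\n((?:[ \t].*\n?)*)", config, re.M)
        body = block.group(1) if block else ""
        if "tunnel destination dynamic" not in body:
            bad.append(name)
    return bad
```

Run both functions over the client’s and the server’s running-config before bringing the tunnel up; on the sample above the only finding is the keyring name.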
Once the configuration is complete I can check whether everything works. On the client I check the connection status:
r6#sh crypto ikev2 client flexvpn
Profile : FLEXVPN-CLIENT
Current state:ACTIVE
Peer : 8.8.8.2
Source : FastEthernet0/0
ivrf : IP DEFAULT
fvrf : IP DEFAULT
Backup group: Default
Tunnel interface : Tunnel0
r6#
Phase 1 on the client:
r6#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 7.7.7.2/500 8.8.8.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4 sec
IPv6 Crypto IKEv2 SA
r6#
r6#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 7.7.7.2/500 8.8.8.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/31 sec
CE id: 1029, Session-id: 25
Status Description: Negotiation done
Local spi: E0341D22812D9F47 Remote spi: 0B1273E12470126E
Local id: 7.7.7.2
Remote id: 8.8.8.2
Local req msg id: 3 Remote req msg id: 0
Local next msg id: 3 Remote next msg id: 0
Local req queued: 3 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Pushed IP address: 3.3.3.9
Remote subnets:
22.22.22.0 255.255.255.0
IPv6 Crypto IKEv2 SA
r6#
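The SA row above shows what was actually negotiated, and it is worth checking it against what the proposal asked for rather than reading it by eye. This is an added example, not from the post: a Python parser for the ‘show crypto ikev2 sa’ output that confirms each SA is READY, that the negotiated algorithms match the configured proposal (aes-cbc-128, sha512, group 5, PSK), and that flags a DH group below 14; the expected values and the minimum group are assumptions chosen here.

```python
import re

# Constructed sample: the client's 'show crypto ikev2 sa' output from this post.
SHOW_IKEV2_SA = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 7.7.7.2/500 8.8.8.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4 sec
IPv6 Crypto IKEv2 SA
"""

# What the post's proposal should negotiate: aes-cbc-128, sha512, group 5, pre-shared keys (assumed).
EXPECTED = {"encr": "AES-CBC", "keysize": 128, "hash": "SHA512", "dh": 5, "auth": "PSK"}

SA_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ALG_LINE = re.compile(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), "
                      r"Auth sign: (\S+), Auth verify: (\S+)")
LIFE_LINE = re.compile(r"Life/Active Time: (\d+)/(\d+) sec")

def parse_ikev2_sa(output: str) -> list[dict]:
    """One dict per SA: tunnel id, endpoints, status, negotiated algorithms and lifetime."""
    lines = output.splitlines()
    sas = []
    for i, line in enumerate(lines):
        m = SA_LINE.match(line)
        if not m:
            continue
        sa = {"id": int(m[1]), "local": m[2], "remote": m[3], "status": m[5]}
        # The two lines after the SA row carry the algorithms and the lifetime.
        alg = ALG_LINE.search(lines[i + 1]) if i + 1 < len(lines) else None
        life = LIFE_LINE.search(lines[i + 2]) if i + 2 < len(lines) else None
        if alg:
            sa.update(encr=alg[1], keysize=int(alg[2]), hash=alg[3], dh=int(alg[4]),
                      auth_sign=alg[5], auth_verify=alg[6])
        if life:
            sa.update(lifetime=int(life[1]), active=int(life[2]))
        sas.append(sa)
    return sas

def audit(sa: dict, expected: dict = EXPECTED, min_dh_group: int = 14) -> list[str]:
    """Findings for one SA: not READY, mismatch against the configured proposal, weak DH group."""
    findings = []
    if sa["status"] != "READY":
        findings.append(f"SA {sa['id']} status is {sa['status']}")
    for key in ("encr", "keysize", "hash", "dh"):
        if sa.get(key) != expected[key]:
            findings.append(f"{key}: negotiated {sa.get(key)}, proposal expects {expected[key]}")
    if sa.get("auth_sign") != expected["auth"] or sa.get("auth_verify") != expected["auth"]:
        findings.append("authentication method differs from the configured pre-share")
    # DH group 5 is 1536-bit MODP; current guidance is group 14 (2048-bit MODP) or stronger.
    if sa.get("dh", 0) < min_dh_group:
        findings.append(f"DH group {sa.get('dh')} is below group {min_dh_group}")
    return findings
```

On the lab output the only finding is the DH group, which matches the ‘group 5’ in the proposal but is below what a production deployment should accept.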
Then phase 2:
r6#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 7.7.7.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 8.8.8.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 7.7.7.2, remote crypto endpt.: 8.8.8.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xCFF2C04F(3488792655)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6E4689A8(1850116520)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 64, flow_id: 64, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4274446/3483)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCFF2C04F(3488792655)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 63, flow_id: 63, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4274446/3483)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
r6#
And then the ‘detailed’ version:
r6#sh crypto ipsec sa detail
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 7.7.7.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 8.8.8.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 7.7.7.2, remote crypto endpt.: 8.8.8.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xCFF2C04F(3488792655)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6E4689A8(1850116520)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 64, flow_id: 64, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4274446/3450)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCFF2C04F(3488792655)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 63, flow_id: 63, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4274446/3450)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
r6#
I also check the crypto session:
r6#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel0
Uptime: 00:03:30
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 8.8.8.2
Desc: (none)
IKEv2 SA: local 7.7.7.2/500 remote 8.8.8.2/500 Active
Capabilities:(none) connid:1 lifetime:23:56:30
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 5 drop 0 life (KB/Sec) 4274446/3390
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4274446/3390
r6#
And the same on the server:
r5#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 8.8.8.2/500 7.7.7.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/378 sec
IPv6 Crypto IKEv2 SA
r5#
r5#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 8.8.8.2/500 7.7.7.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/383 sec
CE id: 1028, Session-id: 28
Status Description: Negotiation done
Local spi: 0B1273E12470126E Remote spi: E0341D22812D9F47
Local id: 8.8.8.2
Remote id: 7.7.7.2
Local req msg id: 0 Remote req msg id: 3
Local next msg id: 0 Remote next msg id: 3
Local req queued: 0 Remote req queued: 3
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Assigned host addr: 3.3.3.9
Initiator of SA : No
Remote subnets:
3.3.3.9 255.255.255.255
IPv6 Crypto IKEv2 SA
r5#
r5#sh crypto ipsec sa
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 8.8.8.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 7.7.7.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 8.8.8.2, remote crypto endpt.: 7.7.7.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x6E4689A8(1850116520)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCFF2C04F(3488792655)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 65, flow_id: 65, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4330399/3210)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6E4689A8(1850116520)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 66, flow_id: 66, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4330399/3210)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
r5#
r5#sh crypto ipsec sa detail
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 8.8.8.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 7.7.7.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 8.8.8.2, remote crypto endpt.: 7.7.7.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x6E4689A8(1850116520)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCFF2C04F(3488792655)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 65, flow_id: 65, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4330399/3205)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6E4689A8(1850116520)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 66, flow_id: 66, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4330399/3205)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
r5#
r5#sh crypto session
Crypto session current status
Interface: Virtual-Access1
Session status: UP-ACTIVE
Peer: 7.7.7.2 port 500
IKEv2 SA: local 8.8.8.2/500 remote 7.7.7.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
r5#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access1
Uptime: 00:06:47
Session status: UP-ACTIVE
Peer: 7.7.7.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 7.7.7.2
Desc: (none)
IKEv2 SA: local 8.8.8.2/500 remote 7.7.7.2/500 Active
Capabilities:(none) connid:1 lifetime:23:53:13
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 5 drop 0 life (KB/Sec) 4330399/3193
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4330399/3193
r5#
Now I check whether the peers have learned each other’s routes:
r6#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback0
22.0.0.0/24 is subnetted, 1 subnets
S 22.22.22.0 is directly connected, Tunnel0
r6#
As you can see, on the client there is a static route to the server’s loopback subnet (22.22.22.0/24, the loopback being 22.22.22.22) via Tunnel0.
r5#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
3.0.0.0/32 is subnetted, 1 subnets
S 3.3.3.9 is directly connected, Virtual-Access1
7.0.0.0/24 is subnetted, 1 subnets
S 7.7.7.0 [1/0] via 8.8.8.1
8.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 8.8.8.0/24 is directly connected, FastEthernet0/0
L 8.8.8.2/32 is directly connected, FastEthernet0/0
22.0.0.0/32 is subnetted, 1 subnets
C 22.22.22.22 is directly connected, Loopback0
r5#
On the server side there is a static route to the client’s tunnel interface IP assigned from the server’s pool (3.3.3.9) via Virtual-Access1.
Let’s test the connectivity between the client and the server:
r6#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/92 ms
r6#
r6#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel0
Uptime: 00:04:29
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 8.8.8.2
Desc: (none)
IKEv2 SA: local 7.7.7.2/500 remote 8.8.8.2/500 Active
Capabilities:(none) connid:1 lifetime:23:55:31
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 10 drop 0 life (KB/Sec) 4304981/3330
Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4304981/3330
r6#