Cisco FlexVPN

Introduction

This document provides a sample configuration for FlexVPN site-to-site IPsec/GRE tunnel.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

PSK Tunnel Configuration

The procedure in this section describes how to use a pre-shared key (PSK) in order to configure the tunnels in this network environment.

Left-Router

1. Configure the IKEv2 keyring.

    crypto ikev2 keyring mykeys
    peer Right-Router
     address 172.20.5.43
     pre-shared-key Cisco123
   !

2. Reconfigure the IKEv2 default profile to:

   • match on IKE ID

   • set the authentication methods for local and remote

   • reference the above keyring

    crypto ikev2 profile default
    match identity remote address 172.20.5.43 255.255.255.255 
    authentication local pre-share
    authentication remote pre-share
    keyring local mykeys
    dpd 60 2 on-demand
   !

3. Re-configure the default IPsec profile to reference the default IKEv2 profile.

   crypto ipsec profile default
    set ikev2-profile default
   !
   interface Tunnel0
    ip address 10.1.12.100 255.255.255.0
    tunnel source Ethernet0/0
    tunnel destination 172.20.5.43
    tunnel protection ipsec profile default
   !

4. Configure the LAN and WAN interfaces.

    interface Ethernet0/0
    description WAN
    ip address 172.18.3.52 255.255.255.0
   !
   interface Ethernet0/1
    description LAN
    ip address 192.168.100.1 255.255.255.0
   !
   ip route 0.0.0.0 0.0.0.0 172.18.3.1 name route_to_internet

Right-Router

Repeat the steps from the Left-Router configuration but with the necessary changes.

 crypto ikev2 keyring mykeys
 peer Left-Router
  address 172.18.3.52
  pre-shared-key Cisco123
!
crypto ikev2 profile default
 match identity remote address 172.18.3.52 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring local mykeys
 dpd 60 2 on-demand
!
crypto ipsec profile default
 set ikev2-profile default
!         
interface Tunnel0
 ip address 10.1.12.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 172.18.3.52
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 description WAN
 ip address 172.20.5.43 255.255.255.0
!
interface Ethernet0/1
 description LAN
 ip address 192.168.200.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.20.5.1 name route_to_internet

PKI Tunnel Configuration

After you complete the tunnel above with PSK, you can easily change the authentication type to PKI. In this example, Left-Router authenticates itself using a certificate to the Right-Router. Right-Router continues to use a PSK to authenticate itself to the Left-Router. This has been done to show asymmetric authentication; however, it is trivial to switch both to use certificate authentication.

Left-Router

1. Configure IOS CA on router.

   Left-Router#config t
   Left-Router(config)#ip http server
   Left-Router(config)#crypto pki server S2S-CA
   Left-Router(cs-server)#issuer-name cn="S2S-CA"
   Left-Router(cs-server)#grant auto
   Left-Router(cs-server)#no shut
   %Some server settings cannot be changed after CA certificate generation.
   % Please enter a passphrase to protect the private key
   % or type Return to exit
   Password: 
   
   Re-enter password: 
   % Generating 1024 bit RSA keys, keys will be non-exportable...
   [OK] (elapsed time was 0 seconds)
   % Exporting Certificate Server signing certificate and keys...

2. Authenticate and enroll ID trustpoint.

   Left-Router#config t
   Left-Router(config)#ip domain name cisco.com
   Left-Router(config)#crypto pki trustpoint S2S-ID
   Left-Router(ca-trustpoint)#enrollment url http://172.18.3.52:80
   Left-Router(ca-trustpoint)#subject-name cn=Left-Router.cisco.com
   Left-Router(ca-trustpoint)#exit
   Left-Router(config)#crypto pki authenticate S2S-ID
   Certificate has the following attributes:
          Fingerprint MD5: C11CD575 EC2DEACD 97E9AA3A 2DACFCAB 
         Fingerprint SHA1: A8A6E79B D1932175 F12652F1 4F967077 3AEFAF08 
   
   % Do you accept this certificate? [yes/no]: yes
   Trustpoint CA certificate accepted.
   Left-Router(config)#
   Left-Router(config)#crypto pki enroll S2S-ID
   %
   % Start certificate enrollment .. 
   % Create a challenge password. You will need to verbally provide this
      password to the CA Administrator in order to revoke your certificate.
      For security reasons your password will not be saved in the configuration.
      Please make a note of it.
   
   Password: 
   Re-enter password: 
   *Oct 29 15:15:50.287: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
   
   % The subject name in the certificate will include: cn=R1.cisco.com
   % The subject name in the certificate will include: R1.cisco.com
   % Include the router serial number in the subject name? [yes/no]: no
   % Include an IP address in the subject name? [no]: no
   Request certificate from CA? [yes/no]: yes
   % Certificate request sent to Certificate Authority
   % The 'show crypto pki certificate verbose S2S-ID' command will show the fingerprint.
   
   *Oct 29 15:15:57.722: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 
        CA34FD51 A85007EF A785E058 60D8877D 
   *Oct 29 15:15:57.722: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 
        E37AAE3C 851953C3 9FABE1FD 2F0EACD5 566F361E 
   Left-Router(config)#exit
   Left-Router#
   *Oct 29 15:16:57.829: %PKI-6-CERTRET: Certificate received from Certificate 
        Authority

3. Reconfigure IKEv2 profile.

    crypto ikev2 profile default
    authentication local rsa-sig
    identity local dn
    pki trustpoint S2S-ID 

Right-Router

1. Authenticate CA trustpoint so that the router can verify the Left-Router certificate.

   Right-Router#config t
   Right-Router(config)#ip domain name cisco.com
   Right-Router(config)#crypto pki trustpoint S2S-ID
   Right-Router(ca-trustpoint)#enrollment url http://172.18.3.52:80
   Right-Router(ca-trustpoint)#revocation-check none
   Right-Router(ca-trustpoint)#exit
   Right-Router(config)#crypto pki authenticate S2S-ID
   Certificate has the following attributes:
          Fingerprint MD5: C11CD575 EC2DEACD 97E9AA3A 2DACFCAB 
         Fingerprint SHA1: A8A6E79B D1932175 F12652F1 4F967077 3AEFAF08 
   
   % Do you accept this certificate? [yes/no]: yes
   Trustpoint CA certificate accepted.
   Right-Router(config)#

2. Reconfigure IKEv2 profile to match the incoming connection.

    crypto pki certificate map S2S-Cert-Map 10
     issuer eq cn=S2S-CA
   crypto ikev2 profile default
    match certificate S2S-Cert-Map
    authentication remote rsa-sig

Verify

Use the show command in order to verify the configuration.

Right-Router shows the following:

• Auth Sign = How this router authenticates itself to Left-Router = Pre-shared-Key

• Auth Verify = How Left-Router authenticates itself to this router = RSA (Certificate)

• Local/Remote id = The ISAKMP identities exchanged

 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         172.20.5.43/500       172.18.3.52/500       none/none            READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
      Life/Active Time: 86400/3165 sec
      CE id: 1043, Session-id: 22
      Status Description: Negotiation done
      Local spi: 3443E884EB151E8D       Remote spi: 92779BC873F58132
      Local id: 172.20.5.43
      Remote id: hostname=Left-Router.cisco.com,cn=Left-Router.cisco.com
      Local req msg id:  0              Remote req msg id:  4         
      Local next msg id: 0              Remote next msg id: 4         
      Local req queued:  0              Remote req queued:  4         
      Local window:      5              Remote window:      5         
      DPD configured for 60 seconds, retry 2
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : No
      
 IPv6 Crypto IKEv2  SA 

Routing Configuration

The previous configuration example allows the tunnel to be established but does not provide any information regarding routing (that is, what destinations are available over the tunnel). With IKEv2, there are two ways to exchange this information: Dynamic Routing Protocols and IKEv2 Routes.

Dynamic Routing Protocols

Since the tunnel is a point-to-point GRE tunnel, it will behave just like any other point-to-point interface (that is, serial, dialer) and it is possible to run any IGP/EGP over the link in order to exchange routing information. Here is an example of EIGRP:

1. Configure Left-Router to enable and advertise EIGRP on the LAN and tunnel interfaces.

   router eigrp 100
     no auto-summary
     network 10.1.12.0 0.0.0.255
     network 192.168.100.0 0.0.0.255

2. Configure Right-Router to enable and advertise EIGRP on the LAN and tunnel interfaces.

   router eigrp 100
     no auto-summary
     network 10.1.12.0 0.0.0.255
     network 192.168.200.0 0.0.0.255

3. Confirm that the route to 192.168.200.0/24 is learned over the tunnel via EIGRP.

   Left-Router#show ip route
   Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
          ia - IS-IS inter area, * - candidate default, U - per-user static route
          o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
          + - replicated route, % - next hop override
   
   Gateway of last resort is 172.18.3.1 to network 0.0.0.0
   
   S*    0.0.0.0/0 [1/0] via 172.18.3.1
         10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
   C        10.1.12.0/24 is directly connected, Tunnel0
   L        10.1.12.100/32 is directly connected, Tunnel0
         172.18.0.0/16 is variably subnetted, 2 subnets, 2 masks
   C        172.18.3.0/24 is directly connected, Ethernet0/0
   L        172.18.3.52/32 is directly connected, Ethernet0/0
         192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
   C        192.168.100.0/24 is directly connected, Ethernet0/1
   L        192.168.100.1/32 is directly connected, Ethernet0/1
   D     192.168.200.0/24 [90/27008000] via 10.1.12.1, 00:00:22, Tunnel0

IKEv2 Routes

In the establishment of an IKEv2 SA, various attributes can be exchanged. Routes can be advertised from one peer to the other.

1. On Left-Router, configure a list of the subnets that Left-Router will advertise to Right-Router.

   ip access-list standard Net-List
    permit 192.168.100.0 0.0.0.255

2. On Left-Router, configure an authorization policy to specify the subnets to advertise:

   • /32 configured on the tunnel interface

   • /24 route referenced in the ACL

   crypto ikev2 authorization policy default
     route set interface
     route set access-list Net-List

3. On Left-Router, reconfigure the IKEv2 profile to reference the authorization policy when using pre-shared keys

   crypto ikev2 profile default
     aaa authorization group psk list default default

4. On Right-Router, repeat steps 1 and 2 and adjust the ikev2 profile to reference the authorization policy when using certificates.

   ip access-list standard Net-List
     permit 192.168.200.0 0.0.0.255
   
   crypto ikev2 authorization policy default
      route set interface
      route set access-list Net-List
   
   crypto ikev2 profile default
     aaa authorization group cert list default default

5. Use the shut and no shut commands on the tunnel interface in order to force a new IKEv2 to be built.

6. Verify the IKEv2 routes are exchanged. See "Remote subnets" in the sample output below.

   Right-Router#show crypto ikev2 sa detailed 
    IPv4 Crypto IKEv2  SA 
   
   Tunnel-id Local                 Remote                fvrf/ivrf            Status 
   1         172.20.5.43/500       172.18.3.52/500       none/none            READY  
         Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
         Life/Active Time: 86400/3165 sec
         CE id: 1043, Session-id: 22
         Status Description: Negotiation done
         Local spi: 3443E884EB151E8D       Remote spi: 92779BC873F58132
         Local id: 172.20.5.43
         Remote id: hostname=R100.cisco.com,cn=R100.cisco.com
         Local req msg id:  0              Remote req msg id:  4         
         Local next msg id: 0              Remote next msg id: 4         
         Local req queued:  0              Remote req queued:  4         
         Local window:      5              Remote window:      5         
         DPD configured for 60 seconds, retry 2
         NAT-T is not detected  
         Cisco Trust Security SGT is disabled
         Initiator of SA : No
   
         Remote subnets:
         10.1.12.100 255.255.255.255
         192.168.100.0 255.255.255.0
   
    IPv6 Crypto IKEv2  SA 

Related Information

• Technical Support & Documentation - Cisco Systems