Wednesday, January 27, 2016

FlexVPN IKEv2 Site to Site Tunnels


FlexVPN: Cisco's IKEv2-based VPN framework that combines the various IPsec VPN techniques (site-to-site, hub-and-spoke, remote access) into one configuration model.

GCM: Galois/Counter Mode is a mode of operation for symmetric-key block ciphers that provides authenticated encryption (confidentiality plus integrity in one pass).

R5:
Verify underlay connectivity between the two tunnel endpoints before configuring the VPN:
ping 46.0.0.6 source 45.0.0.5

show crypto ikev2 proposal default

show crypto ikev2 policy default

! The default IKEv2 proposal is used in this lab; the lines below only show
! where a custom proposal would be defined
conf t
crypto ikev2 proposal OUR-Proposal
! use ? here to list the available encryption, integrity and group options
exit

no crypto ikev2 proposal OUR-Proposal
do show crypto ikev2 proposal

crypto ikev2 keyring OUR-KEY-RING
peer R6-Branch-Router
description This describes R6
address 46.0.0.6
identity fqdn r6.cbtnuggets.com
pre-shared-key local cisco-ABC
pre-shared-key remote cisco-XYZ
exit
exit

crypto ikev2 profile OUR-PROFILE
identity local fqdn R5.cbtnuggets.com
match identity remote fqdn R6.cbtnuggets.com
authentication local pre-share
authentication remote pre-share
keyring OUR-KEY-RING
exit

do show crypto ipsec transform-set

crypto ipsec profile default
set ikev2-profile OUR-PROFILE
exit

interface tunnel 3
ip unnumbered loop 0
tunnel source gig 0/0
tunnel destination 46.0.0.6
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
ip mtu 1400
ip tcp adjust-mss 1360
exit

Use a static route to reach the branch LAN through the tunnel:
! administrative distance 200 so that the OSPF route (AD 110) configured later is preferred
ip route 10.6.0.0 255.255.255.0 tunnel 3 200
end

R6:
conf t
crypto ikev2 keyring OUR-KEY-RING
peer R5-HQ-Router
address 45.0.0.5
identity fqdn r5.cbtnuggets.com
pre-shared-key local cisco-XYZ
pre-shared-key remote cisco-ABC
exit
exit

crypto ikev2 profile OUR-PROFILE
identity local fqdn R6.cbtnuggets.com
match identity remote fqdn R5.cbtnuggets.com
authentication local pre-share
authentication remote pre-share
keyring OUR-KEY-RING
exit

crypto ipsec profile default
set ikev2-profile OUR-PROFILE
exit

interface tunnel 3
ip unnumbered loop 0
tunnel source gig 0/1
tunnel mode ipsec ipv4
tunnel destination 45.0.0.5
tunnel protection ipsec profile default
ip mtu 1400
ip tcp adjust-mss 1360
exit

! same floating static as on R5: AD 200 is overridden once OSPF (AD 110) is added
ip route 10.5.0.0 255.255.255.0 tunnel 3 200
end
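The two keyrings and profiles above must mirror each other exactly (R5's local key is R6's remote key, and each side's match identity is the other side's local identity); a mismatch shows up only as an IKE_AUTH failure. The following checker is an added example, not part of the original notes or Cisco's tooling: it parses constructed excerpts of the R5 and R6 configs and reports any cross-peer inconsistency, comparing FQDNs case-insensitively (an assumption of this checker, not a documented IOS rule).

```python
import re
# Constructed excerpts of the R5 and R6 IKEv2 keyring/profile blocks from the notes above.
R5_CFG = """crypto ikev2 keyring OUR-KEY-RING
 peer R6-Branch-Router
  identity fqdn r6.cbtnuggets.com
  pre-shared-key local cisco-ABC
  pre-shared-key remote cisco-XYZ
crypto ikev2 profile OUR-PROFILE
 identity local fqdn R5.cbtnuggets.com
 match identity remote fqdn R6.cbtnuggets.com"""
R6_CFG = """crypto ikev2 keyring OUR-KEY-RING
 peer R5-HQ-Router
  identity fqdn r5.cbtnuggets.com
  pre-shared-key local cisco-XYZ
  pre-shared-key remote cisco-ABC
crypto ikev2 profile OUR-PROFILE
 identity local fqdn R6.cbtnuggets.com
 match identity remote fqdn R5.cbtnuggets.com"""
FIELDS = {  # the first config line matching each pattern wins
    "peer_fqdn": r"^\s*identity fqdn (\S+)$",
    "psk_local": r"^\s*pre-shared-key local (\S+)$",
    "psk_remote": r"^\s*pre-shared-key remote (\S+)$",
    "my_fqdn": r"^\s*identity local fqdn (\S+)$",
    "match_fqdn": r"^\s*match identity remote fqdn (\S+)$",
}

def parse_ikev2(cfg):
    """Pull the IKEv2 identity and pre-shared-key settings out of one router's config."""
    found = {}
    for line in cfg.splitlines():
        for key, pat in FIELDS.items():
            m = re.match(pat, line)
            if m:
                found.setdefault(key, m.group(1))
    return found

def audit_pair(cfg_a, cfg_b):
    """Cross-check two peers; returns the failed checks (empty list = consistent). FQDN case is ignored (checker assumption)."""
    a, b = parse_ikev2(cfg_a), parse_ikev2(cfg_b)
    same = lambda x, y: x.lower() == y.lower()
    checks = [
        ("A local PSK != B remote PSK", a["psk_local"] == b["psk_remote"]),
        ("B local PSK != A remote PSK", b["psk_local"] == a["psk_remote"]),
        ("A does not match B's local identity", same(a["match_fqdn"], b["my_fqdn"])),
        ("B does not match A's local identity", same(b["match_fqdn"], a["my_fqdn"])),
        ("A keyring peer identity != B local identity", same(a["peer_fqdn"], b["my_fqdn"])),
        ("B keyring peer identity != A local identity", same(b["peer_fqdn"], a["my_fqdn"])),
    ]
    return [msg for msg, ok in checks if not ok]
```

Run it against the real `show running-config` output of both routers before bringing the tunnel up; an empty list means the PSKs and identities line up.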

show ip route

ping 10.5.0.5 source 10.6.0.6

show crypto ikev2 sa

show crypto ipsec sa

show crypto engine connections active

ping 10.5.0.5 source 10.6.0.6 repeat 1000

show crypto engine connections active

! Still on R6
conf t
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
exit

interface tunnel 3
ip ospf 1 area 0
exit

end

show ip ospf int brief

! R5
conf t
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
exit

interface tunnel 3
ip ospf 1 area 0
end

show ip ospf int brief

show ip ospf neighbor

show ip route ospf

ping 10.6.0.6 source 10.5.0.5
