
How to configure Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication

If you are new to the basic concepts of VPN (Virtual Private Network) and IPSec, please learn the following lessons before continuing.

What is VPN (Virtual Private Network)

What is IPSec and Why we need IPSec

Important Technical Terms Related with IPSec

What are the terms Encryption, Decryption, Clear-Text and Cipher-Text

What are the terms Symmetric Encryption and Asymmetric Encryption

Important Symmetric and Asymmetric Encryption Algorithms

What are Hash values? Important Hash value Algorithms

How Hash Values can be used to determine Integrity of Data

What is HMAC (Hashed Message Authentication Code)

What is Diffie-Hellman Key Exchange


What is Diffie-Hellman Group

Main Components of IPSec - IKE, ESP and AH

IPSec VPN Modes - Tunnel Mode and Transport Mode

Security Association and Security Parameter Index

IKEv1 Main Mode, Aggressive Mode and Quick mode Message Exchanges

What is Perfect Forward Secrecy (PFS)

IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges

What is NAT-Traversal (Network Address Translation - Traversal)

Site-to-Site IKEv2 IPSec VPN Configuration - Lab Topology

Lab topology (diagram not shown): OmniSecuR1 at Site-1 has its WAN interface GigabitEthernet0/0 addressed 192.168.0.1 and the Site-1 LAN 172.16.0.0/16 behind it. OmniSecuR2 at Site-2 has its WAN interface GigabitEthernet0/0 addressed 192.168.0.2 and the Site-2 LAN 172.17.0.0/16 behind it. These are the values used in all the configuration steps below.


Before proceeding, make sure that all the IP Addresses of your network devices are configured correctly and that routing is configured correctly. Make sure you can reach all the devices by pinging all IP Addresses. In particular, OmniSecuR1 (192.168.0.1) and OmniSecuR2 (192.168.0.2) must be able to ping each other across the WAN, and anything in between must allow IKEv2 (UDP 500, or UDP 4500 when NAT-Traversal is in use) and ESP (IP protocol 50) between the two peers; no tunnel will be built otherwise.

Step 1: Configure Host name and Domain name in IPSec peer Routers
To configure Hostname on OmniSecuR1 use the following commands.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname OmniSecuR1
OmniSecuR1(config)#exit
OmniSecuR1#
To configure Domain name on OmniSecuR1, use the following commands.

OmniSecuR1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OmniSecuR1(config)#ip domain-name omnisecu.com
OmniSecuR1(config)#exit
OmniSecuR1#

To configure Hostname on OmniSecuR2 use the following commands.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname OmniSecuR2
OmniSecuR2(config)#exit
OmniSecuR2#

To configure Domain name on OmniSecuR2, use the following commands.

OmniSecuR2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OmniSecuR2(config)#ip domain-name omnisecu.com
OmniSecuR2(config)#exit

Following are the main components used to construct a Site-to-Site IKEv2 IPSec VPN on a Cisco IOS router, in the order the steps below create them.

IKEv2 Keyring (the pre-shared key for each peer)
IKEv2 Proposal (the transforms offered for the IKE SA)
IKEv2 Policy (which proposals are offered to the peer)
Crypto ACL (the traffic to be protected)
Transform Set (the transforms for the Child SA, i.e. the IPSec tunnel)
IKEv2 Profile (peer matching, authentication method and keyring)
Crypto Map (ties everything together and is applied to the WAN interface)

Step 2: Define IKEv2 Keyring


An IKEv2 keyring holds the pre-shared keys, one entry per peer, that an IKEv2 profile references (Step 7, keyring local). Each peer entry is selected by the remote router's IKE address, and the key stored under it must be identical on both routers. Authentication is performed with the pre-shared key defined in the keyring, so anyone who knows the key can authenticate as the peer: the key OmniSecuDotCom used in this lab is a placeholder, and in production you should use a long, random key that is unique to this pair of peers.

To define a IKEv2 Keyring in OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 keyring KR-1
OmniSecuR1(config-ikev2-keyring)#peer SITE-2
OmniSecuR1(config-ikev2-keyring-peer)#address 192.168.0.2
OmniSecuR1(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom
OmniSecuR1(config-ikev2-keyring-peer)#exit
OmniSecuR1(config-ikev2-keyring)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To define a IKEv2 Keyring in OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 keyring KR-1
OmniSecuR2(config-ikev2-keyring)#peer SITE-1
OmniSecuR2(config-ikev2-keyring-peer)#address 192.168.0.1
OmniSecuR2(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom
OmniSecuR2(config-ikev2-keyring-peer)#exit
OmniSecuR2(config-ikev2-keyring)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 3: Define IKEv2 Proposal


An IKEv2 proposal is the set of transforms offered for the IKE SA in the IKE_SA_INIT exchange. The following parameters are defined in a proposal.

Encryption Algorithm
Integrity Algorithm
Pseudo-Random Function (PRF) algorithm
Diffie-Hellman (DH) Group

The commands below set only the encryption algorithm, the integrity algorithm and the DH group; when no prf is configured, IOS uses the integrity algorithm (here SHA-512) as the PRF. The peer must have at least one matching combination of these transforms or the IKE_SA_INIT exchange fails.

To define a IKEv2 Proposal in OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 proposal PROP-SITE2
OmniSecuR1(config-ikev2-proposal)#encryption aes-cbc-256
OmniSecuR1(config-ikev2-proposal)#integrity sha512
OmniSecuR1(config-ikev2-proposal)#group 24
OmniSecuR1(config-ikev2-proposal)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To define a IKEv2 Proposal in OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 proposal PROP-SITE1
OmniSecuR2(config-ikev2-proposal)#encryption aes-cbc-256
OmniSecuR2(config-ikev2-proposal)#integrity sha512
OmniSecuR2(config-ikev2-proposal)#group 24
OmniSecuR2(config-ikev2-proposal)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 4: Define IKEv2 Policies


An IKEv2 Policy selects which IKEv2 Proposals (defined in the step above) are offered to the peer to negotiate the Encryption Algorithm, Integrity Algorithm, PRF Algorithm and Diffie-Hellman (DH) Group in the IKE_SA_INIT exchange. A policy can reference more than one proposal; the policies below each reference a single proposal and carry no match statements.

To define IKEv2 Policy in OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 policy POL-SITE2
OmniSecuR1(config-ikev2-policy)#proposal PROP-SITE2
OmniSecuR1(config-ikev2-policy)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To define IKEv2 Policy in OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 policy POL-SITE1
OmniSecuR2(config-ikev2-policy)#proposal PROP-SITE1
OmniSecuR2(config-ikev2-policy)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 5: Define Crypto ACL to identify IPSec secured traffic


A Crypto ACL is just an ACL created using the normal ACL syntax, with permit or deny statements, but it is not applied to an interface to permit or deny traffic the way a normal ACL is. In a Crypto ACL, a permit statement identifies the traffic which is to be secured using IPSec, and a deny statement identifies the traffic which doesn't need to be secured (it is forwarded in clear text). Here we are using "named extended access lists". The Crypto ACLs on the two routers must be mirror images of each other: what OmniSecuR1 permits from 172.16.0.0/16 to 172.17.0.0/16, OmniSecuR2 permits from 172.17.0.0/16 to 172.16.0.0/16. If they differ, the traffic selectors the two routers propose for the Child SA do not match and the IPSec tunnel is not built.

New to Access Control Lists (ACLs)? Please refer below lessons if you wish.

Introduction to Access Control Lists (ACL)

Standard Access Control Lists (ACLs)

Where should a Standard Access Control List (ACL) be placed

Access Control List (ACL) - Wildcard Masks

How to create and configure Standard Access Control Lists (ACLs)

Extended Access Control Lists (ACLs)


Where should an Extended Access Control List (ACL) be placed

Extended Access Control List (ACL) - Operators

Extended Access Control List (ACL) - TCP and UDP port numbers and names

Extended Access Control List (ACL)- established Keyword

How to create and configure Extended Access Control Lists (ACLs)

How to create and configure Access Control Lists (ACLs) for vty lines (telnet and ssh)

Named Access Control Lists (ACLs)

How to create and configure Standard Named Access Control Lists (ACLs)

How to create and configure Extended Named Access Control List (ACL)

How to edit a Named Access Control List (ACL) on router

To configure a Crypto ACL in OmniSecuR1 (to identify the traffic to OmniSecuR2), use the following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ip access-list extended SITE1-SITE2-CACL
OmniSecuR1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
OmniSecuR1(config-ext-nacl)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To configure a Crypto ACL in OmniSecuR2 (to identify the traffic to OmniSecuR1), use the following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#ip access-list extended SITE2-SITE1-CACL
OmniSecuR2(config-ext-nacl)#permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
OmniSecuR2(config-ext-nacl)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 6: Define Transform Sets


A Transform Set defines how the data traffic between the IPSec peers is protected in the Child SA (the IPSec Tunnel): the ESP encryption algorithm, the ESP integrity algorithm and the mode (tunnel mode by default). Note that esp-aes with no key length means AES with a 128-bit key; to protect the data traffic with AES-256, as the IKEv2 proposal in Step 3 does for the IKE SA, use esp-aes 256 instead. The transform set must match one offered by the peer.

To configure Transform Set in OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ipsec transform-set SITE2-TS esp-aes esp-sha512-hmac
OmniSecuR1(cfg-crypto-trans)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To configure Transform Set in OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ipsec transform-set SITE1-TS esp-aes esp-sha512-hmac
OmniSecuR2(cfg-crypto-trans)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 7: Define IKEv2 Profiles


IKEv2 Profiles are similar to IKEv1 ISAKMP Profiles. A profile ties together how the peer is recognised (match identity remote address), the authentication method used by the local and the remote side (pre-share on both sides here) and the keyring that holds the pre-shared key. With pre-shared key authentication an IOS router uses its IP address as its IKEv2 identity by default, which is why each profile matches on the peer's WAN address.

To configure IKEv2 Profiles in OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 profile SITE2-PROFILE
OmniSecuR1(config-ikev2-profile)#match identity remote address 192.168.0.2 255.255.255.255
OmniSecuR1(config-ikev2-profile)#authentication local pre-share
OmniSecuR1(config-ikev2-profile)#authentication remote pre-share
OmniSecuR1(config-ikev2-profile)#keyring local KR-1
OmniSecuR1(config-ikev2-profile)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To configure IKEv2 Profiles in OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 profile SITE1-PROFILE
OmniSecuR2(config-ikev2-profile)#match identity remote address 192.168.0.1 255.255.255.255
OmniSecuR2(config-ikev2-profile)#authentication local pre-share
OmniSecuR2(config-ikev2-profile)#authentication remote pre-share
OmniSecuR2(config-ikev2-profile)#keyring local KR-1
OmniSecuR2(config-ikev2-profile)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 8: Define Crypto Maps


Crypto Maps are used to connect all the pieces of the IPSec configuration together. A Crypto Map consists of one or more entries, each identified by a sequence number (10 below). An entry names the Crypto ACL, the Transform Set, the Remote Peer, the IKEv2 Profile, the lifetime of the data connections and so on. The ipsec-isakmp keyword is still used for IKEv2 on IOS; it is the set ikev2-profile line that makes the entry negotiate with IKEv2. set pfs group24 forces a fresh Diffie-Hellman exchange (Perfect Forward Secrecy) every time the Child SA is rekeyed, and set security-association lifetime seconds 3600 rekeys the Child SA every hour.

To define Crypto Map in OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto map CMAP-SITE2 10 ipsec-isakmp
OmniSecuR1(config-crypto-map)#set peer 192.168.0.2
OmniSecuR1(config-crypto-map)#set pfs group24
OmniSecuR1(config-crypto-map)#set security-association lifetime seconds 3600
OmniSecuR1(config-crypto-map)#set transform-set SITE2-TS
OmniSecuR1(config-crypto-map)#set ikev2-profile SITE2-PROFILE
OmniSecuR1(config-crypto-map)#match address SITE1-SITE2-CACL
OmniSecuR1(config-crypto-map)#exit
OmniSecuR1(config)#exit

To define Crypto Map in OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto map CMAP-SITE1 10 ipsec-isakmp
OmniSecuR2(config-crypto-map)#set peer 192.168.0.1
OmniSecuR2(config-crypto-map)#set pfs group24
OmniSecuR2(config-crypto-map)#set security-association lifetime seconds 3600
OmniSecuR2(config-crypto-map)#set transform-set SITE1-TS
OmniSecuR2(config-crypto-map)#set ikev2-profile SITE1-PROFILE
OmniSecuR2(config-crypto-map)#match address SITE2-SITE1-CACL
OmniSecuR2(config-crypto-map)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

Step 9: Activate Crypto Maps by applying the Crypto Map to Router's Interface
To apply Crypto Map to the WAN Interface on OmniSecuR1, use following commands.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface gi0/0
OmniSecuR1(config-if)#crypto map CMAP-SITE2
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

To apply Crypto Map to the WAN Interface on OmniSecuR2, use following commands.

OmniSecuR2#configure terminal
OmniSecuR2(config)#interface gi0/0
OmniSecuR2(config-if)#crypto map CMAP-SITE1
OmniSecuR2(config-if)#exit
OmniSecuR2(config)#exit
OmniSecuR2#

After configuring, send IP traffic from a device inside the Site-1 network to a device in the Site-2 network. The tunnel is built on demand: when either router sees traffic matching its Crypto ACL, it starts the IKEv2 IKE_SA_INIT and IKE_AUTH exchanges with its peer (IKEv2 has no Main mode; that is an IKEv1 term), and the Child SA that carries the ESP traffic is created in the same negotiation.
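Added example, not code from the original page: the configuration from Steps 1 to 9 for both routers collected in running-config form, followed by the IOS commands used to verify that the tunnel came up. Assumptions, also marked in the comments: the WAN interface is GigabitEthernet0/0 with a /24 mask (the page gives the interface but not the mask); the LAN addresses 172.16.0.1 and 172.17.0.1 used for the test ping are not on the page; the transform set uses esp-aes 256 (AES-256) rather than the page's esp-aes (AES-128) so the data plane matches the IKEv2 proposal; and prf sha512 is stated explicitly, which is what IOS would use anyway when prf is omitted.

```cisco
! ===== OmniSecuR1 (Site-1: WAN 192.168.0.1 on Gi0/0, LAN 172.16.0.0/16) =====
hostname OmniSecuR1
ip domain-name omnisecu.com
crypto ikev2 proposal PROP-SITE2
 encryption aes-cbc-256
 integrity sha512
 ! prf stated explicitly; the page omits it and IOS then uses the integrity algorithm
 prf sha512
 group 24
!
crypto ikev2 policy POL-SITE2
 proposal PROP-SITE2
!
crypto ikev2 keyring KR-1
 peer SITE-2
  address 192.168.0.2
  ! lab key from the page; use a long random key in production
  pre-shared-key OmniSecuDotCom
!
crypto ikev2 profile SITE2-PROFILE
 match identity remote address 192.168.0.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
!
! esp-aes 256 chosen so the data plane matches the IKE proposal (the page's Step 6 uses esp-aes = AES-128)
crypto ipsec transform-set SITE2-TS esp-aes 256 esp-sha512-hmac
!
ip access-list extended SITE1-SITE2-CACL
 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
!
crypto map CMAP-SITE2 10 ipsec-isakmp
 set peer 192.168.0.2
 set pfs group24
 set security-association lifetime seconds 3600
 set transform-set SITE2-TS
 set ikev2-profile SITE2-PROFILE
 match address SITE1-SITE2-CACL
!
interface GigabitEthernet0/0
 ! assumption: /24 mask on the WAN link (the page does not give the mask)
 ip address 192.168.0.1 255.255.255.0
 crypto map CMAP-SITE2
!
! ===== OmniSecuR2 (Site-2: WAN 192.168.0.2 on Gi0/0, LAN 172.17.0.0/16) =====
hostname OmniSecuR2
ip domain-name omnisecu.com
crypto ikev2 proposal PROP-SITE1
 encryption aes-cbc-256
 integrity sha512
 prf sha512
 group 24
!
crypto ikev2 policy POL-SITE1
 proposal PROP-SITE1
!
crypto ikev2 keyring KR-1
 peer SITE-1
  address 192.168.0.1
  pre-shared-key OmniSecuDotCom
!
crypto ikev2 profile SITE1-PROFILE
 match identity remote address 192.168.0.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
!
crypto ipsec transform-set SITE1-TS esp-aes 256 esp-sha512-hmac
!
! mirror image of SITE1-SITE2-CACL: source and destination swapped
ip access-list extended SITE2-SITE1-CACL
 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
crypto map CMAP-SITE1 10 ipsec-isakmp
 set peer 192.168.0.1
 set pfs group24
 set security-association lifetime seconds 3600
 set transform-set SITE1-TS
 set ikev2-profile SITE1-PROFILE
 match address SITE2-SITE1-CACL
!
interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 crypto map CMAP-SITE1
!
! ===== Verification on OmniSecuR1, after sending interesting traffic =====
! assumption: 172.16.0.1 and 172.17.0.1 are the routers' LAN addresses (not given on the page)
OmniSecuR1# ping 172.17.0.1 source 172.16.0.1
! IKE SA: expect one entry for 192.168.0.2 with Status READY
OmniSecuR1# show crypto ikev2 sa
! Child SA: expect the #pkts encaps/decaps counters to increase with each ping
OmniSecuR1# show crypto ipsec sa peer 192.168.0.2
! IKE and IPSec sessions together, with the negotiated transforms
OmniSecuR1# show crypto session detail
! if no SA appears, trace the exchange (turn it off afterwards with "undebug all")
OmniSecuR1# debug crypto ikev2
```

The first ping is expected to lose a packet or two while the IKE_SA_INIT and IKE_AUTH exchanges complete; once the IKEv2 SA shows READY and the encaps/decaps counters move on both routers, the tunnel is carrying the Site-1 to Site-2 traffic. If only one side's counters move, re-check that the two Crypto ACLs are exact mirror images and that the transform sets match.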

Jajish Thomas



Copyright 2008 - 2017 OmniSecu.com. All Rights Reserved