Site-to-Site FlexVPN Lab 1: static tunnel + pre-shared key

This is a translated version of my original post in Chinese. There are four labs in my site-to-site FlexVPN series, all built with CSR1000v on GNS3 (ref. Install CSR1000v on GNS3):

  1. Static tunnel + PSK
  2. Static tunnel + PKI
  3. Hub-to-spoke dynamic tunnel
  4. Spoke-to-spoke dynamic tunnel enabled by NHRP

Unlike traditional DMVPN, which uses IKEv1, FlexVPN uses Internet Key Exchange version 2 (IKEv2) as its key exchange protocol. IOS 15.2(1)T and later ships with Smart Defaults, which provide a default IKEv2 proposal and policy plus a default IPsec transform set and profile, so a minimal FlexVPN configuration only has to supply the keyring and the IKEv2 profile.

What follows is a quick refresher on IKEv1 and IKEv2.

IKEv1

The IKEv1 framework has two explicit phases: Phase 1 authenticates the IPsec peers and negotiates the IKE SA; Phase 2 negotiates the IPsec SAs.

Phase 1 can run in main mode or aggressive mode. Main mode needs more packet exchanges (six messages instead of three), but it is more secure because the peer identities are sent only after the Diffie-Hellman secret is in place and are therefore encrypted. In aggressive mode the identities travel in the clear and the PSK-derived hash is sent before any encryption exists, so a passive observer can capture it and run an offline dictionary attack against the pre-shared key. Phase 2 has a single mode, quick mode.

Because IKEv1 keeps the two phases separate, troubleshooting follows the same split: first verify that the IKE/ISAKMP SA has been negotiated, then verify that the IPsec SA has.

IKEv2

IKEv2 folds the IKE SA and IPsec SA negotiations together. Whoever designed the protocol noticed that everybody deploys IKE and IPsec in conjunction; nobody configures IPsec without configuring IKE. So why keep the phases separate and carry IKE and IPsec messages in different packets?

In IKEv2 a single exchange carries both the IKE SA and the first IPsec (Child) SA, so fewer packets are needed to bring up the tunnel. IKEv2 thus combines the advantages of main mode and aggressive mode: fewer packet exchanges and better security, since peer identities and authentication data are sent only inside the encrypted IKE_AUTH exchange. It also adds a stateless cookie challenge that a responder can demand before committing any state, which helps it survive floods of spoofed IKE_SA_INIT requests.

The IKEv2 framework consists of three exchanges: 1) IKE_SA_INIT; 2) IKE_AUTH; and 3) CREATE_CHILD_SA.

IKE_SA_INIT negotiates the cryptographic algorithms and performs the Diffie-Hellman exchange; the keys derived from it protect everything that follows. IKE_AUTH authenticates the peers and, in the same exchange, negotiates the first IPsec (Child) SA. In addition to the RSA signatures and PSK that IKEv1 supports, IKEv2 also supports EAP, which makes remote-user authentication easier. CREATE_CHILD_SA is the counterpart of IKEv1 Phase 2 (it creates additional Child SAs and rekeys existing ones) but needs only a single request/response pair.

The following diagram illustrates the IKEv1 vs. IKEv2 packet exchanges and phases.
[Diagram: 115936-understanding-ikev2-packet-exch-debug-01, IKEv1 vs. IKEv2 packet exchange]

(Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115936-understanding-ikev2-packet-exch-debug.html)

IKEv2 vs. IKEv1

In summary, IKEv2 offers better DoS resistance, faster tunnel establishment because fewer packets are exchanged, lower bandwidth usage, more authentication options (EAP), and so on.

Lab Introduction

This lab establishes a static site-to-site FlexVPN tunnel authenticated with a PSK. The lab topology is shown below; only HUB1 and SPOKE1 are used in this lab. HUB2 and SPOKE1-HOST are NOT required.

NTP on the routers points to an external NTP server.
[Diagram: FlexVPN_site lab topology]

Interface Configuration

CSR-HUB1
g3: 200.1.13.1/24
Tunnel 0: 10.1.13.1/24
MGMT: 192.168.1.91/24

CSR-SPOKE1
g3: 200.1.13.3/24
Tunnel0: 10.1.13.3/24
MGMT: 192.168.1.93/24

CSR-HUB1 Configuration

Step 1 – Configure the pre-shared key

The PSK must be identical on both peers. Cisco123 is a lab value only: IKEv2 sends the AUTH payload inside the encrypted IKE_AUTH exchange, but an attacker who can pose as the responder still obtains an offline-guessable AUTH payload from a legitimate initiator (RFC 7296, section 2.15), so use a long random key in production.

! configure a peer block and restrict it to the peer IP to enhance security
crypto ikev2 keyring mykeys
 peer SPOKE
  address 200.1.13.3
  pre-shared-key Cisco123

Step 2 – Configure the IKEv2 profile

crypto ikev2 profile FLEXVPN-Static
 ! restrict the accepted remote identity to the peer address to enhance security; it can also be configured as 'any'
 match identity remote address 200.1.13.3 255.255.255.255
 ! the remote peer must prove its identity to us with the pre-shared key
 authentication remote pre-share
 ! we prove our identity to the remote peer with the pre-shared key; the two methods may differ (for example remote pre-share, local rsa-sig)
 authentication local pre-share
 ! use the keyring defined in Step 1
 keyring local mykeys
 ! dead peer detection: after 60 seconds without inbound traffic, probe the peer when there is outbound traffic to send, retrying every 2 seconds
 dpd 60 2 on-demand

Step 3 – Reference the IKEv2 profile from an IPsec profile. The profile named default is created by Smart Defaults (it uses the default transform set); attaching the IKEv2 profile to it means that wherever this IPsec profile is applied to an interface, the IKEv2 profile governs the negotiation.

crypto ipsec profile default
 set ikev2-profile FLEXVPN-Static

Step 4 – Apply the IPsec profile to the tunnel interface so that its traffic is encrypted. No tunnel mode is set, so the tunnel is GRE over IPsec.

CSR-HUB1#show run interface tu 0

interface Tunnel0
 ip address 10.1.13.1 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.3
 tunnel protection ipsec profile default

CSR-SPOKE1 Configuration

The SPOKE1 configuration mirrors HUB1's, with the peer and tunnel addresses swapped according to the interface table above.
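Spelled out here as an added example (the page itself leaves it to the reader), the SPOKE1 side is the mirror image of HUB1: same keyring name, same PSK, same IKEv2 and IPsec profile names, with the peer address 200.1.13.1 and the tunnel address 10.1.13.3 taken from the interface table. The keyring peer name HUB is my own choice; everything else follows the HUB1 configuration.

```cisco
! CSR-SPOKE1: mirror of the HUB1 configuration (added example; the peer name HUB is an assumption)
crypto ikev2 keyring mykeys
 peer HUB
  address 200.1.13.1
  pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN-Static
 ! accept only HUB1 as the remote identity
 match identity remote address 200.1.13.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local mykeys
 dpd 60 2 on-demand
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN-Static
!
interface Tunnel0
 ip address 10.1.13.3 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.1
 tunnel protection ipsec profile default
```

Because both routers match the remote identity on its address, each side accepts only the one configured peer. If either tunnel source sits behind NAT, the IKEv2 identity presented will be the pre-NAT address and this match will fail; in that case the profile has to match on a different identity type (fqdn or key-id) instead.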

Verification

On each router, check that the IKEv2 SA is READY, that the inbound and outbound ESP SAs are ACTIVE with the encaps/decaps counters increasing, and that the crypto session reports UP-ACTIVE:

CSR-SPOKE1#show crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.13.3/500       200.1.13.1/500       none/none           READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1792 sec
CE id: 1561, Session-id: 1
Status Description: Negotiation done
Local spi: 4A27CEEEEB3E4CA7       Remote spi: E83A70F5492CE2C7
Local id: 200.1.13.3
Remote id: 200.1.13.1
Local req msg id: 3             Remote req msg id: 1
Local next msg id: 3             Remote next msg id: 1
Local req queued: 3             Remote req queued: 1
Local window:     5             Remote window:     5
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA

CSR-SPOKE1#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3
protected vrf: (none)
 local ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)
current_peer 200.1.13.1 port 500
PERMIT, flags={origin_is_acl,}
   #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
   #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.13.3, remote crypto endpt.: 200.1.13.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0xC7C8CD12(3351825682)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1405901D(335908893)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607999/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC7C8CD12(3351825682)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607999/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:

CSR-HUB1#show crypto session

Crypto session current status
Interface: Tunnel0
Profile: FLEXVPN-Static
Session status: UP-ACTIVE
Peer: 200.1.13.3 port 500
Session ID: 288
IKEv2 SA: local 200.1.13.1/500 remote 200.1.13.3/500 Active
IPSEC FLOW: permit 47 host 200.1.13.1 host 200.1.13.3
Active SAs: 2, origin: crypto map

CSR-HUB1#show ip int br

Interface             IP-Address     OK? Method Status                Protocol
GigabitEthernet1       192.168.1.91   YES manual up                   up
GigabitEthernet2       unassigned     YES NVRAM administratively down down
GigabitEthernet3       200.1.13.1     YES manual up                   up
GigabitEthernet4       unassigned     YES NVRAM administratively down down
Tunnel0               10.1.13.1       YES manual up                   up
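A few things are worth reading out of the output above. The IKEv2 SA negotiated AES-CBC-256 with SHA-512 but DH group 5 (1536-bit MODP), and the ESP SAs use esp-aes esp-sha-hmac, i.e. AES-128-CBC with HMAC-SHA1-96, in transport mode with no PFS. Those are simply the Smart Default values on this CSR1000v image; group 5 and SHA-1 are below current guidance. The configuration below, added here as an example and not part of the original lab, replaces the defaults with an explicit IKEv2 proposal/policy and IPsec transform set. The names PROP-AES256GCM, POL-FLEX, TS-GCM and FLEXVPN-PSK are my own; the IKEv2 profile FLEXVPN-Static is the one from Step 2. It must be applied identically on both routers.

```cisco
! Explicit IKEv2 proposal: AES-256-GCM is AEAD, so no separate integrity algorithm is configured;
! a PRF is still required. Group 19 is ECDH over P-256. (Added example; names are assumptions.)
crypto ikev2 proposal PROP-AES256GCM
 encryption aes-gcm-256
 prf sha512
 group 19
!
! A user-defined policy is what actually offers the new proposal.
crypto ikev2 policy POL-FLEX
 proposal PROP-AES256GCM
!
! Disable the Smart Default proposal and policy so the group-5 / SHA-1 choices are never offered.
no crypto ikev2 proposal default
no crypto ikev2 policy default
!
! ESP with AES-256-GCM. Transport mode is enough because GRE already supplies the outer IP header.
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode transport
!
! New IPsec profile bound to the existing IKEv2 profile, with PFS on the Child SA rekeys as well.
crypto ipsec profile FLEXVPN-PSK
 set transform-set TS-GCM
 set pfs group19
 set ikev2-profile FLEXVPN-Static
!
! Re-point the tunnel at the new IPsec profile (replaces 'tunnel protection ipsec profile default').
interface Tunnel0
 tunnel protection ipsec profile FLEXVPN-PSK
```

After applying this on both routers, the same three show commands should report the new algorithms: the IKEv2 SA line shows the GCM encryption and group 19, the ESP SAs show esp-gcm, and PFS reads Y. Because the proposal and transform set have to match on both sides, change the spoke and the hub in the same maintenance window; until both are changed, the tunnel will stay down and show crypto ikev2 sa will show no READY entry.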