BUILDING FLEX VPN USING SMART DEFAULT CONFIGURATION
Internet Key Exchange Version 2 (IKEv2) is the next-generation key management protocol. Cisco provides its IKEv2 implementation on IOS through FlexVPN. Cisco FlexVPN on an IOS router includes smart default features that help administrators minimize configuration length and time. This document illustrates the Cisco FlexVPN smart defaults and how to build a basic site-to-site VPN using them. For a full-blown IKEv2 configuration, Cisco IOS 15.2(3)T or later is required and recommended.
PREVIEWING FLEX VPN SMART DEFAULT CONFIGURATION
Using the show commands below, administrators can preview the FlexVPN smart default values.
R1#sh crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
R1#sh crypto ikev2 policy default
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
R1#sh crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1
R1#sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac }
will negotiate = { Transport, },
R1#sh crypto ipsec profile default
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
R1#sh run all | s crypto
crypto ikev2 authorization policy default
route set interface
route accept any
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 5 2
crypto ikev2 policy default
match fvrf any
proposal default
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode transport
crypto ipsec profile default
set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 3600
no set security-association idle-time
no set security-association replay window-size
MODIFYING FLEX VPN SMART DEFAULT CONFIGURATION
IKEv2 smart defaults can be modified for a specific environment, though this is not recommended. Using the commands below from global configuration mode on Cisco IOS, the default values can be modified.
NGVPNROUTER(config)#crypto ikev2 proposal default
NGVPNROUTER(config)#crypto ikev2 policy default
NGVPNROUTER(config)#crypto ikev2 authorization policy default
NGVPNROUTER(config)#crypto ipsec transform-set default
NGVPNROUTER(config)#crypto ipsec profile default
Example:
NGVPNROUTER(config)#crypto ikev2 proposal default
%Warning: This will Modify Default IKEv2 Proposal. Exit if you don't want
NGVPNROUTER(config-ikev2-proposal)#integrity md5
NGVPNROUTER(config-ikev2-proposal)#group 16
Verifying the modification:
NGVPNROUTER#sh crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : MD5
PRF : MD5
DH Group : DH_GROUP_4096_MODP/Group 16
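The smart-default proposal previewed above and the modified one just verified both still offer transforms a reviewer would not want on a new tunnel (MD5 and SHA-1 based integrity/PRF, 1024- and 1536-bit MODP groups). The following Python script is an added example, not code from the page or from Cisco: it parses "show crypto ikev2 proposal" output and lists the transforms that fail a review policy. The weak-algorithm lists are this example's own assumption, and the two sample outputs are constructed from the output shown on this page.

```python
import re

# Constructed sample: the smart-default proposal as printed by
# "show crypto ikev2 proposal default" earlier on this page.
DEFAULT_PROPOSAL = """\
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

# Constructed sample: the proposal after the "integrity md5" / "group 16" change.
MODIFIED_PROPOSAL = """\
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : MD5
PRF : MD5
DH Group : DH_GROUP_4096_MODP/Group 16
"""

# Review policy (an assumption of this example, not a Cisco list): flag
# MD5- and SHA-1-based transforms and MODP groups of 1536 bits or less.
WEAK_TRANSFORMS = {
    "Encryption": {"DES", "3DES"},
    "Integrity": {"MD5", "MD596", "SHA1", "SHA96"},
    "PRF": {"MD5", "SHA1"},
}
WEAK_DH_GROUPS = {1, 2, 5}   # 768-, 1024- and 1536-bit MODP


def parse_proposal(text):
    """Parse 'show crypto ikev2 proposal' output into a dict of transform lists."""
    proposal = {"name": None, "Encryption": [], "Integrity": [], "PRF": [], "DH Group": []}
    for raw in text.splitlines():
        line = raw.strip()
        name = re.match(r"IKEv2 proposal:\s*(\S+)", line)
        if name:
            proposal["name"] = name.group(1)
            continue
        field = re.match(r"(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*)", line)
        if not field:
            continue
        key, value = field.group(1), field.group(2)
        if key == "DH Group":
            # Entries look like "DH_GROUP_1536_MODP/Group 5"; keep the group number.
            proposal[key] = [int(g) for g in re.findall(r"/Group\s+(\d+)", value)]
        else:
            proposal[key] = value.split()
    return proposal


def audit_proposal(text):
    """Return sorted (category, transform) pairs that fail the review policy."""
    proposal = parse_proposal(text)
    findings = []
    for category, weak in WEAK_TRANSFORMS.items():
        findings.extend((category, alg) for alg in proposal[category] if alg in weak)
    findings.extend(("DH Group", f"Group {g}") for g in proposal["DH Group"]
                    if g in WEAK_DH_GROUPS)
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("smart default", DEFAULT_PROPOSAL), ("modified", MODIFIED_PROPOSAL)):
        print(f"{label}: {audit_proposal(text) or 'no weak transforms offered'}")
```

Run against the smart default, the audit reports SHA96, MD596, SHA1, MD5 and groups 2 and 5; against the modified proposal it reports only the MD5 integrity and PRF choices, which shows that the "group 16" change removed the weak DH groups but the "integrity md5" change left the proposal weaker than the default.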
RESTORING FLEX VPN SMART DEFAULT CONFIGURATION
Using the commands below, any modified smart default configuration can be restored to its initial smart default values.
NGVPNROUTER(config)# default crypto ikev2 proposal
NGVPNROUTER(config)# default crypto ikev2 policy
NGVPNROUTER(config)# default crypto ikev2 authorization policy
NGVPNROUTER(config)# default crypto ipsec transform-set
NGVPNROUTER(config)# default crypto ipsec profile
Example:
NGVPNROUTER(config)#default crypto ikev2 proposal
Verifying restoration:
NGVPNROUTER#sh crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
DISABLING FLEX VPN SMART DEFAULT CONFIGURATION
The IKEv2 smart default configuration can also be disabled for a specific environment, though this is not recommended. Using the commands below from global configuration mode on Cisco IOS, the defaults can be disabled.
NGVPNROUTER(config)# no crypto ikev2 proposal default
NGVPNROUTER(config)# no crypto ikev2 policy default
NGVPNROUTER(config)# no crypto ikev2 authorization policy default
NGVPNROUTER(config)# no crypto ipsec transform-set default
NGVPNROUTER(config)# no crypto ipsec profile default
EXAMPLE:
NGVPNROUTER(config)#no crypto ikev2 proposal default
SITE-TO-SITE VPN USING FLEX VPN SMART DEFAULT CONFIGURATION (PKI AUTH)
The configuration below shows a site-to-site VPN built with the FlexVPN smart default configuration and PKI authentication. We assume a valid route to the remote public IP exists on both R1 and R2, and that a valid trustpoint called "GoryealCA" exists on both R1 and R2.
Please note that for an IKEv2 profile you MUST specify either a "match identity remote address" or a "match certificate" statement. To use a "match certificate" statement, you must configure a certificate map. Also, unlike IKEv1, IKEv2 does not fall back to the default trustpoint configured globally; you must explicitly specify the trustpoint under the crypto ikev2 profile.
For the creation of a site-to-site VPN using the smart default configuration, ONLY the following steps are required:
1. Create and configure a crypto ikev2 profile called default
2. Create and configure a tunnel interface
3. Create a static route to the remote site's local subnet via the tunnel
R1 CONFIGURATION
!
crypto ikev2 profile default
match identity remote address 10.10.10.2 255.255.255.255
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint GoryealCA
!
interface Tunnel10
ip address 200.200.200.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 10.10.10.2
tunnel protection ipsec profile default
!
ip route 2.2.2.2 255.255.255.255 Tunnel10
!
interface Ethernet0/0
ip address 100.100.100.2 255.255.255.0
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
R2 CONFIGURATION
!
crypto ikev2 profile default
match identity remote address 100.100.100.2 255.255.255.255
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint GoryealCA
!
interface Tunnel10
ip address 200.200.200.2 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 100.100.100.2
tunnel protection ipsec profile default
!
ip route 1.1.1.1 255.255.255.255 Tunnel10
!
interface Ethernet0/0
ip address 10.10.10.2 255.255.255.0
!
interface Loopback1
ip address 2.2.2.2 255.255.255.0
!
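The two rules stated before the configurations (an IKEv2 profile needs a "match identity remote" or "match certificate" statement, and rsa-sig authentication needs an explicit "pki trustpoint" because IKEv2 does not fall back to the global default) are easy to miss when the profile is typed by hand, and a missing one only surfaces when the tunnel fails to come up. The Python lint below is an added example, not code from the page or from Cisco: it splits a running-config into blocks and checks every crypto ikev2 profile against those rules, plus whether any tunnel interface actually carries "tunnel protection". The R1 sample is the configuration shown above, indented as IOS prints it; the "broken" sample is constructed to violate both rules.

```python
import re

# Constructed sample: the R1 configuration from this page (indented as IOS prints it).
R1_CONFIG = """\
!
crypto ikev2 profile default
 match identity remote address 10.10.10.2 255.255.255.255
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint GoryealCA
!
interface Tunnel10
 ip address 200.200.200.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile default
!
"""

# Constructed sample of a profile that violates both rules from the note above:
# rsa-sig without a trustpoint, and no match statement at all.
BROKEN_CONFIG = """\
crypto ikev2 profile default
 authentication remote rsa-sig
 authentication local rsa-sig
!
interface Tunnel10
 tunnel source Ethernet0/0
 tunnel protection ipsec profile default
!
"""


def parse_blocks(config):
    """Split a running-config into (header, [sub-commands]) blocks; '!' ends a block."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            if header:
                blocks.append((header, body))
            header, body = None, []
        elif line.startswith((" ", "\t")):
            body.append(line.strip())
        else:
            if header:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header:
        blocks.append((header, body))
    return blocks


def lint_ikev2_profiles(config):
    """Return a list of findings; an empty list means the profile/tunnel checks pass."""
    findings = []
    profiles = {}
    protected_tunnels = []
    for header, body in parse_blocks(config):
        prof = re.match(r"crypto ikev2 profile (\S+)", header)
        if prof:
            profiles[prof.group(1)] = body
        elif header.startswith("interface Tunnel") and any(
                cmd.startswith("tunnel protection ipsec profile") for cmd in body):
            protected_tunnels.append(header.split()[1])
    if not profiles:
        findings.append("no crypto ikev2 profile configured")
    for name, body in profiles.items():
        if not any(cmd.startswith(("match identity remote", "match certificate")) for cmd in body):
            findings.append(f"profile {name}: needs 'match identity remote ...' "
                            "or 'match certificate ...'")
        uses_rsa_sig = any(cmd.startswith("authentication") and cmd.endswith("rsa-sig")
                           for cmd in body)
        if uses_rsa_sig and not any(cmd.startswith("pki trustpoint") for cmd in body):
            findings.append(f"profile {name}: rsa-sig authentication but no 'pki trustpoint' "
                            "(IKEv2 does not fall back to the global default trustpoint)")
    if not protected_tunnels:
        findings.append("no tunnel interface carries 'tunnel protection ipsec profile'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R1", R1_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_ikev2_profiles(cfg) or ["OK"])
```

Feed it the output of "show running-config" (the blocks that do not start with "crypto ikev2 profile" or "interface Tunnel" are simply ignored). The R1 sample passes cleanly; the broken sample produces one finding per missing statement.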
TUNNEL ESTABLISHMENT VERIFICATION
R2#ping 1.1.1.1 repeat 200 source loopback1
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 1/4/20 ms
R2#sh cry session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel10
Uptime: 00:10:26
Session status: UP-ACTIVE
Peer: 100.100.100.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 100.100.100.2
Desc: (none)
IKEv2 SA: local 10.10.10.2/500 remote 100.100.100.2/500 Active
Capabilities:(none) connid:1 lifetime:23:49:34
IPSEC FLOW: permit 47 host 10.10.10.2 host 100.100.100.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 200 drop 0 life (KB/Sec) 4248818/2973
Outbound: #pkts enc'ed 200 drop 0 life (KB/Sec) 4248818/2973
R1# sh cry session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel10
Uptime: 00:10:43
Session status: UP-ACTIVE
Peer: 10.10.10.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.10.10.2
Desc: (none)
IKEv2 SA: local 100.100.100.2/500 remote 10.10.10.2/500 Active
Capabilities:(none) connid:1 lifetime:23:49:17
IPSEC FLOW: permit 47 host 100.100.100.2 host 10.10.10.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 200 drop 0 life (KB/Sec) 4227505/2956
Outbound: #pkts enc'ed 200 drop 0 life (KB/Sec) 4227505/2956
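Reading "show crypto session detail" by eye works for one tunnel; for a fleet, the same fields (session status, IKE version, peer, SA count, per-direction packet and drop counters) are what a monitoring job should check. The Python script below is an added example, not code from the page or from Cisco: it parses that output into a dict and returns a list of problems, empty when the tunnel is UP-ACTIVE over IKEv2 to the expected peer with traffic in both directions and no drops. The R2 sample is the output shown above; the DOWN-NEGOTIATING sample is constructed to show the failure path.

```python
import re

# Constructed sample: the R2 "show crypto session detail" output from this page.
R2_SESSION = """\
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel10
Uptime: 00:10:26
Session status: UP-ACTIVE
Peer: 100.100.100.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 100.100.100.2
Desc: (none)
IKEv2 SA: local 10.10.10.2/500 remote 100.100.100.2/500 Active
Capabilities:(none) connid:1 lifetime:23:49:34
IPSEC FLOW: permit 47 host 10.10.10.2 host 100.100.100.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 200 drop 0 life (KB/Sec) 4248818/2973
Outbound: #pkts enc'ed 200 drop 0 life (KB/Sec) 4248818/2973
"""

# Constructed sample (not from the page) of a session still negotiating:
# no IKEv2 SA line and no traffic counters yet.
DOWN_SESSION = """\
Crypto session current status
Interface: Tunnel10
Session status: DOWN-NEGOTIATING
Peer: 100.100.100.2 port 500 fvrf: (none) ivrf: (none)
IPSEC FLOW: permit 47 host 10.10.10.2 host 100.100.100.2
Active SAs: 0, origin: crypto map
"""

# One anchored regex per scalar field; group 1 is the value.
PATTERNS = {
    "interface": r"Interface:\s*(\S+)",
    "status": r"Session status:\s*(\S+)",
    "peer": r"Peer:\s*(\S+)\s+port\s+\d+",
    "ike_version": r"(IKEv\d) SA: local \S+ remote \S+ \S+",
    "active_sas": r"Active SAs:\s*(\d+)",
}
COUNTER = re.compile(
    r"(Inbound|Outbound): #pkts (?:dec|enc)'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)")


def parse_crypto_session(text):
    """Reduce 'show crypto session detail' to the fields a health check needs."""
    session = {key: None for key in PATTERNS}
    session.update({"inbound": None, "outbound": None})
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                session[key] = int(m.group(1)) if key == "active_sas" else m.group(1)
        m = COUNTER.match(line)
        if m:
            session[m.group(1).lower()] = {
                "pkts": int(m.group(2)), "drop": int(m.group(3)),
                "life_kb": int(m.group(4)), "life_sec": int(m.group(5)),
            }
    return session


def tunnel_problems(text, expected_peer):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    s = parse_crypto_session(text)
    problems = []
    if s["status"] != "UP-ACTIVE":
        problems.append(f"session status is {s['status']}")
    if s["ike_version"] != "IKEv2":
        problems.append(f"expected an IKEv2 SA, found {s['ike_version']}")
    if s["peer"] != expected_peer:
        problems.append(f"peer {s['peer']} does not match expected {expected_peer}")
    if s["active_sas"] != 2:   # one inbound plus one outbound IPsec SA
        problems.append(f"expected 2 active IPsec SAs, found {s['active_sas']}")
    for direction in ("inbound", "outbound"):
        counters = s[direction]
        if counters is None or counters["pkts"] == 0:
            problems.append(f"no {direction} traffic seen")
        elif counters["drop"] > 0:
            problems.append(f"{counters['drop']} {direction} drops")
    return problems


if __name__ == "__main__":
    print("R2:", tunnel_problems(R2_SESSION, "100.100.100.2") or "healthy")
    print("down:", tunnel_problems(DOWN_SESSION, "100.100.100.2"))
```

Checking the peer address against the expected value is deliberate: a session that is UP-ACTIVE to the wrong peer is a misconfiguration, not a healthy tunnel, and the IKE version check catches a peer that silently negotiated IKEv1 through a legacy policy.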
R1 DEBUG
R1#sh debug
IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on
IKEv2 packet debugging is on
Cryptographic Subsystem:
Crypto IPSEC debugging is on
Dec 15 20:16:02.914: IKEv2:Received Packet [From 10.10.10.2:500/To 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Dec 15 20:16:02.914: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 496
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 144
last proposal: 0x0, reserved: 0x0, length: 140
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 24
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Verify SA init message
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Insert SA
Dec 15 20:16:02.914: IKEv2:Searching Policy with fvrf 0, local address 100.100.100.2
Dec 15 20:16:02.914: IKEv2:Using the Default Policy for Proposal
Dec 15 20:16:02.914: IKEv2:Found Policy 'default'
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool' 'GoryealCA'
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Request queued for computation of DH key
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Request queued for computation of DH secret
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Dec 15 20:16:02.924: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool' 'GoryealCA'
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Sending Packet [To 10.10.10.2:500/From 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 533
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 24
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 125
Cert encoding Hash and URL of PKIX
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Completed SA init exchange
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Received Packet [From 10.10.10.2:500/To 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 1392
Payload contents:
VID Next payload: IDi, reserved: 0x0, length: 20
IDi Next payload: CERT, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
CERT Next payload: CERTREQ, reserved: 0x0, length: 525
Cert encoding X.509 Certificate - signature
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 125
Cert encoding Hash and URL of PKIX