Dynamic Virtual Tunnel Interface IPsec VPN.

Posted: Sunday, August 24, 2014 by Mahmoud Ramadan Ali in Labels:
0

Manually configuring site to site VPN using static virtual tunnel interfaces (VTI) can become out of control as the number of remote sites grows. If you want to set up full mesh connectivity you have to create static VTI interfaces on each peer to all the other peers in you network which is considered to be a big hassle that will cost you time and administrative overhead.

On the other hand, Dynamic VTI - AKA virtual access interfaces - comes as an easy way to connect to multiple VPN peers without the need of adding static VTI interfaces manually pointing to each peer. Using a virtual template on the hub you can dynamically generate virtual tunnel interfaces as needed to reach the VPN peers.

Another important aspect that you should be aware of if you decided to use DVTI VPN is that no directed spoke to spoke communication is possible in such environment simply because DVTI VPN does not use any kind of next hop resolution to reach the remote spokes so spokes cannot talk to each other without passing through the hub.

“In this scenario I will illustrate how to configure DVTI VPN on R1 as a hub to allow spoke to spoke communication between R2 and R3 "

DVTI VPN Hub Configuration: 
IPsec Protection Configuration.
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication and Diffie-Hellman group to negotiate a security association with the VPN peers during the control channel setup.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)# encr aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5           

Key Ring Configuration.
-Create a key ring on the hub holding the pre shared keys to authenticate the spokes.
-Identify each peer with its public IP address and associate it with its key.
R1(config)#crypto keyring DVTI-VPN-KEYS
R1(conf-keyring)#  pre-shared-key address 192.168.1.2 key R2-KEY
R1(conf-keyring)#  pre-shared-key address 192.168.1.3 key R3-KEY          

ISAKMP Profile Configuration.
-The ISAKMP profile will authenticate the peers defined with the match statement against the key ring configured and will generate a virtual access interface from the virtual template defined if the peer has been authenticated successfully.
R1(config)#crypto isakmp profile ISAKMP-PROFILE
R1(conf-isa-prof)#   keyring DVTI-VPN-KEYS
R1(conf-isa-prof)#   match identity address 192.168.1.2 255.255.255.255
R1(conf-isa-prof)#   match identity address 192.168.1.3 255.255.255.255
R1(conf-isa-prof)#   virtual-template 1

IKE Phase Two / IPsec Configuration.
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Include the transform set into an IPsec profile as a prerequisite to apply it to the DVTI template as a protection profile.
R1(config)#crypto ipsec transform-set IPSEC-TS esp-aes
R1(cfg-crypto-trans)#crypto ipsec profile IPSEC-PROFILE
R1(ipsec-profile)# set transform-set IPSEC-TS 

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer and create a loopback interface to barrow its IP address by the tunnel interface. Using a loopback interface will result in independency on a specific physical interface.
R1(config-if)# interface loopback 1
R1(config-if)# ip address 192.168.20.1 255.255.255.255
R1(config-if)#interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shut         

Dynamic Virtual Tunnel Interface (DVTI) template Configuration.
-Instead of creating two static tunnel interfaces to each peer, you need to configure a dynamic VTI template to generate the VTI dynamically from the template as virtual access interfaces.
-Set the tunnel unnumbered interface and the protocol version (IPV4/IPV6) and the IPsec protection profile.
Notice: We did not specify the tunnel source because the template will generate it dynamically as virtual access interfaces.
R1(config)#interface Virtual-Template1 type tunnel
R1(config-if)# ip unnumbered Loopback1
R1(config-if)# tunnel mode ipsec ipv4
R1(config-if)# tunnel protection ipsec profile IPSEC-PROFILE

Spoke One Configuration.
IPsec Protection Configuration.
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication and Diffie-Hellman group to negotiate a security association with the VPN peer during the control channel setup.
-Configure the spoke key to match the key configured on the hub.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)# encr aes
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 5
R2(config-isakmp)#crypto isakmp key R2-KEY address 192.168.1.1

IKE Phase Two / IPsec Configuration.
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Include the transform set into an IPsec profile as a prerequisite to apply it to the VTI tunnel interface as a protection profile.
R2(config)#crypto ipsec transform-set IPSEC-TS esp-aes
R2(cfg-crypto-trans)#crypto ipsec profile IPSEC-PROFILE
R2(ipsec-profile)# set transform-set IPSEC-TS

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer and create a loopback interface to barrow its IP address by the tunnel interface.
R2(config)#interface Loopback2
R2(config-if)# ip address 192.168.20.2 255.255.255.255
R2(config-if)#interface FastEthernet0/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shut

Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer and the tunnel destination will be the public interface on the peer.
-Set the tunnel mode to IPsec IP Version 4 to enable IPsec protection using IP version 4 and apply the IPsec protection profile to the VTI tunnel interface.
R2(config-if)#interface Tunnel2
R2(config-if)# ip unnumbered Loopback2
R2(config-if)# tunnel source FastEthernet0/0
R2(config-if)# tunnel destination 192.168.1.1
R2(config-if)# tunnel mode ipsec ipv4
R2(config-if)# tunnel protection ipsec profile IPSEC-PROFILE

Spoke Two Configuration.
IPsec Protection Configuration.
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication and Diffie-Hellman group to negotiate a security association with the VPN peer during the control channel setup.
-Configure the spoke key to match the key configured on the hub.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)# encr aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)#crypto isakmp key R3-KEY address 192.168.1.1

IKE Phase Two / IPsec Configuration.
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Include the transform set into an IPsec profile as a prerequisite to apply it to the VTI tunnel interface as a protection profile.
R3(config)#crypto ipsec transform-set IPSEC-TS esp-aes
R3(cfg-crypto-trans)#crypto ipsec profile IPSEC-PROFILE
R3(ipsec-profile)# set transform-set IPSEC-TS

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer and create a loopback interface to barrow its IP address by the tunnel interface.
R3(config)#interface Loopback3
R3(config-if)# ip address 192.168.20.3 255.255.255.255
R3(config-if)#interface FastEthernet0/0
R3(config-if)# ip address 192.168.1.3 255.255.255.0
R3(config-if)#no shut

Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer and the tunnel destination will be the public interface on the peer.
-Set the tunnel mode to IPsec IP Version 4 to enable IPsec protection using IP version 4 and apply the IPsec protection profile to the VTI tunnel interface.
R3(config-if)# ip unnumbered Loopback2
R3(config-if)# tunnel source FastEthernet0/0
R3(config-if)# tunnel destination 192.168.1.1
R3(config-if)# tunnel mode ipsec ipv4
R3(config-if)# tunnel protection ipsec profile IPSEC-PROFILE

Verification:
Verify the Virtual access interfaces.
-Use the “show ip interface brief“to verify that the dynamic VTI template generated virtual access interfaces to reach the VPN spokes also notice that the IP address of the virtual access interfaces will be the IP address of the unnumbered interface configured in the virtual template configuration mode.
R1#sh ip int brief
Interface                          IP-Address      OK? Method     Status                Protocol
FastEthernet0/0            192.168.1.1       YES NVRAM   up                       up
Virtual-Template1          192.168.20.1    YES TFTP        down                 down
Virtual-Access1               192.168.20.1    YES TFTP        up                      up
Virtual-Access2               192.168.20.1    YES TFTP       up                      up
Loopback1                        192.168.20.1    YES NVRAM  up                      up

Verify the IKE phase one SA.
-The DVTI hub will establish two IKE phase one channels with a single bidirectional security association (SA) channel.
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                    src                   state                     conn-id slot status
192.168.1.1     192.168.1.3     QM_IDLE           1002      0   ACTIVE
192.168.1.1     192.168.1.2     QM_IDLE           1001      0   ACTIVE

IPv6 Crypto ISAKMP SA

Verify the IKE phase two SA.
-Use the “sh crypto engine connections active” command to show all the active security associations including IKE phase one and two security associations in addition to the VPN encrypted/decrypted traffic. You should see two IKE phase one security associations since we have only two spokes and four IPsec security associations or two bidirectional pairs of security associations to and from each spoke.
R1#sh crypto engine connections active
Crypto Engine Connections
   ID   Interface  Type  Algorithm           Encrypt  Decrypt   IP-Address
    1     Fa0/0       IPsec AES                              0        0             192.168.1.1
    2    Fa0/0       IPsec AES                              0        0              192.168.1.1
    3    Fa0/0       IPsec AES                              0        0              192.168.1.1
    4    Fa0/0       IPsec AES                              0        0              192.168.1.1
 1001 Fa0/0       IKE   SHA+AES                   0        0              192.168.1.1
 1002Fa0/0       IKE   SHA+AES                   0        0              192.168.1.1