IPsec Site to Site VPN Using VTI.

Posted: Thursday, August 14, 2014 by Mahmoud Ramadan Ali in Labels:

The best way to understand a VTI-based site-to-site VPN is to compare it with the classic site-to-site IPsec VPN built on crypto maps. Much like the classic crypto-map VPN that we all know and love, it uses IKE phase one as the control channel and IKE phase two (IPsec) as the data channel; the difference is that there is no crypto ACL defining which traffic to encrypt.

Instead, you set up a tunnel interface on each peer to connect the two sites over a virtual tunnel and apply an IPsec profile to each tunnel interface. Any traffic routed out of, or arriving on, the tunnel interface is then encrypted or decrypted according to the security policy defined in that IPsec profile, with no crypto ACL involved.

In this scenario I will illustrate how to configure a VTI-based site-to-site VPN between R1 and R2. You can also download the configuration files from here.

R1 Configuration: 
IPsec Protection Configuration.
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication method and Diffie-Hellman group used to negotiate a security association with the VPN peer during the control channel setup.
-Configure the IKE phase one pre-shared key used to authenticate R1 to R2. The key must match the one configured on R2, otherwise the phase 1 security association will not be established.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#crypto isakmp key CISCO address 192.168.1.2

IKE Phase Two / IPsec Configuration.
-Configure a transform set that defines the security parameters (the ESP algorithms) negotiated for the security association used for data encryption and integrity during IKE phase 2 / the IPsec phase.
-Reference the transform set from an IPsec profile; the profile is what gets applied to the VTI tunnel interface as its protection profile.
R1(config)#crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes
R1(cfg-crypto-trans)#crypto ipsec profile IPSEC-PROFILE
R1(ipsec-profile)#set transform-set IPSEC-TRANSFORM-SET

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to reach the VPN peer, and create a loopback interface whose IP address the tunnel interface will borrow. Borrowing the address from a loopback makes the tunnel independent of any specific physical interface.
R1(config-if)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config)#interface Loopback1
R1(config-if)#ip address 1.1.1.1 255.255.255.0

Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the ip unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to reach the VPN peer; the tunnel destination is the address of the public interface on that peer.
-Set the tunnel mode to ipsec ipv4 to enable IPsec protection over IPv4 and apply the IPsec protection profile to the VTI tunnel interface.
R1(config-if)#interface Tunnel0
R1(config-if)#ip unnumbered Loopback1
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel destination 192.168.1.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSEC-PROFILE

R2 Configuration:
R2's configuration is virtually identical to R1's, especially the IKE phase 1 and phase 2 configuration.
IPsec Protection Configuration.
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication method and Diffie-Hellman group used to negotiate a security association with the VPN peer during the control channel setup.
-Configure the IKE phase one pre-shared key used to authenticate R2 to R1. Again, the key must match the one configured on R1, otherwise the phase 1 security association will not be established.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encr aes
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#crypto isakmp key CISCO address 192.168.1.1 no-xauth

IKE Phase Two / IPsec Configuration. 
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Include the transform set into an IPsec profile as a prerequisite to apply it to the VTI tunnel interface as a protection profile.
R2(config)#crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes
R2(cfg-crypto-trans)#crypto ipsec profile IPSEC-PROFILE
R2(ipsec-profile)#set transform-set IPSEC-TRANSFORM-SET

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to reach the VPN peer, and create a loopback interface whose IP address the tunnel interface will borrow.
R2(config-if)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shut
R2(ipsec-profile)#interface Loopback2
R2(config-if)#ip address 2.2.2.2 255.255.255.0

Virtual Tunnel Interface (VTI) Configuration. 
-Assign the IP address of the loopback interface to the VTI tunnel interface using the unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer and the tunnel destination will be the public interface on the peer.
-Set the tunnel mode to IPsec IP Version 4 to enable IPsec protection using IP version 4 and apply the IPsec protection profile to the VTI tunnel interface.
R2(config-if)#interface Tunnel0
R2(config-if)#ip unnumbered Loopback2
R2(config-if)#tunnel source FastEthernet0/0
R2(config-if)#tunnel destination 192.168.1.1
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
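The R1 and R2 sections above repeatedly say that the two peers must mirror each other: each tunnel destination must be the other's public address, a pre-shared key must exist for that address and match the peer's, and the transform sets must agree. The following Python is an added example (not from the post, and not Cisco code) that cross-checks the two configurations for exactly those relationships. It also flags that the transform set on this page is esp-aes alone, i.e. ESP encryption with no integrity algorithm, and names esp-sha-hmac as the usual addition. The configuration strings are constructed from the post's own CLI lines; the function names are mine.

```python
import re

# Constructed input: the lines of the R1 and R2 configurations from the post that must mirror.
R1_CONFIG = """
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
crypto isakmp key CISCO address 192.168.1.2
crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel mode ipsec ipv4
"""

R2_CONFIG = """
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
crypto isakmp key CISCO address 192.168.1.1 no-xauth
crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
"""


def parse_peer(config):
    """Extract interface addresses, tunnel endpoints, IKE pre-shared keys and transform sets."""
    peer = {"interfaces": {}, "keys": {}, "transforms": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            peer["interfaces"][current] = {}
        elif m := re.match(r"ip address (\S+) \S+$", line):
            peer["interfaces"][current]["ip"] = m.group(1)
        elif m := re.match(r"tunnel (source|destination) (\S+)$", line):
            peer["interfaces"][current][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            peer["keys"][m.group(2)] = m.group(1)  # pre-shared key, keyed by peer address
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            peer["transforms"][m.group(1)] = set(m.group(2).split())
    return peer


def public_ip(peer):
    """Address of the interface Tunnel0 is sourced from, i.e. this peer's IKE/IPsec endpoint."""
    source = peer["interfaces"]["Tunnel0"]["source"]
    return peer["interfaces"][source]["ip"]


def check_peers(name_a, cfg_a, name_b, cfg_b):
    """Return findings; an empty list means the two peers mirror each other correctly."""
    peers = {name_a: parse_peer(cfg_a), name_b: parse_peer(cfg_b)}
    findings = []
    for name, other in ((name_a, name_b), (name_b, name_a)):
        local, remote = peers[name], peers[other]
        remote_ip = public_ip(remote)
        # the tunnel destination must be the peer's tunnel source address
        if local["interfaces"]["Tunnel0"].get("destination") != remote_ip:
            findings.append(f"{name}: tunnel destination is not {other}'s public address {remote_ip}")
        # a pre-shared key must exist for the peer address and equal the key the peer holds for us
        key = local["keys"].get(remote_ip)
        if key is None:
            findings.append(f"{name}: no IKE pre-shared key configured for peer {remote_ip}")
        elif key != remote["keys"].get(public_ip(local)):
            findings.append(f"{name}: IKE pre-shared key differs from {other}'s (phase 1 will fail)")
    # phase 2 needs matching transform sets; ESP without an integrity algorithm is a weakness
    transforms_a, transforms_b = peers[name_a]["transforms"], peers[name_b]["transforms"]
    if transforms_a != transforms_b:
        findings.append("transform sets differ between peers (phase 2 will fail)")
    for ts_name, algorithms in transforms_a.items():
        if not any(alg.endswith("-hmac") for alg in algorithms):
            findings.append(f"transform set {ts_name} has no ESP integrity algorithm (e.g. esp-sha-hmac)")
    return findings


if __name__ == "__main__":
    for finding in check_peers("R1", R1_CONFIG, "R2", R2_CONFIG) or ["peers mirror each other"]:
        print(finding)
```

With the post's configuration the only finding is the encryption-only transform set; changing the key on one side, or pointing a tunnel destination at the wrong address, produces the corresponding phase 1 finding before anything is pushed to a router.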

Verification:
Verify the IKE phase one SA.
-In general, IKE phase one establishes a single bidirectional security association (SA), in contrast to IPsec, which uses two unidirectional SAs, one per direction.
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.1.2     QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA
 
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.1.2     QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA

Verify the IKE phase two SA.
-The “sh crypto engine connections active” command shows all the active security associations on each peer in addition to the VPN encrypted/decrypted traffic. You should see one IKE phase one security association and two IPsec security associations, one for encrypting the outgoing IPsec packets and another for decrypting the incoming IPsec packets.
R1#sh crypto engine connections active
Crypto Engine Connections
   ID   Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    3     IPsec   AES                       0       27        0 192.168.1.1
    4     IPsec   AES                      29        0        0 192.168.1.1
 1002 IKE     SHA+AES              0        0        0 192.168.1.1

R2#sh crypto engine connections active
Crypto Engine Connections
   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    3    IPsec   AES                       0       55        0 192.168.1.2
    4    IPsec   AES                      54        0        0 192.168.1.2
 1002 IKE     SHA+AES             0        0        0 192.168.1.2
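The verification section states the rule a healthy VTI tunnel should satisfy: one IKE SA in QM_IDLE/ACTIVE with the expected peer, and two IPsec SAs, one carrying decrypted (inbound) and one encrypted (outbound) traffic. As an added example (not part of the original post, and not a Cisco tool), the following Python parses the two show outputs above and applies that rule, so the same check can be run from a monitoring job over collected output. The sample text is the R1 capture from the post; tunnel_health and the parser names are mine.

```python
import re

# Constructed sample: the two show commands as captured on R1 in the post.
ISAKMP_SA_OUTPUT = """
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.1.2     QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA
"""

ENGINE_OUTPUT = """
Crypto Engine Connections
   ID   Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    3     IPsec   AES                       0       27        0 192.168.1.1
    4     IPsec   AES                      29        0        0 192.168.1.1
 1002 IKE     SHA+AES              0        0        0 192.168.1.1
"""

# dst src state conn-id status (the header line has no numeric conn-id, so it never matches)
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")
# ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
ENGINE_ROW = re.compile(r"^\s*(\d+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts."""
    rows = []
    for line in text.splitlines():
        if m := ISAKMP_ROW.match(line.strip()):
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows


def parse_engine_connections(text):
    """Rows of 'show crypto engine connections active' as dicts."""
    rows = []
    for line in text.splitlines():
        if m := ENGINE_ROW.match(line):
            conn_id, kind, algorithm, enc, dec, _seq, addr = m.groups()
            rows.append({"id": int(conn_id), "type": kind, "algorithm": algorithm,
                         "encrypt": int(enc), "decrypt": int(dec), "ip": addr})
    return rows


def tunnel_health(isakmp_text, engine_text, peer_ip):
    """Return a list of problems; an empty list means the tunnel looks as the post describes."""
    problems = []
    # phase 1: exactly one established, bidirectional IKE SA with the expected peer
    ike = [r for r in parse_isakmp_sa(isakmp_text)
           if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"]
    if len(ike) != 1:
        problems.append(f"expected 1 established IKE SA, found {len(ike)}")
    elif peer_ip not in (ike[0]["src"], ike[0]["dst"]):
        problems.append(f"IKE SA is between {ike[0]['src']} and {ike[0]['dst']}, not with {peer_ip}")
    # phase 2: two unidirectional IPsec SAs
    ipsec = [r for r in parse_engine_connections(engine_text) if r["type"] == "IPsec"]
    if len(ipsec) != 2:
        problems.append(f"expected 2 IPsec SAs (one per direction), found {len(ipsec)}")
    # direction can only be read off the counters once traffic has flowed
    if any(r["encrypt"] or r["decrypt"] for r in ipsec):
        inbound = [r for r in ipsec if r["decrypt"] and not r["encrypt"]]
        outbound = [r for r in ipsec if r["encrypt"] and not r["decrypt"]]
        if len(inbound) != 1 or len(outbound) != 1:
            problems.append("IPsec SAs are not one inbound (decrypt) plus one outbound (encrypt)")
    return problems


if __name__ == "__main__":
    print(tunnel_health(ISAKMP_SA_OUTPUT, ENGINE_OUTPUT, "192.168.1.2") or "tunnel healthy")
```

The direction check relies on the Encrypt/Decrypt counters, so it is only applied once at least one packet has crossed the tunnel; a freshly negotiated tunnel shows zeros on both IPsec SAs and is still reported as healthy as long as the SA counts are right.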