Flex VPN Site to Site Using Smart Defaults.

Posted: Sunday, September 14, 2014 by Mahmoud Ramadan Ali

Understanding the FlexVPN constructs and how they work together is the shortest way to understand what the Smart Defaults feature is and what it can do for us. The FlexVPN constructs fall into two main categories:

Internet Key Exchange Version 2 (IKEv2) Constructs:
IKEv2 Proposal
An Internet Key Exchange Version 2 (IKEv2) proposal is a collection of transforms used in the negotiation
of Internet Key Exchange (IKE) security associations (SAs) as part of the IKE_SA_INIT exchange. The
transform types used in the negotiation are encryption, integrity and Diffie-Hellman (DH) group algorithms.
IKEv2 Policy
An IKEv2 policy contains proposals that are used to negotiate the encryption, integrity, PRF algorithms, and
DH group in the IKE_SA_INIT exchange. It can have match statements, which are used as selection criteria
to select a policy during negotiation.
IKEv2 Profile
An IKEv2 profile is a repository of nonnegotiable parameters of the IKE SA, such as local or remote identities
and authentication methods and services that are available to authenticated peers that match the profile. An
IKEv2 profile must be attached to either a crypto map or an IPsec profile on the initiator. An IKEv2 profile
is not mandatory on the responder.
IKEv2 Key Ring
An IKEv2 key ring is a repository of symmetric and asymmetric preshared keys and is independent of the
IKEv1 key ring. The IKEv2 key ring is associated with an IKEv2 profile and hence supports a set of peers
that match the IKEv2 profile.

FlexVPN IPsec Constructs:
Transform Set
An IPsec transform set is a collection of transforms used in the negotiation of IPsec security associations (SAs) used for data protection. The transform types used in the negotiation are encryption, integrity and Diffie-Hellman (DH) group algorithms.
IPsec Profile
An IPsec profile contains the IKEv2 profile and is applied to the tunnel interface as the protection profile.

IKEv2 Smart Defaults
The IKEv2 Smart Defaults feature minimizes the FlexVPN configuration through pre-existing constructs known as smart defaults. The IKEv2 defaults include a default proposal (default) and a default policy (default); the IPsec defaults include a default transform set (default) and a default IPsec profile (default). As a result, only an IKEv2 profile needs to be created.

The following rules apply to the IKEv2 Smart Defaults feature:
1 A default configuration is displayed in the corresponding show command with default as a keyword and
with no argument. For example, the show crypto ikev2 proposal default command displays the default
IKEv2 proposal and the show crypto ikev2 proposal command displays the default IKEv2 proposal,
along with any user-configured proposals.
2 A default configuration is displayed in the show running-config all command; it is not displayed in the
show running-config command.
3 You can modify the default configuration, which is displayed in the show running-config all command.
4 A default configuration can be disabled using the no form of the command; for example, no crypto ikev2
proposal default. A disabled default configuration is not used in negotiation but the configuration is
displayed in the show running-config command. A disabled default configuration loses any user
modification and restores system-configured values.
5 A default configuration can be reenabled using the default form of the command, which restores
system-configured values; for example, default crypto ikev2 proposal.
6 The default mode for the default transform set is transport; the default mode for all other transform sets
is tunnel.

In this scenario I will show you how to configure Site to Site FlexVPN using Smart Defaults. You can also download the configuration file from here.
R1 Configuration:
IKEv2 Configuration.
IKEV2 Proposal and Policy Configuration.
-No need to create new proposals or a policy for the IKEv2 security association: Smart Defaults already provide an IKEv2 proposal (default) with encryption, integrity and Diffie-Hellman (DH) group algorithms pre-configured, and an IKEv2 policy (default) that references the default proposal.
-Use the “show crypto ikev2 proposal default” command to list the (default) proposal algorithms, including the encryption, integrity and Diffie-Hellman (DH) group algorithms.
R1#sh crypto ikev2 proposal default
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

-Use the “show crypto ikev2 policy default” command to verify the smart defaults configuration of the (default) IKEv2 policy and its association with the (default) proposal.
R1#sh crypto ikev2 policy default
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default                

Notice: You can customize the (default) proposal and the (default) IKEv2 policy if you want. You can also reset the changes back to the defaults using the “default crypto ikev2 proposal” and “default crypto ikev2 policy” commands.
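Before relying on the smart-default proposal as listed above, it is worth checking which of its transforms fall below the baseline you actually want to negotiate; the short script below parses the show output and flags them. This is an added example, not code from the post; the baseline (no MD5 or SHA-1 based integrity/PRF transforms, DH modulus of at least 2048 bits) is the script's own assumption, not Cisco's.

```python
"""Flag transforms in an IOS 'show crypto ikev2 proposal' listing that fall below a
chosen baseline. The baseline below is an assumption of this example, not a Cisco rule."""
import re

# Constructed sample: the smart-default proposal exactly as the post shows it.
SAMPLE = """\
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

# Assumed baseline: SHA96 is HMAC-SHA1-96 and MD596 is HMAC-MD5-96 in IOS naming;
# neither MD5 nor SHA-1 based transforms are accepted, and DH moduli must be >= 2048 bits.
WEAK_INTEGRITY = {"MD596", "SHA96"}
WEAK_PRF = {"MD5", "SHA1"}
MIN_DH_BITS = 2048


def parse_proposal(text):
    """Return {"name", "Encryption", "Integrity", "PRF", "DH Group"} parsed from the show output.
    "DH Group" is a list of (modulus_bits, group_number) string pairs."""
    prop = {}
    for line in text.splitlines():
        m = re.match(r"\s*IKEv2 proposal:\s*(\S+)", line)
        if m:
            prop["name"] = m.group(1)
            continue
        m = re.match(r"\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*)", line)
        if m:
            key, rest = m.groups()
            if key == "DH Group":
                # entries look like DH_GROUP_1536_MODP/Group 5
                prop[key] = re.findall(r"DH_GROUP_(\d+)_\w+/Group (\d+)", rest)
            else:
                prop[key] = rest.split()
    return prop


def weak_transforms(prop):
    """List (category, transform) pairs in the proposal that violate the assumed baseline."""
    findings = [("Integrity", t) for t in prop.get("Integrity", []) if t in WEAK_INTEGRITY]
    findings += [("PRF", t) for t in prop.get("PRF", []) if t in WEAK_PRF]
    findings += [("DH Group", f"Group {g}") for bits, g in prop.get("DH Group", [])
                 if int(bits) < MIN_DH_BITS]
    return findings


if __name__ == "__main__":
    for cat, t in weak_transforms(parse_proposal(SAMPLE)):
        print(f"{cat}: {t} is below the baseline; consider removing it from the proposal")
```

Any transform the script lists can be removed with the customization commands described in the notice above, and the proposal restored later with “default crypto ikev2 proposal”.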

Key Ring Configuration.
-Create a new IKEv2 key ring and define the peer name, public IP address, the pre-shared key used locally by R1 to authenticate itself to the peer and the key that R1 expects to receive from the remote peer. Notice that I’m using asymmetric pre-shared keys because the local and remote keys are not the same.
R1(config)#crypto ikev2 keyring IKEV2-Key-Ring
R1(config-ikev2-keyring)# peer R2
R1(config-ikev2-keyring-peer)#  address 192.168.1.2
R1(config-ikev2-keyring-peer)#  pre-shared-key local R1-KEY
R1(config-ikev2-keyring-peer)#  pre-shared-key remote R2-KEY

Configure IKEv2 Profile.
-Create a new IKEv2 profile to define the remote peer public IP address, local and remote authentication methods and the key ring used for authentication. An IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
R1(config)#crypto ikev2 profile IKEV2-Profile
R1(config-ikev2-profile)# match identity remote address 192.168.1.2 255.255.255.255
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# keyring local IKEV2-Key-Ring

IPsec Configuration.
Configure IPsec Profile.
-No need to create a new IPsec profile or transform set for IPsec security association (SA) since they are already configured as smart defaults.
-In the default IPsec profile (default) there are two parameters to configure, the IKEv2 profile and the default transform set (default) that is pre-configured using smart defaults.
R1(config)#crypto ipsec profile default                         
R1(ipsec-profile)# set ikev2-profile IKEV2-Profile

-Use the “show crypto ipsec profile default” command to list the (default) IPsec profile and verify the (default) transform set association. You can customize the IPsec profile and reset the changes back to the default using the “default crypto ipsec profile” command.
R1#sh crypto ipsec profile default
IPSEC profile default
        IKEV2 profile IKEV2-Profile
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
-Use the “show crypto ipsec transform-set default” command to list the (default) transform set algorithms.
R1#sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Note: You can customize the default transform set and reset the changes back to the default using the “default crypto ipsec transform-set” command.

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer, and create a loopback interface whose IP address the tunnel interface will borrow. Using a loopback interface makes the tunnel independent of any specific physical interface.
R1(config)#interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface Loopback1
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shut                                                     
Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer; the tunnel destination will be the public interface of that peer.
-Apply the IPsec protection profile to the VTI tunnel interface.
R1(config)#interface Tunnel 1
R1(config-if)# ip unnumbered Loopback1
R1(config-if)# tunnel source FastEthernet0/0
R1(config-if)# tunnel destination 192.168.1.2
R1(config-if)# tunnel protection ipsec profile default

R2 Configuration:
IKEv2 Configuration.
IKEV2 Proposal and Policy Configuration.
-Remember, there is no need to create new proposals or a policy for the IKEv2 security association: Smart Defaults already provide an IKEv2 proposal (default) with encryption, integrity and Diffie-Hellman (DH) group algorithms, and an IKEv2 policy (default) that references the default proposal.
-Use the “show crypto ikev2 proposal default” command to list the (default) proposal algorithms, including the encryption, integrity and Diffie-Hellman (DH) group algorithms.
R2#sh crypto ikev2 proposal default
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
-Use the “show crypto ikev2 policy default” command to verify the smart defaults configuration of the (default) IKEv2 policy and its association with the (default) proposal.
R2#sh crypto ikev2 policy default
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default                

Key Ring Configuration.
-Create a new IKEv2 key ring and define the peer name, public IP address, the pre-shared key used locally by R2 to authenticate itself to the peer and the key that R2 expects to receive from the remote peer.
R2(config)#crypto ikev2 keyring IKEV2-Key-Ring
R2(config-ikev2-keyring)# peer R1
R2(config-ikev2-keyring-peer)#  address 192.168.1.1
R2(config-ikev2-keyring-peer)#  pre-shared-key local R2-KEY
R2(config-ikev2-keyring-peer)#  pre-shared-key remote R1-KEY

Configure IKEv2 Profile.
-Create a new IKEv2 profile to define the remote peer public IP address, local and remote authentication methods and the key ring used for authentication. An IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
R2(config)#crypto ikev2 profile IKEV2-Profile
R2(config-ikev2-profile)# match identity remote address 192.168.1.1 255.255.255.255
R2(config-ikev2-profile)# authentication remote pre-share
R2(config-ikev2-profile)# authentication local pre-share
R2(config-ikev2-profile)# keyring local IKEV2-Key-Ring

Configure The IPsec Profile.
-Again, no need to create a new IPsec profile or transform set for IPsec security association (SA) since they are already configured as smart defaults.
-In the default IPsec profile (default) there are two parameters to configure: the IKEv2 profile and the default transform set (default) that is pre-configured using smart defaults.
R2(config)#crypto ipsec profile default                         
R2(ipsec-profile)# set ikev2-profile IKEV2-Profile
-Use the “show crypto ipsec profile default” command to list the (default) IPsec profile and verify the (default) transform set association.
R2#sh crypto ipsec profile default
IPSEC profile default
        IKEV2 profile IKEV2-Profile
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
-Use the “show crypto ipsec transform-set default” command to list the (default) transform set algorithms.
R2#sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer, and create a loopback interface whose IP address the tunnel interface will borrow. Using a loopback interface makes the tunnel independent of any specific physical interface.
R2(config)#interface FastEthernet0/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#interface Loopback 2
R2(config-if)# ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shut                                                     
Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer; the tunnel destination will be the public interface of that peer.
-Apply the IPsec protection profile to the VTI tunnel interface.
R2(config)#interface Tunnel 2
R2(config-if)# ip unnumbered Loopback 2
R2(config-if)# tunnel source FastEthernet0/0
R2(config-if)# tunnel destination 192.168.1.1
R2(config-if)# tunnel protection ipsec profile default

Verification.
IKEv2 Verification.
R1 IKEv2 Verification.
-Use the “show crypto ikev2 sa” command to verify the IKEv2 SA between R1 and R2.
R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.1.1/500       192.168.1.2/500       none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/211 sec
 IPv6 Crypto IKEv2  SA
R2 IKEv2 Verification.
-Use the “show crypto ikev2 sa” command to verify the IKEv2 SA between R2 and R1.
R2#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         192.168.1.2/500       192.168.1.1/500       none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/483 sec
 IPv6 Crypto IKEv2  SA
IPsec Verification.

R1 IPsec Verification.
-Use the “show crypto ipsec sa” command to verify IPsec inbound/outbound SA.
R1#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 94, #pkts decrypt: 94, #pkts verify: 94
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x91510770(2438006640)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x5A3580A4(1513455780)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: 4, sibling_flags 80000000, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4329051/3175)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x91510770(2438006640)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: 3, sibling_flags 80000000, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4329051/3175)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R2 IPsec Verification.
-Use the “show crypto ipsec sa” command to verify IPsec inbound/outbound SA.
R2#sh crypto ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 192.168.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116
    #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x5A3580A4(1513455780)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x91510770(2438006640)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: 1, sibling_flags 80000000, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4306232/3076)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5A3580A4(1513455780)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: 2, sibling_flags 80000000, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4306232/3076)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
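The two outputs above are easiest to read side by side: each router's outbound SPI must appear as the peer's inbound SPI (0x91510770 and 0x5A3580A4 here), every ESP SA should be ACTIVE, in transport mode (the smart-default transform set) and replay-protected. The script below automates that comparison; it is an added example, not code from the post, and its samples are trimmed excerpts of the R1/R2 output shown above.

```python
"""Cross-check 'show crypto ipsec sa' from both FlexVPN peers: every ESP SA must be ACTIVE, in
transport mode with replay detection on, and each side's outbound SPI must be the peer's inbound SPI."""
import re

TEMPLATE = """\
     current outbound spi: {out}
     inbound esp sas:
      spi: {inn}
        in use settings ={{Transport, }}
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: {out}
        in use settings ={{Transport, }}
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""
# Trimmed from the page: R1 sends on SPI 0x91510770 and receives on 0x5A3580A4; R2 is the mirror image.
R1_OUT = TEMPLATE.format(inn="0x5A3580A4(1513455780)", out="0x91510770(2438006640)")
R2_OUT = TEMPLATE.format(inn="0x91510770(2438006640)", out="0x5A3580A4(1513455780)")


def parse_esp_sas(text):
    """Return {"inbound": [...], "outbound": [...]} lists of {spi, mode, replay, status} dicts."""
    sas, direction, cur = {"inbound": [], "outbound": []}, None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if m:  # a new section starts; only the ESP sections carry the SAs checked here
            direction = m.group(1) if m.group(2) == "esp" else None
            cur = None
        elif direction and s.startswith("spi:"):
            cur = {"spi": s.split()[1].split("(")[0].lower()}  # drop the decimal in parentheses
            sas[direction].append(cur)
        elif cur and s.startswith("in use settings"):
            cur["mode"] = re.search(r"\{(\w+)", s).group(1)    # Transport or Tunnel
        elif cur and s.startswith("replay detection support:"):
            cur["replay"] = s.endswith("Y")
        elif cur and s.startswith("Status:"):
            cur["status"] = s.split()[1]
    return sas


def check_pair(a, b):
    """Return a list of problems; an empty list means all SAs are healthy and the SPIs pair up."""
    problems = []
    for name, sas in (("A", a), ("B", b)):
        for d, lst in sas.items():
            for sa in lst:
                if sa.get("status") != "ACTIVE(ACTIVE)" or sa.get("mode") != "Transport" or not sa.get("replay"):
                    problems.append(f"{name}: {d} SA {sa['spi']} is not ACTIVE/transport/replay-protected")
    if ({sa["spi"] for sa in a["outbound"]} != {sa["spi"] for sa in b["inbound"]}
            or {sa["spi"] for sa in b["outbound"]} != {sa["spi"] for sa in a["inbound"]}):
        problems.append("SPIs do not pair up: each side's outbound SPI must be the peer's inbound SPI")
    return problems
```

Running check_pair on the parsed R1 and R2 outputs returns an empty list for the tunnel shown above; feeding it the same router's output twice reports the SPI mismatch, which is what a one-sided or stale SA would look like.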